GoToWP affected CITRIX Authentication Upgrade for applications implementing OAuth???

March 11, 2015 4:38 pm

Authentication Upgrade for Citrix GoTo Product APIs

Later this month (March 2015), Citrix will release an upgrade for user authentication via API. This upgrade will introduce some security enhancements for the product APIs, and will result in a more consistent and easier sign-on experience for all of your users. In addition, the authorization flow will automatically work for upcoming sign-on features from Citrix. The upgrade may impact some existing implementations.

Impact expected

The upgrade will impact the applications implementing OAuth in ways other than the ones documented or recommended. For example, embedding the product user credentials to avoid user interaction during login exposes the user accounts to security risks. This implementation will break after the upgrade is released.

Citrix has provided test OAuth and Direct Login requests you can use to validate your authorization method. We strongly advise that you run your calls using these requests within the next week or two to validate that your application will continue to run as expected. If your code does not run, this gives you time to revise your code as needed. In general, if you want to automate user login, Direct Login is the preferred method.

2 Replies

  • I have tested the free plugin and we intend to purchase the GoToWP for WooCommerce-GoToWebinar, but I think the plugin is in the case described in this Citrix statement, because it’s implementing OAuth and embedding the product user credentials to avoid user interaction during login.

    DEVELOPER, please :

    • Could you please confirm whether this is true? Is it a real problem?
    • If yes, is there a solution planned in the coming weeks?
  • @AxiForo – I’m pasting below excerpts from my emailed response to you, so other people can see the answer as well. Thanks for the question and I hope you enjoy your weekend!

    ———————-
    The Woo Addon is designed to do the 2 things you outline, specifically:

    1) “WooCommerce” order in your website
    2) Register the customer who paid for the webinar product in WooCommerce in CITRIX

    I cannot comment on the API change definitely. Our plugin does fall in the “No Impact Expected” portion of the Citrix email, which states:

    If you are using Direct Login for your authorization flows, you should see no change. In addition, if you are using the OAuth flow as documented on the site, you should see no change.

    We have tried to clarify what is meant by “No Impact Expected” but have not gotten a clear answer.

    Unfortunately, I have no idea what their API change will actually mean until they roll it out. I would hate to lose your business, but I also am not comfortable promising our plugin will continue to work as is when they roll out the API change, as I simply do not have enough info from Citrix to make that promise.

    ——————–
