Token Refreshes with bogus refresh_token produces valid JWT
#826
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Token Refreshes with bogus
Follow-on from #815, using this test script: https://gist.github.com/micolous/e54b84dec86fcc45754c5c429ed834c4
mock-oauth2-serverreturns validid_tokens when sent a bogusrefresh_token(random UUID), as long as it includes aclient_idparameter or HTTP Basic auth (as required by spec).To reproduce, run the above script with:
--attempt_count 0 --refresh_count 0 --bogus_refresh_count 2 --client_id_in_query(client_idin query string)--attempt_count 0 --refresh_count 0 --bogus_refresh_count 2 --http_basic_auth(client_idin HTTP Basic auth)--attempt_count 0 --refresh_count 0 --bogus_refresh_count 2 --client_id_in_query --http_basic_auth(both)If this was a real OAuth 2.0 server, this would be a security bug. 😄
This also shows the same symptoms as #825, where custom claims in
requestMappings[].claimsare only provided ifclient_idis provided as a query string only, and not HTTP basic auth.Environment
Running
mock-oauth2-server2.1.10 in Docker, with this config:{ "httpServer": { "type": "NettyWrapper", "ssl": { "keyPassword": "", "keystoreFile": "/run/secrets/server_p12", "keystoreType": "PKCS12", "keystorePassword": "" } }, "interactiveLogin": true, "tokenCallbacks": [ { "issuerId": "test-issuer", "tokenExpiry": 90, "requestMappings": [ {"requestParam": "client_id", "match": "*", "claims": {"customClaim": ["foo"]}} ] } ] }The text was updated successfully, but these errors were encountered: