- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 5.5.1
- Labels:
Bug description
When introspecting an RPT, the introspect endpoint accepts the header "Authorization: Basic" instead of requiring "Authorization: Bearer" and still returns UMA permissions. Note that the credential does need to be the PAT: it will not return UMA permissions when the client's Basic authorization (clientID/clientpassword) is used.
How to reproduce the issue
- Setup AM as UMA authorization server
- Obtain an RPT token (see docs: https://backstage.forgerock.com/docs/am/5.5/uma-guide/#chap-uma-implementation)
- Introspect the RPT using the PAT token as the credential, sent with the header "Authorization: Basic"
Expected behaviour
$ curl --request POST --header "Authorization: Basic 16b34cbd-39d7-48a9-83fb-cf0560546c14" 'http://openam.example.com:18080/openam/oauth2/realms/root/introspect?token=cc98b11f-caa0-4040-ad6a-093aa5168b99'
Should return an error, as the scheme should be Bearer, not Basic.
Current behaviour
$ curl --request POST --header "Authorization: Basic 16b34cbd-39d7-48a9-83fb-cf0560546c14" 'http://openam.example.com:18080/openam/oauth2/realms/root/introspect?token=cc98b11f-caa0-4040-ad6a-093aa5168b99'
{"active":true,"permissions":[{"resource_id":"1d3ac7b6-ff76-4fbe-ba2b-13a72c28b8ee0","resource_scopes":["read"],"exp":1512652515}],"token_type":"access_token","exp":1512652515,"iss":"http://openam.example.com:18080/openam/oauth2"}
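As an added illustration (not part of this issue or of AM's code), the following Python sketch contrasts an introspection header check that mirrors the reported behaviour (the scheme word is ignored and the credential is looked up as a token) with one that dispatches on the scheme as RFC 6750 (Bearer) and RFC 7617 (Basic) require. The PAT, client id and secret are constructed sample values.

```python
import base64
import binascii

# Constructed stores: PAT -> resource owner, client_id -> client secret.
PAT_STORE = {"pat-sample-0001": "alice"}
CLIENT_STORE = {"uma-client": "client-secret-sample"}


def parse_authorization(header):
    """Split 'Scheme credentials' into (scheme, credentials).
    The scheme is compared case-insensitively, as RFC 7235 requires."""
    if not header or " " not in header.strip():
        return None, None
    scheme, _, credentials = header.strip().partition(" ")
    return scheme.lower(), credentials.strip()


def lenient_introspection_auth(header):
    """Mirrors the reported bug: whatever the scheme says, the credential
    is looked up as a PAT, so 'Basic <PAT>' yields full UMA context."""
    _, credentials = parse_authorization(header)
    if credentials in PAT_STORE:
        return "pat", PAT_STORE[credentials]
    return "denied", None


def strict_introspection_auth(header):
    """Expected behaviour: Bearer carries a PAT, Basic carries
    base64(client_id:secret), and anything else is rejected."""
    scheme, credentials = parse_authorization(header)
    if scheme == "bearer":
        if credentials in PAT_STORE:
            return "pat", PAT_STORE[credentials]
        return "denied", None
    if scheme == "basic":
        try:
            decoded = base64.b64decode(credentials, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            # A raw token after 'Basic', as in the report, is not valid Basic syntax.
            return "denied", None
        client_id, sep, secret = decoded.partition(":")
        if sep and CLIENT_STORE.get(client_id) == secret:
            # Client authentication only: no resource owner, so no UMA permissions.
            return "client", client_id
        return "denied", None
    return "denied", None
```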