
Introspect endpoint for RPT does not check the authorization scheme

    Details

    • Sprint:
      AM Sustaining Sprint 60
    • Story Points:
      2
    • Needs backport:
      No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      No
    • Functional tests:
      Yes
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      When introspecting an RPT, the introspect endpoint accepts the header "Authorization: Basic" carrying the PAT, instead of requiring "Authorization: Bearer", and still returns the UMA permissions. Note that you do need to use the PAT for this: the endpoint does not return UMA permissions when the Basic authorization carries the client ID and client password.

      How to reproduce the issue

      1. Set up AM as a UMA authorization server
      2. Obtain an RPT (see docs: https://backstage.forgerock.com/docs/am/5.5/uma-guide/#chap-uma-implementation)
      3. Introspect the RPT using the PAT, but send the PAT in the header "Authorization: Basic" instead of "Authorization: Bearer"
      Expected behaviour

      $ curl --request POST --header "Authorization: Basic 16b34cbd-39d7-48a9-83fb-cf0560546c14" 'http://openam.example.com:18080/openam/oauth2/realms/root/introspect?token=cc98b11f-caa0-4040-ad6a-093aa5168b99'

      Should return an error, as the scheme should be Bearer, not Basic.

      Current behaviour

      $ curl --request POST --header "Authorization: Basic 16b34cbd-39d7-48a9-83fb-cf0560546c14" 'http://openam.example.com:18080/openam/oauth2/realms/root/introspect?token=cc98b11f-caa0-4040-ad6a-093aa5168b99'

      {"active":true,"permissions":[{"resource_id":"1d3ac7b6-ff76-4fbe-ba2b-13a72c28b8ee0","resource_scopes":["read"],"exp":1512652515}],"token_type":"access_token","exp":1512652515,"iss":"http://openam.example.com:18080/openam/oauth2"}
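      The following Python is an added illustration of the check at issue; it is not OpenAM code and not part of the report. It models an introspection endpoint's authorization step in the shape the report describes (credential looked up without regard to the HTTP authentication scheme) next to a hardened form that only honours a PAT under the Bearer scheme and only honours Basic as base64(client_id:client_secret). The token values, client credentials, in-memory stores and the exact body returned for a client-authenticated call (active/exp without a permissions array) are constructed assumptions for the example; the report only says that client Basic authorization does not yield UMA permissions.

```python
import base64
import binascii
import hmac

# Constructed sample credentials for this example only (not the values from the
# report and not tied to any real deployment).
PAT = "pat-8f1e3c2a"                     # protection API token held by the resource server
RPT = "rpt-5d9b7a40"                     # requesting party token to be introspected
CLIENT_ID, CLIENT_SECRET = "rs-client", "rs-secret"

# Constructed in-memory state standing in for the authorization server's stores.
PAT_STORE = {PAT: {"client_id": CLIENT_ID}}
CLIENTS = {CLIENT_ID: CLIENT_SECRET}
RPT_STORE = {
    RPT: {
        "exp": 1512652515,
        "permissions": [
            {"resource_id": "res-1", "resource_scopes": ["read"], "exp": 1512652515}
        ],
    }
}


def parse_authorization(header):
    """Split an Authorization header into (scheme, credentials).
    Scheme names are case-insensitive (RFC 7235), so the scheme is lower-cased."""
    if not header:
        return None, None
    parts = header.strip().split(None, 1)
    if len(parts) != 2:
        return None, None
    return parts[0].lower(), parts[1].strip()


def basic_client_header(client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Build the RFC 6749 section 2.3.1 client credential: Basic base64(id:secret)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _basic_client_ok(cred):
    """True only if cred is well-formed base64(client_id:client_secret) for a known client."""
    try:
        decoded = base64.b64decode(cred, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError, TypeError):
        return False
    client_id, sep, secret = decoded.partition(":")
    expected = CLIENTS.get(client_id)
    if not sep or expected is None:
        return False
    return hmac.compare_digest(secret.encode(), expected.encode())


def _introspection_body(token, with_permissions):
    """RFC 7662 style response. The UMA permissions array is attached only when the
    caller proved possession of a PAT (assumed shape for the client-authenticated case)."""
    info = RPT_STORE.get(token)
    if info is None:
        return {"active": False}
    body = {"active": True, "token_type": "access_token", "exp": info["exp"]}
    if with_permissions:
        body["permissions"] = info["permissions"]
    return body


def introspect_vulnerable(auth_header, token):
    """Models the behaviour in the report: the credential string is matched against
    the PAT store without consulting the scheme, so 'Basic <PAT>' is honoured
    exactly like 'Bearer <PAT>'."""
    scheme, cred = parse_authorization(auth_header)
    if cred in PAT_STORE:                      # scheme is ignored here: the bug
        return 200, _introspection_body(token, with_permissions=True)
    if scheme == "basic" and _basic_client_ok(cred):
        return 200, _introspection_body(token, with_permissions=False)
    return 401, {"error": "invalid_client"}


def introspect_fixed(auth_header, token):
    """Hardened form: a PAT is accepted only under the Bearer scheme (RFC 6750),
    Basic is accepted only as client_id:client_secret, and anything else,
    including 'Basic <PAT>', is rejected before any token lookup."""
    scheme, cred = parse_authorization(auth_header)
    if scheme == "bearer" and cred in PAT_STORE:
        return 200, _introspection_body(token, with_permissions=True)
    if scheme == "basic" and _basic_client_ok(cred):
        return 200, _introspection_body(token, with_permissions=False)
    return 401, {"error": "invalid_client"}


if __name__ == "__main__":
    for name, fn in (("vulnerable", introspect_vulnerable), ("fixed", introspect_fixed)):
        print(name, "Basic <PAT> ->", fn("Basic " + PAT, RPT))
```

      The hardened check decides on the scheme first and only then consults the store, so a PAT presented under Basic fails closed with the same invalid_client error as a bad client secret, and nothing about the RPT is revealed.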
      


            People

            • Assignee:
              sachiko Sachiko Wallace
              Reporter:
              nathalie.hoet Nathalie Hoet
