- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 6.5.0
- Component/s: oauth2
Bug description
OAuth2 Clients are able to use a Refresh Token to get a new Access Token despite the Refresh Token flow not being enabled on the Client.
How to reproduce the issue
- Enable OAuth2 Provider (enable Refresh Token)
- Add OAuth2 client (default is fine, don't add Refresh Token flow)
- Get Access Token, Refresh Token etc.
- Use Refresh Token flow to get a new Access Token
Expected behaviour
Error = The authenticated client is not authorized to use this authorization grant type.
Current behaviour
New Access Token issued
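The expected and current behaviour above, as an added example that is not OpenAM code or part of the original report: a minimal in-memory model of a token endpoint that runs the reproduction steps once with the per-client grant check skipped for `refresh_token` and once with it enforced. The `TokenEndpoint` class, the `enforce_client_grants` switch and the `demo-client` id are hypothetical names used for illustration.

```python
import secrets

# RFC 6749 section 5.2 error the report expects for a disallowed grant.
UNAUTHORIZED_CLIENT = {
    "error": "unauthorized_client",
    "error_description": "The authenticated client is not authorized "
                         "to use this authorization grant type.",
}

class TokenEndpoint:
    """Toy in-memory token endpoint (hypothetical model, not OpenAM code)."""

    def __init__(self, provider_refresh_enabled, enforce_client_grants):
        self.provider_refresh_enabled = provider_refresh_enabled
        self.enforce_client_grants = enforce_client_grants
        self.clients = {}         # client_id -> grant types registered on the client
        self.refresh_tokens = {}  # refresh token -> owning client_id

    def register_client(self, client_id, grant_types):
        self.clients[client_id] = set(grant_types)

    def token(self, client_id, grant_type, refresh_token=None):
        # Per-client grant check. With enforce_client_grants=False the
        # refresh_token grant skips it, which models the reported behaviour.
        checked = self.enforce_client_grants or grant_type != "refresh_token"
        if checked and grant_type not in self.clients[client_id]:
            return 400, UNAUTHORIZED_CLIENT
        if grant_type == "refresh_token":
            # The token must exist and belong to the caller; it is single-use here.
            if self.refresh_tokens.get(refresh_token) != client_id:
                return 400, {"error": "invalid_grant"}
            del self.refresh_tokens[refresh_token]
        # Authorization-code validation is omitted to keep the model short.
        body = {"access_token": secrets.token_urlsafe(16)}
        if self.provider_refresh_enabled:
            body["refresh_token"] = secrets.token_urlsafe(16)
            self.refresh_tokens[body["refresh_token"]] = client_id
        return 200, body

def reproduce(enforce, grants=("authorization_code",)):
    """Run the report's four steps against the model; return the final response."""
    endpoint = TokenEndpoint(provider_refresh_enabled=True, enforce_client_grants=enforce)
    endpoint.register_client("demo-client", grants)  # constructed client id
    _, first = endpoint.token("demo-client", "authorization_code")
    return endpoint.token("demo-client", "refresh_token", first["refresh_token"])

if __name__ == "__main__":
    print("check skipped :", reproduce(enforce=False)[0])
    print("check enforced:", reproduce(enforce=True))
```

The same two assertions (200 when the check is skipped, `unauthorized_client` when it is enforced) make a regression test for any authorization server that stores grant types per client.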
- caused: OPENAM-14780 Refresh token missing when switching from 6.5.0 to 6.5.1 (Resolved)