OpenAM / OPENAM-14111

Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow

    Details

    • Sprint:
      2019.1 - Chariot
    • Support Ticket IDs:
    • Verified Version/s:
    • Functional tests:
      Yes
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      OAuth2 Clients are able to use a Refresh Token to get a new Access Token despite the Refresh Token flow not being enabled on the Client

      How to reproduce the issue

      1. Enable OAuth2 Provider (enable Refresh Token)
      2. Add OAuth2 client (default is fine, don't add Refresh Token flow)
      3. Get Access Token, Refresh Token etc.
      4. Use Refresh Token flow to get a new Access Token

      Expected behaviour
      Error: The authenticated client is not authorized to use this authorization grant type.

      Current behaviour
      New Access Token issued
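The steps above boil down to one missing check at the token endpoint: the refresh_token grant is switched on at the provider level (step 1), but the client's own registered grant types (step 2) are never consulted when the client redeems a refresh token (step 4). The block below is an added example, not OpenAM's code: a constructed model of a token endpoint showing the reported behaviour beside the corrected check. Every name in it (Provider, Client, TokenStore, token_endpoint_buggy, token_endpoint_fixed, the "demo-client" id) is an assumption for illustration. The expected error text in the ticket is the description RFC 6749 section 5.2 gives for the unauthorized_client error, so that is what the fixed endpoint returns.

```python
# Added example (not OpenAM's code): constructed model of a token endpoint's
# grant-type authorization. Names and setup are assumptions for illustration.
import secrets
from dataclasses import dataclass, field
from typing import Dict

# RFC 6749 section 5.2: client is not allowed to use this grant type. The
# description string is the error text the ticket expects.
UNAUTHORIZED_CLIENT = {
    "error": "unauthorized_client",
    "error_description": "The authenticated client is not authorized to use "
                         "this authorization grant type.",
}
UNSUPPORTED_GRANT_TYPE = {"error": "unsupported_grant_type"}
INVALID_GRANT = {"error": "invalid_grant"}


@dataclass
class Provider:
    """Provider-level setting (step 1): grant types the server offers at all."""
    enabled_grant_types: frozenset


@dataclass
class Client:
    """Client registration (step 2): grant types this client may use."""
    client_id: str
    allowed_grant_types: frozenset


@dataclass
class TokenStore:
    """Maps each live refresh token to the client_id it was issued to."""
    refresh_tokens: Dict[str, str] = field(default_factory=dict)

    def issue(self, client_id: str) -> str:
        rt = secrets.token_urlsafe(32)
        self.refresh_tokens[rt] = client_id
        return rt


def _redeem_refresh_token(client: Client, store: TokenStore, params: dict) -> dict:
    """Exchange a refresh token for a new access token, rotating the refresh token."""
    rt = params.get("refresh_token")
    if rt is None or store.refresh_tokens.get(rt) != client.client_id:
        return INVALID_GRANT            # unknown, or issued to a different client
    del store.refresh_tokens[rt]        # single use: rotate on every redemption
    return {
        "access_token": secrets.token_urlsafe(32),
        "refresh_token": store.issue(client.client_id),
        "token_type": "Bearer",
    }


def token_endpoint_buggy(provider: Provider, client: Client,
                         store: TokenStore, params: dict) -> dict:
    """Behaviour the ticket reports: only the provider-level switch is checked,
    so any authenticated client can redeem its refresh token (step 4 succeeds)."""
    grant = params.get("grant_type")
    if grant not in provider.enabled_grant_types:
        return UNSUPPORTED_GRANT_TYPE
    if grant == "refresh_token":
        return _redeem_refresh_token(client, store, params)
    return UNSUPPORTED_GRANT_TYPE       # other grants are not modelled here


def token_endpoint_fixed(provider: Provider, client: Client,
                         store: TokenStore, params: dict) -> dict:
    """Expected behaviour: the grant must be enabled on the provider AND
    registered on the client; otherwise unauthorized_client is returned."""
    grant = params.get("grant_type")
    if grant not in provider.enabled_grant_types:
        return UNSUPPORTED_GRANT_TYPE
    if grant not in client.allowed_grant_types:
        return UNAUTHORIZED_CLIENT      # the check missing in the buggy version
    if grant == "refresh_token":
        return _redeem_refresh_token(client, store, params)
    return UNSUPPORTED_GRANT_TYPE       # other grants are not modelled here


def reproduce(endpoint) -> dict:
    """Steps 1-4 of the ticket against the given endpoint implementation.
    Constructed setup: refresh_token enabled on the provider, not on the client."""
    provider = Provider(frozenset({"authorization_code", "refresh_token"}))
    client = Client("demo-client", frozenset({"authorization_code"}))  # assumed id
    store = TokenStore()
    rt = store.issue(client.client_id)  # step 3: a refresh token already issued
    return endpoint(provider, client, store,
                    {"grant_type": "refresh_token", "refresh_token": rt})


if __name__ == "__main__":
    print("buggy:", reproduce(token_endpoint_buggy))   # new access token issued
    print("fixed:", reproduce(token_endpoint_fixed))   # unauthorized_client
```

The point of the two-level check is that the provider switch and the client registration answer different questions: the first says whether the server offers the flow at all, the second whether this particular client was ever authorised to use it. The fixed endpoint also keeps the binding between a refresh token and the client it was issued to, so a client that is allowed to use the flow still cannot redeem another client's token.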


People

  • Assignee: michael.carter Michael Carter
  • Reporter: aaron.haskins Aaron Haskins
  • Votes: 0
  • Watchers: 9


Time Tracking

  • Estimated: Not Specified
  • Remaining: 0h
  • Logged: 16h