[OPENAM-14111] Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow - ForgeRock JIRA

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 6.5.0
Fix Version/s: 6.5.1, 6.5.0.2, 7.0.0
Component/s: oauth2
Labels:
- AME
- Must-Fix
- NEWTON

Target Version/s:

6.5.1, 6.5.0.2, 7.0.0

Sprint:
2019.1 - Chariot

Support Ticket IDs:

Verified Version/s:

6.5.0.2
Functional tests:

Yes
Are the reproduction steps defined?:

Yes and I used the same an in the description

Description

Bug description

OAuth2 Clients are able to use a Refresh Token to get a new Access Token despite the Refresh Token flow not being enabled on the Client

How to reproduce the issue

Enable OAuth2 Provider (enable Refresh Token)
Add OAuth2 client (default is fine, don't add Refresh Token flow)
Get Access Token, Refresh Token etc.
Use Refresh Token flow to get a new Access Token

Expected behaviour

Error = The authenticated client is not authorized to use this authorization grant type.

Current behaviour

New Access Token issued

Attachments

Issue Links

caused

OPENAM-14780 Refresh token missing when switching from 6.5.0 to 6.5.1

Resolved

Activity

People

Assignee:

Michael Carter

Reporter:

Aaron Haskins

Votes:

0 Vote for this issue

Watchers:

9 Start watching this issue

Dates

Created:

11/Dec/18 11:35 AM

Updated:

24/Apr/19 11:27 AM

Resolved:

08/Jan/19 8:41 AM

Time Tracking

Estimated:

Not Specified

Remaining:

0h

Logged:

16h