  1. OpenAM
  2. OPENAM-14927

introspect endpoint must support mTLS authN


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 6.5.1
    • Fix Version/s: None
    • Component/s: oauth2
    • Labels:
    • Target Version/s:

      Description

      Bug description

      According to draft-ietf-oauth-mtls-14 (https://tools.ietf.org/html/draft-ietf-oauth-mtls-14), the introspect endpoint MUST support client authentication via mTLS as described in the draft.

      "This document describes an additional
      mechanism of client authentication utilizing mutual TLS certificate-
      based authentication, which provides better security characteristics
      than shared secrets. While [RFC6749] documents client authentication
      for requests to the token endpoint, extensions to OAuth 2.0 (such as
      Introspection [RFC7662], Revocation [RFC7009], and the Backchannel
      Authentication Endpoint in [OpenID.CIBA]) define endpoints that also
      utilize client authentication and the mutual TLS methods defined
      herein are applicable to those endpoints as well."

      How to reproduce the issue


      1. Register an OAuth2 client "RS" with a certificate
      2. Obtain an access_token (AT)
      3. RS validates the AT at the introspect endpoint, e.g.
        curl -X POST \
        --header "X-mtlsCertAuth: <lots-of-funny-chars>" \
        "http://id.init8.net:8080/openam/oauth2/introspect?token=$AT"
      Expected behaviour

      If the cert matches the registered RS cert, the call should succeed. This is similar to the "access_token" endpoint when accessed by an mTLS-configured OAuth2 client.

      Current behaviour

      Authentication Method is ignored
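      The behaviour the report expects, written out as an added example (this is not OpenAM code and not the reporter's; it is a minimal authorization server that implements the self_signed_tls_client_auth method of draft-ietf-oauth-mtls, later published as RFC 8705, in front of an RFC 7662 introspection handler). Assumptions: a TLS terminator in front of the server has already completed the mutual-TLS handshake and forwards the client certificate, PEM-encoded, in the X-mtlsCertAuth header seen in the curl call above; the certificate bytes below are constructed stand-ins, since the check only hashes the DER encoding and needs no X.509 parsing.

```python
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed stand-ins for DER-encoded client certificates. The thumbprint
# check below only hashes the DER bytes, so no X.509 parsing is needed here;
# a real deployment presents real certificates, verified at the TLS layer.
RS_CERT_DER = b"\x30\x82\x01\x00constructed-cert-of-resource-server-RS"
OTHER_CERT_DER = b"\x30\x82\x01\x00constructed-cert-of-some-other-party"


def pem_encode(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block (64-character base64 lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body."""
    lines = [ln.strip() for ln in pem.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body)


def cert_thumbprint(der: bytes) -> str:
    """base64url(SHA-256(DER)): the x5t#S256 value the draft uses to bind a cert."""
    digest = hashlib.sha256(der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class Client:
    client_id: str
    token_endpoint_auth_method: str   # e.g. "self_signed_tls_client_auth"
    x5t_s256: str                     # thumbprint of the registered cert


@dataclass
class AuthorizationServer:
    clients: Dict[str, Client] = field(default_factory=dict)
    tokens: Dict[str, dict] = field(default_factory=dict)   # access_token -> claims

    def register_client(self, client_id: str, cert_der: bytes) -> Client:
        """Step 1 of the report: register a client together with its certificate."""
        c = Client(client_id, "self_signed_tls_client_auth", cert_thumbprint(cert_der))
        self.clients[client_id] = c
        return c

    def issue_token(self, subject: str, scope: str, ttl: int = 3600) -> str:
        """Step 2: hand out an opaque access token with an expiry."""
        at = secrets.token_urlsafe(32)
        self.tokens[at] = {"sub": subject, "scope": scope, "exp": int(time.time()) + ttl}
        return at

    def authenticate_client(self, headers: Dict[str, str]) -> Optional[Client]:
        # Assumption: the TLS terminator verified the handshake and forwards the
        # client cert PEM-encoded in X-mtlsCertAuth. It must overwrite any copy
        # of that header sent by the caller, or this check is trivially spoofed.
        pem = headers.get("X-mtlsCertAuth")
        if not pem:
            return None
        try:
            presented = cert_thumbprint(pem_to_der(pem))
        except ValueError:          # binascii.Error is a ValueError: malformed PEM
            return None
        for c in self.clients.values():
            if c.token_endpoint_auth_method != "self_signed_tls_client_auth":
                continue
            if secrets.compare_digest(c.x5t_s256, presented):
                return c
        return None

    def introspect(self, headers: Dict[str, str], form: Dict[str, str]) -> Tuple[int, dict]:
        """Step 3: RFC 7662 introspection, gated on mTLS client authentication."""
        # Authenticate the caller before revealing anything about the token;
        # an unauthenticated introspect endpoint is a free token oracle.
        client = self.authenticate_client(headers)
        if client is None:
            return 401, {"error": "invalid_client"}
        info = self.tokens.get(form.get("token", ""))
        if info is None or info["exp"] <= int(time.time()):
            return 200, {"active": False}
        return 200, {"active": True, **info}


if __name__ == "__main__":
    srv = AuthorizationServer()
    srv.register_client("RS", RS_CERT_DER)
    at = srv.issue_token("alice", "read")
    print(srv.introspect({"X-mtlsCertAuth": pem_encode(RS_CERT_DER)}, {"token": at}))
    print(srv.introspect({"X-mtlsCertAuth": pem_encode(OTHER_CERT_DER)}, {"token": at}))
```

      With the registered certificate the call returns the token's claims; with any other certificate, a missing header or an unparsable one it returns 401 invalid_client without touching the token store, which is the "authentication method is honoured" behaviour the report asks for. The token is read from the form body rather than the query string, as RFC 7662 specifies.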

      Work around


      Code analysis

      
      

            People

            Assignee:
            Unassigned
            Reporter:
            steffo.weber (Steffo Weber)
            Votes: 0
            Watchers: 4