Project: OpenAM
Issue: OPENAM-16695

Dynamic Client Registration: Access Token field does not perform validation.


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not a defect
    • Affects Version/s: 6.5.2
    • Fix Version/s: None
    • Component/s: oauth2, OpenID Connect
    • Sprint: AM Sustaining Sprint 78
    • 3

      Description

      Bug description

      Under the context of Dynamic Client Registration, the Access Token field under OAuth2 Client > Advanced > Access Token does not appear to enforce any form of expiry. Once the Access Token is generated, you can wait past the expiry time (e.g. 6 minutes) and then perform a client update REST request. See https://backstage.forgerock.com/docs/am/6.5/oauth2-guide/index.html#dynamic-management-update

      How to reproduce the issue

      1. Create OIDC provider (Ensure Allow Open Dynamic Client Registration is disabled.)
      2. Create Master OAuth2 Client as described in https://backstage.forgerock.com/docs/am/6.5/oauth2-guide/index.html#register-oauth2-client-dynamic-access-token-example
      3. Register Dynamic Client described in the same link as step 2.
      4. Wait a generous amount of time for the Access Token to expire as per your config (either set at client level or, if set to 0, at provider level). Perform a dynamic update using the provided Access Token under OAuth2 Client > Advanced > Access Token.
      5. The PUT update config request will be successful, even though the access token should be expired. A new Access Token will be generated in the field.
      6. Additional test: change a character in the Access Token in the request and make the same change in the OAuth2 Client settings; the request will still be successful. Therefore the setting does not seem to be enforcing much validation here.
      Expected behaviour

      Access Token should expire and generate a new token in the Access Token field.

      Current behaviour

      Access Token works regardless of expiry, and an arbitrary value can be set.
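      As an added illustration (not OpenAM's own code), the checks the report expects an update endpoint to perform on the registration access token before honouring a PUT: the presented value is compared in constant time against the stored token, the lifetime is taken from the client setting or, when that is 0, from the provider, and an accepted update rotates the token. The data classes, field names and the sample values (token `tok-abc`, issued at 1000, provider lifetime 360 seconds) are assumptions constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class ProviderConfig:
    """Provider-level access token lifetime in seconds (hypothetical field)."""
    access_token_lifetime: int


@dataclass
class ClientRegistration:
    """Stored state for one dynamically registered client (hypothetical model)."""
    client_id: str
    registration_access_token: str
    issued_at: int              # epoch seconds when the current token was generated
    access_token_lifetime: int  # 0 means "inherit the provider-level value"


def effective_lifetime(client: ClientRegistration, provider: ProviderConfig) -> int:
    """Client-level lifetime wins; 0 falls back to the provider-level setting."""
    if client.access_token_lifetime > 0:
        return client.access_token_lifetime
    return provider.access_token_lifetime


def validate_registration_token(client, provider, presented, now):
    """Check a token presented on a PUT update; return (accepted, reason)."""
    # Constant-time comparison: a single altered character must be rejected.
    if not hmac.compare_digest(presented.encode(), client.registration_access_token.encode()):
        return False, "token_mismatch"
    # Reject once the configured lifetime has elapsed since the token was issued.
    if now >= client.issued_at + effective_lifetime(client, provider):
        return False, "token_expired"
    return True, "ok"


def complete_update(client, now):
    """After an accepted update, rotate the token so the old value stops working."""
    client.registration_access_token = secrets.token_urlsafe(32)
    client.issued_at = now
    return client.registration_access_token


if __name__ == "__main__":
    # Constructed sample: client inherits the provider's 6-minute lifetime.
    client = ClientRegistration("client-1", "tok-abc", 1000, 0)
    provider = ProviderConfig(360)
    print(validate_registration_token(client, provider, "tok-abc", 1100))  # (True, 'ok')
    print(validate_registration_token(client, provider, "tok-abd", 1100))  # mismatch
    print(validate_registration_token(client, provider, "tok-abc", 1360))  # expired
```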

            People

            chee-weng.chea C-Weng C
            darrel.nikolovski Darrel Nikolovski