OpenAM / OPENAM-16703

OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)


    Details

    • AM Sustaining Sprint 78

      Description


      A refreshed OAuth2 access token (one obtained with a refresh token) is certificate-bound regardless of the "Certificate-Bound Access Tokens" setting in the OAuth2 client configuration. See: https://backstage.forgerock.com/docs/am/6.5/oauth2-guide/#PoP-Cert

      Reproduction steps

      Follow the steps in OPENAM-16566, but send the client credentials with HTTP Basic authentication (client_secret_basic), e.g. curl --user <client_id>:<client_secret>, instead of posting them in the form body with --data client_id and client_secret.

      Expected behaviour

      With no certificate proof of possession configured in either the OAuth2 Provider or the client configuration, access tokens should not be certificate-bound (no cnf key).

      Current behaviour

      Access tokens obtained via the refresh_token grant type are bound to a certificate even when certificate-bound access tokens are enabled in neither the client nor the OAuth2 Provider configuration.
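As an added consistency check (example code, not part of this issue or of AM itself): decode a JWT-format access token, read the RFC 8705 cnf / x5t#S256 member, and compare it with whether certificate binding is actually enabled for the client, so that a refreshed token arriving bound when it should not (the behaviour reported above) is flagged. The JWT token format, the claim names and the sample tokens are assumptions; signatures are not verified.

```python
import base64
import hashlib
import json

# Claim names from RFC 8705 (certificate-bound access tokens); AM's "cnf key" uses this structure.
CNF_CLAIM = "cnf"
THUMBPRINT_MEMBER = "x5t#S256"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def jwt_claims(token: str) -> dict:
    """Payload of a compact JWS. The signature is NOT verified: this is a config-consistency check only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))

def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 = base64url(SHA-256(DER-encoded certificate))."""
    return b64url_encode(hashlib.sha256(cert_der).digest())

def check_binding(claims: dict, cert_bound_enabled: bool, client_cert_der: bytes = b"") -> str:
    """Compare the token's cnf binding with what the client/provider configuration says should happen."""
    thumb = (claims.get(CNF_CLAIM) or {}).get(THUMBPRINT_MEMBER)
    if not cert_bound_enabled:
        return "ok" if thumb is None else "unexpected-binding"  # the symptom reported in this issue
    if thumb is None:
        return "missing-binding"
    if not client_cert_der:
        return "no-client-cert"
    return "ok" if thumb == cert_thumbprint(client_cert_der) else "thumbprint-mismatch"

def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned fixture (alg none) for offline testing; not a token AM would issue."""
    header = b64url_encode(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."

# Constructed sample: binding disabled for this client, yet the refreshed token carries cnf.
FAKE_CERT_DER = b"constructed-der-bytes-not-a-real-certificate"
INITIAL_TOKEN = make_unsigned_jwt({"sub": "demo", "scope": "profile"})
REFRESHED_TOKEN = make_unsigned_jwt({"sub": "demo", "scope": "profile", CNF_CLAIM: {THUMBPRINT_MEMBER: cert_thumbprint(FAKE_CERT_DER)}})

def audit_tokens(cert_bound_enabled: bool = False) -> dict:
    return {name: check_binding(jwt_claims(tok), cert_bound_enabled, FAKE_CERT_DER)
            for name, tok in (("initial", INITIAL_TOKEN), ("refreshed", REFRESHED_TOKEN))}
```

With binding disabled, audit_tokens() returns "ok" for the initial token and "unexpected-binding" for the refreshed one, which is the mismatch this issue describes.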

              People

              lawrence.yarham Lawrence Yarham