- Type: New Feature
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 12.0.1
- Component/s: oauth2
- Labels:
As of now (the last stable release is 12.0.1), if an access_token is obtained from realmB, a request to the tokeninfo endpoint must contain a reference to the correct realm realmB, either through a DNS alias or the realm parameter, to succeed.
For example, the following is not successful:
$ curl --request POST --data "client_secret=clientsecret&client_id=testclient&username=testuser&password=userpassword&grant_type=password&scope=email" http://openam.example.com:8080/openam/oauth2/access_token?realm=/testrealm
{"scope":"email","expires_in":59,"token_type":"Bearer","access_token":"ca79234e-0a4f-4abb-85f3-6de4e538ee8f"}
$ curl -k 'http://openam.example.com:8080/openam/oauth2/tokeninfo?access_token=ca79234e-0a4f-4abb-85f3-6de4e538ee8f'
{"error":"invalid_request","error_description":"Access Token not valid"}
This happens because the second request does not contain the realm, and a realm check is performed when validating the token.
There exist scenarios in which it would make sense to give access to information on an access_token from any realm, and it would be good to have a configuration option that allows such behaviour.
If implemented, the related documentation should highlight which type of environment can safely disable strict realm checking and which environment would be at risk.
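The following is an added example, not OpenAM code: a small Python model of the tokeninfo realm check as the issue describes it, with the requested strict-realm-check switch added as a hypothetical `strict_realm_check` option. The token store, the fixed clock (`ISSUED_AT`), the realm normalisation and the exact field set of the success response are constructed for the example; only the token value, realm and error document are taken from the curl exchange above.

```python
"""Model of the tokeninfo realm check described in the issue.

Constructed example, not OpenAM code: it reproduces the observed behaviour
(a token issued in /testrealm is rejected by tokeninfo when the request does
not name that realm) and adds the proposed strict_realm_check switch.
"""
from dataclasses import dataclass

# Fixed clock so the example is deterministic (constructed value).
ISSUED_AT = 1_700_000_000.0


@dataclass(frozen=True)
class AccessToken:
    token_id: str
    realm: str          # realm the token was issued in
    client_id: str
    scope: tuple
    expires_at: float


def normalize_realm(realm):
    """Canonical realm path: leading slash, no trailing slash, lower case.

    A request that names no realm (no ?realm= and no DNS alias) is treated
    as the root realm "/", which is why the second curl above fails.
    """
    if realm is None or not realm.strip("/ "):
        return "/"
    return "/" + realm.strip().strip("/").lower()


# Constructed token store holding the token from the access_token call above.
TOKEN_STORE = {
    "ca79234e-0a4f-4abb-85f3-6de4e538ee8f": AccessToken(
        token_id="ca79234e-0a4f-4abb-85f3-6de4e538ee8f",
        realm="/testrealm",
        client_id="testclient",
        scope=("email",),
        expires_at=ISSUED_AT + 59,
    ),
}

INVALID = {"error": "invalid_request", "error_description": "Access Token not valid"}


def tokeninfo(access_token, realm=None, strict_realm_check=True, now=ISSUED_AT):
    """Answer a tokeninfo request.

    realm              -- realm the request was addressed to (?realm= or DNS
                          alias); None means no realm was given.
    strict_realm_check -- hypothetical configuration option the issue asks for.
    Returns a dict shaped like the endpoint's JSON (field set is illustrative).
    """
    token = TOKEN_STORE.get(access_token)
    if token is None or now >= token.expires_at:
        # Same generic error for unknown and expired tokens: do not tell the
        # caller which of the two it was.
        return dict(INVALID)
    if strict_realm_check and normalize_realm(realm) != normalize_realm(token.realm):
        # The failure the issue reports: a valid token, but the request names
        # the wrong realm (or none at all).
        return dict(INVALID)
    return {
        "realm": token.realm,
        "client_id": token.client_id,
        "scope": list(token.scope),
        "expires_in": int(token.expires_at - now),
        "token_type": "Bearer",
        "access_token": token.token_id,
    }


def is_valid(response):
    """True when the response is a token description rather than an error."""
    return "error" not in response


if __name__ == "__main__":
    tok = "ca79234e-0a4f-4abb-85f3-6de4e538ee8f"
    print("no realm, strict:   ", tokeninfo(tok))
    print("realm given, strict:", tokeninfo(tok, realm="/testrealm"))
    print("no realm, relaxed:  ", tokeninfo(tok, strict_realm_check=False))
```

With `strict_realm_check=False` the check that distinguishes realms is simply skipped, so a tokeninfo request addressed to any realm (including the root realm) will describe a token issued in any other realm. That is harmless when every realm is administered by the same party and every client is trusted equally, and it is exactly the property to avoid when realms are used to separate tenants or trust domains; in that case the strict behaviour should stay on, which is the distinction the requested documentation note needs to make.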