Introspection endpoint reads token from query-parameters

Basics

Logistics

Basics

Logistics

Description

@Pasquale Barbaro reported that the OP’s introspection endpoint also accepts the token from query parameters. It should only read them from the parameters sent as "application/x-www-form-urlencoded” data, see section 2.1 in [1].

We still rely heavily on Nimbus for decoding request messages. The bug has been reported at [2]. As it’s the holiday season, the fix may take some time though. If that’s the case, we may want to fix it ourselves in OAuth2IntrospectionRequestDecoder

[1 ]RFC 7662: OAuth 2.0 Token Introspection
[2] https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/432

Environment

None

Activity

Henri Mikkonen

September 8, 2023 at 7:17 AM

Verified on a test deployment that the use of token in the query parameters will now produce an invalid_request error response message.

Henri Mikkonen

September 1, 2023 at 11:04 AM

Added a check to OAuth2IntrospectionRequestDecoder to verify that the token parameter is not included in the query string.

Resize issue view side panel

Fixed

Details

Assignee

Henri Mikkonen

Reporter

Henri Mikkonen

Components

Introspection Endpoint

Fix versions

4.0.0

Created August 18, 2023 at 5:45 AM

Updated September 8, 2023 at 7:17 AM

Resolved September 1, 2023 at 11:04 AM

Introspection endpoint reads token from query-parameters

Description

Environment

Activity

Details

Assignee

Reporter

Components

Fix versions

Flag notifications

Something's gone wrong

Something's gone wrong

Something's gone wrong