bug(oxauth): Duplicate iss and aud on introspection as jwt #1748

Closed
kdhttps opened this issue Nov 30, 2022 · 1 comment
Labels: bug

kdhttps commented Nov 30, 2022

Describe the issue

If you do an introspection on a token during an authorization code flow and include the "response_as_jwt" body value as true, the JWT is returned with a duplicate iss and aud.

Example JWT:

eyJraWQiOiI5N2M0MDU1ZS00YjEwLTQ3YTMtOTA0NS1jYTYxN2YxNTFiZTFfc2lnX3JzMjU2IiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJhdWQiOlsiYzcyYTcyNTktY2Q1NS00ZGMxLWJmYzAtY2Y1NmIzY2M3NzJmIiwiYzcyYTcyNTktY2Q1NS00ZGMxLWJmYzAtY2Y1NmIzY2M3NzJmIl0sInN1YiI6IjBzMXJydHFCYmZNV2lTeVV4ZlUzSFB6MzZwSEZxS2NFNnlxSFJRemp3bkUiLCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwiYWNyX3ZhbHVlcyI6InBhc3Nwb3J0X3NvY2lhbCIsImlzcyI6WyJodHRwczovL3AyLmdsdXUub3JnIiwiaHR0cHM6Ly9wMi5nbHV1Lm9yZyJdLCJhY3RpdmUiOnRydWUsInRva2VuX3R5cGUiOiJiZWFyZXIiLCJleHAiOjE2Njk3OTc4NzAsImlhdCI6MTY2OTc5NzU3MCwiY2xpZW50X2lkIjoiYzcyYTcyNTktY2Q1NS00ZGMxLWJmYzAtY2Y1NmIzY2M3NzJmIiwidXNlcm5hbWUiOiJkaG9uaSJ9.WHpFAhid6Ga_iUfrN8Wp42Vh_s9t6DMmJ0yqtvVGJURZTZxZEfdKDFZXmLEHI_zN6vLlrFrC1BdWUzdGjGZjBz3nC-GaQNmm1-YnkgNqziBl2qI1OT8O1gwsSJIsCCQJUFg0YthlAVazo-rI7WuZFUeEl7hrKrqHfEQDxrb-FLa886pbbsgRg-j7HWyndTht9M6dM_JU1yWJ41BPJwD1mGfubeuuCZYcFJFr2icWimpaRVpHwRojSTx8gHVWHdk3tFHZLdXZQQg5-rfxD072TN7LKc3b5xmZvBaGZwks-FQYVfaU6wFj1QpbBtGREbtgzuP16MuvCyeYvDOkTfuFNw

Steps To Reproduce

Steps to reproduce the behavior:

  1. Implement the Code Auth Flow
  2. Get access token from Code Auth flow
  3. Try to introspect access token with response_as_jwt=true
curl -k --location --request POST 'https://xxx.xxx.xxx/oxauth/restv1/introspection' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer ec16a583-8dc9-xxxx-bd11-aec2ca5fd6f0' \
--data-urlencode 'token=699dba57-dde7-4e80-xxxx-debdafa5803a' \
--data-urlencode 'response_as_jwt=true'
  4. You will get JWT token in response but with duplicate iss and aud

Expected behavior

JWT token should have one iss and aud

Actual behavior

JWT token has duplicate "iss" and "aud"

Desktop:

  • OS: Ubuntu 20.04 LTS
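
A consumer-side check for the symptom reported above, as an added example that is not part of the issue or the oxAuth code base: it decodes the claims of an introspection JWT and flags an iss that is not a single string (the shape RFC 7519 defines) or an aud array that repeats a value. The function names and sample tokens are constructed for illustration, and the signature is deliberately not verified, so this is for inspecting a response only.

```python
import base64
import json

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Build a constructed compact token for the demo (placeholder signature)."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     _b64url(b"placeholder-signature")])

def decode_payload(token: str) -> dict:
    """Decode the claims segment for inspection; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(segment))

def claim_problems(claims: dict) -> list:
    """Return shape problems in iss/aud; an empty list means both look sane."""
    problems = []
    iss = claims.get("iss")
    if iss is not None and not isinstance(iss, str):
        problems.append("iss is not a single string")
    aud = claims.get("aud")
    if isinstance(aud, list):
        if not all(isinstance(a, str) for a in aud):
            problems.append("aud contains a non-string entry")
        elif len(set(aud)) != len(aud):
            problems.append("aud repeats a value")
    elif aud is not None and not isinstance(aud, str):
        problems.append("aud is neither a string nor a list of strings")
    return problems

# Constructed sample claims (not taken from the issue).
CLIENT = "11111111-2222-3333-4444-555555555555"
BAD = make_token({"iss": ["https://idp.example", "https://idp.example"],
                  "aud": [CLIENT, CLIENT], "active": True})
GOOD = make_token({"iss": "https://idp.example", "aud": [CLIENT], "active": True})

if __name__ == "__main__":
    for name, tok in (("bad", BAD), ("good", GOOD)):
        print(name, claim_problems(decode_payload(tok)))
```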

yuriyz commented Dec 21, 2022

Fixed in #1766

yuriyz closed this as completed Dec 21, 2022