
access_token introspection must be protected by PAT #432

Closed
yuriyz opened this issue Jan 12, 2017 · 3 comments
yuriyz commented Jan 12, 2017

No description provided.

@yuriyz yuriyz self-assigned this Jan 12, 2017
@yuriyz yuriyz modified the milestones: CE 3.1.0, CE 3.0.0 Jan 12, 2017
yuriyz commented Jan 12, 2017

return scopes in introspection endpoint

yuriyz added a commit that referenced this issue Jan 12, 2017
yuriyz commented Jan 13, 2017

fixed in master for 3.0 version

@yuriyz yuriyz closed this as completed Jan 13, 2017
yuriyz commented Mar 17, 2017

[01/12/2017 17:45:19] Yuriy Zabrovarnyy: so with valid access_token it's possible to introspect any access_tokens
[01/12/2017 17:45:51] Yuriy Zabrovarnyy: right now we're returning: active: true/false, exp, iat, acr_values
[01/12/2017 17:46:13] Yuriy Zabrovarnyy: only these 4 fields
[01/12/2017 17:53:47 | Edited 17:52:25] Yuriy Zabrovarnyy: 1) If I use the OpenID Connect access token at the calendar API, can the calendar API introspect the access token? yes, we can
[01/12/2017 17:57:44] Michael Schwartz: We need to return scopes too...
[01/12/2017 17:58:30] Michael Schwartz: so with valid access_token it's possible to introspect any access_tokens
[01/12/2017 17:58:38] Michael Schwartz: This is not correct.
[01/12/2017 17:58:51] Michael Schwartz: I think introspection should be limited to a PAT token
[01/12/2017 17:59:28] Michael Schwartz: because any client can dynamically register and obtain an access token
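The authorization gap the chat above describes, and the fix it proposes, side by side as an added example (this is constructed illustration code, not oxAuth's own implementation). It assumes that a PAT is an access token carrying the `uma_protection` scope and that tokens are held in an in-memory dictionary keyed by token value; the token names, client ids and the `build_store` helper are all made up for the example. The `introspect_unprotected` function reproduces the reported behaviour (any active access token authorises a lookup of any other token), while `introspect_pat_protected` refuses callers without a PAT and also returns the `scope` field the thread asks for.

```python
"""Added example (not oxAuth code) for the gap discussed in this issue:
an RFC 7662 introspection endpoint that accepts *any* valid access token as
the caller's credential lets every dynamically registered client inspect
every other client's tokens. The hardened variant requires a PAT.

Assumptions (constructed for this example): a PAT is an access token that
carries the `uma_protection` scope, and tokens live in an in-memory dict
keyed by token value."""
import time
from dataclasses import dataclass

PAT_SCOPE = "uma_protection"  # assumption: a PAT is an access token with this scope


@dataclass
class StoredToken:
    client_id: str
    scopes: frozenset
    iat: int
    exp: int
    acr_values: str = "basic"
    revoked: bool = False

    def is_active(self, now=None):
        now = int(time.time()) if now is None else now
        return not self.revoked and self.iat <= now < self.exp


def build_store():
    """Constructed sample tokens: one PAT held by a resource server, one
    ordinary token from a dynamically registered client, one 'victim' token
    belonging to a third client, and one expired token."""
    now = int(time.time())
    fresh = dict(iat=now - 60, exp=now + 3600)
    return {
        "pat-1": StoredToken("calendar-rs", frozenset({PAT_SCOPE}), **fresh),
        "client-tok": StoredToken("dyn-client-42", frozenset({"openid"}), **fresh),
        "victim-tok": StoredToken("mobile-app", frozenset({"openid", "calendar"}), **fresh),
        "expired-tok": StoredToken("mobile-app", frozenset({"openid"}), iat=now - 7200, exp=now - 3600),
    }


def _caller_token(store, authorization_header):
    """Resolve the bearer credential the caller presented; None if unusable."""
    prefix = "Bearer "
    if not authorization_header or not authorization_header.startswith(prefix):
        return None
    tok = store.get(authorization_header[len(prefix):].strip())
    return tok if tok is not None and tok.is_active() else None


def _introspection_body(tok):
    """RFC 7662 response. Inactive or unknown tokens get only active=false, so
    the endpoint does not reveal which token strings exist."""
    if tok is None or not tok.is_active():
        return {"active": False}
    return {
        "active": True,
        "scope": " ".join(sorted(tok.scopes)),  # the field the thread asks to add
        "client_id": tok.client_id,
        "exp": tok.exp,
        "iat": tok.iat,
        "acr_values": tok.acr_values,
    }


def introspect_unprotected(store, authorization_header, token):
    """Behaviour the issue reports: any active access token authorises the call."""
    if _caller_token(store, authorization_header) is None:
        return 401, {"error": "invalid_token"}
    return 200, _introspection_body(store.get(token))


def introspect_pat_protected(store, authorization_header, token):
    """Fix proposed in the thread: the caller must hold a PAT."""
    caller = _caller_token(store, authorization_header)
    if caller is None:
        return 401, {"error": "invalid_token"}
    if PAT_SCOPE not in caller.scopes:
        return 403, {"error": "insufficient_scope", "scope": PAT_SCOPE}
    return 200, _introspection_body(store.get(token))


if __name__ == "__main__":
    store = build_store()
    print(introspect_unprotected(store, "Bearer client-tok", "victim-tok"))
    print(introspect_pat_protected(store, "Bearer client-tok", "victim-tok"))
    print(introspect_pat_protected(store, "Bearer pat-1", "victim-tok"))
```

Each handler returns an HTTP-style `(status, body)` pair: 401 for a missing or expired caller credential, 403 with `insufficient_scope` when an ordinary client token tries to introspect under the PAT rule, and 200 otherwise. Note that the PAT check sits on the caller's credential, not on the token being looked up; the token being looked up still gets the plain `{"active": false}` treatment when it is unknown or expired.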
