-
-
Notifications
You must be signed in to change notification settings - Fork 797
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introspection endpoint doesn't require "introspection" scope when used in client-credentials flow #1451
Comments
I think you are right that the introspection client (what DOT calls an application) should be somehow constrained in whether it is authorized to introspect. However I don't think using Introspection Basic auth was added pretty recently (2019 in #725:-) so I suspect the earlier Bearer-only version of introspection worked correctly [1]. When support for Basic was added it broke this checking. Prior to that PR, introspection could only be done with a Bearer access token. I expect a PR to fix this would somehow have to constrain applications with the client_credentials as discussed in #709 BTW, the part of the discussion in #709 about constraining which applications a particular introspection application can introspect might be a little too much. In my experience with a commercial product, an introspector can introspect any access token. And, with OIDC, anyone with a given Access Token can essentially introspect it via the Userinfo endpoint. However, in the commercial product, the introspector is specially identified with a "fake" grant type of So to summarize, using [1] Further, given that any client can request any scope, I think that means that any client's access token (Bearer) can be an introspector! |
Confirmed in testing that anyone can request Not a huge concern since the access token needs to be protected no matter what as possession means access to whatever resources allow it. |
Hey, thanks for the very quick response time.
facepalm - of course.
Sorry, I am still new to this thing. According to this article on the OAuth website the "client needs to authenticate themselves for this request. Typically the service will allow either additional request parameters client_id and client_secret, or accept the client ID and secret in the HTTP Basic auth header." This reads to me as if it's acceptable to use auth basic in the client credentials flow. Maybe I'm missing something.
I dug around a bit and it seems to me like the
Thanks for the summary, this seems logical to me (although I still wonder about the article above). |
Hi. I am not entirely sure if this is a bug or I am misunderstanding something about OAuth2, I'd like to apologize in advance if it's the latter.
Describe the bug
I followed the tutorial to create an access token and tried using the
IntrospectTokenView
with that token. This view is aClientProtectedScopedResourceView
that includesrequired_scopes = ["introspection"]
. My understanding of the documentation around these made me believe that if I use a bearer token without the appropriate scope, my request will fail. To my surprise, the call succeeds regardless of the scopes in the token I use.To Reproduce
introspect
endpoint like so:curl -X POST -H "Authorization: Basic ${CREDENTIAL}" -H "Cache-Control: no-cache" -H "Content-Type: application/x-www-form-urlencoded" "http://127.0.0.1:8000/o/introspect/" -d "token=..."
Expected behavior
Even when using the client-credentials flow, I expect a token that doesn't have the
introspection
scope to be rejected when calling an endpoint declaringrequired_scopes = ["introspection"]
.Version
2.4.0
Additional context
I googled around and found this Auth0 thread for a similar question. There it is suggested that scopes in a token are not considered at all if using client-credentials. However, in that example the client itself has associated scopes. This isn't the case for the default setup of DOT, as far as I can see.
As it stands, when using client-credentials, any token can be inspected by any client. If this is the desired behavior that's fine with me. If not, however, you might consider a small change to
IntrospectTokenView.get_token_response
that usescls.required_scopes
:The text was updated successfully, but these errors were encountered: