OAuth2AuthProviderImpl loses Access Token after introspect call #659

Closed
chrispatmore opened this issue Aug 29, 2023 · 2 comments

@chrispatmore
Contributor

chrispatmore commented Aug 29, 2023

Version

Version: 4.3.8 +

Context

Whilst investigating 654, I discovered there is an issue when the AT does not validate as a JWT. In these cases (either it's an invalid JWT as far as the code is concerned, e.g. 654, or it is just an opaque token) the code then attempts a token introspect here; if this passes we know the token is valid and the User is created here. However, at this point the access_token is lost: the user placed into the context has no access_token, so when I then try to make a userInfo call or some other request to the provider, I get rejected as I supplied an invalid token (no token, for example here). I have also noticed that, since the version I am testing on, a userInfo introspect has been added if there is no introspect endpoint here, and this adds the token back to the user here.

In short, the OAuth2AuthProviderImpl should be setting the access_token back into the User object when the token is valid, as happens when the token is validated using the userInfo endpoint, so that the token can then be used for future actions.

Edit: This also then sets the subject in the user wrongly in some cases; for example, in the Keycloak case the JSON returned from the introspect endpoint contains username, which is then used to set the subject instead of the sub field in the response.

Do you have a reproducer?

No

Steps to reproduce

  1. configure an app with OIDC with a provider that gives "invalid JWTs e.g. keycloak with current code" or plain tokens
  2. have the app perform a userInfo request with the AT
  3. log in and get an access token
  4. make an API call to the app with the access token
  5. request will fail because the user info call will fail
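The failure mode and the requested fix, modelled in Python as an added example (this is not vertx-auth code; the introspection endpoint, the user dictionaries and the token values are constructed stand-ins for the Vert.x objects the issue refers to):

```python
import time

# Constructed RFC 7662 introspection response, shaped like a Keycloak-style reply
# (it carries both `username` and `sub`, which is what exposes the subject bug).
INTROSPECT_RESPONSE = {
    "active": True,
    "sub": "f1e2d3c4-0000-4000-8000-000000000001",  # constructed subject id
    "username": "alice",
    "exp": int(time.time()) + 300,
}
RAW_TOKEN = "opaque-token-constructed-for-example"  # constructed opaque AT, not a JWT


def introspect(token: str) -> dict:
    """Stand-in for the provider's introspection endpoint (hypothetical)."""
    return dict(INTROSPECT_RESPONSE) if token == RAW_TOKEN else {"active": False}


def build_user_lossy(introspection: dict) -> dict:
    """The reported behaviour: the raw token is dropped and the subject
    is taken from `username`."""
    return {"principal": {}, "attributes": dict(introspection),
            "subject": introspection.get("username")}


def build_user(token: str, introspection: dict) -> dict:
    """The behaviour the issue asks for: reject inactive/expired tokens, keep the
    validated token in the principal, and take the subject from `sub`."""
    if not introspection.get("active"):
        raise PermissionError("token is not active")
    exp = introspection.get("exp")
    if exp is not None and exp <= time.time():
        raise PermissionError("token expired")
    return {"principal": {"access_token": token}, "attributes": dict(introspection),
            "subject": introspection.get("sub")}


def user_info(user: dict) -> dict:
    """Stand-in for a userinfo request: needs a bearer token that still introspects as active."""
    token = user["principal"].get("access_token")
    if not token or not introspect(token).get("active"):
        raise PermissionError("401 invalid_token")
    return {"sub": introspect(token)["sub"]}


def authenticate(token: str, fixed: bool = True) -> dict:
    """Introspection path: validate, then build the user either way for comparison."""
    info = introspect(token)
    if not info.get("active"):
        raise PermissionError("401 invalid_token")
    return build_user(token, info) if fixed else build_user_lossy(info)
```

With `fixed=False` the user has no access_token and the follow-up userinfo call is rejected, which is the failure described in the steps above; with the fix the token survives and the subject comes from `sub`.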
chrispatmore added a commit to chrispatmore/vertx-auth that referenced this issue Aug 30, 2023
Update the code to ensure the access token is available after
validating the token using token introspect

Contributes to: eclipse-vertx#659

Signed-off-by: Chris Patmore <[email protected]>
@vietj
Member

vietj commented Sep 15, 2023

@pmlopes do you mind having a look ?

@chrispatmore
Contributor Author

Closing as PR merged

@pmlopes pmlopes modified the milestones: 4.5.0, 5.0.0 Oct 13, 2023