Authenticator oauth2_introspection only works if token_type returned is an "access_token" #553

Closed
daviddelucca opened this issue Oct 8, 2020 · 2 comments
Labels
bug Something is not working. good first issue A good issue to tackle when being a novice to the project. help wanted We are looking for help on this one.
Milestone

Comments

@daviddelucca
Contributor

daviddelucca commented Oct 8, 2020

Describe the bug

When the introspect URL returns a token_type that is not an access_token, Oathkeeper throws an exception:

Introspected token is not an access token but "..."

This error is related to this validation.

Reproducing the bug

Steps to reproduce the behavior:

Server logs

time="2020-10-07T20:41:47Z" level=error msg="An error occurred while handling a request" code=403 debug= details="map[]" error="Access credentials are not sufficient to access this resource" reason="Introspected token is not an access token but \"Bearer\"" request-id=53e06937-f10a-4164-9f6e-d1a2ef2224fd status=403 writer=JSON

Expected behavior

It should accept other token_types instead of working only with access_token.

Environment

  • Version: v0.38.2-beta.1
  • Environment: Ory Helm Chart

Additional context

If the solution is as simple as removing that validation or validating the token_type across a few values, I could open a PR for it. I have read the RFC and I didn't find what the expected values are or if there are any.

@aeneasr
Member

aeneasr commented Oct 8, 2020

Yes we should change that - the token_type is Bearer. We'll be introducing a new token_use in the introspection response which would then be access token for example. I think we should fix this here!

@aeneasr
Member

aeneasr commented Oct 8, 2020

Would you be up to contributing that change?

@aeneasr aeneasr added the bug Something is not working. label Oct 8, 2020
@aeneasr aeneasr added this to the v0.39.0 milestone Oct 8, 2020
@aeneasr aeneasr added good first issue A good issue to tackle when being a novice to the project. help wanted We are looking for help on this one. labels Oct 8, 2020
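
The check discussed in this thread, as an added example that is not Oathkeeper's code or its eventual fix: it treats `token_type` as the optional, case-insensitive token scheme (RFC 7662 section 2.2, RFC 6749 section 5.1) and uses a separate `token_use` field to reject non-access tokens. The helper name `checkIntrospection`, the JSON name `token_use`, its value `access_token`, and accepting only the Bearer scheme are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// introspection holds the RFC 7662 response fields this check reads.
// TokenUse is the field proposed in the thread; its JSON name and the
// value "access_token" are assumptions of this example.
type introspection struct {
	Active    bool   `json:"active"`
	TokenType string `json:"token_type"`
	TokenUse  string `json:"token_use"`
}

// checkIntrospection (hypothetical helper) returns nil when the response
// describes a token that may authorize a request.
func checkIntrospection(body []byte) error {
	var r introspection
	if err := json.Unmarshal(body, &r); err != nil {
		return fmt.Errorf("decode introspection response: %w", err)
	}
	if !r.Active {
		return errors.New("token is not active")
	}
	// token_type is optional and compared case-insensitively; Bearer only (assumption).
	if r.TokenType != "" && !strings.EqualFold(r.TokenType, "bearer") {
		return fmt.Errorf("unsupported token_type %q", r.TokenType)
	}
	// When the server states a use, require an access token (rejects refresh tokens).
	if r.TokenUse != "" && r.TokenUse != "access_token" {
		return fmt.Errorf("token_use is %q, not an access token", r.TokenUse)
	}
	return nil
}

func main() {
	// Constructed sample responses, not taken from a real server.
	for _, s := range []string{
		`{"active":true,"token_type":"Bearer"}`,
		`{"active":true,"token_type":"bearer","token_use":"refresh_token"}`,
		`{"active":false}`,
	} {
		fmt.Printf("%s -> %v\n", s, checkIntrospection([]byte(s)))
	}
}
```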
2 participants