fix: remove token_type validation from authenticator_oauth2 introspec… #556

Merged
merged 6 commits into from
Oct 18, 2020

@daviddelucca (Contributor) commented Oct 11, 2020

The authenticator_oauth2 introspection flow only works if the token_type is an access_token. It works great if your authentication server always returns this type, but it crashes if it returns other types.

Related issue

#553

Proposed changes

My proposal is to remove this validation and allow other token_types. I have checked the RFC but I didn't find what types should be allowed, so my suggestion is to allow any token_type.

Checklist

  • I have read the contributing guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got green light (please contact
    [email protected]) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

Further comments

There are no docs to update.

@CLAassistant commented Oct 11, 2020

CLA assistant check
All committers have signed the CLA.

@aeneasr (Member) left a comment

Awesome, thank you for your contribution! This looks pretty good but I have some ideas how to improve it further :)

pipeline/authn/authenticator_oauth2_introspection.go (outdated, resolved)

@daviddelucca requested a review from aeneasr October 13, 2020 01:40

@daviddelucca requested a review from aeneasr October 13, 2020 14:40

@aeneasr (Member) left a comment

Thank you for all the hard work!

@aeneasr merged commit b18d90a into ory:master Oct 18, 2020