API resources can be accessed using id_token

[JanakaPushpakumara]

Description

Hi Team.

When executing an OpenID authorization_code OAuth2 flow to generate an access token it returns both an access_token and an id_token.

The problem comes when the user is able to use both the id_token and the access_token in the Authorization header to consume the API resources of the APIM.

According to the OpenID Connect Core [1] and RFC 6749 Oauth2 Framework [2]:

ID Tokens (OpenID Connect Core Spec, Sections 1.1, 2, 3.1.3.6) are used to authenticate the user and contain claims about the user's identity and authentication event.

Access Tokens (OAuth 2.0 Spec, Sections 1.4, 7, 3.3, 5.1) are used to authorize access to protected resources and contain information about the granted permissions and scope.

Therefore, an id_token should not be used as an access_token and should be used only to authenticate the user.

[1] - https://openid.net/specs/openid-connect-core-1_0.html
[2] - https://datatracker.ietf.org/doc/html/rfc6749

Thanks,
Janaka.

Steps to Reproduce

Call authorize endpoint:

GET https:///oauth2/authorize?response_type=code&client_id=xxxx&state=state&scope=openid&redirect_uri=xxxx

Call token endpoint:

POST https:///oauth2/token
grant_type=authorization_code&code=xxxx&redirect_uri=xxxx&client_id=xxx&client_secret=xxxx

Response of the token endpoint:

{ "access_token":"xxxxx",
"scope":"openid",
"id_token":"xxx",
"token_type":"Bearer",
"expires_in":3600
}

Invoke the API resource with id_token

Affected Component

APIM

Version

4.1.0

Environment Details (with versions)

No response

Relevant Log Output

No response

Related Issues

No response

Suggested Labels

wso2am-4.1.0

[Tharanidk]

Hi @lasanthaS ,

Please share the public fix and close this issue.

Regards,
Tharani.