-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
API resources can be accessed using id_token #2948
Closed
Comments
Hi @lasanthaS , Please share the public fix and close this issue. Regards, |
This was referenced Jul 9, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Hi Team.
When executing an OpenID authorization_code OAuth2 flow to generate an access token it returns both an access_token and an id_token.
The problem comes when the user is able to use both the id_token and the access_token in the Authorization header to consume the API resources of the APIM.
According to the OpenID Connect Core [1] and RFC 6749 Oauth2 Framework [2]:
ID Tokens (OpenID Connect Core Spec, Sections 1.1, 2, 3.1.3.6) are used to authenticate the user and contain claims about the user's identity and authentication event.
Access Tokens (OAuth 2.0 Spec, Sections 1.4, 7, 3.3, 5.1) are used to authorize access to protected resources and contain information about the granted permissions and scope.
Therefore, an id_token should not be used as an access_token and should be used only to authenticate the user.
[1] - https://openid.net/specs/openid-connect-core-1_0.html
[2] - https://datatracker.ietf.org/doc/html/rfc6749
Thanks,
Janaka.
Steps to Reproduce
Call authorize endpoint:
GET https:///oauth2/authorize?response_type=code&client_id=xxxx&state=state&scope=openid&redirect_uri=xxxx
Call token endpoint:
POST https:///oauth2/token
grant_type=authorization_code&code=xxxx&redirect_uri=xxxx&client_id=xxx&client_secret=xxxx
Response of the token endpoint:
{ "access_token":"xxxxx",
"scope":"openid",
"id_token":"xxx",
"token_type":"Bearer",
"expires_in":3600
}
Invoke the API resource with id_token
Affected Component
APIM
Version
4.1.0
Environment Details (with versions)
No response
Relevant Log Output
No response
Related Issues
No response
Suggested Labels
wso2am-4.1.0
The text was updated successfully, but these errors were encountered: