It is possible to invoke refresh_token flow with access_token (instead of refresh_token) #829

yuriyz · 2018-06-20T09:26:52Z

Reported in support ticket: https://support.gluu.org/authentication/5635/invoke-refresh_token-grant-type-with-an-access-token/

Currently it is possible to invoke the refresh_token grant type with an access_token. We used password grant_type to obain an access_token and a refresh_token. Afterwards we don NOT use the refresh_token but the access_token to invoke the refresh_token grant type.

Is this behaviour intended and if so where can we probably deactivate it?

… token flow. #829

… token flow. #829 (cherry picked from commit bfd7a49)

yuriyz · 2018-06-25T14:11:47Z

done in 3.1.4 and master

yuriyz added the bug bug in code label Jun 20, 2018

yuriyz added this to the 3.1.4 milestone Jun 20, 2018

yuriyz added a commit that referenced this issue Jun 25, 2018

#829 : forbid fetching authorization grant by access token in refresh…

bfd7a49

… token flow. #829

yuriyz added a commit that referenced this issue Jun 25, 2018

#829 : forbid fetching authorization grant by access token in refresh…

b3177b4

… token flow. #829 (cherry picked from commit bfd7a49)

yuriyz closed this as completed Jun 25, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

It is possible to invoke refresh_token flow with access_token (instead of refresh_token) #829

It is possible to invoke refresh_token flow with access_token (instead of refresh_token) #829

yuriyz commented Jun 20, 2018

yuriyz commented Jun 25, 2018

It is possible to invoke refresh_token flow with access_token (instead of refresh_token) #829

It is possible to invoke refresh_token flow with access_token (instead of refresh_token) #829

Comments

yuriyz commented Jun 20, 2018

yuriyz commented Jun 25, 2018