Conversation
Pull request overview
This PR fixes a critical security vulnerability (CVE-2026-22723) in the token revocation endpoint where improper authorization logic allowed users to revoke other users' tokens. The vulnerability stemmed from using OR logic instead of AND logic when checking authorization for the /oauth/token/revoke/user/{userId}/client/{clientId} endpoint. The fix ensures that both the user ID and client ID in the request path must match the authenticated token, preventing unauthorized cross-user token revocation.
Changes:
- Fixed authorization logic in `OauthEndpointSecurityConfiguration` to require both user and client match using a single combined check instead of separate OR'd checks
- Added `TOKEN_REVOCATION_CLIENT_USER` check type and supporting infrastructure in `SelfCheckAuthorizationManager` to enforce AND logic for combined user+client validation
- Added integration test `aUserCannotRevokeClientTokens()` to verify users cannot revoke other users' tokens even when using the same client
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| server/src/main/java/org/cloudfoundry/identity/uaa/web/SelfCheckAuthorizationManager.java | Adds new TOKEN_REVOCATION_CLIENT_USER check type with combined AND logic for user and client validation, plus supporting factory method and constructor overload |
| server/src/main/java/org/cloudfoundry/identity/uaa/oauth/beans/OauthEndpointSecurityConfiguration.java | Replaces vulnerable OR'd authorization checks with single combined check that requires both user and client to match |
| uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/TokenRevocationEndpointMockMvcTest.java | Adds integration test verifying that users cannot revoke another user's tokens for the same client |
If I know your user-id, and you have revocable tokens, I can revoke your tokens using my own token
The endpoint /oauth/token/revoke/user//client/: was migrated from XML to Java with commit a1459a3.
- old version: required both the user ID and client ID in the token to match the values given in the path
- new version: or operator effectively used for the two conditions instead of and
Fixes CVE-2026-22723
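To make the OR-versus-AND defect described in the review overview and in the PR description concrete, here is an added, self-contained Java illustration. It is not UAA code and does not use the project's `SelfCheckAuthorizationManager` or Spring Security types; `Token`, `vulnerableOr` and `fixedAnd` are hypothetical stand-ins, and the user and client identifiers are constructed sample values.

```java
import java.util.Objects;

/**
 * Added illustration (not UAA code) of the authorization defect behind
 * CVE-2026-22723: two independently evaluated path checks combined with OR
 * versus one combined check that requires both to hold.
 */
public final class RevocationAuthorizationExample {

    /** Minimal view of the caller's authenticated token (hypothetical type). */
    public record Token(String userId, String clientId) {}

    /**
     * Vulnerable shape: the user-id and client-id path segments are each
     * compared to the caller's token separately and the results are OR'd.
     * Any caller whose client matches the path can therefore act on ANY
     * user's tokens for that client, and any caller whose user matches can
     * act on any client.
     */
    public static boolean vulnerableOr(Token caller, String pathUserId, String pathClientId) {
        boolean userMatches = Objects.equals(caller.userId(), pathUserId);
        boolean clientMatches = Objects.equals(caller.clientId(), pathClientId);
        return userMatches || clientMatches;
    }

    /**
     * Fixed shape: a single combined check. Both the user id and the client
     * id in the request path must match the authenticated token, so a caller
     * can only revoke their own tokens for their own client.
     */
    public static boolean fixedAnd(Token caller, String pathUserId, String pathClientId) {
        boolean userMatches = Objects.equals(caller.userId(), pathUserId);
        boolean clientMatches = Objects.equals(caller.clientId(), pathClientId);
        return userMatches && clientMatches;
    }

    public static void main(String[] args) {
        // Constructed sample: two distinct users authenticated through the same client.
        Token alice = new Token("user-alice", "client-app");
        String otherUser = "user-bob";
        String sharedClient = "client-app";

        // Same scenario as the aUserCannotRevokeClientTokens() test described above:
        // a user targeting another user's tokens while using the same client.
        System.out.println("OR  check allows cross-user revocation: "
                + vulnerableOr(alice, otherUser, sharedClient));
        System.out.println("AND check allows cross-user revocation: "
                + fixedAnd(alice, otherUser, sharedClient));

        // The legitimate case still passes under the combined check.
        System.out.println("AND check allows self revocation:       "
                + fixedAnd(alice, "user-alice", sharedClient));
    }
}
```

The point to carry over when reviewing similar code: when a path carries two identifiers that both scope a resource, authorizing on either one alone widens the permitted set to the union of both scopes; the check has to be written as one predicate over both values, which is what the PR's combined `TOKEN_REVOCATION_CLIENT_USER` check does.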