Bug: able to obtain a token with default scopes even if they are not present in the application scopes when using client credentials #1558

Merged
merged 3 commits into from
Mar 30, 2022

@enrico enrico commented Feb 21, 2022

see description of issue #1557

…ll return a token with the default scope even if the application scope does NOT include it.
lib/doorkeeper/oauth/client_credentials/validator.rb Outdated
spec/requests/flows/client_credentials_spec.rb Outdated

enrico commented Feb 21, 2022

not sure how to re-trigger houndci. I addressed the issues found in my second commit.

@enrico enrico changed the title Fixes issue #1557 Bug: able to obtain a token with default scopes even if they are not present in the application scopes when using client credentials Mar 11, 2022

@nbulaj nbulaj left a comment

LGTM

@nbulaj nbulaj merged commit 389f2f5 into doorkeeper-gem:main Mar 30, 2022
nbulaj commented Mar 30, 2022

Thanks @enrico

enrico commented Apr 21, 2022

@nbulaj you're welcome!
I'm assuming you are planning to incorporate this in 5.6.0, correct? If so, do you have an ETA for the release?

jsugarman added a commit to ministryofjustice/laa-hmrc-interface-service-api that referenced this pull request Sep 15, 2022
The bump to 5.6.0 broke our hmrc submissions
following the change in [pull request 1558](doorkeeper-gem/doorkeeper#1558)
which are documented in the CHANGELOG as:

[#1558] Fixed bug: able to obtain a token with default scopes even if they are not present in the application scopes when using client credentials.
jsugarman added a commit to ministryofjustice/laa-hmrc-interface-service-api that referenced this pull request Sep 15, 2022
The minor bump to 5.6.0 broke our hmrc submissions
following the change in [pull request 1558](doorkeeper-gem/doorkeeper#1558)
which are documented in the CHANGELOG as:

[#1558] Fixed bug: able to obtain a token with default scopes even if they are not present in the application scopes when using client credentials.
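
The check named in the PR title, and why a client that sends no scope can stop receiving tokens once it is enforced, modelled as an added Ruby example. This is not Doorkeeper's code: the method names, the shape of the weak check and the sample scopes are assumptions made for illustration.

```ruby
# Added illustration; method and constant names are hypothetical, not Doorkeeper's API.
InvalidScope = Class.new(StandardError)

# Constructed sample configuration.
DEFAULT_SCOPES = %w[public].freeze                     # server-wide default scopes
APP_SCOPES     = %w[use_case_one use_case_two].freeze  # scopes registered for the client

# Scopes a token would carry: the requested ones, or the server defaults
# when the request has no scope parameter.
def effective_scopes(requested, defaults)
  scopes = requested.to_s.split
  scopes.empty? ? defaults : scopes
end

# Weak check (assumed shape of the flaw): only explicitly requested scopes
# are compared with the application's scopes; the default fallback is not.
def grant_weak(requested, app_scopes, defaults)
  extra = requested.to_s.split - app_scopes
  raise InvalidScope, "invalid_scope: #{extra.join(' ')}" unless extra.empty?
  effective_scopes(requested, defaults)
end

# Corrected check: everything that ends up in the token, defaults included,
# must be registered for the application.
def grant_strict(requested, app_scopes, defaults)
  granted = effective_scopes(requested, defaults)
  extra = granted - app_scopes
  raise InvalidScope, "invalid_scope: #{extra.join(' ')}" unless extra.empty?
  granted
end

# Returns the granted scopes, or the error message when the grant is refused.
def outcome(check, requested, app_scopes = APP_SCOPES, defaults = DEFAULT_SCOPES)
  send(check, requested, app_scopes, defaults).join(" ")
rescue InvalidScope => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  puts outcome(:grant_weak, nil)              # token carries a scope the app never registered
  puts outcome(:grant_strict, nil)            # the same request is refused
  puts outcome(:grant_strict, "use_case_one") # client names a registered scope
  puts outcome(:grant_strict, nil, APP_SCOPES + DEFAULT_SCOPES) # or the app registers the default
end
```

In this model, a client that relied on the default fallback has two ways to keep working under the strict check: request a scope registered for its application, or have the default scope added to the application's scopes.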