
User can get token via client_credentials or password grants #808

Closed
socket70 opened this issue Jul 16, 2016 · 10 comments

@socket70 commented Jul 16, 2016

This is a simple authorization server based on the samples. The only real difference is I plug in a custom UserDetailsService and ClientDetailsService. They just hardcode the credentials but I was working on implementing the database when I came across this.

The problem: if you have both a client and a user with the same ID (clientId and username) the user can get an access token using the client_credentials or password grant flow.

Here is the sample code.

Am I doing something wrong or is this a bug?

Thanks.

@benkiefer commented Aug 10, 2016

@dsyer This is a security issue that is easily reproducible. Can you take a look at this?

@benkiefer commented Aug 16, 2016

@jgrandja I saw you made several commits to this repository, and wanted to see if you could look at this.

We were able to patch it in our own code base by overriding the appropriate endpoints and adding pre-checks to ensure the authorization is the right type/user.

This exploit is easy to reproduce because the client id is part of the query parameters for the authorization flow.
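A constructed Python model of the collision described in this issue and of the principal-type pre-check mentioned in the comment above. It is added here as an illustration, is not Spring Security OAuth's code, and every name, store and credential in it is made up.

```python
"""Constructed model of the #808 collision (not Spring code; names hypothetical).
The token endpoint authenticates its caller through a chain that consults BOTH the
client store and the user store, then reads allowed grants from the client store."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str  # "client" (ClientDetailsService) or "user" (UserDetailsService)


# Constructed sample data: a client and a user that share the identifier "acme".
CLIENTS = {"acme": {"secret": "s3cr3t", "grants": {"client_credentials", "password"}}}
USERS = {"acme": {"password": "hunter2"}}


def authenticate_caller(name: str, credential: str):
    """Models an authentication manager whose providers are tried in order:
    client secret first, then user password. The second provider is what lets a
    user present their own password where a client secret was expected."""
    client = CLIENTS.get(name)
    if client and client["secret"] == credential:
        return Principal(name, "client")
    user = USERS.get(name)
    if user and user["password"] == credential:
        return Principal(name, "user")
    return None


def issue_token(name: str, credential: str, grant_type: str, check_type: bool) -> str:
    """Token endpoint. With check_type=False it trusts any authenticated caller
    (the reported behaviour); with check_type=True it rejects principals that
    did not come from the client store (the pre-check described in the thread)."""
    caller = authenticate_caller(name, credential)
    if caller is None:
        return "401 invalid_client"
    if check_type and caller.kind != "client":
        return "401 invalid_client"  # a user identity is not a client credential
    client = CLIENTS[caller.name]  # name collision: user "acme" resolves to client "acme"
    if grant_type not in client["grants"]:
        return "400 unauthorized_grant_type"
    return f"200 access_token for client={caller.name} grant={grant_type}"


if __name__ == "__main__":
    # User "acme" presents their own password, not the client secret.
    print(issue_token("acme", "hunter2", "client_credentials", check_type=False))
    print(issue_token("acme", "hunter2", "client_credentials", check_type=True))
    print(issue_token("acme", "s3cr3t", "client_credentials", check_type=True))
```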

@jgrandja jgrandja self-assigned this Aug 16, 2016

@jgrandja (Contributor) commented Aug 16, 2016

@benkiefer @socket70 I'm looking into this now.

@jgrandja jgrandja added the Bug label Aug 18, 2016

@jgrandja jgrandja changed the title from "If user and client have the same name, user can login as a client with client_credentials or password grant flows" to "User can get token via client_credentials or password grants" Aug 18, 2016

jgrandja added a commit to jgrandja/spring-security-oauth that referenced this issue Aug 18, 2016

jgrandja added a commit to jgrandja/spring-security-oauth that referenced this issue Aug 25, 2016

@jgrandja jgrandja added this to the 2.0.11 milestone Aug 25, 2016

@jgrandja (Contributor) commented Aug 25, 2016

@socket70 @benkiefer Thank you for reporting this! A fix has been applied and has been merged to master. Release is going out shortly.

@benkiefer commented Aug 25, 2016

@jgrandja Thank you!

@jgrandja (Contributor) commented Aug 31, 2016

See blog post

@socket70 (Author) commented Aug 31, 2016

Thank you @jgrandja

@benkiefer commented Aug 31, 2016

Thank you!

@jfneis commented Dec 20, 2017

Sorry for commenting 1 year later, but this bug fix is still confusing to me.

We have a scenario with client credentials and password authentication enabled, and we are trying to use /oauth/check_token endpoint to check if a provided token is valid.

What happens is that, even when sending a client_credentials token to check_token, Spring is trying to validate it against UserDetailsService (which, in our case, doesn't know about the client credential username).

Is that the expected behavior? Shouldn't check_token use ClientDetailsService in this case?

@jfneis commented Dec 21, 2017

Please ignore my previous question. After rebuilding the whole application I found a typo in the check_token endpoint, which was causing Spring to consider it a regular endpoint (as expected!).
