Openid tokenintrospection request uses the wrong form key #810

Closed
herojan opened this issue Oct 3, 2018 · 2 comments

herojan commented Oct 3, 2018

Expected:
The filter oauthTokenintrospectionAllKV("http://configurl", "key", "value") should call the introspection_endpoint with form parameters token=$token as per https://tools.ietf.org/html/rfc7662#section-2.1

Actual:
The filter sends the form parameters access_token=$token

See:

body.Add(accessTokenKey, auth)

I can create a PR to change this if it's wanted?


szuecs commented Oct 3, 2018

Yes please, weird I thought I checked it against one of our IAM backends.
Can you create a PR to change https://github.com/zalando/skipper/blob/master/filters/auth/auth.go#L48 variable and check where it is used?
It should be only used in the oauthTokenintrospection* filters and if so it's fine to fix it according to the RFC.


herojan commented Oct 3, 2018

Grand, I opened a PR for it #811
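
The mismatch reported in this issue, as an added example that is not part of the thread or of Skipper's code: a constructed stand-in introspection endpoint that reads only the RFC 7662 `token` form parameter, called once with `access_token` and once with `token`. The names `newIntrospectionServer`, `introspect` and `formKey`, the sample token, and the stub's 400 response when `token` is missing are assumptions made for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// newIntrospectionServer is a constructed stub of an RFC 7662 section 2.1
// endpoint. It reads only the "token" form parameter; answering 400 when it
// is absent is this stub's choice, real IAM backends may respond differently.
func newIntrospectionServer(validToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := r.ParseForm(); err != nil || r.PostForm.Get("token") == "" {
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]bool{"active": r.PostForm.Get("token") == validToken})
	}))
}

// introspect posts the token under formKey (hypothetical parameter, present
// only so both keys can be compared) and returns HTTP status and "active".
func introspect(endpoint, formKey, token string) (int, bool, error) {
	body := url.Values{}
	body.Add(formKey, token)
	rsp, err := http.Post(endpoint, "application/x-www-form-urlencoded", strings.NewReader(body.Encode()))
	if err != nil {
		return 0, false, err
	}
	defer rsp.Body.Close()
	var info struct{ Active bool `json:"active"` }
	if rsp.StatusCode == http.StatusOK {
		err = json.NewDecoder(rsp.Body).Decode(&info)
	}
	return rsp.StatusCode, info.Active, err
}

func main() {
	srv := newIntrospectionServer("constructed-token")
	defer srv.Close()
	for _, key := range []string{"access_token", "token"} {
		status, active, err := introspect(srv.URL, key, "constructed-token")
		fmt.Println(key, status, active, err)
	}
}
```

With a backend like this stub, a valid token sent under `access_token` is never seen as active, so every request through the filter fails authentication until the key is changed to `token`.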
