OAuth2AuthProviderImpl loses Access Token after introspect call
chrispatmore opened this issue · 2 comments
Version
Version: 4.3.8+
Context
Whilst investigating 654, I discovered there is an issue when the AT does not validate as a JWT. In these cases (either it's an invalid JWT as far as the code is concerned, e.g. 654, or it is just an opaque token) the code then attempts a token introspect here; if this passes we know the token is valid and the `User` is created here. However, at this point the `access_token` is lost: the user placed into the context has no `access_token`, so when I then try to make a `userInfo` call or some other request to the provider, I get rejected as I supplied an invalid token (no token, for example here). I have also noticed that since the version I am testing on, a `userInfo` introspect has been added if there is no introspect endpoint here, and this adds the token back to the user here.
In short, the `OAuth2AuthProviderImpl` should be setting the `access_token` back into the `User` object when the token is valid, like happens when the token is validated using the `userInfo` endpoint, so that the token can then be used for future actions.
Edit: This also then sets the `subject` in the user wrong in some cases; for example in the Keycloak case, the JSON returned from the introspect endpoint contains `username`, which is then used to set the subject instead of the `sub` field in the response.
Do you have a reproducer?
No
Steps to reproduce
- configure an app with OIDC with a provider that gives "invalid JWTs e.g. keycloak with current code" or plain tokens
- have the app perform a `userInfo` request with the AT
- log in and get an access token
- make an API call to the app with the access token
- request will fail because the user info call will fail
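To make the expected behaviour concrete, here is an added Python sketch (not the project's Vert.x code) of the validation flow the issue describes: try the token as a JWT, otherwise fall back to introspection, and in both cases build a user that retains the `access_token` and takes its subject from `sub`. The tokens and introspection responses are constructed sample data, and signature verification of the JWT path is out of scope here.

```python
import base64
import json
import time

def _b64url(obj):
    """Base64url-encode a dict as JSON without padding (JWT segment style)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample tokens: one JWT-shaped token and two opaque ones.
SAMPLE_JWT = _b64url({"alg": "none"}) + "." + _b64url({"sub": "jwt-user", "exp": 2_000_000_000}) + ".sig"
INTROSPECTION_DB = {  # constructed stand-in for the provider's introspection endpoint
    "opaque-abc": {"active": True, "sub": "user-123", "username": "alice", "exp": 2_000_000_000},
    "opaque-old": {"active": False},
}

def introspect(token):
    """Stub introspection call; a real provider is queried over HTTPS with client auth."""
    return INTROSPECTION_DB.get(token, {"active": False})

def try_decode_jwt(token):
    """Return the payload claims if `token` has JWT shape, else None.
    Signature verification is deliberately omitted in this sketch."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(payload))
        return claims if isinstance(claims, dict) else None
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return None

def build_user(access_token, claims):
    """Build the principal the way the issue says it should be built."""
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return {
        "access_token": access_token,  # kept so userInfo/API calls can reuse it
        "subject": claims["sub"],      # from `sub`, not `username` (Keycloak returns both)
        "claims": claims,
    }

def authenticate(access_token):
    """JWT first; if it does not parse as one, fall back to introspection."""
    claims = try_decode_jwt(access_token)
    if claims is None:
        claims = introspect(access_token)
        if not claims.get("active"):
            raise ValueError("token not active")
    return build_user(access_token, claims)
```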
Closing as PR merged