Access tokens can be refreshed even if Resource Owner has revoked grants to client application - Githubissues

Haufe-Lexware / wicked.haufe.io

An API Management system based on Mashape Kong

http://wicked.haufe.io

Other

123 stars 37 forks source link

Access tokens can be refreshed even if Resource Owner has revoked grants to client application #130

Closed DonMartin76 closed 5 years ago

DonMartin76 commented 5 years ago

Steps to reproduce:

Via the Authorization Code Grant, create an access/refresh token pair for an API which is using scopes, and where the client application is not trusted
This involves the user granting access to the API on behalf of himself to the client application
Now use the /auth//grants endpoint to revoke access to an API
Refresh the token using the refresh_token grant

Result:

The access token can be successfully refreshed, and it still has the original scopes assigned to it

Expected result:

The refresh token request must be denied; there is no way of creating a refreshed token with a smaller scope while not retaining the original scope of the refresh token, so the only logical consequence must be to not allow refreshing the token
The auth server must respond with 403 and unauthorized_client.

DonMartin76 commented 5 years ago

Fixed in 1.0.0-rc1