WrenSecurity / wrenam

Community fork of OpenAM, an authentication and authorization system originally developed by ForgeRock.

Evaluate and fix issue known to OpenAM as #201801-01 #10

Closed siepkes closed 1 year ago

siepkes commented 6 years ago

Since we share a common heritage with OpenAM the issue described here as "Issue #201801-01: Business Logic Vulnerability" probably affects wren:AM too.

We need to evaluate if and how this issue affects wren:AM and fix it.

The issue in the referenced document describes that it is possible to access another resource owner's access token by sending a specific type of request.

The document proposes not to use the JWT bearer token grant type as a workaround.

siepkes commented 6 years ago

Apparently in our ancestor (OpenAM) this was fixed by yanking out JWT bearer grant type support entirely. See OPENAM-11252, which is about removing the documentation for JWT bearer grant type support since support for it has been removed. The issue states that RFC 7523 section 2.1 support was incomplete and introduced a security issue and was therefore removed.

I can't find the actual security issue in FR's bug tracker. The issue is presumably hidden.

karelmaxa commented 1 year ago

Workaround (removal of JWT bearer grant type) has been introduced in https://github.com/WrenSecurity/wrenam/pull/131.

karelmaxa commented 1 year ago

I'm closing this issue because support for the JWT bearer grant type has been removed in https://github.com/WrenSecurity/wrenam/pull/131.