Gravitee.io - API Platform - Issues

OAuth 2.0 - Current tokens still active when disabling an application #9933

Closed exalate-issue-sync[bot] closed 2 weeks ago

exalate-issue-sync[bot] commented 1 month ago

Describe the bug :


When you disable an application on AM, you can still use the last active tokens. After disabling, we can't get new tokens, which is normal, but we can still use the last active ones.

To Reproduce :


Steps to reproduce the behavior:

  1. Create an application on AM.
  2. Create an API on APIM which would use AM in JWT or OAuth 2 plan and test if all is okay.
  3. Use this request to disable the application:


```bash
curl --location --request PATCH 'https://am.gravitee.io/management/organizations/DEFAULT/environments/DEFAULT/domains/90ebdf75-9c8b-4267-abdf-759c8bb267ca/applications/fcb9e58a-e6bd-41cd-b9e5-8ae6bd21cd4f' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: ••••••' \
  --header 'Cookie: XSRF-Graviteeio-AM-API-TOKEN=eyJraWQiOiJkZWZhdWx0LWdyYXZpdGVlLUFNLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IkhTMjU2In0.eyJpc3MiOiJodHRwczovL2dyYXZpdGVlLmFtIiwiaWF0IjoxNzIzMTk2ODY4LCJqdGkiOiJVeGhqTVhrd0pQODRmbndZTVdLVlJIc0FGMm5ndEVYZ2Y1ZjBzT1ZORVZRIiwidG9rZW4iOiJkOWExYjI4YS00YzdiLTQxZTMtODRiZC1lYzc3MzhjZmE1NjgifQ.jV-vKOaNlN1dqo9Y47up58fXv1ao_yMeUIFid5saAUU' \
  --data '{ "enabled": false }'
```

  4. Try and get a new token and you will not be able to.
  5. Now go back to the API call with the JWT or OAuth2 plan and use the last active token and you still are able to get a response.

Expected behavior :


Tokens from a disabled application should not be usable.

Desktop :


* Please see Zendesk Support tab for further comments and attachments.
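The expected behavior above, as an added example that is not part of this issue or of Gravitee AM's code: a minimal HS256 token validator that, besides signature and expiry, rejects a token as soon as the application that obtained it is disabled. The `APPLICATIONS` registry, its secret and the function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Hypothetical application registry for one AM domain (constructed sample data).
APPLICATIONS = {"app-orders": {"enabled": True, "secret": b"constructed-demo-secret"}}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(client_id: str, ttl: int = 3600, now=None) -> str:
    """Mint an HS256 JWT for client_id; refuses if the application is disabled."""
    app = APPLICATIONS[client_id]
    if not app["enabled"]:
        raise PermissionError("application is disabled")
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"client_id": client_id, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(app["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_token(token: str, now=None):
    """Return the claims if signature, expiry AND application status all pass, else None."""
    try:
        header, body, sig = token.split(".")
        claims = json.loads(_b64url_decode(body))
        app = APPLICATIONS.get(claims["client_id"])
        if app is None:
            return None
        expected = hmac.new(app["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        now = int(time.time()) if now is None else now
        if claims["exp"] <= now:
            return None
        # The check this issue asks for: a token that is still cryptographically valid
        # is rejected as soon as the application that obtained it has been disabled.
        if not app["enabled"]:
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        return None

def disable_application(client_id: str) -> None:
    """Mirror the PATCH {"enabled": false} call from the report."""
    APPLICATIONS[client_id]["enabled"] = False
```

The same status lookup belongs in an introspection endpoint or gateway policy; checking only the signature and `exp`, as a stateless verifier does, is exactly what lets the last active tokens survive the disable.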

exalate-issue-sync[bot] commented 2 weeks ago

This issue will be fixed in versions 4.4.5, 4.1.29, 4.3.12, 4.5.0, 4.2.20