wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

"request" token binding validation fails #20604

Open mifrazmurthaja opened 3 days ago

mifrazmurthaja commented 3 days ago

Describe the issue: With https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/2018, if it is enabled and the "Validate token binding" option is enabled, the userinfo API execution fails, since a valid Token Binder is not available for the binding type `request`.

However, similar to skipping the binding validation at isValidTokenBinding, the binding validation should be skipped for request binding as well, since this cannot be validated.

How to reproduce:

  1. Add the configuration below.
     ```toml
     [oauth.jwt.renew_token_without_revoking_existing]
     enable = true
     allowed_grant_types = ["client_credentials", "authorization_code"]
     ```
  2. Enable "Validate token binding" on the service provider configurations.
  3. Obtain an access token using the authorization_code grant type and invoke the userinfo endpoint using the obtained access token.
  4. It will return the following error.
     ```json
     {
         "error_description": "Valid token binding value not present in the request.",
         "error": "invalid_request"
     }
     ```

Expected behavior: The token binding validation should succeed, and the userinfo API (or any other API) should function correctly. A separate token binder should be implemented if there is a valid requirement to validate the request binding type.

Environment information

Related issues: https://github.com/wso2/product-is/issues/20513
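The following is an added, constructed model of the validation decision the issue describes; it is not code from WSO2 Identity Server, the linked PR, or the issue author. The `BINDERS` registry, the `AccessToken` and `Request` types, the `cookie_binder` and its `atbv` cookie name are all assumptions made for illustration. It contrasts the reported behaviour (a bound token whose type has no registered binder is rejected once "Validate token binding" is on) with the proposed behaviour (skip validation for a type such as `request` that cannot be re-checked later, while still enforcing types that do have a binder).

```python
"""Model of access-token binding validation at a resource endpoint such as userinfo.

Added illustration only; the registry, types and the cookie binder are assumptions,
not the project's implementation.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Error body quoted in the issue report.
INVALID_REQUEST = {
    "error": "invalid_request",
    "error_description": "Valid token binding value not present in the request.",
}


@dataclass
class AccessToken:
    value: str
    binding_type: Optional[str]   # e.g. "request", "cookie", or None for an unbound token
    binding_value: Optional[str]


@dataclass
class Request:
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


def cookie_binder(token: AccessToken, request: Request) -> bool:
    """Assumed binder: a cookie-bound token is valid only if the same cookie arrives."""
    return request.cookies.get("atbv") == token.binding_value


# Binding type -> validator. "request" is deliberately absent: it is applied at
# issuance and carries nothing that a later API call could be checked against.
BINDERS: Dict[str, Callable[[AccessToken, Request], bool]] = {"cookie": cookie_binder}


def validate_strict(token: AccessToken, request: Request, validate_binding: bool = True):
    """Behaviour reported in the issue: with validation enabled, a bound token whose
    binding type has no registered binder is rejected, so userinfo fails."""
    if not validate_binding or token.binding_type is None:
        return None
    binder = BINDERS.get(token.binding_type)
    if binder is None or not binder(token, request):
        return INVALID_REQUEST
    return None


def validate_skip_unverifiable(token: AccessToken, request: Request, validate_binding: bool = True):
    """Proposed behaviour: a binding type with no binder (such as "request") is skipped
    rather than failing the call; types that do have a binder are still enforced."""
    if not validate_binding or token.binding_type is None:
        return None
    binder = BINDERS.get(token.binding_type)
    if binder is None:
        return None
    return None if binder(token, request) else INVALID_REQUEST


if __name__ == "__main__":
    # Constructed reproduction: a token bound with type "request" calling userinfo.
    tok = AccessToken("access-token-1", "request", "req-binding-1")
    print("reported :", validate_strict(tok, Request()))
    print("proposed :", validate_skip_unverifiable(tok, Request()))
```

The point to keep in mind when applying such a skip is its scope: it should only cover binding types for which no binder exists, so that a cookie- or similar-bound token still fails when the expected binding value is missing from the request.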