Describe the issue: With https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/2018, if it's enabled and the "Validate token binding" option is enabled, the userinfo API execution fails, since a valid Token Binder is not available for the binding type: request

However, similar to skipping the binding validation at isValidTokenBinding, the binding validation should be skipped for request binding as well, since this cannot be validated.

How to reproduce:
1. Enable "Validate token binding" on the service provider configurations.
2. Obtain an access token using authorization_code grant type and invoke userinfo endpoint using the obtained access token.
3. It will return the following error.

{
  "error_description": "Valid token binding value not present in the request.",
  "error": "invalid_request"
}

Expected behavior: The token binding validation should succeed, and the userinfo API (or any other API) should function correctly. A separate token binder should be implemented if there is a valid requirement to validate the request binding type.
Environment information
Related issues: https://github.com/wso2/product-is/issues/20513