wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

DCR GET / DELETE Endpoints giving `401 Unauthorized` response when the client id and client name are incorrect #21624

Open ShanChathusanda93 opened 1 day ago

ShanChathusanda93 commented 1 day ago

Describe the issue: When calling the DCR GET endpoint with an invalid client id or an invalid client name, it gives a 401 Unauthorized response.

DCR GET - Client ID

https://localhost:9443/t/carbon.super/api/identity/oauth2/dcr/v1.1/register/{{CLIENT_ID}}

DCR GET - Client Name

https://localhost:9443/t/carbon.super/api/identity/oauth2/dcr/v1.1/register/client_name={{CLIENT_NAME}}

Same occurs when calling the delete endpoint

https://localhost:9443/t/carbon.super/api/identity/oauth2/dcr/v1.1/register/{{CLIENT_ID}}

How to reproduce:

  1. Create an OAuth2 application.
  2. Try to get the created OAuth2 application from the DCR GET endpoint with the client id.
  3. Now add an invalid client id and execute the DCR GET.
  4. Try to delete the created application from DCR DELETE.
  5. Try the deletion with an invalid client id.
  6. In both of the above invalid scenarios the HTTP response code is 401 Unauthorized.

Expected behavior:

Environment information (Please complete the following information; remove any unnecessary fields) :
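The reproduction steps above, turned into a small probe, as an added example that is not part of the issue or of the product-is code base. It assumes (none of this is stated in the issue) that the DCR endpoint accepts HTTP Basic authentication, that a POST to `/register` creates an application and answers 201 with a JSON body containing `client_id`, that a local instance listens on `https://localhost:9443` with a self-signed certificate and `admin:admin`, and the registration payload and the bogus id are constructed. The point of the probe is the discriminating check a triager wants: the GET with the real client id is sent with the same `Authorization` header as the GET with the bogus id, so if the former returns 200 the 401 on the latter cannot be an authentication failure.

```python
"""Status-code probe for the WSO2 IS DCR v1.1 register endpoint.

Added example for the issue above; it is not code from the product-is
repository.  Assumptions (not stated in the issue): the endpoint accepts
HTTP Basic authentication, a POST to /register creates an application and
returns 201 with a JSON body containing "client_id", and the local server
uses a self-signed certificate.  The HTTP transport is injectable so the
probe logic can be exercised offline.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request

DCR_PATH = "/t/carbon.super/api/identity/oauth2/dcr/v1.1/register"


def make_urllib_transport(verify_tls=True):
    """Return a transport(method, url, headers, body) -> (status, text)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # dev box with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def transport(method, url, headers, body=None):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            # 4xx/5xx arrive as exceptions; the status code is what we want
            return err.code, err.read().decode("utf-8", "replace")

    return transport


def basic_auth_header(username, password):
    """Headers for HTTP Basic auth plus a JSON content type."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Content-Type": "application/json"}


def probe_dcr(base_url, headers, transport, bogus_id="no-such-client-id"):
    """Run the issue's reproduction steps and classify the result.

    Registers an application, then issues GET and DELETE with the real
    client_id and with a client_id that cannot exist, all under the same
    credentials.  Returns the status code of every step plus a verdict.
    """
    url = base_url.rstrip("/") + DCR_PATH
    payload = json.dumps({  # constructed sample registration request
        "client_name": "dcr-status-probe",
        "grant_types": ["client_credentials"],
    }).encode()
    r = {}

    r["create"], body = transport("POST", url, headers, payload)
    if r["create"] != 201:
        r["reproduced"] = False
        r["verdict"] = f"registration returned {r['create']}; cannot evaluate"
        return r
    client_id = json.loads(body)["client_id"]

    r["get_valid"], _ = transport("GET", f"{url}/{client_id}", headers)
    r["get_invalid"], _ = transport("GET", f"{url}/{bogus_id}", headers)
    r["delete_invalid"], _ = transport("DELETE", f"{url}/{bogus_id}", headers)
    r["delete_valid"], _ = transport("DELETE", f"{url}/{client_id}", headers)  # cleanup

    # The valid-id GET succeeding with the same Authorization header proves
    # the credentials were accepted, so a 401 on the bogus id cannot be an
    # authentication failure: that is the misleading code the issue reports.
    credentials_ok = r["get_valid"] == 200
    bad_401 = 401 in (r["get_invalid"], r["delete_invalid"])
    r["reproduced"] = credentials_ok and bad_401
    if not credentials_ok:
        r["verdict"] = "valid id not retrievable; check credentials/endpoint first"
    elif bad_401:
        r["verdict"] = "401 for an unknown client id although credentials were accepted"
    else:
        r["verdict"] = (f"unknown id -> GET {r['get_invalid']}, "
                        f"DELETE {r['delete_invalid']}")
    return r


if __name__ == "__main__":
    # Assumed local defaults: https://localhost:9443 with admin:admin.
    live = make_urllib_transport(verify_tls=False)
    for step, value in probe_dcr("https://localhost:9443",
                                 basic_auth_header("admin", "admin"), live).items():
        print(f"{step:>15}: {value}")
```

Because the transport is a plain callable, the same `probe_dcr` can be pointed at a stub that returns canned status codes, which is how the verdict logic is checked without a running server; against a real instance, `reproduced` being `True` is the signal that the 401 is being returned for a lookup failure rather than for rejected credentials.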

Thumimku commented 1 day ago

Reduced severity and priority based on the description because this is a negative request and there is no severe impact. CC: @ShanChathusanda93