OpenAM as an OAuth 2.0 authorization server: in part 1, we saw how to get an authorization code. Here, we’ll see how to use it. The OAuth 2.0 RFC defines a single use for it, but I discovered that with OpenAM 11.0 the code could be used in a second way too …

The usual way to use the authorization code is to exchange it for an access token, as shown below:

./get_OAuth2_code.sh AQIC…..JTSQACMDEAAlNLA…….MTAx*

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-store
Pragma: no-cache
Location:
302
Code: 1f5f1da1-ba9b-4581-8158-522313f4a504
./get_access_token.sh AQIC…..JTSQACMDEAAlNLA…….MTAx* code 1f5f1da1-ba9b-4581-8158-522313f4a504

{
"access_token": "bb61cd2a-d741-4bdf-95db-13c073f10db3",
"expires_in": 59,
"refresh_token": "3085ab23-72ee-4409-8f86-165b01ed86a1",
"token_type": "Bearer"
}

In the script above, I provide the following arguments:

– OpenAM token: it’s required in this case because the OAuth 2.0 token endpoint sits behind the reverse proxy where the OpenAM agent resides. Without that token, the agent would redirect the request to the OpenAM login page.

– the second parameter is the string « code ». It simply means the third argument will be used as an authorization code. Said differently, the script sends a request to the token endpoint with the parameters « grant_type=authorization_code&code=$3 ».

– the third argument is the authorization code itself.

The JSON response is as expected and complies with the OAuth 2.0 RFC. Notice it contains both an access token and a refresh token.

Now, let me show you a second usage of the previously obtained authorization code:

./get_access_token.sh AQIC…..JTSQACMDEAAlNLA…….MTAx* refresh 1f5f1da1-ba9b-4581-8158-522313f4a504
{
"access_token": "f3bc5b0c-eb7f-4191-8d0c-804cf44090ac",
"expires_in": 59,
"scope": "cn",
"token_type": "Bearer"
}

In this example, I use the « refresh » keyword, which makes the script send a request to the token endpoint with the parameters « grant_type=refresh_token&refresh_token=$3 ».

So, here, the authorization code is accepted as a refresh token, a usage that is not compliant with the OAuth 2.0 RFC. Moreover, it introduces a security weakness: the authorization code can be used at least twice in a row instead of being single-use, as the RFC requires.
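To make the expected behaviour concrete, here is an added example (not OpenAM code, and not part of the original post) of a minimal RFC 6749-style token endpoint that keeps authorization codes and refresh tokens in separate stores and consumes a code on first use, together with a checker that replays the post’s two requests against any token endpoint exposed as a callable. Class and function names, and the token values, are constructed for the example.

```python
"""Model of a compliant OAuth 2.0 token endpoint (RFC 6749) plus a checker
that replays the two requests from the post. Added example, not OpenAM code;
names and token values are constructed."""
import secrets


class TokenEndpoint:
    """Minimal in-memory authorization server: codes and refresh tokens live
    in separate stores, and an authorization code is consumed on first use."""

    def __init__(self):
        self.codes = {}            # authorization code -> granted scope
        self.refresh_tokens = {}   # refresh token -> granted scope

    def issue_code(self, scope):
        code = secrets.token_hex(8)
        self.codes[code] = scope
        return code

    def token(self, params):
        grant = params.get("grant_type")
        if grant == "authorization_code":
            # RFC 6749 §4.1.2: a code MUST NOT be used more than once,
            # so pop() removes it from the store on the first exchange.
            scope = self.codes.pop(params.get("code"), None)
            if scope is None:
                return {"error": "invalid_grant"}
            refresh = secrets.token_hex(8)
            self.refresh_tokens[refresh] = scope
            return {"access_token": secrets.token_hex(8), "token_type": "Bearer",
                    "expires_in": 59, "refresh_token": refresh, "scope": scope}
        if grant == "refresh_token":
            # Only values issued as refresh tokens are looked up here, so an
            # authorization code presented as refresh_token is rejected.
            scope = self.refresh_tokens.get(params.get("refresh_token"))
            if scope is None:
                return {"error": "invalid_grant"}
            return {"access_token": secrets.token_hex(8), "token_type": "Bearer",
                    "expires_in": 59, "scope": scope}
        return {"error": "unsupported_grant_type"}


def check_code_handling(token, code):
    """Replay the post's requests against `token` (a callable taking the form
    parameters as a dict) and report which RFC 6749 rules the endpoint honours."""
    first = token({"grant_type": "authorization_code", "code": code})
    as_refresh = token({"grant_type": "refresh_token", "refresh_token": code})
    again = token({"grant_type": "authorization_code", "code": code})
    return {
        "code_exchanged": "access_token" in first,
        "code_rejected_as_refresh_token": "access_token" not in as_refresh,
        "code_single_use": "access_token" not in again,
    }
```

Against a real deployment, `token` would be a small wrapper that POSTs the parameters to the token endpoint and returns the parsed JSON; on the OpenAM 11.0 behaviour described above, `code_rejected_as_refresh_token` would come back False.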

Fortunately, I have had confirmation that this bug has been fixed in more recent OpenAM versions. I look forward to testing again with OpenAM 12 …


janua