OpenAM as an OAuth 2.0 authorization server: in part 1, we saw how to get an authorization code. Here, we’ll see how to use it. Actually, the OAuth 2.0 RFC provides a single type of usage, but I discovered that with OpenAM 11.0, the code could be used in a second manner too …

The usual way to use the authorization code, is to get an access token, as shown below:


HTTP/1.1 302 Moved Temporarily                                                             
Cache-Control: no-store
Pragma: no-cache
Code: 1f5f1da1-ba9b-4581-8158-522313f4a504
./ AQIC…..JTSQACMDEAAlNLA…….MTAx* code 1f5f1da1-ba9b-4581-8158-522313f4a504

« access_token »: « bb61cd2a-d741-4bdf-95db-13c073f10db3 »,
« expires_in »: 59,
« refresh_token »: « 3085ab23-72ee-4409-8f86-165b01ed86a1 »,
« token_type »: « Bearer »

In the script above, I provide the following arguments:

– OpenAM token: it’s required in this case since the OAuth 2.0 token endpoint is located behind the reverse proxy where the OpenAM agent resides. Without that token, the agent would redirect the request to the OpenAM login page.

– the second parameter is the string « code ». It just means we’ll use the third argument as an authorization code. Said differently, it will generate a request to the token endpoint with the parameter « grant_type=authorization_code&code=$3 » .

– the third argument is the authorization code itself.

The Json response is expected and complies with the OAuth 2.0 RFC. Notice it contains both an access token and a refresh token.

Now, let me show you a second usage of the previously obtained authorization code:

./ AQIC…..JTSQACMDEAAlNLA…….MTAx* refresh 1f5f1da1-ba9b-4581-8158-522313f4a504
« access_token »: « f3bc5b0c-eb7f-4191-8d0c-804cf44090ac »,
« expires_in »: 59,
« scope »: « cn »,
« token_type »: « Bearer »

In this example, I use the « refresh » keyword, which will generate a request to the token endpoint with the parameter « grant_type=refresh_token&refresh_token=$3 »

So, here, the authorization code is used as a refresh token, which is not a usage compliant with the OAuth2 RFC. Moreover, it introduces a security breach since the authorization code can be used at least twice in a row instead of being single usage.

Fortunately, I had the confirmation this bug’s been fixed in more recent OpenAM versions. I look forward to test again with OpenAM 12 …


Les derniers articles par janua (tout voir)