
Reject grant_type=client_credentials token requests containing scope=offline_access #12802

Status: Merged (1 commit), Nov 22, 2022

kevinchalet (Member)
We recently added the ability to automatically grant the requested scopes for grant_type=client_credentials (which requires that the client be granted the corresponding scope permissions, of course), but we forgot to add a check to prevent a refresh token from being requested via scope=offline_access, which is a scenario we deliberately don't allow. We have a check blocking grant_type=refresh_token requests in this case:

```csharp
if (request.IsRefreshTokenGrantType())
{
    // Refresh tokens obtained via client_credentials carry a non-user entity type,
    // so a refresh_token grant presenting one is refused with unauthorized_client.
    var type = info.Principal.FindFirst(OpenIdConstants.Claims.EntityType)?.Value;
    if (!string.Equals(type, OpenIdConstants.EntityTypes.User))
    {
        return Forbid(new AuthenticationProperties(new Dictionary<string, string>
        {
            [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.UnauthorizedClient,
            [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] =
                "The refresh token grant type is not allowed for refresh tokens retrieved using the client credentials flow."
        }), OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
    }
}
```

Since there's no point returning a refresh token that won't be usable, we should add a check to prevent the offline_access scope from being requested in the first place. That's exactly what this PR does 😄
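The following is an added, self-contained C# model of the two checks discussed above: the pre-existing entity-type check on grant_type=refresh_token, and the new rejection of scope=offline_access on grant_type=client_credentials. It is not OrchardCore's or OpenIddict's own code; the `TokenRequest`/`TokenError` types, the claim name `entity_type`, the entity-type values, and the choice of `invalid_scope` as the error code for the new check are assumptions made for this example (in OpenIddict the equivalent request tests would be `request.IsClientCredentialsGrantType()` and `request.HasScope(Scopes.OfflineAccess)`).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical request/error shapes standing in for OpenIddictRequest and the
// AuthenticationProperties error bag used in the real controller. Not OrchardCore code.
public sealed record TokenRequest(string GrantType, IReadOnlyList<string> Scopes);
public sealed record TokenError(string Error, string Description);

public static class TokenEndpointChecks
{
    // OAuth 2.0 / OIDC wire values (these match the real constants' values).
    public const string ClientCredentialsGrant = "client_credentials";
    public const string RefreshTokenGrant = "refresh_token";
    public const string OfflineAccessScope = "offline_access";
    public const string UnauthorizedClientError = "unauthorized_client";
    public const string InvalidScopeError = "invalid_scope";

    // Assumed claim name and values; the real project uses its own OpenIdConstants.
    public const string EntityTypeClaim = "entity_type";
    public const string UserEntityType = "user";
    public const string ApplicationEntityType = "application";

    // New check: a client_credentials request must not ask for offline_access,
    // because the resulting refresh token could never be redeemed anyway.
    public static TokenError? CheckClientCredentialsScopes(TokenRequest request)
    {
        if (request.GrantType == ClientCredentialsGrant &&
            request.Scopes.Contains(OfflineAccessScope, StringComparer.Ordinal))
        {
            return new TokenError(InvalidScopeError,
                "The offline_access scope cannot be requested with the client credentials grant.");
        }
        return null;
    }

    // Existing check (as quoted in the PR description): a refresh token whose
    // principal is not a user was issued through client_credentials and is refused.
    public static TokenError? CheckRefreshTokenPrincipal(TokenRequest request, ClaimsPrincipal principal)
    {
        if (request.GrantType != RefreshTokenGrant)
        {
            return null;
        }
        var type = principal.FindFirst(EntityTypeClaim)?.Value;
        if (!string.Equals(type, UserEntityType, StringComparison.Ordinal))
        {
            return new TokenError(UnauthorizedClientError,
                "The refresh token grant type is not allowed for refresh tokens retrieved using the client credentials flow.");
        }
        return null;
    }

    private static ClaimsPrincipal PrincipalWithEntityType(string entityType) =>
        new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(EntityTypeClaim, entityType) }));

    public static void Main()
    {
        // Constructed requests for the demonstration.
        var ccWithOffline = new TokenRequest(ClientCredentialsGrant, new[] { "api", OfflineAccessScope });
        var ccPlain = new TokenRequest(ClientCredentialsGrant, new[] { "api" });
        var refresh = new TokenRequest(RefreshTokenGrant, Array.Empty<string>());

        Console.WriteLine("client_credentials + offline_access: " +
            (CheckClientCredentialsScopes(ccWithOffline)?.Error ?? "accepted"));
        Console.WriteLine("client_credentials without offline_access: " +
            (CheckClientCredentialsScopes(ccPlain)?.Error ?? "accepted"));
        Console.WriteLine("refresh_token with application principal: " +
            (CheckRefreshTokenPrincipal(refresh, PrincipalWithEntityType(ApplicationEntityType))?.Error ?? "accepted"));
        Console.WriteLine("refresh_token with user principal: " +
            (CheckRefreshTokenPrincipal(refresh, PrincipalWithEntityType(UserEntityType))?.Error ?? "accepted"));
    }
}
```

The first check runs at request validation time, before any token is minted, so a client that sends scope=offline_access with client_credentials gets an error response rather than a dead refresh token; the second check remains as defence in depth for any refresh token that was issued before the fix.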

@kevinchalet kevinchalet added this to the 1.6 milestone Nov 12, 2022
@kevinchalet kevinchalet merged commit 00742b3 into OrchardCMS:main Nov 22, 2022
@kevinchalet kevinchalet deleted the client_credentials_scopes branch November 22, 2022 18:02
HengzheLi

So, does that mean that after this change, a client granted client_credentials has to request a new access token instead of refreshing the access token using a refresh token?

kevinchalet (Member, Author) commented Nov 23, 2022

To get a new access token with client_credentials, simply send a new grant_type=client_credentials request instead of using refresh tokens.

grant_type=refresh_token with a refresh token issued after a first grant_type=client_credentials has never been supported, this PR just fixes a regression introduced in the last OC patch that allowed a refresh token to be returned (but you can't use it so there's really no point returning it in the first place).
