Tokens from two different validGrantTypes are exchangeable! #99
Comments
It turns out that it's possible to set the Redis database per grant type directly in Swagger without modifying the code. In the YAML file, I have this: `x-volos-resources: pwOAuth2:` But only 'client_credentials' paths ( /accesstoken & /invalidate) are accessible. Calling 'password' paths, such as /login, returns the following error:
@Techna Thank you for your report! I agree this is a serious concern and I will have to investigate.
One easy solution I can think of is to store tokens for each grant type under a directory matching the grant type name (or better yet the security definition name set by the user). So, instead of storing this token in Redis using this path: Volos can add the grant type or name to the path, like the following: This easy trick will group tokens generated by each grant type and separate them from the rest.
When using OAuth2, some resources require 'password' grant type and others only need 'client_credentials'. Volos supports both, but a token generated from one grant type would grant access to endpoints and methods protected by the other!
This means that having different grant types in one API is ineffective, because a token generated from any type allows access to all resources in the API.
Since I'm testing with Redis now, I thought of hacking the code to force each grant type to use a different database. For example, 'password' would use DB0 and 'client_credentials' would use DB1. But there might be a better solution.