When you are using the UserCredentials grant, the default TokenController doesn't check whether the Client Credentials user_id matches the UserCredentials user_id.
This means that when you are requesting a token you can use any valid client_id + client_secret and username + password combo to get a valid token for the user(name).
It's hard to detect because the token response doesn't contain user info, but TokenController should check whether the user_ids match.
TokenController::grantAccessToken() should probably contain something like this:
```php
// Proposed addition inside TokenController::grantAccessToken()
if (!$clientInfo = $this->clientStorage->getClientDetails($clientId)) {
    $response->setError(400, 'unauthorized_client', 'The grant type is unauthorized for this client');
    return null;
}
// user_id the client is bound to (from client storage) vs user_id the grant resolved
$userId = $clientInfo['user_id'] ?? null;
$matchUserId = $grantType->getUserId();
if (!isset($userId) || !($userId === $matchUserId)) {
    $response->setError(400, 'unauthorized_client', 'The grant type is unauthorized for this client');
    return null;
}
```
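A standalone PHP model of the cross-check described in this issue, added here as an illustration and not code from oauth2-server-php or the issue author. The client and user tables are constructed, hash_equals stands in for the real storage validation, and treating a client with no bound user_id as unrestricted is an assumption of the example, not something the issue specifies.

```php
<?php
// Added example, not the project's code. Constructed client and user tables
// stand in for ClientStorage and UserCredentialsStorage; secrets are plaintext
// only because the data is constructed.
$clients = [
    'app-alice' => ['client_secret' => 'secret-a', 'user_id' => 'alice'], // bound to alice
    'service'   => ['client_secret' => 'secret-s', 'user_id' => null],    // no bound user
];
$users = ['alice' => 'pw-alice', 'bob' => 'pw-bob'];

/**
 * Minimal UserCredentials (password) grant with the cross-check the issue asks for.
 * Returns an error array on failure, or a token array on success.
 */
function grantAccessToken(array $clients, array $users, string $clientId, string $clientSecret,
                          string $username, string $password): array
{
    $client = $clients[$clientId] ?? null;
    if ($client === null || !hash_equals($client['client_secret'], $clientSecret)) {
        return ['error' => 'invalid_client'];
    }
    // Resource-owner password check (what the grant type already validates).
    if (!isset($users[$username]) || !hash_equals($users[$username], $password)) {
        return ['error' => 'invalid_grant'];
    }
    $grantUserId = $username;
    // The missing check: a client bound to a user may only mint tokens for that user.
    // Assumption of this example: a client with user_id === null is unbound and allowed,
    // so existing unbound clients keep working.
    $boundUserId = $client['user_id'];
    if ($boundUserId !== null && $boundUserId !== $grantUserId) {
        return ['error' => 'unauthorized_client'];
    }
    return ['access_token' => bin2hex(random_bytes(16)), 'user_id' => $grantUserId];
}

// Constructed requests: the second one is the combination the issue describes,
// app-alice's client credentials paired with bob's username and password.
$requests = [
    ['app-alice', 'secret-a', 'alice', 'pw-alice'],
    ['app-alice', 'secret-a', 'bob',   'pw-bob'],
    ['service',   'secret-s', 'bob',   'pw-bob'],
];
foreach ($requests as [$cid, $csec, $user, $pw]) {
    $result = grantAccessToken($clients, $users, $cid, $csec, $user, $pw);
    printf("%-10s as %-6s => %s\n", $cid, $user, $result['error'] ?? 'token for ' . $result['user_id']);
}
```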
whvandervelde changed the title from "UserCredential grant doesn't verify user_id vs Client Credentials user_id" to "User Credentials grant doesn't verify user_id vs Client Credentials user_id" on Jun 27, 2022.