[ https://issues.apache.org/jira/browse/CXF-4673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13510432#comment-13510432 ]

Sergey Beryozkin commented on CXF-4673:
---------------------------------------

IMHO if a client is allowed to bypass the end-user authorization by utilizing a 
pre-authorized token, then having the client effectively override what this 
token allows the client to do (re scopes) is a security concern...

ServerAccessToken only has a list of effective scopes which, in the case of the 
redirection flows, is what the provider thought was the combination of the 
original client scopes and those actually approved by the user as provided by 
AccessTokenRegistration.

So if a pre-authorized ServerAccessToken is available, it already has the 
effective scope/permissions.

See what I mean?

> [OAuth2] Add requestedScope as a parameter to getPreauthorizedToken
> -------------------------------------------------------------------
>
>                 Key: CXF-4673
>                 URL: https://issues.apache.org/jira/browse/CXF-4673
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 2.7.0
>            Reporter: Steven Tippetts
>
> When using pre-authorized tokens, I need the requested scope to be able to 
> create the token.
> Please change the OAuthDataProvider interface to include:
> {code}
> ServerAccessToken getPreauthorizedToken(Client client,
>                                         UserSubject subject,
>                                         String grantType, 
>                                         List<String> requestedScope)
>     throws OAuthServiceException;
> {code}
> And change RedirectionBasedGrantService.java and AbstractGrantHandler.java to 
> pass the requestedScope variable in to getPreauthorizedToken.
> Thanks.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
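The concern raised in the comment above, as an added example that is not CXF's own code: a provider that accepts the four-argument getPreauthorizedToken proposed in the issue but treats the scopes already recorded on the stored ServerAccessToken as the ceiling, so a client can narrow what it receives but cannot widen it past what the user approved. The class name, the in-memory store keyed by client id, user login and grant type, the preauthorize helper and the sample client/user/scope values are constructed for this illustration; the CXF 2.7 constructors used to build the sample objects (Client, UserSubject, BearerAccessToken, OAuthPermission) are assumed from that release's API.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;

/**
 * Illustrative (not CXF's own) lookup of a pre-authorized token that takes the
 * requestedScope parameter proposed in CXF-4673 but refuses to let it widen the
 * effective scopes already recorded on the stored ServerAccessToken.
 */
public class ScopeBoundPreauthorizedTokens {

    // Hypothetical in-memory store: one pre-authorized token per
    // (client id, user login, grant type). A real provider would persist this.
    private final Map<String, ServerAccessToken> store = new HashMap<String, ServerAccessToken>();

    private static String key(Client client, UserSubject subject, String grantType) {
        return client.getClientId() + "|" + subject.getLogin() + "|" + grantType;
    }

    /** Records the token the provider issued when the user approved this client. */
    public void preauthorize(Client client, UserSubject subject, String grantType, ServerAccessToken token) {
        store.put(key(client, subject, grantType), token);
    }

    /** Scope names the provider actually recorded on the token (the effective scopes). */
    static Set<String> effectiveScopes(ServerAccessToken token) {
        Set<String> names = new HashSet<String>();
        for (OAuthPermission p : token.getScopes()) {
            names.add(p.getPermission());
        }
        return names;
    }

    /**
     * Returns the stored token when the client asks for nothing (use it as-is)
     * or for a subset of the approved scopes; throws invalid_scope otherwise,
     * so the pre-authorization path cannot be used to escalate past the
     * user's approval. Returning null lets the normal consent flow run.
     */
    public ServerAccessToken getPreauthorizedToken(Client client, UserSubject subject,
                                                   String grantType, List<String> requestedScope)
        throws OAuthServiceException {
        ServerAccessToken token = store.get(key(client, subject, grantType));
        if (token == null) {
            return null;
        }
        if (requestedScope == null || requestedScope.isEmpty()) {
            return token;
        }
        Set<String> approved = effectiveScopes(token);
        List<String> excess = new ArrayList<String>();
        for (String s : requestedScope) {
            if (!approved.contains(s)) {
                excess.add(s);
            }
        }
        if (!excess.isEmpty()) {
            // The client asked for more than the user approved: reject rather than override.
            throw new OAuthServiceException(OAuthConstants.INVALID_SCOPE + ": " + excess);
        }
        return token;
    }

    public static void main(String[] args) throws OAuthServiceException {
        // Constructed sample data: one client pre-authorized by "alice" for "read" only.
        Client client = new Client("app-1", "secret", true);
        UserSubject alice = new UserSubject("alice");
        ServerAccessToken stored = new BearerAccessToken(client, 3600L);
        List<OAuthPermission> scopes = new ArrayList<OAuthPermission>();
        scopes.add(new OAuthPermission("read", "Read the user's data"));
        stored.setScopes(scopes);

        ScopeBoundPreauthorizedTokens provider = new ScopeBoundPreauthorizedTokens();
        provider.preauthorize(client, alice, OAuthConstants.AUTHORIZATION_CODE_GRANT, stored);

        List<String> narrower = new ArrayList<String>();
        narrower.add("read");
        System.out.println("read        -> token returned: " + (provider.getPreauthorizedToken(
            client, alice, OAuthConstants.AUTHORIZATION_CODE_GRANT, narrower) != null));

        List<String> wider = new ArrayList<String>(narrower);
        wider.add("write");
        try {
            provider.getPreauthorizedToken(client, alice, OAuthConstants.AUTHORIZATION_CODE_GRANT, wider);
        } catch (OAuthServiceException e) {
            System.out.println("read+write  -> rejected: " + e.getMessage());
        }
    }
}
```

The check deliberately compares against the scopes stored on the token rather than against the client's registered scopes, because, as the comment above notes, the token already carries the intersection of what the client registered and what the user actually approved; re-deriving that from the client record would reopen the override the comment warns about.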