CO-2854

Oauth2Server obtainToken function assumes refresh token always returned


Details

    Description

      The obtainToken() function for the Oauth2Server model includes the code

      // We shouldn't have a new refresh token on a refresh_token grant
      // (which just gets us a new access token).
      if($grantType != 'refresh_token') {
        $data['refresh_token'] = $json->refresh_token;
      }

      There is no protocol requirement that a refresh token be returned, so there should be a test of whether the returned JSON actually contains a refresh token before it is assigned to $data['refresh_token'].

      As a concrete example, the login.microsoftonline.com OAuth2 server with a client credential grant does not return a refresh token.
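      A defensive version of that token-response parsing, added here as an illustration and not code from COmanage; the function name extractTokenData and the two sample responses are hypothetical and constructed for the example.

```php
<?php
// Added example (not COmanage code): parse an OAuth2 token endpoint response
// without assuming optional members are present. Names are hypothetical.

/**
 * Build the token data array from a decoded token-endpoint JSON response.
 *
 * @param string $grantType Grant type used for the request (e.g. 'client_credentials')
 * @param object $json      Decoded JSON response from the token endpoint
 * @return array            Token data; 'refresh_token' is set only when the server returned one
 * @throws RuntimeException If the mandatory access_token member is missing
 */
function extractTokenData($grantType, $json) {
  // access_token is REQUIRED in a successful response (RFC 6749 section 5.1),
  // so its absence is an error rather than something to silently tolerate.
  if(!isset($json->access_token) || !is_string($json->access_token)) {
    throw new RuntimeException('Token response did not include an access_token');
  }

  $data = array(
    'access_token' => $json->access_token,
    'token_type'   => isset($json->token_type) ? $json->token_type : null
  );

  // expires_in is RECOMMENDED, not required; record it only if present.
  if(isset($json->expires_in)) {
    $data['expires_in'] = (int)$json->expires_in;
  }

  // Read refresh_token only when the server actually sent one. Reading
  // $json->refresh_token unconditionally raises an "Undefined property"
  // warning and stores null, which is the defect described in this issue.
  if($grantType != 'refresh_token' && isset($json->refresh_token)) {
    $data['refresh_token'] = $json->refresh_token;
  }

  return $data;
}

// Constructed sample responses (not captured from a real server).
// A client_credentials grant, as issued by login.microsoftonline.com, carries no refresh_token.
$clientCreds = json_decode('{"token_type":"Bearer","expires_in":3599,"access_token":"ACCESS-EXAMPLE-1"}');
// An authorization_code grant response typically does carry one.
$authCode = json_decode('{"token_type":"Bearer","expires_in":3600,"access_token":"ACCESS-EXAMPLE-2","refresh_token":"REFRESH-EXAMPLE"}');

foreach(array('client_credentials' => $clientCreds, 'authorization_code' => $authCode) as $grant => $resp) {
  $data = extractTokenData($grant, $resp);
  echo $grant . ': refresh_token ' . (array_key_exists('refresh_token', $data) ? 'stored' : 'absent') . "\n";
}
```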


            People

              Benn Oshrin
              Scott Koranda