April 5, 2016 at 11:08 pm #9323
Is it possible to obtain the client id information as part of the /tokeninfo response?
Eva

April 6, 2016 at 2:01 pm #9336
Bill Nelson (Participant)
I am not aware of any way to do this, but I’m also not so sure that this is a good idea to do it in the first place. Keep in mind that an OAuth2 token is a bearer token granting authorization rights to the bearer of the token. When I give a valet key to the parking attendant, I am allowing them to drive my car, but not gain access to my glove box or trunk. So all the access token does is allow someone to do something on behalf of the Resource Owner and limits their access and/or scope.
If I am to assume that you are wanting this information to see if the access token was requested by someone you trust, then I would caution you not to try to establish trust with the requester, but with the issuer (the Authorization Server). You need to trust that “they” did the due diligence before issuing the token itself.
From a security standpoint, if the client_id were passed back as part of the tokeninfo endpoint, then anyone possessing that token could for all intents and purposes determine one half of the client credentials and all they would then need to do is bang on the door to obtain the client secret. Once accomplished then they could essentially impersonate the client and (depending on your grant flow) could begin requesting their own tokens.
One other thing to note is that the access_token and authorize endpoints are defined by the OAuth2 standards, the tokeninfo endpoint is a convenience provided by ForgeRock and you have to be careful what you expose in that convenience.
I am sure that I went way beyond what you were asking for (I tend to read intent into questions at times) but to answer your question, I am not aware of any way to get the client_id from the tokeninfo endpoint.

April 6, 2016 at 3:26 pm #9344
Hi Bill, thank you for the detailed answer.
The reason I’m asking is because I’m granting access to an API based on the access token, but not every client can access it so I need to do a second validation based on the client Id associated to that token. The problem I’m facing right now is that every user who’s been granted an access token can access all of the APIs.
I understand that this might be something that the tokeninfo endpoint is not designed to do. In the case of Ping Federate I can obtain the client Id from the access token by making a request to a protected endpoint and authenticating as a resource server. Is there something similar in OpenAM that I can use?
Thank you! And please feel free to share your thoughts on the use case, it’s always good to discuss whether one is taking the correct approach or not.

April 7, 2016 at 3:19 pm #9381
Peter Major (Moderator)
See OPENAM-5213; client_id will be returned in newer versions of OpenAM.

April 7, 2016 at 5:02 pm #9393
Thank you Peter, that’s very helpful.

February 22, 2017 at 9:25 pm #15969
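The check Eva describes (a resource server that accepts a bearer token but must additionally restrict each API to certain clients), combined with Peter's note that newer OpenAM versions return client_id from /tokeninfo, looks roughly like the following on the resource-server side. This is an added example, not code from the thread, from OpenAM or from ForgeRock. The tokeninfo body, the API policy and the client identifiers are constructed; the field names client_id, scope and expires_in and the access_token query parameter on a GET to /tokeninfo are assumptions about the endpoint's shape; and the Authorization Server base URL is a placeholder. In line with Bill's point about trusting the issuer, every decision below is made only on what the Authorization Server returned, never on anything the calling client asserts about itself.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample of a /tokeninfo JSON body. The field names (client_id, scope,
# expires_in) are an assumption about the endpoint's response, not captured output.
SAMPLE_TOKENINFO_BODY = json.dumps({
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": ["orders:read", "profile"],
    "client_id": "mobile-app",
    "realm": "/",
})

# Constructed resource-server policy: per API path, the clients allowed to call it and
# the scope the token must carry. The client identifiers are placeholders.
API_POLICY = {
    "/api/orders": {"clients": {"mobile-app", "partner-portal"}, "scope": "orders:read"},
    "/api/admin/users": {"clients": {"admin-console"}, "scope": "users:admin"},
}


def parse_tokeninfo(body: str) -> dict:
    """Parse a tokeninfo JSON body and normalise scope to a set of strings."""
    info = json.loads(body)
    scope = info.get("scope", [])
    if isinstance(scope, str):  # tolerate a space-separated scope string as well
        scope = scope.split()
    info["scope"] = set(scope)
    return info


def fetch_tokeninfo(base_url: str, access_token: str, timeout: float = 5.0) -> dict:
    """Ask the Authorization Server about a bearer token.

    Assumes the endpoint is <base_url>/tokeninfo and takes the token as the
    access_token query parameter on GET; adjust for your deployment. The AS is
    the only party whose answer the resource server trusts here.
    """
    query = urllib.parse.urlencode({"access_token": access_token})
    url = base_url.rstrip("/") + "/tokeninfo?" + query  # base_url is a placeholder
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_tokeninfo(resp.read().decode("utf-8"))


def authorize(tokeninfo: dict, api_path: str, policy: dict = API_POLICY) -> tuple:
    """Decide whether the token described by `tokeninfo` may call `api_path`.

    Returns (allowed, reason). Unknown APIs and missing data are denied.
    """
    rule = policy.get(api_path)
    if rule is None:
        return False, "unknown API: default deny"
    # 1. The token must still be live; tokeninfo reports remaining lifetime in seconds.
    if int(tokeninfo.get("expires_in", 0)) <= 0:
        return False, "token expired or lifetime missing"
    # 2. The token must carry the scope this API requires.
    if rule["scope"] not in tokeninfo.get("scope", set()):
        return False, "missing scope " + rule["scope"]
    # 3. The client the token was issued to must be on this API's allowlist.
    #    This is the per-client restriction the thread asks about; it only works
    #    once the AS includes client_id in its tokeninfo response.
    client_id = tokeninfo.get("client_id")
    if client_id is None:
        return False, "tokeninfo did not include client_id"
    if client_id not in rule["clients"]:
        return False, "client " + client_id + " not permitted for " + api_path
    return True, "ok"


if __name__ == "__main__":
    info = parse_tokeninfo(SAMPLE_TOKENINFO_BODY)
    for path in API_POLICY:
        print(path, authorize(info, path))
```

The ordering matters: lifetime and scope are checked before the client allowlist, so a caller never learns which clients are permitted for an API from a token that is already invalid. If tokeninfo omits client_id (an older server), the API that needs the per-client rule is denied rather than silently opened to every token holder, which is exactly the situation Eva reports.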