
Tokens not revoked in APIM GW #2270

Closed
vikumkbv opened this issue Nov 16, 2023 · 1 comment

Comments

@vikumkbv

Description

Hi Team,

We have observed the following behavior in APIM 3.1.0 with an IS-as-KM setup with IS 5.10.0 [1]: users are able to invoke APIs using the old access token (JWT) even after it has been renewed using the refresh_token grant.

In the IDN_OAUTH2_ACCESS_TOKEN_AUDIT table, the previous token is in the INACTIVE state, while in the IDN_OAUTH2_ACCESS_TOKEN table, we have the new token in the ACTIVE state. Please refer to the following screenshot from the database.

[Screenshot from 2023-11-10 15-29-04: database view of the IDN_OAUTH2_ACCESS_TOKEN_AUDIT and IDN_OAUTH2_ACCESS_TOKEN tables]

Steps to reproduce

  1. Get the APIM 3.1.0 u2 217 pack and create an API.
  2. Generate the JWT token and invoke the API (use the following curl):

     curl -k -X POST https://localhost:8243/token -d "grant_type=password&username=admin&password=admin" -H "Authorization: Basic VzdPT3pCbHQ3bEFhenE3alBCRVRLeFNOM2ZnYTpvX2dETXlKNXp4cHNGQVN5ZXZid2ZNUk1vWVVh"

  3. Then renew the access token using refresh_grant and invoke the API:

     curl -k -d "grant_type=refresh_token&refresh_token=<refresh token>" -H "Authorization: Basic VzdPT3pCbHQ3bEFhenE3alBCRVRLeFNOM2ZnYTpvX2dETXlKNXp4cHNGQVN5ZXZid2ZNUk1vWVVh" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token

  4. Then try to invoke the API again using the access token generated in step 2. As we have renewed this token at step 3, this invocation should give the following error with a 401 status code, but we were able to invoke the API without any error using this old token:

     <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
       <ams:code>900901</ams:code>
       <ams:message>Invalid Credentials</ams:message>
       <ams:description>Invalid JWT token. Make sure you have provided the correct security credentials</ams:description>
     </ams:fault>

Hope we need to fix this

Setup details

APIM 3.1.0 - U2 217
wso2is-km-5.10.0 - U2 223

[1] https://apim.docs.wso2.com/en/3.1.0/install-and-setup/setup/distributed-deployment/configuring-wso2-identity-server-as-a-key-manager/

Thanks,
Vikum

Steps to Reproduce

N/A

Affected Component

APIM

Version

3.1.0

Environment Details (with versions)

No response

Relevant Log Output

No response

Related Issues

No response

Suggested Labels

No response
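The steps above amount to a regression check that a gateway should pass: once a token has been superseded through the refresh_token grant, the gateway must reject it with the 401 fault shown. The script below is an added example for this issue, not WSO2 code. It assumes the token endpoint and Basic credentials from the issue text, uses a placeholder API_URL for the API created in step 1 (the issue does not name it), and treats the ams:fault body with code 900901 as the expected rejection. The decision logic is kept in pure functions so it can be exercised without a running gateway.

```python
"""Check that an access token is rejected after it is renewed via refresh_token.

Added example (not WSO2 project code). Assumptions:
- TOKEN_URL and BASIC_AUTH are taken from the issue text;
- API_URL is a placeholder for the API created in step 1 of the issue;
- a rejected token yields HTTP 401 with the ams:fault body quoted in the issue.
"""
import ssl
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

TOKEN_URL = "https://localhost:8243/token"
# Placeholder: replace with the context/version/resource of the API from step 1.
API_URL = "https://localhost:8243/<api-context>/<version>/<resource>"
BASIC_AUTH = ("Basic VzdPT3pCbHQ3bEFhenE3alBCRVRLeFNOM2ZnYTpvX2dETXlKNXp4cHNG"
              "QVN5ZXZid2ZNUk1vWVVh")

AMS_NS = "http://wso2.org/apimanager/security"
INVALID_CREDENTIALS_CODE = "900901"  # fault code from the issue's expected error

# Equivalent of `curl -k`: the issue runs against a self-signed localhost cert.
_INSECURE_CTX = ssl._create_unverified_context()


def parse_fault(body: str):
    """Return (code, message) from an ams:fault XML body, or None if it is not one."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != f"{{{AMS_NS}}}fault":
        return None
    return (root.findtext(f"{{{AMS_NS}}}code"),
            root.findtext(f"{{{AMS_NS}}}message"))


def old_token_rejected(status: int, body: str) -> bool:
    """Step 4's expected outcome: HTTP 401 carrying fault code 900901."""
    if status != 401:
        return False
    fault = parse_fault(body)
    return fault is not None and fault[0] == INVALID_CREDENTIALS_CODE


def _post(url: str, data: dict, headers: dict):
    """POST a form and return (status, body) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(data).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, context=_INSECURE_CTX) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def _get(url: str, headers: dict):
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, context=_INSECURE_CTX) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def run_check() -> bool:
    """Perform steps 2-4 of the issue against a live gateway; True if revocation works."""
    import json
    hdrs = {"Authorization": BASIC_AUTH,
            "Content-Type": "application/x-www-form-urlencoded"}
    # Step 2: password grant (credentials as in the issue's curl command).
    _, body = _post(TOKEN_URL, {"grant_type": "password",
                                "username": "admin", "password": "admin"}, hdrs)
    first = json.loads(body)
    old_access, refresh = first["access_token"], first["refresh_token"]
    # Step 3: renew with refresh_token grant; the old access token should now be dead.
    _post(TOKEN_URL, {"grant_type": "refresh_token", "refresh_token": refresh}, hdrs)
    # Step 4: invoke with the superseded token and classify the response.
    status, body = _get(API_URL, {"Authorization": f"Bearer {old_access}"})
    ok = old_token_rejected(status, body)
    print("revocation enforced" if ok else f"BUG: old token accepted (HTTP {status})")
    return ok


if __name__ == "__main__":
    run_check()
```

Running the script against a patched deployment should print "revocation enforced"; the behaviour reported in this issue would instead show the old token being accepted with a 200.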

@dulithsenanayake

Hi all,

Since this U2 update has already been released, we are closing this public git issue.

Thanks,
Dulith
