[mitreid-connect] Client credentials security issue?

Luiz Omori luiz.omori at duke.edu
Fri Jul 7 16:26:37 EDT 2017


Hi,

I’ve just run by chance into a suspicious behaviour while exercising the Client Credentials flow. Along with the request I’ve sent scope=openid offline_access. Interestingly enough, I got an id_token back. That ID token was referring to a user that I used for an Authorization Code request done immediately before the Client Credentials call. My usage of scope for the Client Credentials may or may not be legal, but in any case I don’t think the server should be sending an ID Token back for Client Credentials. I’m using server version 1.3.1.

Regards,
Luiz
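A quick way to reproduce the check the post describes is to audit the token endpoint's JSON response for a client_credentials grant. The script below is an added example and is not MITREid Connect code or the poster's own test; it is Python rather than the project's Java because the behaviour is observable purely from the HTTP response. It builds the form body for the grant, decodes the payload of any returned id_token without verifying the signature (inspection only, never for an authorization decision), and reports two things that should not appear in a grant that has no end user behind it: an id_token (OpenID Connect only defines ID tokens for flows that authenticate an end user) and a refresh token (RFC 6749 section 4.4.3 says one SHOULD NOT be issued). The token endpoint URL, the client identifiers and the two sample responses are constructed placeholders, not captures from a real server.

```python
"""Audit a token-endpoint response for a client_credentials grant.

Added example, not MITREid Connect code. Flags artefacts that imply an
end user in a grant that has none (an id_token, a refresh_token).
Sample responses are constructed inline; the endpoint and client names
are placeholders.
"""
import base64
import json
from urllib.parse import urlencode

# Placeholder endpoint; a real run would POST the form body here with
# HTTP Basic client authentication (RFC 6749 section 4.4.2).
TOKEN_ENDPOINT = "https://idp.example.org/openid-connect-server-webapp/token"


def b64url_decode(part: str) -> bytes:
    """Decode base64url text, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS WITHOUT signature checks.

    Inspection only: the claims are untrusted and must not drive any
    authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def client_credentials_form(scope: str = "") -> dict:
    """Form parameters for a client_credentials request.

    Client authentication is assumed to travel in the Authorization
    header, so only grant_type and the optional scope go in the body.
    """
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    return form


def audit_client_credentials_response(resp: dict) -> list:
    """Return human-readable findings for a client_credentials token response."""
    findings = []
    if "id_token" in resp:
        # No end user authenticated in this grant, so no ID token is expected.
        claims = decode_jwt_claims(resp["id_token"])
        findings.append(
            "id_token returned for client_credentials grant "
            f"(sub={claims.get('sub')!r}, aud={claims.get('aud')!r})"
        )
    if "refresh_token" in resp:
        findings.append(
            "refresh_token returned; RFC 6749 section 4.4.3 says one "
            "SHOULD NOT be issued for client_credentials"
        )
    return findings


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT stand-in for the samples below."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


# Constructed sample: the symptom from the post, an ID token for a user who
# completed an authorization-code flow just before the client_credentials call.
SAMPLE_LEAKED = {
    "access_token": "opaque-access-token-placeholder",
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": "openid offline_access",
    "id_token": make_unsigned_jwt({
        "iss": "https://idp.example.org/",
        "sub": "user-from-prior-authz-code-flow",
        "aud": "client-app-1",
    }),
}

# Constructed sample: what a client_credentials response should look like.
SAMPLE_CLEAN = {
    "access_token": "opaque-access-token-placeholder",
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": "openid offline_access",
}


if __name__ == "__main__":
    print("POST", TOKEN_ENDPOINT)
    print("body:", urlencode(client_credentials_form("openid offline_access")))
    for name, sample in (("leaked", SAMPLE_LEAKED), ("clean", SAMPLE_CLEAN)):
        print(name, "->", audit_client_credentials_response(sample) or "no findings")
```

To use it against a live server, replace the sample dicts with the parsed JSON of the real token response; the audit function needs nothing else. Note that it deliberately does not verify the ID token signature, so run it only to surface what the server emitted, not to decide whether to trust it.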