Project: PUBLIC - Liferay Portal Community Edition
Issue: LPS-130869

OAuth2 token introspection fails with empty client_secret for PKCE applications

Details

    Description

      Steps to reproduce:

      1. Create a new OAuth2 application, choose Client Profile: Other and select PKCE
      2. Edit the OAuth2 app, specify Client Id: pkce and check the Token Introspection checkbox
      3. Obtain an access token using http://martamedio.com/oauth2-tester/pkce/, for example:
         7b47179c5dc6dd43bb4d46b5ea47bae0cbf4b04f999b50a255bad7d988725
      4. Execute from the command line:
         curl 'http://localhost:8080/o/oauth2/introspect' \
           -H 'Content-Type: application/x-www-form-urlencoded' \
           --data 'client_id=pkce' \
           --data 'client_secret=' \
           --data 'token=7b47179c5dc6dd43bb4d46b5ea47bae0cbf4b04f999b50a255bad7d988725' \
           --compressed
        

      Expected Result: Server returns information about the token
      Actual Result: Server returns an error message:

      {"error":"unauthorized_client"}
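      The reported versus expected behaviour of the introspection endpoint's client check, written as an added example (not Liferay's code): the `OAuth2App` registry, the function names and the sample apps are constructed, and `introspection_allowed` stands for the Token Introspection checkbox from the steps above. A public PKCE client has no secret, so the check must admit it on client_id alone (gated by that checkbox) while still demanding a matching secret from confidential clients.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class OAuth2App:
    """Hypothetical model of one registered OAuth2 application (constructed)."""
    client_id: str
    client_secret: Optional[str]  # None for a public (PKCE) client, which has no secret
    introspection_allowed: bool   # the per-app "Token Introspection" checkbox


# Constructed sample registry: the PKCE app from the report plus two apps for contrast.
APPS: Dict[str, OAuth2App] = {
    "pkce": OAuth2App("pkce", None, True),
    "webapp": OAuth2App("webapp", "s3cret-example", True),
    "noint": OAuth2App("noint", None, False),
}


def authenticate_reported(client_id: str, client_secret: str) -> Optional[str]:
    """Reproduces the reported behaviour: an empty secret never matches, so a
    PKCE client can never call the introspection endpoint. Returns the OAuth2
    error code, or None when the caller is accepted."""
    app = APPS.get(client_id)
    if app is None or not app.introspection_allowed:
        return "unauthorized_client"
    if not client_secret or app.client_secret != client_secret:
        return "unauthorized_client"
    return None


def authenticate_expected(client_id: str, client_secret: str) -> Optional[str]:
    """Expected behaviour: a public client presents no secret and is admitted on
    client_id alone, but only if introspection was enabled for it; confidential
    clients still need a matching secret, compared in constant time."""
    app = APPS.get(client_id)
    if app is None or not app.introspection_allowed:
        return "unauthorized_client"
    if app.client_secret is None:
        # Public client: it has no secret, so an empty value is the only valid one.
        return None if client_secret == "" else "unauthorized_client"
    if not hmac.compare_digest(app.client_secret.encode(), client_secret.encode()):
        return "unauthorized_client"
    return None
```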
      

      People

        Joyce Wang (joyce.wang)
        Tomáš Polešovský (tomas.polesovsky)
        Kiyoshi Lee
        Tomáš Polešovský

      Dates

        Resolved: 31 weeks, 6 days ago

                Packages

                  Version Package
                  7.2.10 DXP FP13
                  7.2.X
                  7.3.7 CE GA8
                  7.3.10 DXP FP2
                  7.3.X
                  7.4.1 CE GA2 DXP 7,4
                  7.4.13 DXP GA1
                  7.4.3.22 CE GA22
                  7.4.3.23 CE GA23
                  Master