
DOC: Document immediate effect on changing OAUTH2 SAP entries (TOC-TOU)

    Details

    • Type: Sub-Task
    • Status: Closed
    • Priority: Minor
    • Resolution: Completed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      When an access token is granted with a SAPEntry-based scope to access JSONWS services, changing the SAPEntry definition has an immediate effect on which JSONWS endpoints the token can reach.

      This can be perceived as a TOC-TOU (time-of-check vs. time-of-use) vulnerability: the JSONWS endpoints / surface accessible when the user approves the token can differ from those accessible when the token is later used. But only a portal administrator can change Service Access Policies, so there is no real vulnerability; we don't expect the Portal Admin to subvert the portal itself.

      Please see OAUTH2-101 for wider context.

              People

              Assignee:
              id30721 id30721
              Reporter:
              tomas.polesovsky Tomáš Polešovský