This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Disabled clients can still be used for client secret authentication. #3462

Open
acollard opened this issue Jan 16, 2017 · 1 comment

@acollard

From ClientSecretValidator.cs:

// load client
var client = await _clients.FindClientByIdAsync(parsedSecret.Id);
if (client == null)
{
  await RaiseFailureEvent(parsedSecret.Id, "Unknown client");

  Logger.Info("No client with that id found. aborting");
  return fail;
}

This should check if the client is null or disabled.

if (client == null || !client.Enabled)

This issue is also present in TokenValidator.cs.
https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/Validation/TokenValidator.cs#L114
https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/Validation/TokenValidator.cs#L267

AuthorizeRequestValidator.cs handles it correctly.

@acollard
Author

I just noticed your InMemoryClientStore.cs filters out disabled clients internally. In my scenario we use a custom IClientStore, which is why I am seeing the issue.

Off the top of my head I can think of two reasons why the disabled flag should probably be handled outside:

  1. Users implementing the interface wouldn't expect disabled clients to be filtered out.
  2. A user may want to use the IClientStore outside of the authentication process, maybe an administrative page that lists the current clients and their state.
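To make the interaction between the store and the validator concrete, here is an added example that is not code from the issue or from IdentityServer3. It models a store that filters disabled clients (as the comment above says InMemoryClientStore does), a custom store that returns clients as stored, and a validator that can be switched between the null-only check quoted from ClientSecretValidator.cs and the null-or-disabled check the issue proposes. The class and interface names mirror IdentityServer3's, but every body, the checkEnabled switch, the Secret property and the two sample clients are hypothetical stand-ins constructed for this demonstration.

```csharp
// Added example, not IdentityServer3 code. Names mirror the project's types;
// the bodies, the checkEnabled switch and the sample data are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;

public class Client
{
    public string ClientId { get; set; }
    public bool Enabled { get; set; } = true;
    // Plain-text secret for the demo only; real stores keep a hash and compare in constant time.
    public string Secret { get; set; }
}

public interface IClientStore
{
    Task<Client> FindClientByIdAsync(string clientId);
}

// Models the behaviour the comment describes for InMemoryClientStore:
// disabled clients are filtered out before the validator ever sees them.
public class InMemoryClientStore : IClientStore
{
    private readonly IEnumerable<Client> _clients;
    public InMemoryClientStore(IEnumerable<Client> clients) { _clients = clients; }

    public Task<Client> FindClientByIdAsync(string clientId)
    {
        var client = _clients.SingleOrDefault(c => c.ClientId == clientId && c.Enabled);
        return Task.FromResult(client);
    }
}

// A custom store as the reporter describes: it returns the record as stored,
// disabled or not, and leaves the policy decision to the caller.
public class CustomClientStore : IClientStore
{
    private readonly IEnumerable<Client> _clients;
    public CustomClientStore(IEnumerable<Client> clients) { _clients = clients; }

    public Task<Client> FindClientByIdAsync(string clientId)
    {
        return Task.FromResult(_clients.SingleOrDefault(c => c.ClientId == clientId));
    }
}

public class ClientSecretValidator
{
    private readonly IClientStore _clients;
    private readonly bool _checkEnabled;

    // checkEnabled == false reproduces the null-only check quoted in the issue;
    // checkEnabled == true applies the proposed `client == null || !client.Enabled`.
    public ClientSecretValidator(IClientStore clients, bool checkEnabled)
    {
        _clients = clients;
        _checkEnabled = checkEnabled;
    }

    // Returns true when the client id / secret pair is accepted.
    public async Task<bool> ValidateAsync(string clientId, string secret)
    {
        var client = await _clients.FindClientByIdAsync(clientId);

        if (client == null || (_checkEnabled && !client.Enabled))
        {
            Console.WriteLine($"  {clientId}: rejected (unknown or disabled)");
            return false;
        }

        var ok = client.Secret == secret;
        Console.WriteLine($"  {clientId}: secret {(ok ? "accepted" : "rejected")}");
        return ok;
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Constructed sample data: one enabled client, one disabled client.
        var clients = new[]
        {
            new Client { ClientId = "app-a", Secret = "s3cret-a", Enabled = true },
            new Client { ClientId = "app-b", Secret = "s3cret-b", Enabled = false },
        };

        foreach (var (name, store) in new (string, IClientStore)[]
        {
            ("InMemoryClientStore", new InMemoryClientStore(clients)),
            ("CustomClientStore",   new CustomClientStore(clients)),
        })
        {
            Console.WriteLine($"{name}, null-only check:");
            await new ClientSecretValidator(store, checkEnabled: false).ValidateAsync("app-b", "s3cret-b");
            Console.WriteLine($"{name}, null-or-disabled check:");
            await new ClientSecretValidator(store, checkEnabled: true).ValidateAsync("app-b", "s3cret-b");
        }
    }
}
```

Running it, the disabled client "app-b" is rejected in three of the four combinations; only the CustomClientStore paired with the null-only check prints "secret accepted". That is the case the issue reports: the in-memory store masks the missing check, and a store that does not filter exposes it. Putting the Enabled check in the validator, where the other validators (AuthorizeRequestValidator.cs) already make it, closes the gap regardless of which IClientStore is plugged in.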
