Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
None
-
None
-
Unknown
Description
AccessTokenValidatorService is a simple JAX-RS service which accepts validation requests remotely and delegates the actual validation to the super-class it extends, after validating the token it returns an internal token representation to the remote OAuthRequestFilter which does some more validation.
The fundamental problem with AccessTokenValidatorService is that it expects the 3rd party client authorization credentials passed in as Authorization header so if the bad client which stole the access token and somehow invokes directly on AccessTokenValidatorService then it will get the internal token state back.
I'm not marking it as Critical because this service can easily be replaced.