Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- None
- None
- None
- Important
Description
Fineract OAuth previously sent UUID values limited to 0-9, a-f, and dash for tokens. It recently changed to using a base-64 encoded value for tokens. This seems to work fine in many cases.
Previous token example:
"access_token": "a6c25cb8-7e73-446e-a49b-e9e54c3f26ee"
Current token example:
"access_token": "2VaGUd8Y25fCC1gBpGLZnfoC52s="
However, if the base-64 encoded value contains a + (plus sign), authentication fails. Fineract generates the token with the + in it and sends it to the community app. The community app returns the token value with the + included. Fineract then looks the value up in the database, but replaces the + with a space before doing so (the + is being treated as a form-encoded space).
In the example attached, Fineract provides an access token of 4JdlsEQzpa3gsM7CbH5mFxTy+FU=
The community app uses the full token value, including the +, to request access.
Fineract responds denying access with this message: Invalid access token: 4JdlsEQzpa3gsM7CbH5mFxTy FU=
Please review the attached file for detailed information and logs.
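The decoding behaviour described above can be reproduced outside Fineract. The following is an added example, not code from Fineract or the community app: it uses Python's standard urllib to show how a token containing + is mangled when it is decoded as application/x-www-form-urlencoded data, how a client-side percent-encoding of the token survives that decoding, and how issuing tokens in the base64url alphabet (no + or /) avoids the problem entirely. The token value is the one quoted in the report; the token store and the lookup function are constructed for the example.

```python
import base64
from urllib.parse import parse_qs, quote, unquote_plus, urlencode

# Token value quoted in the report (standard base64, contains a '+')
TOKEN_WITH_PLUS = "4JdlsEQzpa3gsM7CbH5mFxTy+FU="


def decode_as_form_param(token: str) -> str:
    """Simulate a server that applies form/query-string decoding to the raw
    token. In x-www-form-urlencoded data a literal '+' means a space, which
    is exactly the corruption seen in the report."""
    return unquote_plus(token)


def encode_for_query(token: str) -> str:
    """Client-side mitigation: percent-encode the token before placing it in
    a query string or form body, so '+' travels as %2B and '=' as %3D."""
    return quote(token, safe="")


def roundtrip_via_query_string(token: str) -> str:
    """Build a correctly encoded query string and parse it back the way a
    framework would; a properly encoded token comes back unchanged."""
    query = urlencode({"access_token": token})  # uses quote_plus internally
    return parse_qs(query)["access_token"][0]


def to_urlsafe_base64(raw: bytes) -> str:
    """Server-side mitigation: issue tokens in the base64url alphabet
    (RFC 4648 section 5), which has no '+' or '/' to be mis-decoded."""
    return base64.urlsafe_b64encode(raw).decode("ascii")


def is_urlsafe(token: str) -> bool:
    """True when the token cannot be damaged by form or path decoding."""
    return "+" not in token and "/" not in token


def lookup_token(received: str, issued_tokens: set, decode_first: bool) -> str:
    """Constructed stand-in for a server-side token lookup. With
    decode_first=True it reproduces the failure mode from the report."""
    candidate = decode_as_form_param(received) if decode_first else received
    if candidate in issued_tokens:
        return "ok"
    return f"Invalid access token: {candidate}"


if __name__ == "__main__":
    store = {TOKEN_WITH_PLUS}
    print(lookup_token(TOKEN_WITH_PLUS, store, decode_first=True))
    print(lookup_token(encode_for_query(TOKEN_WITH_PLUS), store, decode_first=True))
    print(to_urlsafe_base64(base64.b64decode(TOKEN_WITH_PLUS)))
```

The two mitigations are independent: percent-encoding on the client fixes the transport, while switching the issuer to base64url removes the problematic characters from every token so that clients which forget to encode still work.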
Attachments
Issue Links
- is a parent of: FINERACT-1057 Running -Psecurity=oauth leads to memory leak issue (Closed)
- is fixed by: FINERACT-1012 Spring Security OAuth 2.x to Spring Security 5.2.x (Resolved)
- requires: FINERACT-1145 OAuth Support documentation is missing (Resolved)
- requires: FINERACT-1144 OAuth broken (or is it?) (Closed)