Hi All,

This is in relation to issue [1], which happens when using a valid access token issued to a SaaS-enabled application (the application is in a separate domain; the user is from another tenant domain). After disabling SaaS, it is still possible to use the same access token to access the UserInfo endpoint for this user from another tenant. It is also possible to obtain a new access token for the SaaS-disabled application by using the issued refresh token for a user from a different tenant.

For this I have added functionality to validate the tenant domain and to check whether the SP is SaaS-enabled before granting access to the UserInfo endpoint. It is evident that we should revoke the refresh token so that the user is not permitted to obtain further access tokens for the application. In addition to this, is it required to invalidate the already-issued access token?

Appreciate your help on this.

[1] https://wso2.org/jira/browse/IDENTITY-4981

Best regards,
Sathya

--
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
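An added illustration of the two enforcement points discussed in the mail (the UserInfo check and the refresh grant), written here as a stand-alone model and not taken from WSO2 Identity Server; the tenant domains, client id and token strings are constructed.

```python
from dataclasses import dataclass

@dataclass
class ServiceProvider:
    client_id: str
    tenant_domain: str    # tenant the application is registered in
    saas_enabled: bool    # whether users of other tenants may log in to it

@dataclass
class Grant:
    client_id: str
    user: str
    user_tenant_domain: str  # tenant the authenticated user belongs to
    revoked: bool = False    # one record backs an access/refresh pair

def cross_tenant_allowed(sp, user_tenant_domain):
    # a user from another tenant may use the app only while it is SaaS-enabled
    return sp.saas_enabled or sp.tenant_domain.lower() == user_tenant_domain.lower()

class TokenService:
    def __init__(self, sps):
        self.sps = {sp.client_id: sp for sp in sps}
        self.tokens = {}   # opaque token string -> (kind, Grant)

    def issue(self, client_id, user, user_tenant_domain):
        if not cross_tenant_allowed(self.sps[client_id], user_tenant_domain):
            raise PermissionError("tenant %s may not use %s" % (user_tenant_domain, client_id))
        grant, n = Grant(client_id, user, user_tenant_domain), len(self.tokens) // 2 + 1
        access, refresh = "at-%d" % n, "rt-%d" % n   # constructed opaque strings, not a real format
        self.tokens[access], self.tokens[refresh] = ("access", grant), ("refresh", grant)
        return access, refresh

    def _validate(self, token, kind):
        kind_found, grant = self.tokens.get(token, (None, None))
        if grant is None or kind_found != kind or grant.revoked:
            return None
        if not cross_tenant_allowed(self.sps[grant.client_id], grant.user_tenant_domain):
            grant.revoked = True   # SaaS was switched off after issuance: invalidate the pair
            return None
        return grant

    def userinfo(self, access_token):
        grant = self._validate(access_token, "access")
        return None if grant is None else {"sub": grant.user, "tenant": grant.user_tenant_domain}

    def refresh_grant(self, refresh_token):
        grant = self._validate(refresh_token, "refresh")
        if grant is not None:
            grant.revoked = True   # rotation: the old pair dies when the new one is issued
            return self.issue(grant.client_id, grant.user, grant.user_tenant_domain)
```

Once the SaaS flag is cleared, a cross-tenant token fails on its next use at either endpoint and the whole access/refresh pair is marked revoked, while same-tenant users of the application are unaffected.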
