
Non-Admin users can get unauthorised scopes from KM #2363

Closed
jichinthaka opened this issue Jan 8, 2024 · 2 comments

Comments

@jichinthaka

Description

Non-Admin users can generate Opaque tokens with APIM Rest API admin scopes from the IS-as-KM token endpoint. And Non-Admin users can access APIM Rest APIs with the above-generated token.

Steps to Reproduce

(Assume an IS-as-KM setup with APIM 4.1.0 and IS-KM 5.11.0)

Generate Opaque token using Non-Admin user:

```bash
curl --location 'https://localhost:9444/oauth2/token' \
  --header 'Authorization: Basic <base64Encoded(key:secret)>' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'username=test' \
  --data-urlencode 'password=admin' \
  --data-urlencode 'scope=apim:admin apim:admin_alert_manage apim:admin_application_view apim:admin_operations apim:admin_settings'
```

Your response contains all the requested APIM Rest API admin scopes.

Use the above-generated token to invoke an APIM Rest API. You will succeed.

Affected Component

APIM

Version

4.1.0

Environment Details (with versions)

No response

Relevant Log Output

No response

Related Issues

No response

Suggested Labels

No response
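Added example (not code from the issue or from WSO2): it models the role-bound scope check a key manager is expected to apply before issuing scopes, and a check over a token response that flags scopes the user's roles do not entitle them to, which is the symptom reported above. The scope-to-role bindings, the role names and the sample token response are constructed for illustration, not taken from a real APIM configuration.

```python
import json
from typing import Dict, List, Set

# Constructed bindings: APIM REST API scope -> roles allowed to obtain it.
# Real deployments bind these in the key manager / tenant configuration.
SCOPE_ROLE_BINDINGS: Dict[str, Set[str]] = {
    "apim:admin": {"admin"},
    "apim:admin_alert_manage": {"admin"},
    "apim:admin_application_view": {"admin"},
    "apim:admin_operations": {"admin"},
    "apim:admin_settings": {"admin"},
    "apim:api_view": {"admin", "Internal/publisher", "Internal/creator"},
    "apim:subscribe": {"admin", "Internal/subscriber"},
}


def permitted_scopes(requested: str, user_roles: Set[str],
                     bindings: Dict[str, Set[str]] = SCOPE_ROLE_BINDINGS) -> List[str]:
    """Keep only requested scopes whose bound roles intersect the user's roles.

    Scopes with no binding are dropped too, so nothing unbound is ever granted.
    This is the behaviour the token endpoint should show for a non-admin user.
    """
    return [s for s in requested.split() if bindings.get(s, set()) & user_roles]


def overgranted_scopes(token_response: str, user_roles: Set[str],
                       bindings: Dict[str, Set[str]] = SCOPE_ROLE_BINDINGS) -> List[str]:
    """Scopes in a token response that the user's roles do not entitle them to.

    A non-empty result on a token obtained by a non-admin user is the
    misbehaviour described in this issue.
    """
    granted = json.loads(token_response).get("scope", "")
    return [s for s in granted.split() if not bindings.get(s, set()) & user_roles]


if __name__ == "__main__":
    # Constructed token response resembling what a non-admin user "test" received.
    leaked = json.dumps({"access_token": "<opaque>", "token_type": "Bearer",
                         "scope": "apim:admin apim:admin_settings"})
    print(overgranted_scopes(leaked, {"Internal/subscriber"}))
    print(permitted_scopes("apim:admin apim:subscribe", {"Internal/subscriber"}))
```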

@tharikaGitHub
Member

Closing the issue as only PR wso2-extensions/apim-km-wso2is#114 needs to be added to the public branch.
