Posted to issues@fineract.apache.org by "Michael Vorburger (Jira)" <ji...@apache.org> on 2020/09/10 20:06:00 UTC

[jira] [Commented] (FINERACT-1033) Fineract OAuth Token Change Bug

    [ https://issues.apache.org/jira/browse/FINERACT-1033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17193829#comment-17193829 ] 

Michael Vorburger commented on FINERACT-1033:
---------------------------------------------

[~saransh] there is no attached file or logs here; did you mean to attach them but forgot?

Also, we should first document how this feature actually works, see FINERACT-1145.

Can you clarify whether what you write above affects {{develop}} (1.4.0) or an older release? To clarify FINERACT-1144.

> Fineract OAuth Token Change Bug
> -------------------------------
>
>                 Key: FINERACT-1033
>                 URL: https://issues.apache.org/jira/browse/FINERACT-1033
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Security
>            Reporter: Saransh Sharma
>            Priority: Major
>
> Fineract OAuth previously sent UUID values limited to 0-9, a-f, and dash for tokens. It recently changed to using a base-64 encoded value for tokens. This seems to work fine in many cases.
> Previous token example:
> "access_token": "a6c25cb8-7e73-446e-a49b-e9e54c3f26ee"
> Current token example:
> "access_token": "2VaGUd8Y25fCC1gBpGLZnfoC52s="
> However, if the base-64 encoded value contains a + (plus sign) authentication fails. Fineract generates and sends the value to the community app with the + in the token value. The community app returns the token value with the + included. Fineract looks up the value in the database but replaces the + with a space before doing so.
> In the example attached, Fineract provides an access token of 4JdlsEQzpa3gsM7CbH5mFxTy+FU=
> The community app uses the full token value with the + to request access.
> Fineract responds denying access with this message: Invalid access token: 4JdlsEQzpa3gsM7CbH5mFxTy FU=
>
> Please review the attached file for detailed information and logs.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
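The "+ becomes a space" failure described in the quoted issue, as an added example that is not Fineract's or the community app's code: the in-memory token store, the user name and the client/server helpers are constructed stand-ins, and only the token value comes from the issue. It also shows the two usual remedies, percent-encoding the parameter on the client and issuing URL-safe Base64 tokens on the server.

```python
# Constructed reproduction of the FINERACT-1033 mismatch, not Fineract code:
# an in-memory dict stands in for the token table, and server_lookup() runs the
# incoming parameter through form-style URL decoding, as a servlet/Spring stack
# does for query-string and form parameters.
import base64
from urllib.parse import parse_qs, urlencode

# Token quoted in the issue; the standard Base64 alphabet includes '+'.
PAGE_TOKEN = "4JdlsEQzpa3gsM7CbH5mFxTy+FU="


class TokenStore:
    """Maps issued access tokens to the (constructed) user they belong to."""

    def __init__(self):
        self._tokens = {}

    def issue(self, user, token_bytes, url_safe=False):
        # url_safe=True uses the '-' and '_' alphabet, so no '+' can appear
        enc = base64.urlsafe_b64encode if url_safe else base64.b64encode
        token = enc(token_bytes).decode("ascii")
        self._tokens[token] = user
        return token

    def lookup(self, token):
        return self._tokens.get(token)

def client_request(token, percent_encode):
    """Query string the client sends; the buggy path pastes the raw token in."""
    if percent_encode:
        return urlencode({"access_token": token})  # '+' -> %2B, '=' -> %3D
    return "access_token=" + token

def server_lookup(store, query):
    """Decode the parameter the way a form/query parser does, then look it up."""
    token = parse_qs(query)["access_token"][0]  # form decoding turns '+' into ' '
    user = store.lookup(token)
    return f"OK: {user}" if user else f"Invalid access token: {token}"

def reproduce():
    """Return (buggy result, result with client encoding, result with URL-safe tokens)."""
    store = TokenStore()
    raw = base64.b64decode(PAGE_TOKEN)
    std_token = store.issue("mifos", raw)  # re-encodes to exactly PAGE_TOKEN
    buggy = server_lookup(store, client_request(std_token, percent_encode=False))
    fixed_client = server_lookup(store, client_request(std_token, percent_encode=True))
    safe_token = store.issue("mifos", raw, url_safe=True)
    fixed_server = server_lookup(store, client_request(safe_token, percent_encode=False))
    return buggy, fixed_client, fixed_server
```

The first element of `reproduce()` is the exact "Invalid access token: 4JdlsEQzpa3gsM7CbH5mFxTy FU=" message from the issue; the other two succeed.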