Open
Description
Follow-on from #815, using this test script: https://gist.github.com/micolous/e54b84dec86fcc45754c5c429ed834c4
mock-oauth2-server returns valid id_tokens when sent a bogus refresh_token (random UUID), as long as it includes a client_id parameter or HTTP Basic auth (as required by spec).
To reproduce, run the above script with:
- `--attempt_count 0 --refresh_count 0 --bogus_refresh_count 2 --client_id_in_query` (`client_id` in query string)
- `--attempt_count 0 --refresh_count 0 --bogus_refresh_count 2 --http_basic_auth` (`client_id` in HTTP Basic auth)
- `--attempt_count 0 --refresh_count 0 --bogus_refresh_count 2 --client_id_in_query --http_basic_auth` (both)
If this was a real OAuth 2.0 server, this would be a security bug. 😄
This also shows the same symptoms as #825, where custom claims in requestMappings[].claims are only provided if client_id is provided as a query string only, and not HTTP basic auth.
Environment
Running mock-oauth2-server 2.1.10 in Docker, with this config:
```json
{
  "httpServer": {
    "type": "NettyWrapper",
    "ssl": {
      "keyPassword": "",
      "keystoreFile": "/run/secrets/server_p12",
      "keystoreType": "PKCS12",
      "keystorePassword": ""
    }
  },
  "interactiveLogin": true,
  "tokenCallbacks": [
    {
      "issuerId": "test-issuer",
      "tokenExpiry": 90,
      "requestMappings": [
        {"requestParam": "client_id", "match": "*", "claims": {"customClaim": ["foo"]}}
      ]
    }
  ]
}
```
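An added conformance check (not the gist above and not mock-oauth2-server's own code) that sends a refresh_token grant carrying a random UUID in both client-authentication modes the report describes and flags a server that issues tokens instead of the `invalid_grant` error RFC 6749 requires; the token endpoint path, client id and client secret are placeholders you must set for your deployment.

```python
"""Refresh-grant conformance check: an unknown refresh_token must be answered
with HTTP 400 and "error": "invalid_grant" (RFC 6749 sections 5.2 and 6).
Request construction and response classification are pure functions so the
logic can be inspected without a live server."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
import uuid


def build_refresh_request(token_url, client_id, basic_auth, client_secret=""):
    """Return (url, body_bytes, headers) for a refresh grant with a random token.

    basic_auth=True  -> client_id/secret in an HTTP Basic Authorization header
    basic_auth=False -> client_id in the query string, as the report's script does
    """
    params = {"grant_type": "refresh_token", "refresh_token": str(uuid.uuid4())}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if basic_auth:
        cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = "Basic " + cred
    else:
        token_url += "?" + urllib.parse.urlencode({"client_id": client_id})
    return token_url, urllib.parse.urlencode(params).encode(), headers


def classify_response(status, body):
    """'rejected' when the server answered as the spec requires,
    'ACCEPTED_BOGUS' when it minted tokens for a token it never issued."""
    try:
        payload = json.loads(body)
    except ValueError:
        payload = {}
    if status == 400 and payload.get("error") == "invalid_grant":
        return "rejected"
    if any(k in payload for k in ("access_token", "id_token", "refresh_token")):
        return "ACCEPTED_BOGUS"
    return f"unexpected ({status})"


def check(token_url, client_id, basic_auth, client_secret=""):
    url, body, headers = build_refresh_request(token_url, client_id, basic_auth, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_response(resp.status, resp.read())
    except urllib.error.HTTPError as e:  # 4xx/5xx still carry the JSON error body
        return classify_response(e.code, e.read())


if __name__ == "__main__":
    # Placeholders: assumed token endpoint for the "test-issuer" configured above.
    endpoint = "http://localhost:8080/test-issuer/token"
    for mode in (False, True):
        print("basic_auth" if mode else "client_id in query", "->",
              check(endpoint, "PLACEHOLDER_CLIENT_ID", mode, "PLACEHOLDER_SECRET"))
```

Both modes should print `rejected`; `ACCEPTED_BOGUS` reproduces the behaviour described in this issue.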