Hi Scott,
Thank you for your answer. We use the [oauth-auth] configuration. I collected the pdweb.oauth logs and I could see that if I make a request with a new token, WebSEAL sends an RST request to check the token and receives a RequestSecurityTokenResponse with information about the token. So WebSEAL knows that the token is valid, knows the user and can build the session for the request.
The next time I send a request with the same token, WebSEAL (in most cases) doesn't send an RST request to check the token; it accepts the request and sends it to the backend instead. If the token becomes invalid, WebSEAL can't know it, because it doesn't check the token every time. For that reason the result of the RST response must be cached. It makes sense, since it would be too expensive to check the token for every request, but I could use an invalid token for at least several minutes before I stopped testing. I could imagine that WebSEAL considers the token to be valid for the duration of the session or for the lifetime of the token, but sometimes WebSEAL notices immediately that the token is not valid anymore.
Could you say which rules WebSEAL follows to determine that it's time to check the token?
Best Regards,
Ivan
------------------------------
Ivan Yartsev
------------------------------
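The caching behaviour described in this thread, as an added model that is not WebSEAL's own code or logic (the tokens, timestamps and both session-cache rules are assumptions for illustration): a gateway that caches a validation result for a fixed session TTL keeps accepting a token after it has expired, while binding the cached session's expiry to the token's own expiry forces a re-check and a rejection.

```python
import hashlib

# Constructed stand-in for the token service (the RST / RequestSecurityTokenResponse
# round trip in the thread): token -> (subject, expiry in epoch seconds). Made-up values.
TOKEN_SERVICE = {
    "tok-alice": ("alice", 100),   # expires at t=100
    "tok-bob":   ("bob",   5000),
}

def validate_remotely(token, now, calls):
    """Model of the expensive remote check; records each call so we can count them."""
    calls.append(now)
    entry = TOKEN_SERVICE.get(token)
    if entry is None or entry[1] <= now:
        return None                 # unknown or expired token
    return entry                    # (subject, exp)

class Gateway:
    """Reverse-proxy session cache keyed by a hash of the bearer token.

    bind_to_token_exp=False: a validated session lives for a fixed TTL (the failure
    mode the thread describes). True: the session can never outlive the token's own
    expiry, so an expired token is re-validated and denied.
    """
    def __init__(self, session_ttl, bind_to_token_exp):
        self.session_ttl = session_ttl
        self.bind_to_token_exp = bind_to_token_exp
        self.sessions = {}          # token hash -> (subject, session_expiry)
        self.validation_calls = []  # timestamps at which the remote check ran

    def handle(self, token, now):
        key = hashlib.sha256(token.encode()).hexdigest()
        sess = self.sessions.get(key)
        if sess and now < sess[1]:
            return "allowed", sess[0], False   # served from cache, no re-check
        result = validate_remotely(token, now, self.validation_calls)
        if result is None:
            self.sessions.pop(key, None)       # drop any stale session for this token
            return "denied", None, True
        subject, exp = result
        expiry = now + self.session_ttl
        if self.bind_to_token_exp:
            expiry = min(expiry, exp)          # session ends no later than the token
        self.sessions[key] = (subject, expiry)
        return "allowed", subject, True

def demo(bind_to_token_exp):
    """Two requests with the same token: at t=10 (valid) and t=200 (token expired at 100)."""
    gw = Gateway(session_ttl=600, bind_to_token_exp=bind_to_token_exp)
    first = gw.handle("tok-alice", 10)
    second = gw.handle("tok-alice", 200)
    return first[0], second[0], len(gw.validation_calls)
```

With the fixed TTL, `demo(False)` returns `("allowed", "allowed", 1)`: the expired token is still served from the cache. With the expiry bound, `demo(True)` returns `("allowed", "denied", 2)`.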
Original Message:
Sent: Wed October 13, 2021 05:09 PM
From: Scott Exton
Subject: WebSEAL Accepts invalid OAuth Tokens
Jens,
How is WebSEAL configured to consume the tokens? There are actually 3 options available: oauth-eas, oauth-auth and OAuth introspection.
I know that oauth-eas implements caching, and you can disable the cache by changing the '[oauth-eas] cache-size' configuration entry.
I don't believe that the other two mechanisms implement any caching, but authenticated sessions do get created. However, the session lifetime should correspond to the OAuth token lifetime.
I hope that this helps.
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor
Original Message:
Sent: 10/13/2021 9:36:00 AM
From: Jens Petersen
Subject: WebSEAL Accepts invalid OAuth Tokens
Hi All,
We noticed that WebSEAL accepts invalid tokens, e.g. timed-out tokens. Not every time, but sometimes. And if you try over a longer period it will be rejected. I couldn't find out how to control this behavior, or whether there is a deterministic rule for it. I could imagine that this is a caching issue, but for me this is not acceptable for a security appliance. Can anybody confirm that this works as designed? Otherwise I'd raise a PMR on that. We are on 10.0.1.0.
Cheers,
Jens
------------------------------
Jens Petersen
------------------------------