
LI80860: NO CHECK TO THE REVOCATION URL ON ACCESS TOKEN WHEN CALLING AN API THAT THE FIRST SCOPE IS INVALID

APAR status

  • Closed as program error.

Error description

  • APIC v5 Gateway doesn't check the external revocation URL on the
    Access Token when calling an API whose first scope is invalid.
    
    Steps to recreate
    1. Define multiple scopes and an external revocation URL in the
       OAuth Provider API:
         scopes:
           scope1: ''
           scope2: ''
    2. Set the scope in an API's security definition like the following:
         security:
           - oauth-definition-name:
               - scope2
             client-id: []
           - client-id: []
             oauth-definition-name:
               - scope1
    3. Use the second scope to request an access token.
    4. Call the API using the obtained access token.
    -> At this time, APIC v5 Gateway doesn't connect to the revocation
       URL to verify whether the access token is still valid.
    

Local fix

Problem summary

  • The OAuth Consumer API doesn't check the external revocation URL on
    the Access Token when calling an API whose security definition has
    an invalid first scope. I.e., if multiple scopes are present in a
    Consumer API's security definition and the first one is invalid,
    then using a valid access token with the second or a subsequent
    scope will result in no (external revocation) check for that
    access token.
    
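As an added illustration of the symptom described in the error description and problem summary above (constructed model, not IBM API Connect gateway code): a Python evaluation of the API's security alternatives with a stand-in revocation endpoint that counts how often it is consulted. The token values, the `RevocationEndpoint` stub and the assumption that the pre-fix revocation lookup was reachable only through the first alternative are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Security list from the APAR's step 2 (OpenAPI "security"): satisfying any ONE
# alternative grants access; client-id carries no scopes. Constructed copy.
SECURITY = [
    {"oauth-definition-name": ["scope2"], "client-id": []},
    {"client-id": [], "oauth-definition-name": ["scope1"]},
]

@dataclass
class Token:
    scopes: frozenset
    revoked: bool = False  # what the external revocation URL would report

@dataclass
class RevocationEndpoint:
    """Stand-in for the external revocation URL; counts each consultation."""
    calls: int = 0
    def is_revoked(self, token: Token) -> bool:
        self.calls += 1
        return token.revoked

def scopes_satisfied(alt: Dict[str, List[str]], token: Token) -> bool:
    """An alternative is met when the token carries every scope it lists."""
    return all(set(req) <= token.scopes for req in alt.values())

def authorize_buggy(token, security, endpoint) -> bool:
    """Hypothetical model of the pre-fix symptom: the revocation lookup is reached
    only via the first alternative, so a later match is accepted on scope alone."""
    for index, alt in enumerate(security):
        if not scopes_satisfied(alt, token):
            continue
        if index == 0 and endpoint.is_revoked(token):
            return False
        return True
    return False

def authorize_fixed(token, security, endpoint) -> bool:
    """Revocation is checked for whichever alternative the token satisfies."""
    for alt in security:
        if scopes_satisfied(alt, token):
            return not endpoint.is_revoked(token)
    return False

def revoked_token_with_second_scope(authorize: Callable) -> Tuple[bool, int]:
    """Steps 3-4 with a token that only carries the second alternative's scope and
    has already been revoked upstream. Returns (access granted, revocation calls)."""
    endpoint = RevocationEndpoint()
    token = Token(scopes=frozenset({"scope1"}), revoked=True)
    return authorize(token, SECURITY, endpoint), endpoint.calls
```

With the modelled pre-fix logic the revoked token is accepted and the revocation endpoint is never contacted; the corrected logic consults it once and rejects the token.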

Problem conclusion

  • Fixed with API Connect v5.0.8.6-iFix2 and API Connect
    v2018.4.1.7
    

Temporary fix

Comments

APAR Information

  • APAR number

    LI80860

  • Reported component name

    API CONNECT ENT

  • Reported component ID

    5725Z2201

  • Reported release

    50X

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-05-12

  • Closed date

    2019-08-07

  • Last modified date

    2019-08-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    API CONNECT ENT

  • Fixed component ID

    5725Z2201

Applicable component levels

  • R50X PSY

       UP


Document Information

Modified date:
29 September 2021