
Token refresh with bogus refresh_token produces valid JWT #826

@micolous

Description


Follow-on from #815, using this test script: https://gist.github.com/micolous/e54b84dec86fcc45754c5c429ed834c4

mock-oauth2-server returns valid id_tokens when sent a bogus refresh_token (random UUID), as long as it includes a client_id parameter or HTTP Basic auth (as required by spec).

To reproduce, run the above script with:

  • --attempt_count 0 --refresh_count 0 --bogus_refresh_count 2 --client_id_in_query (client_id in query string)
  • --attempt_count 0 --refresh_count 0 --bogus_refresh_count 2 --http_basic_auth (client_id in HTTP Basic auth)
  • --attempt_count 0 --refresh_count 0 --bogus_refresh_count 2 --client_id_in_query --http_basic_auth (both)

If this was a real OAuth 2.0 server, this would be a security bug. 😄

This also shows the same symptoms as #825, where custom claims in requestMappings[].claims are only provided if client_id is passed as a query string parameter, and not via HTTP Basic auth.

Environment

Running mock-oauth2-server 2.1.10 in Docker, with this config:

{
  "httpServer": {
    "type": "NettyWrapper",
    "ssl": {
      "keyPassword": "",
      "keystoreFile": "/run/secrets/server_p12",
      "keystoreType": "PKCS12",
      "keystorePassword": ""
    }
  },
  "interactiveLogin": true,
  "tokenCallbacks": [
    {
      "issuerId": "test-issuer",
      "tokenExpiry": 90,
      "requestMappings": [
        {"requestParam": "client_id", "match": "*", "claims": {"customClaim": ["foo"]}}
      ]
    }
  ]
}
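For contrast with the behaviour reported above, here is a minimal token endpoint that does what a real OAuth 2.0 server must do on a refresh_token grant: look the presented token up in its own store, check it belongs to the authenticated client and has not expired, and answer an unknown token with the RFC 6749 section 5.2 error invalid_grant instead of minting new tokens. It also resolves the client identity from HTTP Basic auth and from the client_id form parameter through one code path, so nothing downstream can diverge depending on which form the client used. This is an added example written for this issue; it is not code from mock-oauth2-server or from the reporter's test script, and all names in it (TokenEndpoint, TokenError, the client registry and the constructed client ids and secrets) are assumptions made for illustration.

```python
"""Added example: a token endpoint that refuses refresh tokens it never issued.

Not code from mock-oauth2-server or the issue's gist. Class and client names
below are assumptions made for illustration.
"""
from __future__ import annotations

import base64
import secrets
import time
import uuid


class TokenError(Exception):
    """Carries an RFC 6749 section 5.2 error code such as invalid_grant."""

    def __init__(self, code: str, description: str = ""):
        super().__init__(f"{code}: {description}")
        self.code = code


class TokenEndpoint:
    def __init__(self, clients: dict[str, str | None], refresh_ttl: int = 3600):
        # client_id -> client_secret (None for a public client); constructed registry
        self._clients = clients
        # refresh_token -> (owning client_id, expiry); only tokens we issued live here
        self._refresh_tokens: dict[str, tuple[str, float]] = {}
        self._refresh_ttl = refresh_ttl

    def _authenticate_client(self, form: dict[str, str], headers: dict[str, str]) -> str:
        """Resolve the client from HTTP Basic auth or the client_id form parameter.

        Both transport forms end in the same registry lookup and secret check, so
        later logic cannot behave differently depending on how the id arrived.
        """
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            try:
                raw = base64.b64decode(auth[6:], validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                raise TokenError("invalid_client", "malformed Basic credentials")
            client_id, _, secret = raw.partition(":")
            if form.get("client_id") not in (None, client_id):
                raise TokenError("invalid_request", "client_id mismatch")
        else:
            client_id, secret = form.get("client_id", ""), form.get("client_secret", "")
        if client_id not in self._clients:
            raise TokenError("invalid_client", "unknown client")
        expected = self._clients[client_id]
        if expected is not None and not secrets.compare_digest(secret, expected):
            raise TokenError("invalid_client", "bad client secret")
        return client_id

    def grant_after_authorization(self, client_id: str) -> dict:
        """Issue a token pair once a prior flow (e.g. code exchange) has succeeded."""
        refresh = secrets.token_urlsafe(32)
        self._refresh_tokens[refresh] = (client_id, time.time() + self._refresh_ttl)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "refresh_token": refresh}

    def token(self, form: dict[str, str], headers: dict[str, str] | None = None) -> dict:
        """Handle POST /token for the refresh_token grant."""
        client_id = self._authenticate_client(form, headers or {})
        if form.get("grant_type") != "refresh_token":
            raise TokenError("unsupported_grant_type", form.get("grant_type", ""))
        # pop() makes the token single use: a replay after rotation is rejected too
        record = self._refresh_tokens.pop(form.get("refresh_token", ""), None)
        if record is None:
            raise TokenError("invalid_grant", "unknown or already-used refresh_token")
        owner, expiry = record
        if owner != client_id:
            raise TokenError("invalid_grant", "refresh_token belongs to another client")
        if time.time() > expiry:
            raise TokenError("invalid_grant", "refresh_token expired")
        return self.grant_after_authorization(client_id)


def basic_header(client_id: str, secret: str) -> dict[str, str]:
    token = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return {"Authorization": "Basic " + token}


def demo() -> dict[str, str]:
    """Replay the issue's three bogus-token cases, then a real refresh and its replay."""
    ep = TokenEndpoint({"web-app": "s3cret", "native-app": None})   # constructed clients
    bogus = str(uuid.uuid4())                                        # never issued by ep
    refresh = {"grant_type": "refresh_token", "refresh_token": bogus}
    cases = {
        "bogus_client_id_in_form": ({**refresh, "client_id": "native-app"}, {}),
        "bogus_http_basic": (refresh, basic_header("web-app", "s3cret")),
        "bogus_both": ({**refresh, "client_id": "web-app"}, basic_header("web-app", "s3cret")),
    }
    outcome = {}
    real = ep.grant_after_authorization("web-app")["refresh_token"]
    cases["valid_refresh"] = ({**refresh, "refresh_token": real}, basic_header("web-app", "s3cret"))
    cases["replayed_refresh"] = cases["valid_refresh"]
    for name, (form, headers) in cases.items():
        try:
            ep.token(form, headers)
            outcome[name] = "issued"
        except TokenError as err:
            outcome[name] = err.code
    return outcome


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The three bogus cases mirror the reproduction flags above (client_id in the form, HTTP Basic, both) and all end in invalid_grant; the only request that yields tokens is the one carrying a refresh token the endpoint itself issued, and presenting that token a second time fails because it was rotated out on first use.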
