CVE-2023-20903 (user_account_and_authentication)

This disclosure regards a vulnerability related to UAA refresh tokens and external identity providers.Assuming that an external identity provider is linked to the UAA, a refresh token is issued to a client on behalf of a user from that identity provider, the administrator of the UAA deactivates the identity provider from the UAA. It is expected that the UAA would reject a refresh token during a refresh token grant, but it does not (hence the vulnerability). It will continue to …

access access tokens client cve disclosure external grant identity identity provider identity providers refresh token reject request token tokens vulnerability