
Disabled user can refresh access token #1385

Open
saxicek opened this issue May 26, 2020 · 2 comments

saxicek commented May 26, 2020

Description:

I configured account disabling and I thought that when I disable a user who holds a refresh token, the user won't be able to get a new access token. But the /oauth2/token endpoint is issuing new tokens no matter whether the user is disabled or not.

Affected Product Version:
WSO2 IS 5.9.0

OS, DB, other environment details and versions:
I used Docker Hub image wso2/wso2is:5.9.0.

Steps to reproduce:

  1. Create user and role.
  2. Add SP and configure OAuth Inbound Authentication using defaults except for:
    • renew refresh token - false
    • allow client authentication without client secret - true
    • token issuer - JWT
    • callback URL
  3. Configure account disabling (https://is.docs.wso2.com/en/5.9.0/learn/account-disabling/)
  4. Log in to the web application using the SP configured in step 2 and use the OAuth 2.0 Authorization Code flow. Refresh of access tokens should work.
  5. Disable the user in WSO2 IS.
  6. The web application is still able to refresh access tokens, which is not expected: a request to /oauth2/token with grant_type=refresh_token should be denied with error invalid_grant.

Related Issues:

When I investigated I found out that it works as expected when the account is locked from the user profile, but only when just "Account Locked" is set to true. When I set both "Account Locked" and "Account Disabled" to true, then access tokens can be refreshed again.
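The behaviour reported above, in a small stand-alone model (an added example, not WSO2 IS code): a refresh_token grant handler in the form the issue describes, which validates only the token itself, next to a hardened form that re-reads the owning user's account state from the user store on every refresh and fails closed on a disabled, locked or unknown user. A second layer, revoking all of a user's refresh tokens at disable time, is also shown. The names TokenStore, refresh_vulnerable, refresh_hardened and disable_user are hypothetical, and the user and token records are constructed in-memory stand-ins for a real user store and token database.

```python
# Added example (not WSO2 IS code): a minimal OAuth 2.0 refresh_token grant
# handler in the vulnerable form the issue describes and a hardened form.
# TokenStore, refresh_vulnerable, refresh_hardened and disable_user are
# hypothetical names; the records below are constructed in-memory stand-ins.
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    account_disabled: bool = False
    account_locked: bool = False

    @property
    def active(self) -> bool:
        # Either flag alone must block token issuance.
        return not (self.account_disabled or self.account_locked)


@dataclass
class RefreshRecord:
    username: str
    revoked: bool = False


@dataclass
class TokenStore:
    users: dict = field(default_factory=dict)
    refresh_tokens: dict = field(default_factory=dict)

    def add_user(self, username: str) -> User:
        user = User(username)
        self.users[username] = user
        return user

    def issue_refresh_token(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self.refresh_tokens[token] = RefreshRecord(username)
        return token


def _invalid_grant() -> dict:
    # RFC 6749 error for a refresh token that must not be honoured.
    return {"error": "invalid_grant"}


def _new_access_token() -> dict:
    # Opaque token for illustration; a JWT issuer would sign claims here.
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def refresh_vulnerable(store: TokenStore, refresh_token: str) -> dict:
    """Behaviour reported in the issue: only the token record is checked, so a
    disabled user's refresh token keeps minting access tokens."""
    rec = store.refresh_tokens.get(refresh_token)
    if rec is None or rec.revoked:
        return _invalid_grant()
    return _new_access_token()


def refresh_hardened(store: TokenStore, refresh_token: str) -> dict:
    """Hardened grant: look the owning user up in the user store on every
    refresh (not in a request-scoped cache that may be empty) and fail closed
    on an unknown or non-active account."""
    rec = store.refresh_tokens.get(refresh_token)
    if rec is None or rec.revoked:
        return _invalid_grant()
    user = store.users.get(rec.username)
    if user is None or not user.active:
        rec.revoked = True  # retire the token so later retries are denied too
        return _invalid_grant()
    return _new_access_token()


def disable_user(store: TokenStore, username: str) -> int:
    """Second layer: flip the flag and revoke the user's outstanding refresh
    tokens in the same operation. Returns the number of tokens revoked."""
    store.users[username].account_disabled = True
    revoked = 0
    for rec in store.refresh_tokens.values():
        if rec.username == username and not rec.revoked:
            rec.revoked = True
            revoked += 1
    return revoked
```

The point of keeping both layers is that they fail independently: if the disable-time revocation does not run (the situation the reporter describes, where the account state is flipped but the token survives), the per-request state check still denies the grant, and if the per-request check is somehow skipped, the token has already been revoked.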

@janakamarasena (Contributor)

Did you see any errors in the terminal?


saxicek commented May 26, 2020

No. No errors were shown.

I tried to debug it, and in IdentityOathEventListener#revokeTokensOfDisabledUser the call IdentityUtil.threadLocalProperties.get().get(IdentityCoreConstants.USER_ACCOUNT_STATE); returned null, which I think is the root cause of the issue.
