Duende.AccessTokenManagement Race Condition Vulnerability in OAuth Client Credentials Flow

Vulnerability

A race condition vulnerability has been identified in Duende.AccessTokenManagement versions through 3.1.1 when access tokens are requested via the client credentials flow. The issue arises when concurrent token requests for the same client use different protocol parameters: the requests can be served with access tokens carrying incorrect scopes, resource indicators, or other parameters. While this vulnerability is somewhat uncommon and likely affects only a small percentage of users, its impact varies with the application's logic, security architecture, and the authorization policies of the resource servers.

Impact

When the race is triggered, access tokens are issued with incorrect protocol parameters, potentially allowing access to resources or actions that should have been restricted to a different scope or resource indicator.

Reproduction

The vulnerability can be reproduced by sending concurrent requests to obtain access tokens using the client credentials flow while varying the protocol parameters, such as scope or resource indicator. This can be done by calling the 'HttpContext.GetClientAccessTokenAsync()' method or the 'IClientCredentialsTokenManagementService.GetAccessTokenAsync()' method, using the overloads that accept a 'TokenRequestParameters' object to customize the token request. Without synchronization that accounts for those parameters, the concurrent requests will receive the same token regardless of the different parameters used.

Remediation

Users can upgrade to Duende.AccessTokenManagement version 3.2.0 or later to address this vulnerability. Those who have customized the 'IClientCredentialsTokenCache' should modify their code to inject the 'ITokenRequestSynchronization' service into the derived class and pass it to the base constructor, so that token request synchronization is applied by the cache itself.
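To make the reproduction and the remediation concrete, the following Python model (added for this advisory; it is not Duende's code and does not call the library) simulates a client-credentials token manager whose in-flight token requests are de-duplicated by a synchronization key. With the key derived from the client name alone, a second concurrent caller asking for a different scope is handed the first caller's token; with the key derived from the full request (client, scope, resource), each distinct request gets its own token. The token endpoint, client name 'api', the scopes 'read' and 'admin', and the token ids are all constructed sample values, and the class and function names are assumptions for the example.

```python
import asyncio
from dataclasses import dataclass
from typing import Callable, Dict, Hashable, List, Optional, Tuple


@dataclass(frozen=True)
class TokenRequestParameters:
    """Per-request protocol parameters (modelled on the TokenRequestParameters
    overloads mentioned above; constructed for this example)."""
    scope: Optional[str] = None
    resource: Optional[str] = None


@dataclass(frozen=True)
class Token:
    access_token: str
    scope: Optional[str]
    resource: Optional[str]


class FakeTokenEndpoint:
    """Constructed stand-in for an OAuth token endpoint. It is slow enough that
    concurrent requests overlap, and it echoes the requested scope/resource so a
    mismatch between what was asked for and what was issued is visible."""

    def __init__(self) -> None:
        self.calls = 0

    async def request(self, client_name: str, params: TokenRequestParameters) -> Token:
        self.calls += 1
        n = self.calls
        await asyncio.sleep(0.01)  # simulate network latency so requests overlap
        return Token(f"tok-{n}", params.scope, params.resource)


SyncKey = Callable[[str, TokenRequestParameters], Hashable]


def sync_by_client(client_name: str, params: TokenRequestParameters) -> Hashable:
    """Vulnerable shape: in-flight requests are joined per client only."""
    return client_name


def sync_by_request(client_name: str, params: TokenRequestParameters) -> Hashable:
    """Hardened shape: only truly identical requests are joined."""
    return (client_name, params.scope, params.resource)


class TokenManager:
    """Simplified client-credentials token manager (assumption: not Duende's
    implementation). The cache is keyed on the full request, but in-flight
    requests are joined via `sync_key`; a sync key that omits parameters can
    hand a caller a token obtained for another caller's parameters."""

    def __init__(self, endpoint: FakeTokenEndpoint, sync_key: SyncKey) -> None:
        self._endpoint = endpoint
        self._sync_key = sync_key
        self._cache: Dict[Tuple, Token] = {}
        self._inflight: Dict[Hashable, "asyncio.Future[Token]"] = {}

    async def get_access_token(self, client_name: str,
                               params: TokenRequestParameters = TokenRequestParameters()) -> Token:
        cache_key = (client_name, params.scope, params.resource)
        cached = self._cache.get(cache_key)
        if cached is not None:
            return cached
        key = self._sync_key(client_name, params)
        fut = self._inflight.get(key)
        if fut is not None:
            # Join the in-flight request. This is only correct if `key` captures
            # every parameter that changes the token the endpoint will issue.
            return await fut
        fut = asyncio.ensure_future(self._fetch(client_name, params, cache_key))
        self._inflight[key] = fut
        try:
            return await fut
        finally:
            self._inflight.pop(key, None)

    async def _fetch(self, client_name: str, params: TokenRequestParameters,
                     cache_key: Tuple) -> Token:
        token = await self._endpoint.request(client_name, params)
        self._cache[cache_key] = token
        return token


async def _concurrent_requests(sync_key: SyncKey) -> List[Tuple[str, Optional[str], str]]:
    manager = TokenManager(FakeTokenEndpoint(), sync_key)
    scopes = ["read", "admin"]  # constructed: two callers wanting different scopes
    tokens = await asyncio.gather(
        *(manager.get_access_token("api", TokenRequestParameters(scope=s)) for s in scopes)
    )
    return [(s, t.scope, t.access_token) for s, t in zip(scopes, tokens)]


def run_scenario(sync_key: SyncKey) -> List[Tuple[str, Optional[str], str]]:
    """Fire two concurrent requests with different scopes and report
    (requested scope, scope of the token actually returned, token id)."""
    return asyncio.run(_concurrent_requests(sync_key))


def scope_mismatches(results: List[Tuple[str, Optional[str], str]]) -> List[str]:
    """Detection check: requested scopes whose returned token carries a different scope."""
    return [requested for requested, granted, _ in results if requested != granted]


if __name__ == "__main__":
    for name, fn in (("sync by client", sync_by_client), ("sync by request", sync_by_request)):
        results = run_scenario(fn)
        print(f"{name}: {results} mismatches={scope_mismatches(results)}")
```

The `scope_mismatches` check is the kind of assertion worth adding to an integration test of any custom 'IClientCredentialsTokenCache': request tokens concurrently with differing parameters and verify that every returned token carries the scope and resource that were actually requested.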

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.2
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.