[security:low, CVE-2021-35473] OAuth2 handler does not verify access token validity

Concerned version

Version: %2.0.4 to %2.0.11

Summary

Configure an OIDC client
Configure a OAuth2 handler
Set access token lifetime to 10 seconds
Use Access Token from OIDC client to access the OAuth2 handler => works
Wait 30 seconds
Use Access Token from OIDC client to access the OAuth2 handler => WORKS
/userinfo or /introspection correctly show that the token is expired

Logs

[debug] Found OAuth2 access token 597d0faa693e96f08823e73164c87366b586104f575dcc648cf7b90a88b8988e
[debug] Get OIDC session 597d0faa693e96f08823e73164c87366b586104f575dcc648cf7b90a88b8988e
# missing validation here
[debug] Get user session id 59941a30e71df1c86fb05e14eec697264ca38311b18c082731230af6f23f8787

Edited Jun 25, 2021 by Yadd