
Introspection endpoint must return 200 http status code with active=false if token is not found on AS instead of 400 #929

Closed
yuriyz opened this Issue Oct 26, 2018 · 1 comment

@yuriyz
Contributor

yuriyz commented Oct 26, 2018

From spec https://tools.ietf.org/html/rfc7662#section-2.2:

    If the introspection call is properly authorized but the token is not
    active, does not exist on this server, or the protected resource is
    not allowed to introspect this particular token, then the
    authorization server MUST return an introspection response with the
    "active" field set to "false".
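The behaviour the RFC passage above requires, as an added example that is not the project's own code: a minimal introspection endpoint modelled as plain Python functions, with the pre-fix variant (HTTP 400 for an unknown token) beside the spec-conformant one (HTTP 200 with `"active": false`), plus the check a protected resource should apply to the response. The resource-server credentials, token store, fixed clock and token values are all constructed for the example.

```python
# Added example (not the project's own code): a minimal RFC 7662 token
# introspection endpoint modelled as plain functions, contrasting the
# pre-fix behaviour (HTTP 400 for an unknown token) with what section 2.2
# requires (HTTP 200 with "active": false). All data below is constructed.
import secrets

# Constructed sample data: one resource server allowed to call the endpoint,
# and a token store keyed by token value.
RS_CREDENTIALS = {"rs-1": "rs-1-secret"}
NOW = 1_540_000_000  # fixed "current time" so the example is deterministic
TOKEN_STORE = {
    "tok-valid":    {"client_id": "app-1", "scope": "read", "aud": "rs-1", "exp": NOW + 3600},
    "tok-expired":  {"client_id": "app-1", "scope": "read", "aud": "rs-1", "exp": NOW - 60},
    "tok-other-rs": {"client_id": "app-2", "scope": "read", "aud": "rs-2", "exp": NOW + 3600},
}


def _caller_authorized(auth):
    """RFC 7662 section 2.1: the introspection call itself must be authorized."""
    if auth is None:
        return False
    client_id, secret = auth
    expected = RS_CREDENTIALS.get(client_id)
    # constant-time comparison so the secret is not leaked through timing
    return expected is not None and secrets.compare_digest(expected, secret)


def introspect(auth, token, now=NOW):
    """Spec-conformant handler. Returns (http_status, json_body)."""
    if not _caller_authorized(auth):
        # section 2.3: invalid caller credentials are a 401, not a token verdict
        return 401, {"error": "invalid_client"}
    if not token:
        # 'token' is a REQUIRED parameter; a malformed request is the one 400 case
        return 400, {"error": "invalid_request"}
    rec = TOKEN_STORE.get(token)
    rs_id = auth[0]
    # section 2.2: unknown, inactive, or not introspectable by this caller all
    # collapse to the same 200 {"active": false}, so the response does not
    # reveal which of the three applies.
    if rec is None or rec["exp"] <= now or rec["aud"] != rs_id:
        return 200, {"active": False}
    return 200, {
        "active": True,
        "client_id": rec["client_id"],
        "scope": rec["scope"],
        "aud": rec["aud"],
        "exp": rec["exp"],
    }


def introspect_pre_fix(auth, token, now=NOW):
    """The behaviour this issue reports: an unknown token produced HTTP 400."""
    if not _caller_authorized(auth):
        return 401, {"error": "invalid_client"}
    if token not in TOKEN_STORE:
        return 400, {"error": "invalid_token"}  # wrong per section 2.2
    return introspect(auth, token, now)


def resource_server_accepts(status, body):
    """How a protected resource should read the response: only an explicit
    200 with active == true lets the request through. Any other status is a
    request or transport error, not a verdict, and never counts as active."""
    return status == 200 and body.get("active") is True


if __name__ == "__main__":
    rs = ("rs-1", "rs-1-secret")
    for name, handler in (("pre-fix", introspect_pre_fix), ("fixed", introspect)):
        status, body = handler(rs, "tok-does-not-exist")
        print(f"{name}: unknown token -> {status} {body}")
```

The point of collapsing "not found", "expired" and "wrong audience" into one `{"active": false}` response is that a caller cannot use the endpoint to distinguish a token that never existed from one that exists but belongs to another resource server; the 400 in the pre-fix variant leaked exactly that distinction.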

@yuriyz yuriyz added the bug label Oct 26, 2018

@yuriyz yuriyz added this to the 3.1.5 milestone Oct 26, 2018

@yuriyz yuriyz self-assigned this Oct 26, 2018

yuriyz added a commit that referenced this issue Oct 26, 2018

#929 : Introspection endpoint must return 200 http status code with a…
…ctive=false if token is not found on AS instead of 400

#929

yuriyz added a commit that referenced this issue Oct 26, 2018

#929 (4.0) : Introspection endpoint must return 200 http status code …
…with active=false if token is not found on AS instead of 400

#929

(cherry picked from commit e542364)
@yuriyz

Contributor

yuriyz commented Oct 26, 2018

Fixed in 3.1.5 and master.

@yuriyz yuriyz closed this Oct 26, 2018
