This repository has been archived by the owner on Dec 13, 2022. It is now read-only.
IsActive being called from the user interaction service makes some sense -- this is where we determine prompt mode and decide if we're triggering login, or login_required error response.
We could move this up to the authorize request validator, and then just treat the user as anonymous for the rest of the request (assuming nowhere else queries the authentication managed on the http context). The interaction service does good logging, though, on the situation, whereas the authorize request validator isn't inspecting the prompt param.
The reason we opened this issue in the first place is that we expected IsActive to really be called from the authorize response generator (when it issues its tokens). But looking at the token endpoint validator and response generator, they also do the same pattern where it's the validator's job to check IsActive. So technically IsActive isn't ever called where we issue tokens -- it's called when we validate token requests (to be pedantic about it).
So, given that authorization validation requires not only protocol level validation, but user interaction validation, I think the code is fine the way it is.
In general, but specifically from authorization endpoint