This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

Review where IsActive is called #258

Closed
brockallen opened this issue Sep 3, 2016 · 2 comments

@brockallen
Member

In general, but specifically from authorization endpoint

@brockallen
Member Author

IsActive being called from the user interaction service makes some sense -- this is where we determine prompt mode and decide if we're triggering login, or login_required error response.

We could move this up to the authorize request validator, and then just treat the user as anonymous for the rest of the request (assuming nowhere else queries the authentication managed on the http context). The interaction service does good logging, though, on the situation, whereas the authorize request validator isn't inspecting the prompt param.

The reason we opened this issue in the first place is that we expected IsActive to really be called from the authorize response generator (when it issues its tokens). But looking at the token endpoint validator and response generator, they also do the same pattern where it's the validator's job to check IsActive. So technically IsActive isn't ever called where we issue tokens -- it's called when we validate token requests (to be pedantic about it).

So, given that authorization validation requires not only protocol level validation, but user interaction validation, I think the code is fine the way it is.

TL;DR: I think we can close this issue.

@brockallen brockallen removed this from the RC2 milestone Oct 7, 2016
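
The placement discussed in the comment above, sketched as an added example that is not part of the original thread and not IdentityServer's own code. Every type and method name here (`Flow`, `Outcome`, `User`, the local `IsActive`) is hypothetical, and the sample users are constructed.

```csharp
using System;

// Hypothetical model of the request flow; none of these types are IdentityServer's API.
public enum Outcome { IssueResponse, ShowLogin, LoginRequiredError, RejectTokenRequest }

public sealed class User
{
    public string SubjectId { get; }
    public bool Active { get; }
    public User(string subjectId, bool active) { SubjectId = subjectId; Active = active; }
}

public static class Flow
{
    // Stand-in for the IsActive check (assumption: a plain flag lookup).
    static bool IsActive(User user) => user != null && user.Active;

    // Authorization endpoint: the interaction step runs before the response
    // generator. An inactive user is handled like an anonymous one, and the
    // prompt parameter decides between the login page and login_required.
    public static Outcome Authorize(User user, string prompt)
    {
        if (!IsActive(user))
        {
            // Log the decision at the point where prompt is inspected.
            string who = user == null ? "anonymous" : "inactive user " + user.SubjectId;
            Console.WriteLine("interaction: " + who + ", prompt=" + (prompt ?? "(not sent)"));
            return prompt == "none" ? Outcome.LoginRequiredError : Outcome.ShowLogin;
        }
        return Outcome.IssueResponse; // the response generator is reached only here
    }

    // Token endpoint: same pattern. The request validator checks IsActive, so
    // the response generator never runs for an inactive user.
    public static Outcome Token(User user) =>
        IsActive(user) ? Outcome.IssueResponse : Outcome.RejectTokenRequest;

    public static void Main()
    {
        var disabled = new User("constructed-sub-1", active: false); // constructed sample
        var enabled = new User("constructed-sub-2", active: true);   // constructed sample
        Console.WriteLine(Authorize(disabled, "none"));
        Console.WriteLine(Authorize(disabled, null));
        Console.WriteLine(Authorize(enabled, "none"));
        Console.WriteLine(Token(disabled));
    }
}
```

In both endpoints the check sits in front of token issuance rather than inside it, so a regression test for this placement should assert that no response is generated for an inactive subject on either path.
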
@lock

lock bot commented Jan 15, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 15, 2020