Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: wrong error code returned in case of inactive token #3441

Merged
merged 12 commits into from
Mar 31, 2024
Merged

fix: wrong error code returned in case of inactive token #3441

merged 12 commits into from
Mar 31, 2024

Conversation

supercairos
Copy link
Contributor

What this PR does / why we need it

While making #3404 I made a mistake and set inactive token to a status code 401 where it should be 200

https://datatracker.ietf.org/doc/html/rfc7662#section-2.2

   If the introspection call is properly authorized but the token is not
   active, does not exist on this server, or the protected resource is
   not allowed to introspect this particular token, then the
   authorization server MUST return an introspection response with the
   "active" field set to "false".  Note that to avoid disclosing too
   much of the authorization server's state to a third party, the
   authorization server SHOULD NOT include any additional information
   about an inactive token, including why the token is inactive.

   The following is a non-normative example response for a token that
   has been revoked or is otherwise invalid:

     HTTP/1.1 200 OK
     Content-Type: application/json

     {
      "active": false
     }

Also in Auth0 page:
https://www.oauth.com/oauth2-servers/token-introspection-endpoint/

In any of these cases, it is not considered an error response, and the endpoint returns simply an inactive flag.

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
 
{
  "active": false
}

@supercairos
[RFC7662] Add introspect endpoint to introspect access & refresh toke…
4e1031f 
…n. See issue dexidp#3387

Signed-off-by: Romain Caire <super.cairos@gmail.com>
@supercairos
Merge branch 'master' into rcaire/dex-introspect
433e059 
Signed-off-by: Romain Caire <super.cairos@gmail.com>
@supercairos
Fix following review
e7dbf1c 
Signed-off-by: Romain Caire <super.cairos@gmail.com>
@supercairos
Remove comment about route protection not being relevant.
d11648b 
Signed-off-by: Romain Caire <super.cairos@gmail.com>
@supercairos
Merge branch 'master' into rcaire/dex-introspect
86829c7
@supercairos
Fix lint
540a3a9 
Signed-off-by: Romain Caire <super.cairos@gmail.com>
@supercairos
Add introspect to discovery handler
672a46e 
Signed-off-by: Romain Caire <super.cairos@gmail.com>
@supercairos
Fix typo...
1594cc2 
Signed-off-by: Romain Caire <super.cairos@gmail.com>
@supercairos
Change URL from /introspect to /token/introspect
f54b43a 
Signed-off-by: Romain Caire <super.cairos@gmail.com>
@supercairos
Remove type only file and move content to introspect_handler file
47bb28f 
Signed-off-by: Romain Caire <super.cairos@gmail.com>
@supercairos
Merge branch 'master' into rcaire/dex-introspect
aa1504d
@supercairos
fix: wrong error code returned in case of inactive token
a64c9a7 
Signed-off-by: Romain Caire <super.cairos@gmail.com>
@nabokihms nabokihms self-requested a review March 31, 2024 14:46
@nabokihms nabokihms added the release-note/ignore Ignore this change when generating release notes label Mar 31, 2024
@nabokihms nabokihms merged commit 86e92aa into dexidp:master Mar 31, 2024
9 of 10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nabokihms nabokihms nabokihms approved these changes

Assignees
No one assigned
Labels
release-note/ignore Ignore this change when generating release notes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@supercairos @nabokihms