
fix: wrong error code returned in case of inactive token #3441

Merged
merged 12 commits into from
Mar 31, 2024

Conversation

supercairos
Copy link
Contributor

What this PR does / why we need it

While making #3404 I made a mistake and set the inactive-token response to status code 401 where it should be 200.

https://datatracker.ietf.org/doc/html/rfc7662#section-2.2

   If the introspection call is properly authorized but the token is not
   active, does not exist on this server, or the protected resource is
   not allowed to introspect this particular token, then the
   authorization server MUST return an introspection response with the
   "active" field set to "false".  Note that to avoid disclosing too
   much of the authorization server's state to a third party, the
   authorization server SHOULD NOT include any additional information
   about an inactive token, including why the token is inactive.

   The following is a non-normative example response for a token that
   has been revoked or is otherwise invalid:

     HTTP/1.1 200 OK
     Content-Type: application/json

     {
      "active": false
     }

Also on the Auth0 page:
https://www.oauth.com/oauth2-servers/token-introspection-endpoint/

In any of these cases, it is not considered an error response, and the endpoint returns simply an inactive flag.

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
 
{
  "active": false
}
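For reference, an added example (not dex's code) of an introspection handler in Go that makes the distinction the RFC text above draws: the caller's own credentials decide whether the request is rejected with 401, while the token's state only decides the `active` flag, and the reason a token is inactive never leaves the server. The static bearer secret, the in-memory token store and the `/token/introspect` path are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
)

// tokenState is a constructed stand-in for the server's lookup result; reason stays
// server-side because RFC 7662 section 2.2 says not to disclose why a token is inactive.
type tokenState struct{ active bool; reason string }

// store is a constructed token table; only "good-token" is active.
var store = map[string]tokenState{
	"good-token":    {active: true},
	"expired-token": {active: false, reason: "expired"},
	"revoked-token": {active: false, reason: "revoked"},
}

// introspectHandler: an unauthorized caller gets 401 (the call itself is
// rejected); an authorized caller always gets 200, and an unknown or
// inactive token is reported only as {"active": false}.
func introspectHandler(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("Authorization") != "Bearer client-secret" { // assumed client credential
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	if err := r.ParseForm(); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	st, ok := store[r.PostForm.Get("token")]
	if !ok || !st.active { // missing, expired and revoked look identical to the caller
		json.NewEncoder(w).Encode(map[string]bool{"active": false})
		return
	}
	json.NewEncoder(w).Encode(map[string]interface{}{"active": true, "token_type": "Bearer"})
}

// introspect drives the handler in-process and returns (status, body).
func introspect(auth, token string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/token/introspect", strings.NewReader("token="+token))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Authorization", auth)
	rec := httptest.NewRecorder()
	introspectHandler(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}
```

Calling `introspect("Bearer client-secret", "revoked-token")` yields `200` with `{"active":false}`, while a wrong credential yields `401` regardless of the token.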

…n. See issue dexidp#3387

Signed-off-by: Romain Caire <super.cairos@gmail.com>
@nabokihms nabokihms self-requested a review March 31, 2024 14:46
@nabokihms nabokihms added the release-note/ignore Ignore this change when generating release notes label Mar 31, 2024
@nabokihms nabokihms merged commit 86e92aa into dexidp:master Mar 31, 2024
9 of 10 checks passed