v5.0.0-rc.3

Pre-release

Released by @jasonraimondi on 08 Jun 22:39 · 28 commits to main since this release · commit 5047b1c

Fixed

  • The /token/revoke endpoint now returns 401 invalid_client when client authentication fails (a missing or invalid client_id, a wrong client_secret, or a confidential client with no secret) instead of silently returning 200. RFC 7009 §2.1 requires a failed client authentication to be refused with an RFC 6749 §5.2 error response; the empty 200 is only correct for an invalid token (RFC 7009 §2.2). The introspect endpoint is harmonized for the missing-client_id case. Cross-client token-ownership mismatches and invalid/unknown/malformed tokens still return 200. (#234)
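The decision order this fix enforces, as an added stand-alone example that is not the library's own code: client authentication is checked first and refused with 401 invalid_client, and only then is the token looked up, with unknown tokens and tokens owned by another client both answered with an empty 200. The client store, token store, and the 400 invalid_request for a missing token parameter are assumptions constructed for the example.

```typescript
// Added example: a minimal model of the RFC 7009 revocation decision order.
// Not @jmondi/oauth2-server code; clients and tokens below are constructed sample data.
type Client = { id: string; secret?: string; isConfidential: boolean };
type Token = { value: string; clientId: string };
type RevokeRequest = { client_id?: string; client_secret?: string; token?: string };
type RevokeResponse = { status: 200 | 400 | 401; body?: { error: string } };

const clients: Record<string, Client> = {
  "web-app": { id: "web-app", secret: "s3cret", isConfidential: true }, // confidential
  "spa": { id: "spa", isConfidential: false },                          // public
};
const tokens = new Map<string, Token>([
  ["tok-web", { value: "tok-web", clientId: "web-app" }],
  ["tok-spa", { value: "tok-spa", clientId: "spa" }],
]);

// Constant-time comparison so a wrong secret is not distinguishable by timing.
function secretsMatch(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// RFC 7009 §2.1: authenticate the client before touching the token. A missing or
// unknown client_id, a wrong secret, or a confidential client presenting no secret
// all fail here; the caller answers with an RFC 6749 §5.2 error, never a silent 200.
function authenticateClient(req: RevokeRequest): Client | null {
  if (!req.client_id) return null;
  const client = clients[req.client_id];
  if (!client) return null;
  if (client.isConfidential) {
    if (!client.secret || !req.client_secret) return null;
    if (!secretsMatch(client.secret, req.client_secret)) return null;
  }
  return client;
}

function revoke(req: RevokeRequest): RevokeResponse {
  const client = authenticateClient(req);
  if (!client) return { status: 401, body: { error: "invalid_client" } };
  // Assumed handling: token is REQUIRED, so its absence is an invalid_request.
  if (!req.token) return { status: 400, body: { error: "invalid_request" } };
  const stored = tokens.get(req.token);
  // RFC 7009 §2.2: an invalid/unknown token, or one owned by another client,
  // still yields an empty 200 so the endpoint reveals nothing about it.
  if (stored && stored.clientId === client.id) tokens.delete(req.token);
  return { status: 200 };
}

function tokenExists(value: string): boolean {
  return tokens.has(value);
}
```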