New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Introspection endpoint doesn't follow RFCs for invalid token #42

darkweaver87 opened this Issue Apr 19, 2018 · 2 comments


None yet
2 participants

darkweaver87 commented Apr 19, 2018


I'm not doing a PR as I don't know how do you want to correct this issue (serveral possibilities). Here:

raise InvalidRequestError()

when the token doesn't exist it should return a 200 with active=false instead of an invalid request as the RFC mention it:

If the introspection call is properly authorized but the token is not active, does not exist on this server, r the protected resource is not allowed to introspect this particular token, then the authorization server MUST return an introspection response with the "active" field set to "false"

On my side I just did return a special value in query_token and handled it in introspect_token.


lepture added a commit that referenced this issue Apr 19, 2018


This comment has been minimized.


lepture commented Apr 19, 2018

Thanks for your report. I've made some changes, can you verify if it works?


This comment has been minimized.

darkweaver87 commented Apr 20, 2018

Yes my unit tests are working without my "patch" so perfect to me :-)
Many thanks ! 🥇

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment