/admin/oauth2/auth/requests/login returns 200 instead of 410 for a used login_challenge #3755
Closed
5 tasks done
Labels
bug
Something is not working.
Preflight checklist
Ory Network Project
No response
Describe the bug
Currently, I am using Ory version 2.1.1, and the /admin/oauth2/auth/requests/login API returns 410 with the redirect URL in the redirect_to parameter for a used login_challenge.
But in version 2.2.0, the /oauth2/auth/requests/login API is returning 200 for a used login_challenge. This is leading to a breaking flow at the end, as the login_challenge is already used.
I don't see any mention of this in the release notes, so I am reporting it as a bug.
Reproducing the bug
hydra serve all
curl -X GET http://example.com:80/oauth2/auth\?client_id\=client-1
=> this gives a login challenge, say foo
Get login challenge
curl -X GET http://example.com:9080/admin/oauth2/auth/requests/login\?login_challenge\=foo
Accept login
curl -X PUT http://example.com:9080/admin/oauth2/auth/requests/login/accept\?login_challenge\=foo -d '{"subject": "subject", "remember": true, "remember_for": 1}'
=> this gives the redirect URL in redirect_to
Once the redirect URL is visited, the login challenge is used.
Get login challenge again
curl -X GET http://example.com:9080/admin/oauth2/auth/requests/login\?login_challenge\=foo
In version 2.1.1, this get login returns 410 with the redirect_to URL.
But in version 2.2.0, it is returning 200.
Relevant log output
No response
Relevant configuration
No response
Version
2.2.0
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
No response
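A regression check for the behaviour described in this report, as an added example that is not part of the original issue or of Hydra's code: it asserts that a used login_challenge is answered with 410 and a redirect_to URL. It runs against a constructed local stub that mimics the two responses the report describes; start_stub, check_stub and the stub's response bodies are assumptions.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, parse, request

OPENER = request.build_opener(request.ProxyHandler({}))  # ignore proxy env vars

def probe_login_challenge(admin_base, challenge):
    """GET the login request; return (HTTP status, redirect_to or None)."""
    query = parse.urlencode({"login_challenge": challenge})
    url = f"{admin_base}/admin/oauth2/auth/requests/login?{query}"
    try:
        with OPENER.open(url, timeout=5) as resp:
            status, body = resp.status, json.load(resp)
    except error.HTTPError as err:  # urllib raises on 4xx, 410 included
        status, body = err.code, json.loads(err.read() or b"{}")
    return status, body.get("redirect_to")

def used_challenge_is_rejected(admin_base, challenge):
    """True only when a used challenge yields 410 plus a redirect_to URL."""
    status, redirect_to = probe_login_challenge(admin_base, challenge)
    return status == 410 and bool(redirect_to)

def start_stub(status_for_used):
    """Constructed stand-in for the admin API; it treats every challenge as used."""
    redirect = {"redirect_to": "http://example.com/constructed-redirect"}
    data = json.dumps(redirect if status_for_used == 410 else {"challenge": "foo"}).encode()

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status_for_used)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):  # keep the run quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

def check_stub(status_for_used):
    server, base = start_stub(status_for_used)
    try:
        return used_challenge_is_rejected(base, "foo")
    finally:
        server.shutdown()
        server.server_close()
```

Against a real deployment, call used_challenge_is_rejected with the admin base URL and a challenge that has already been accepted and redirected.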