
Refactor token introspection #1726

Merged
merged 1 commit into from
Aug 13, 2024

Conversation

nbulaj
Member

@nbulaj nbulaj commented Aug 13, 2024

RFC:

If the protected resource uses an OAuth 2.0 bearer token to authorize
its call to the introspection endpoint and the token used for
authorization does not contain sufficient privileges or is otherwise
invalid for this request, the authorization server responds with an
HTTP 401 code as described in Section 3 of OAuth 2.0 Bearer Token
Usage [RFC6750].

Note that a properly formed and authorized query for an inactive or
otherwise invalid token (or a token the protected resource is not
allowed to know about) is not considered an error response by this
specification. In these cases, the authorization server MUST instead
respond with an introspection response with the "active" field set to
"false" as described in Section 2.2.

Fixes #1716
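The two response classes the quoted RFC text distinguishes, as an added Ruby example that is not Doorkeeper's code: a caller whose own bearer token fails authorization gets HTTP 401, while any problem with the queried token (unknown, inactive, belonging to another resource, or a custom response hook that evaluates to false, the case the PR title refers to) yields HTTP 200 with "active": false. The token store, the "introspect" scope name and the custom_hook parameter are constructed assumptions.

```ruby
# Constructed token store standing in for a real access-token table.
# The "introspect" scope marks tokens allowed to call the introspection endpoint.
TOKENS = {
  "rs-token"   => { active: true,  scopes: %w[introspect], resource: "rs1" },
  "user-token" => { active: true,  scopes: %w[read write], resource: "rs1" },
  "expired"    => { active: false, scopes: %w[read],       resource: "rs1" },
  "other-rs"   => { active: true,  scopes: %w[read],       resource: "rs2" },
}.freeze

INACTIVE = { active: false }.freeze

# Handle one introspection request. Returns [status, headers, body].
# custom_hook is a hypothetical stand-in for an application-supplied response
# hook: it may add claims, or return false/nil to hide the token from the caller.
def introspect(authorization_header, token_param, custom_hook = nil)
  # Step 1: authenticate the caller's own bearer token. Any failure here is an
  # error response per RFC 6750 Section 3: HTTP 401 with WWW-Authenticate.
  bearer = authorization_header.to_s[/\ABearer (\S+)\z/, 1]
  requester = bearer && TOKENS[bearer]
  unless requester && requester[:active] && requester[:scopes].include?("introspect")
    return [401, { "WWW-Authenticate" => 'Bearer realm="introspection", error="invalid_token"' }, nil]
  end

  # Step 2: evaluate the queried token. Unknown, inactive, or belonging to a
  # resource the caller may not learn about is NOT an error: respond 200 with
  # {"active": false}, identically for every case so nothing is leaked.
  target = TOKENS[token_param]
  json = { "Content-Type" => "application/json" }
  unless target && target[:active] && target[:resource] == requester[:resource]
    return [200, json, INACTIVE]
  end

  body = { active: true, scope: target[:scopes].join(" ") }
  if custom_hook
    extra = custom_hook.call(target)
    # A hook that evaluates to false (or nil) means "do not disclose", which is
    # still an active=false response, never a 401 and never an exception.
    return [200, json, INACTIVE] unless extra
    body.merge!(extra)
  end
  [200, json, body]
end
```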

@nbulaj nbulaj closed this Aug 13, 2024
@nbulaj nbulaj reopened this Aug 13, 2024
@nbulaj nbulaj changed the title Fix custom token introspection response when it evaluates to false Refactor token introspection Aug 13, 2024
@nbulaj nbulaj force-pushed the fixes/fix-token-introspection branch from e37d6b0 to 544d131 Compare August 13, 2024 12:33
@nbulaj nbulaj merged commit bafdf78 into main Aug 13, 2024
44 checks passed
@nbulaj nbulaj deleted the fixes/fix-token-introspection branch August 13, 2024 12:34