Robert Munteanu created SLING-12999:
---------------------------------------
Summary: Invalid refresh tokens are not cleared
Key: SLING-12999
URL: https://issues.apache.org/jira/browse/SLING-12999
Project: Sling
Issue Type: Bug
Components: Extensions
Reporter: Robert Munteanu
Assignee: Robert Munteanu
Fix For: OAuth Client 0.1.6
When trying to obtain an access token with an invalid refresh token, the
{{OAuthRefresherImpl}} does not clear the invalid refresh token.
When tested against the Google token endpoint
(https://oauth2.googleapis.com/token), a 400 response is returned with the
following body contents:
{noformat}
{"error_description":"Token has been expired or revoked.","error":"invalid_grant"}
{noformat}
Currently the bundle errors out because the response is expected to have a 200
status code:
{noformat}
Caused by: com.nimbusds.oauth2.sdk.ParseException: Unexpected HTTP status code 400, must be [200]
	at com.nimbusds.oauth2.sdk.http.HTTPResponse.ensureStatusCode(HTTPResponse.java:190) [oauth2-oidc-sdk:11.30.1]
	at com.nimbusds.oauth2.sdk.AccessTokenResponse.parse(AccessTokenResponse.java:227) [oauth2-oidc-sdk:11.30.1]
	at org.apache.sling.auth.oauth_client.impl.OAuthTokenRefresherImpl.refreshTokensInternal(OAuthTokenRefresherImpl.java:79)
	... 105 common frames omitted
{noformat}
If the server returns an error response, we should clear the refresh token, log
a warning and throw a generic error about failing to refresh the token. In
interactive scenarios the user can then start a new OAuth flow.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
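As an added example (not Sling's or Nimbus's code), the behaviour the report asks for, written in Python against a stubbed token endpoint: a 200 response updates the stored tokens, an RFC 6749 §5.2 error response with `invalid_grant` clears the stored refresh token, logs a warning and raises a generic error. The responses are constructed (the 400 body is the Google one quoted above); `post` stands in for a hypothetical HTTP client. It goes one step beyond the report in that transient failures (5xx, `temporarily_unavailable`) deliberately keep the refresh token, since a retry may succeed; which error codes count as permanent is an assumption, not something the issue specifies.

```python
"""Refresh-token failure handling for an OAuth 2.0 token endpoint.

Added example, not Apache Sling's own code. Responses below are constructed
in the shape of RFC 6749 section 5.1 (success) and 5.2 (error).
"""
import json
import logging
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

log = logging.getLogger("oauth-refresh")


class TokenRefreshError(Exception):
    """Generic error surfaced to callers; raw endpoint details stay in the log."""


@dataclass
class TokenStore:
    access_token: Optional[str]
    refresh_token: Optional[str]


# Constructed endpoint responses: (HTTP status, body).
SUCCESS = (200, json.dumps({"access_token": "ya29.new-access-token",
                            "expires_in": 3599, "token_type": "Bearer"}))
# The body Google returned in the issue.
INVALID_GRANT = (400, '{"error_description":"Token has been expired or '
                      'revoked.","error":"invalid_grant"}')
# A transient failure: the refresh token itself is still usable.
SERVER_ERROR = (503, '{"error":"temporarily_unavailable"}')

# Assumption: these RFC 6749 section 5.2 codes mean the stored refresh token
# is dead and must be discarded. Anything else is treated as retryable.
PERMANENT_ERRORS = {"invalid_grant", "invalid_client", "unauthorized_client"}


def refresh(store: TokenStore,
            post: Callable[[str], Tuple[int, str]]) -> TokenStore:
    """Try to refresh; `post(refresh_token)` is a hypothetical HTTP client
    returning (status, body) from the token endpoint."""
    if not store.refresh_token:
        raise TokenRefreshError("no refresh token available")

    status, body = post(store.refresh_token)
    try:
        payload = json.loads(body)
    except ValueError:
        log.warning("token endpoint returned HTTP %d with non-JSON body", status)
        raise TokenRefreshError("failed to refresh access token")

    if status == 200:
        store.access_token = payload["access_token"]
        # RFC 6749 section 6: the server MAY rotate the refresh token.
        store.refresh_token = payload.get("refresh_token", store.refresh_token)
        return store

    # Error path: do not propagate the parse failure the issue describes.
    error = payload.get("error", "unknown_error")
    if status == 400 and error in PERMANENT_ERRORS:
        log.warning("refresh token rejected (%s: %s); clearing it",
                    error, payload.get("error_description", ""))
        store.refresh_token = None
    else:
        log.warning("token endpoint returned HTTP %d (%s); keeping refresh token",
                    status, error)
    raise TokenRefreshError("failed to refresh access token")


def attempt(store: TokenStore, response: Tuple[int, str]) -> bool:
    """Run one refresh against a fixed response; True if it succeeded."""
    try:
        refresh(store, lambda _rt: response)
        return True
    except TokenRefreshError:
        return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name, resp in (("success", SUCCESS), ("invalid_grant", INVALID_GRANT),
                       ("server_error", SERVER_ERROR)):
        s = TokenStore("old-access", "old-refresh")
        ok = attempt(s, resp)
        print(f"{name}: ok={ok} refresh_token={s.refresh_token!r}")
```

Once the refresh token is cleared, the next `refresh` call fails fast with the same generic error instead of hitting the endpoint again, which is the signal an interactive caller uses to start a new authorization flow.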