[ https://issues.apache.org/jira/browse/SLING-12999?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Munteanu closed SLING-12999.
-----------------------------------

> Invalid refresh tokens are not cleared
> --------------------------------------
>
>                 Key: SLING-12999
>                 URL: https://issues.apache.org/jira/browse/SLING-12999
>             Project: Sling
>          Issue Type: Bug
>          Components: Extensions
>            Reporter: Robert Munteanu
>            Assignee: Robert Munteanu
>            Priority: Major
>             Fix For: OAuth Client 0.1.6
>
>
> When trying to obtain an access token with an invalid refresh token the
> {{OAuthRefresherImpl}} does not clear the invalid refresh token.
> When tested against the Google token endpoint
> (https://oauth2.googleapis.com/token), a 400 response is returned with the
> following body contents:
> {noformat}
> {"error_description":"Token has been expired or 
> revoked.","error":"invalid_grant"}
> {noformat}
> Currently the bundle errors out because the response is expected to have a
> 200 status code:
> {noformat}
> Caused by: com.nimbusds.oauth2.sdk.ParseException: Unexpected HTTP status 
> code 400, must be [200]
>       at 
> com.nimbusds.oauth2.sdk.http.HTTPResponse.ensureStatusCode(HTTPResponse.java:190)
>  [oauth2-oidc-sdk:11.30.1]
>       at 
> com.nimbusds.oauth2.sdk.AccessTokenResponse.parse(AccessTokenResponse.java:227)
>  [oauth2-oidc-sdk:11.30.1]
>       at 
> org.apache.sling.auth.oauth_client.impl.OAuthTokenRefresherImpl.refreshTokensInternal(OAuthTokenRefresherImpl.java:79)
>       ... 105 common frames omitted
> {noformat}
> If the server returns an error response we should clear the refresh token,
> log a warning and throw a generic error about failing to refresh the token.
> In interactive scenarios the user can start a new OAuth flow.
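One way to implement the handling described in the issue, written here as an added example and not taken from the Sling OAuth client or the Nimbus SDK: instead of calling `AccessTokenResponse.parse`, which insists on a 200 status, the handler uses `TokenResponse.parse`, which returns either an `AccessTokenResponse` or a `TokenErrorResponse` depending on the status code. On an error response the stored refresh token is cleared, a warning with the error code is logged, and a generic exception is thrown so an interactive caller can start a new flow. The class name `RefreshResponseHandler`, the `RefreshTokenStore` interface and `TokenRefreshException` are assumed names; the 400 body in `main` is a constructed sample mirroring the Google response quoted above.

```java
import java.util.logging.Logger;

import com.nimbusds.common.contenttype.ContentType;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.Tokens;

/**
 * Illustrative refresh handler (hypothetical; not the Sling OAuth client's code).
 * Parses a token endpoint reply as either a success or an error response instead
 * of assuming a 200 status, so an invalid_grant reply clears the stored refresh
 * token rather than surfacing as a ParseException.
 */
public class RefreshResponseHandler {

    private static final Logger LOG = Logger.getLogger(RefreshResponseHandler.class.getName());

    /** Hypothetical persistence abstraction for the stored refresh token. */
    public interface RefreshTokenStore {
        void clear();
    }

    /** Generic failure signalled to callers; deliberately carries no token material. */
    public static class TokenRefreshException extends Exception {
        public TokenRefreshException(String message) { super(message); }
    }

    /**
     * Returns the fresh access token on success. On an error response the refresh
     * token is cleared, a warning is logged and a generic exception is thrown so an
     * interactive caller can start a new OAuth flow.
     */
    public static AccessToken handle(HTTPResponse httpResponse, RefreshTokenStore store)
            throws TokenRefreshException {
        TokenResponse response;
        try {
            // TokenResponse.parse dispatches on the status code: 200 -> AccessTokenResponse,
            // anything else -> TokenErrorResponse (RFC 6749 section 5.2 error object).
            response = TokenResponse.parse(httpResponse);
        } catch (ParseException e) {
            // Malformed body or unexpected content type: also treat as a failed refresh.
            store.clear();
            LOG.warning("Unparseable token endpoint response: " + e.getMessage());
            throw new TokenRefreshException("Failed to refresh access token");
        }

        if (response.indicatesSuccess()) {
            Tokens tokens = response.toSuccessResponse().getTokens();
            return tokens.getAccessToken();
        }

        TokenErrorResponse error = response.toErrorResponse();
        ErrorObject err = error.getErrorObject();
        // invalid_grant is the code returned for an expired or revoked refresh token;
        // other codes also leave the caller unable to proceed, so the stored token is
        // cleared on every error response, as the issue proposes.
        String code = err.getCode() != null ? err.getCode() : "unknown";
        boolean grantInvalid = OAuth2Error.INVALID_GRANT.getCode().equals(code);
        store.clear();
        LOG.warning("Refresh token rejected by token endpoint: status=" + err.getHTTPStatusCode()
                + " error=" + code + " invalid_grant=" + grantInvalid
                + " description=" + err.getDescription());
        throw new TokenRefreshException("Failed to refresh access token");
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the 400 body quoted in the issue.
        HTTPResponse rejected = new HTTPResponse(400);
        rejected.setEntityContentType(ContentType.APPLICATION_JSON);
        rejected.setContent(
            "{\"error_description\":\"Token has been expired or revoked.\",\"error\":\"invalid_grant\"}");

        boolean[] cleared = {false};
        try {
            handle(rejected, () -> cleared[0] = true);
        } catch (TokenRefreshException e) {
            System.out.println(e.getMessage() + "; refresh token cleared=" + cleared[0]);
        }

        // Constructed sample of a successful refresh for comparison.
        HTTPResponse ok = new HTTPResponse(200);
        ok.setEntityContentType(ContentType.APPLICATION_JSON);
        ok.setContent("{\"access_token\":\"example-access-token\",\"token_type\":\"Bearer\",\"expires_in\":3600}");
        try {
            System.out.println("access token: " + handle(ok, () -> {}).getValue());
        } catch (TokenRefreshException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The exception handed to callers is intentionally generic: the provider's `error_description` and the rejected refresh token go to the log at warning level only, so the error path neither leaks token material to callers nor leaves a known-bad refresh token in the store to be retried on the next request.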



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
