Yes, I think it's OK if introspection only sends inactive. Anyway, we don't need to send a specific error message, as it makes it possible for a user to guess the token. As I know, usually we don't send descriptive error messages to users when an auth failure happens.
Thanks, Sanjeewa.

On Sat, Dec 3, 2016 at 9:55 PM, Ishara Cooray <isha...@wso2.com> wrote:
> Thanks Farasath and Maduranga.
>
> Hi Nuwan/Sanjeewa,
>
> As per the above, we won't be able to respond to an API request with the reason
> for an inactive token, such as 'token expired', but we will respond as 'token
> is inactive'.
>
> Appreciate your thoughts.
>
> Thanks & Regards,
> Ishara Cooray
> Senior Software Engineer
> Mobile : +9477 262 9512
> WSO2, Inc. | http://wso2.com/
> Lean . Enterprise . Middleware
>
> On Sat, Dec 3, 2016 at 12:08 AM, Maduranga Siriwardena <madura...@wso2.com> wrote:
>> Hi Ishara,
>>
>> According to the specification, it is not recommended to expose too many
>> details about why the token is not active.
>>
>>     Note that to avoid disclosing too much of the authorization server's
>>     state to a third party, the authorization server SHOULD NOT include
>>     any additional information about an inactive token, including why
>>     the token is inactive.
>>
>> Sending the response as expired exposes too many details about the
>> authorization server's state, as I understand. And at the same time the
>> specification specifically says to send the {"active": false} response for any
>> inactive token or any error response (other than unauthorized client). So
>> sending such a custom attribute is not suitable either.
>>
>> Thanks,
>>
>> On Fri, Dec 2, 2016 at 10:51 PM, Farasath Ahamed <farasa...@wso2.com> wrote:
>>> Hi Ishara,
>>>
>>> The 'active' parameter is mandatory according to the Introspection
>>> spec [1], to indicate the status of the token.
>>>
>>> If we are to send something like what you have suggested, we could do so
>>> by using a custom attribute in the response. But then again that would be
>>> something specific to our implementation and would not be understood by
>>> standard clients, right?
>>>
>>> [1] https://tools.ietf.org/html/rfc7662#section-2.2
>>>
>>> Thanks,
>>> Farasath Ahamed
>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>> Mobile: +94777603866
>>> Blog: blog.farazath.com
>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>
>>> On Fri, Dec 2, 2016 at 10:38 PM, Ishara Cooray <isha...@wso2.com> wrote:
>>>> I have used the introspect endpoint to get token info with Identity Server
>>>> 5.3.0.
>>>> I get the {'active':false} response even for an expired token.
>>>>
>>>> *Request:*
>>>> curl -k -H 'Content-Type: application/x-www-form-urlencoded' -X POST
>>>> --data 'token=a2c12c81-33fb-3e07-aa5e-c50639011199'
>>>> https://localhost:9443/oauth2/introspect
>>>>
>>>> *Response:*
>>>> {'active':false}
>>>>
>>>> But, if we can have { state : expired }, that way we can provide a
>>>> more concrete response to the end user.
>>>>
>>>> wdyt?
>>>>
>>>> Thanks & Regards,
>>>> Ishara Cooray
>>>> Senior Software Engineer
>>>> Mobile : +9477 262 9512
>>>> WSO2, Inc. | http://wso2.com/
>>>> Lean . Enterprise . Middleware
>>>>
>>>> _______________________________________________
>>>> Dev mailing list
>>>> Dev@wso2.org
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>> --
>> Maduranga Siriwardena
>> Software Engineer
>> WSO2 Inc; http://wso2.com/
>>
>> Email: madura...@wso2.com
>> Mobile: +94718990591
>> Blog: http://madurangasblogs.blogspot.com/

--
*Sanjeewa Malalgoda*
WSO2 Inc.
Mobile : +94713068779
Blog : http://sanjeewamalalgoda.blogspot.com/
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
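The behaviour the thread settles on, as an added example that is not WSO2 Identity Server code: an RFC 7662-style introspection responder that collapses every inactive case (expired, revoked, never issued, malformed) to the same `{"active": false}` body, with only an unauthenticated caller getting a distinct 401. The token store, the UUID-style token syntax, the caller id `resource-server-1`, the `PROBES` list and all timestamps are constructed assumptions; `leaky_introspect` is the `{state: expired}` variant proposed in the thread, kept only to show what it reveals.

```python
"""Added example, not WSO2 Identity Server code: an RFC 7662-style
introspection responder that answers {"active": false} for every inactive
token regardless of why it is inactive, as the thread concludes.
All tokens, clients, the token syntax and timestamps below are constructed."""
import re
import time

# Constructed token store (token -> metadata); a real server would use a DB.
# "exp" values are POSIX seconds.
TOKEN_STORE = {
    "11111111-0000-4000-8000-000000000001": {  # active until 2100-01-01T00:00:00Z
        "client_id": "client-a", "scope": "read write", "sub": "alice",
        "exp": 4102444800, "revoked": False},
    "11111111-0000-4000-8000-000000000002": {  # expired 2016-12-03T00:00:00Z
        "client_id": "client-a", "scope": "read", "sub": "bob",
        "exp": 1480723200, "revoked": False},
    "11111111-0000-4000-8000-000000000003": {  # revoked by the user
        "client_id": "client-b", "scope": "read", "sub": "carol",
        "exp": 4102444800, "revoked": True},
}
TOKEN_SYNTAX = re.compile(r"^[0-9a-f-]{36}$")   # assumed UUID-style token format
AUTHORIZED_CALLERS = {"resource-server-1"}      # constructed: clients allowed to introspect

# Constructed probe set: expired, revoked, never issued, malformed.
PROBES = ["11111111-0000-4000-8000-000000000002",
          "11111111-0000-4000-8000-000000000003",
          "11111111-0000-4000-8000-0000000000ff",
          "not a token"]
NOW = 1480800000  # constructed "now": 2016-12-03T21:20:00Z


def token_state(token, now):
    """Classify a token for internal use (audit logs). Never returned to callers."""
    if not isinstance(token, str) or not TOKEN_SYNTAX.match(token):
        return "malformed"
    meta = TOKEN_STORE.get(token)
    if meta is None:
        return "unknown"
    if meta["revoked"]:
        return "revoked"
    if meta["exp"] <= now:
        return "expired"
    return "active"


def introspect(token, caller, now=None):
    """Return (http_status, json_body) for an introspection request.

    Only an unauthenticated caller gets a distinct error (RFC 7662 s2.3 defers
    to the RFC 6749 client error, hence 401 invalid_client); every other
    failure collapses to {"active": false} with no reason attached.
    """
    if caller not in AUTHORIZED_CALLERS:
        return 401, {"error": "invalid_client"}
    now = time.time() if now is None else now
    state = token_state(token, now)
    if state != "active":
        # The reason is deliberately dropped: "expired" vs "unknown" would
        # tell a caller which of its guessed strings were once real tokens.
        return 200, {"active": False}
    meta = TOKEN_STORE[token]
    return 200, {"active": True, "client_id": meta["client_id"],
                 "scope": meta["scope"], "sub": meta["sub"], "exp": meta["exp"]}


def leaky_introspect(token, caller, now=None):
    """The {"active": false, "state": ...} variant proposed in the thread.
    Kept only to show what it discloses; it is NOT RFC 7662 compliant."""
    now = time.time() if now is None else now
    status, body = introspect(token, caller, now)
    if status == 200 and not body["active"]:
        body = dict(body, state=token_state(token, now))
    return status, body


def inactive_responses_identical(impl, tokens, caller, now):
    """True if every inactive response from impl is identical, i.e. the
    responder gives an observer nothing to tell the inactive cases apart."""
    bodies = {repr(sorted(impl(t, caller, now)[1].items()))
              for t in tokens if not impl(t, caller, now)[1].get("active")}
    return len(bodies) == 1


if __name__ == "__main__":
    for t in PROBES:
        print(t, introspect(t, "resource-server-1", NOW),
              leaky_introspect(t, "resource-server-1", NOW))
    print("compliant responder indistinguishable:",
          inactive_responses_identical(introspect, PROBES, "resource-server-1", NOW))
    print("leaky responder indistinguishable:",
          inactive_responses_identical(leaky_introspect, PROBES, "resource-server-1", NOW))
```

The reason string still exists server-side (`token_state`) so it can be written to the authorization server's own audit log; the design point is that it never crosses the wire, which is what keeps an expired token indistinguishable from a string that was never a token.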