Hi,

With our current implementation, we check whether an OAuth app is active at [1]. This happens before we complete client authentication at [2].

Therefore, even for an invalid client_id value, the error message that we would get will be "Oauth App is not in active state.", which is not the expected behaviour.

To fix this I see two options:

1. Handle the APP_STATE value being NULL (i.e. no app was found for the given consumer key) properly. The APP_STATE column allows NULL as a value, so we can't exactly say that APP_STATE == 'NULL' would imply that there is no app for a given consumer key.
2. Move the APP_STATE validation logic to be done after [2].

WDYT?

[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/token/OAuth2TokenEndpoint.java#L87-L97
[2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java#L168

Thanks,
Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 <https://twitter.com/farazath619>
<http://wso2.com/signature>
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
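The ordering problem raised in the message above, as an added example that is not part of the original email and is not WSO2 code. The class, method names, in-memory store, sample keys and the choice to treat a NULL state as not active are all assumptions made for illustration; only the error string and the APP_STATE column name come from the email.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

// Hypothetical, simplified model; not the WSO2 classes referenced in the email.
public class TokenRequestOrdering {
    // Constructed sample store: consumer key -> {client secret, APP_STATE}.
    static final Map<String, String[]> APPS = new HashMap<>();
    static {
        APPS.put("active-key", new String[] {"s3cret", "ACTIVE"});
        APPS.put("revoked-key", new String[] {"s3cret", "REVOKED"});
        APPS.put("legacy-key", new String[] {"s3cret", null}); // row exists, APP_STATE is NULL
    }

    // Returns null both for "no such app" and for "NULL column": the ambiguity in option 1.
    static String stateOf(String consumerKey) {
        String[] app = APPS.get(consumerKey);
        return app == null ? null : app[1];
    }

    static boolean authenticate(String consumerKey, String secret) {
        String[] app = APPS.get(consumerKey);
        // Constant-time comparison of the presented secret against the stored one.
        return app != null && MessageDigest.isEqual(
                app[0].getBytes(StandardCharsets.UTF_8), secret.getBytes(StandardCharsets.UTF_8));
    }

    // Order described in the email: state check first, client authentication second.
    static String stateCheckFirst(String consumerKey, String secret) {
        if (!"ACTIVE".equals(stateOf(consumerKey))) { // assumption: NULL state counts as not active
            return "Oauth App is not in active state.";
        }
        return authenticate(consumerKey, secret) ? "ok" : "invalid_client";
    }

    // Option 2: authenticate the client first, then check the state of the app that was found.
    static String authenticateFirst(String consumerKey, String secret) {
        if (!authenticate(consumerKey, secret)) {
            return "invalid_client"; // error code from RFC 6749, section 5.2
        }
        return "ACTIVE".equals(stateOf(consumerKey)) ? "ok" : "Oauth App is not in active state.";
    }

    public static void main(String[] args) {
        for (String key : new String[] {"no-such-key", "legacy-key", "revoked-key", "active-key"}) {
            System.out.printf("%-12s stateFirst=%-34s authFirst=%s%n",
                    key, stateCheckFirst(key, "s3cret"), authenticateFirst(key, "s3cret"));
        }
    }
}
```

With the state check first, the unknown key and the NULL-state key produce the same "not in active state" message; with authentication first, the unknown key is rejected as `invalid_client` and the state message is only returned for an app that actually exists.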