Hi Farasath,

Seems like we have already added that logic as well [1]. If we have specified a known token type hint then we are only searching the token according to the given token_type_hint; if we are not specifying or specify an unknown token_type_hint then we are searching through all the available token validators and validating the token.

[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/970/files#diff-1e2e2c1e5664f2003188d37ab53048fdR237

Thanks,
Nila.

On Fri, May 10, 2019 at 4:08 PM Farasath Ahamed <farasa...@wso2.com> wrote:
> Hi,
>
> While supporting the token_type_hint values access_token and refresh_token is good, it looks like we need to fix the logic of handling unknown token_type_hints.
>
> I think Chanaka has raised a valid concern here. If an invalid token hint is given then we need to do a full search. But it seems that we rely on the provided token_type_hint to do the search.
>
> @Chanaka Lakmal <chana...@wso2.com> Can you create a git issue for this under the product-is repo?
>
> Regards,
> Farasath
>
> On Fri, May 10, 2019 at 3:34 PM Nilasini Thirunavukkarasu <nilas...@wso2.com> wrote:
>> Hi Chanaka,
>>
>> Supporting the token_type_hint parameter has been fixed in the master branch [1][2] and will be released with the upcoming release.
>>
>> [1] https://github.com/wso2/product-is/issues/3780
>> [2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/970/files#diff-78ef442733b42d8573912a910e98d884R83
>>
>> Thanks,
>> Nila.
>>
>> On Fri, May 10, 2019 at 3:09 PM Chanaka Lakmal <chana...@wso2.com> wrote:
>>> Hi all,
>>>
>>> I encountered an issue when trying to invoke the OAuth2 Introspection Endpoint of WSO2 IS 5.7.0 as guided by the doc [1]. These are the scenarios I tried with a valid token, and a part of the response status:
>>>
>>> 1. Invoke introspection endpoint with the token. Response - {"active":true}
>>>
>>>    curl -k -u admin:admin -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=334060588-dd4e-36a5-ad93-440cc77a1cfb' https://localhost:9443/oauth2/introspect
>>>
>>> 2. Invoke introspection endpoint with the token and token_type_hint=bearer. Response - {"active":true}
>>>
>>>    curl -k -u admin:admin -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=334060588-dd4e-36a5-ad93-440cc77a1cfb&token_type_hint=bearer' https://localhost:9443/oauth2/introspect
>>>
>>> 3. Invoke introspection endpoint with the token and token_type_hint=access_token. Response - {"active":false}
>>>
>>>    curl -k -u admin:admin -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=334060588-dd4e-36a5-ad93-440cc77a1cfb&token_type_hint=access_token' https://localhost:9443/oauth2/introspect
>>>
>>> According to the OAuth2 token introspection specification [2]:
>>>
>>>    If the server is unable to locate the token using the given hint,
>>>    it MUST extend its search across all of its supported token types.
>>>
>>> So, according to the specification, it should send the active parameter of the response as true in the 3rd scenario.
>>>
>>> Appreciate your thoughts on this.
>>>
>>> [1] https://docs.wso2.com/display/IS541/Invoke+the+OAuth+Introspection+Endpoint
>>> [2] https://tools.ietf.org/html/rfc7662#section-2.1
>>>
>>> Thanks,
>>> Chanaka
>>> --
>>> Chanaka Lakmal | Software Engineer | WSO2 Inc.
>>> Mobile : (+94) 77 596 2256
>>> <https://wso2.com/signature>
>>
>> --
>> Nilasini Thirunavukkarasu
>> Senior Software Engineer - WSO2
>>
>> Email : nilas...@wso2.com
>> Mobile : +94775241823
>> Web : http://wso2.com/
>> <http://wso2.com/signature>
>> _______________________________________________
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
> --
> Farasath Ahamed
> Associate Technical Lead, WSO2 Inc.: http://wso2.com
> Mobile: +94777603866
> Blog: https://farasath.blogspot.com / https://medium.com/@farasath
> Twitter: @farazath619 <https://twitter.com/farazath619>
> <http://wso2.com/signature>

--
Nilasini Thirunavukkarasu
Senior Software Engineer - WSO2

Email : nilas...@wso2.com
Mobile : +94775241823
Web : http://wso2.com/
<http://wso2.com/signature>

_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
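The lookup rule the thread discusses, written out as an added Python example (not WSO2 Identity Server code or the logic from PR 970): a known token_type_hint selects which validator is tried first, an absent or unknown hint (such as "bearer") means a full search, and, per RFC 7662 section 2.1, a miss on the hinted validator must still fall through to every other supported token type. The token stores, token strings and validator registry are constructed stand-ins; a non-compliant hint-only variant is included beside the compliant one so the difference from the thread's scenario 3 can be observed directly.

```python
"""RFC 7662 token_type_hint handling: hinted lookup first, full search on a miss.

Added example, not WSO2 code. Token stores and values below are constructed.
"""
from typing import Callable, Dict, List, Optional

# Constructed sample stores, one per supported token type (hypothetical data).
# Keys are opaque token strings; values are the claims an active response carries.
ACCESS_TOKENS: Dict[str, dict] = {
    "acc-0001": {"client_id": "client-a", "scope": "openid email", "exp": 1557500000},
}
REFRESH_TOKENS: Dict[str, dict] = {
    "ref-0002": {"client_id": "client-a", "scope": "openid", "exp": 1560000000},
}

# A validator takes a token string and returns its claims, or None on a miss.
Validator = Callable[[str], Optional[dict]]

# Registry keyed by the hint values the server understands (constructed).
VALIDATORS: Dict[str, Validator] = {
    "access_token": ACCESS_TOKENS.get,
    "refresh_token": REFRESH_TOKENS.get,
}


def search_order(hint: Optional[str], validators: Dict[str, Validator]) -> List[str]:
    """Hinted validator first; an absent or unknown hint means plain full search."""
    order = [hint] if hint in validators else []
    order += [name for name in validators if name not in order]
    return order


def introspect(token: str, token_type_hint: Optional[str] = None,
               validators: Dict[str, Validator] = VALIDATORS) -> dict:
    """Compliant lookup: extend the search across all types when the hint misses."""
    for name in search_order(token_type_hint, validators):
        claims = validators[name](token)
        if claims is not None:
            return {"active": True, "token_type": name, **claims}
    # RFC 7662 section 2.2: an inactive token gets only {"active": false},
    # so callers cannot learn whether the string exists under some other type.
    return {"active": False}


def introspect_hint_only(token: str, token_type_hint: Optional[str] = None,
                         validators: Dict[str, Validator] = VALIDATORS) -> dict:
    """Non-compliant variant: a known hint restricts the search to one validator."""
    names = [token_type_hint] if token_type_hint in validators else list(validators)
    for name in names:
        claims = validators[name](token)
        if claims is not None:
            return {"active": True, "token_type": name, **claims}
    return {"active": False}


if __name__ == "__main__":
    # A refresh token presented with a wrong but known hint: only the compliant
    # lookup reports it active, which is the behaviour the spec requires.
    for hint in (None, "bearer", "access_token", "refresh_token"):
        print(f"hint={hint!r:16} compliant={introspect('ref-0002', hint)['active']} "
              f"hint_only={introspect_hint_only('ref-0002', hint)['active']}")
```

Running the script shows that both variants agree when the hint is absent or unknown (full search), and only diverge when a known hint names the wrong type; the compliant version also keeps the inactive response minimal, which matters because introspection is an authenticated endpoint whose responses should not leak more about unrecognised tokens than the spec allows.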