Thanks Farasath and Maduranga. Hi Nuwan/Sanjeewa,

As per the above we won't be able to respond to an API request with the reason for an inactive token such as 'token expired', but we will respond as 'token is inactive'. Appreciate your thoughts.

Thanks & Regards,
Ishara Cooray
Senior Software Engineer
Mobile : +9477 262 9512
WSO2, Inc. | http://wso2.com/
Lean . Enterprise . Middleware

On Sat, Dec 3, 2016 at 12:08 AM, Maduranga Siriwardena <[email protected]> wrote:
> Hi Ishara,
>
> According to the specification, it is not recommended to expose too many details about why the token is not active.
>
> Note that to avoid disclosing too much of the authorization server's state to a third party, the authorization server SHOULD NOT include any additional information about an inactive token, including why the token is inactive.
>
> Sending the response as expired exposes too many details about the authorization server's state, as I understand. And at the same time the specification specifically says to send a {"active": false} response for any inactive token or any error response (other than unauthorized client). So sending such a custom attribute is not suitable either.
>
> Thanks,
>
> On Fri, Dec 2, 2016 at 10:51 PM, Farasath Ahamed <[email protected]> wrote:
>
>> Hi Ishara,
>>
>> The 'active' parameter is mandatory according to the Introspection spec[1], to indicate the status of the token.
>>
>> If we are to send something like what you have suggested we could do so by using a custom attribute in the response. But then again that would be something specific to our implementation and would not be understood by standard clients, right?
>>
>> [1] https://tools.ietf.org/html/rfc7662#section-2.2
>>
>> Thanks,
>> Farasath Ahamed
>> Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>
>> On Fri, Dec 2, 2016 at 10:38 PM, Ishara Cooray <[email protected]> wrote:
>>
>>> I have used the introspect endpoint to get token info with Identity Server 5.3.0.
>>> I get a {'active':false} response even for an expired token.
>>>
>>> Request:
>>> curl -k -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=a2c12c81-33fb-3e07-aa5e-c50639011199' https://localhost:9443/oauth2/introspect
>>>
>>> Response:
>>> {'active':false}
>>>
>>> But if we can have the { state : expired }, that way we can provide a more concrete response to the end user.
>>>
>>> wdyt?
>>>
>>> Thanks & Regards,
>>> Ishara Cooray
>>> Senior Software Engineer
>>> Mobile : +9477 262 9512
>>> WSO2, Inc. | http://wso2.com/
>>> Lean . Enterprise . Middleware
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> [email protected]
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>
> --
> Maduranga Siriwardena
> Software Engineer
> WSO2 Inc; http://wso2.com/
>
> Email: [email protected]
> Mobile: +94718990591
> Blog: http://madurangasblogs.blogspot.com/
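The introspection behaviour Maduranga quotes from RFC 7662 section 2.2, shown as an added example that is not part of this thread and not Identity Server code: every inactive token, whether expired, revoked or unknown, is answered with only {"active": false}, while the concrete reason is kept in a server-side audit log where operators can still see it. The token store, token names and the audit log are constructed for the example.

```python
"""Minimal RFC 7662 introspection response shaping.

Constructed in-memory token store; the client-visible body for any
inactive token is only {"active": false}, the reason stays server-side.
"""
import hashlib
import time

# Constructed sample token store (not real Identity Server data).
# exp values are Unix timestamps: 2100-01-01 (valid) and 2000-01-01 (expired).
TOKENS = {
    "tok-valid":   {"exp": 4102444800, "revoked": False, "client_id": "app1", "scope": "openid"},
    "tok-expired": {"exp": 946684800,  "revoked": False, "client_id": "app1", "scope": "openid"},
    "tok-revoked": {"exp": 4102444800, "revoked": True,  "client_id": "app2", "scope": "read"},
}


def classify(token, store=TOKENS, now=None):
    """Server-side reason for the token's state: active, expired, revoked or unknown."""
    now = time.time() if now is None else now
    rec = store.get(token)
    if rec is None:
        return "unknown"
    if rec["revoked"]:
        return "revoked"
    if rec["exp"] <= now:
        return "expired"
    return "active"


def introspect(token, store=TOKENS, now=None, audit_log=None):
    """Build the response body returned to the protected resource.

    All inactive states collapse to {"active": false}. The reason is written
    only to the local audit log (a list here), keyed by a hash prefix so the
    raw token secret is never logged.
    """
    reason = classify(token, store, now)
    if audit_log is not None:
        audit_log.append((hashlib.sha256(token.encode()).hexdigest()[:12], reason))
    if reason != "active":
        return {"active": False}
    rec = store[token]
    return {"active": True, "client_id": rec["client_id"], "scope": rec["scope"], "exp": rec["exp"]}


if __name__ == "__main__":
    log = []
    for t in ("tok-valid", "tok-expired", "tok-revoked", "tok-missing"):
        print(t, introspect(t, audit_log=log))
    print("audit:", log)
```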
