Yeah, AFAIK we aren't descriptive on the error response.

On Mon, Dec 5, 2016 at 10:45 AM, Sanjeewa Malalgoda <[email protected]> wrote:

> Yes, I think it's ok if introspection only sends inactive. Anyway we don't
> need to send a specific error message, as it makes it possible for a user to guess the token.
> As I know, usually we don't send descriptive error messages to users when
> an auth failure happens.
>
> Thanks,
> sanjeewa.
>
> On Sat, Dec 3, 2016 at 9:55 PM, Ishara Cooray <[email protected]> wrote:
>
>> Thanks Farasath and Maduranga.
>>
>> Hi Nuwan/Sanjeewa,
>>
>> As per the above we won't be able to respond to an API request with the
>> reason for an inactive token such as 'token expired', but we will respond as
>> 'token is inactive'.
>>
>> Appreciate your thoughts.
>>
>> Thanks & Regards,
>> Ishara Cooray
>> Senior Software Engineer
>> Mobile : +9477 262 9512
>> WSO2, Inc. | http://wso2.com/
>> Lean . Enterprise . Middleware
>>
>> On Sat, Dec 3, 2016 at 12:08 AM, Maduranga Siriwardena <[email protected]> wrote:
>>
>>> Hi Ishara,
>>>
>>> According to the specification, it is not recommended to expose too many
>>> details about why the token is not active.
>>>
>>>     Note that to avoid disclosing too much of the authorization server's
>>>     state to a third party, the authorization server SHOULD NOT include
>>>     any additional information about an inactive token, including why
>>>     the token is inactive.
>>>
>>> Sending the response as expired exposes too many details about the
>>> authorization server's state, as I understand. And at the same time the
>>> specification specifically says to send the {"active": false} response for any inactive
>>> token or any error response (other than unauthorized client). So sending
>>> such a custom attribute is not suitable either.
>>>
>>> Thanks,
>>>
>>> On Fri, Dec 2, 2016 at 10:51 PM, Farasath Ahamed <[email protected]> wrote:
>>>
>>>> Hi Ishara,
>>>>
>>>> The 'active' parameter is mandatory according to the Introspection
>>>> spec[1], to indicate the status of the token.
>>>>
>>>> If we are to send something like what you have suggested we could do so
>>>> by using a custom attribute in the response. But then again that would be
>>>> something specific to our implementation and would not be understood by
>>>> standard clients, right?
>>>>
>>>> [1] https://tools.ietf.org/html/rfc7662#section-2.2
>>>>
>>>> Thanks,
>>>> Farasath Ahamed
>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>> Mobile: +94777603866
>>>> Blog: blog.farazath.com
>>>> Twitter: @farazath619
>>>>
>>>> On Fri, Dec 2, 2016 at 10:38 PM, Ishara Cooray <[email protected]> wrote:
>>>>
>>>>> I have used the introspect endpoint to get token info with Identity
>>>>> Server 5.3.0.
>>>>> I get the {'active':false} response even for an expired token.
>>>>>
>>>>> Request:
>>>>> curl -k -H 'Content-Type: application/x-www-form-urlencoded' -X POST
>>>>> --data 'token=a2c12c81-33fb-3e07-aa5e-c50639011199'
>>>>> https://localhost:9443/oauth2/introspect
>>>>>
>>>>> Response:
>>>>> {'active':false}
>>>>>
>>>>> But if we can have { state : expired }, that way we can provide a
>>>>> more concrete response to the end user.
>>>>>
>>>>> wdyt?
>>>>>
>>>>> Thanks & Regards,
>>>>> Ishara Cooray
>>>>> Senior Software Engineer
>>>>> Mobile : +9477 262 9512
>>>>> WSO2, Inc. | http://wso2.com/
>>>>> Lean . Enterprise . Middleware
>>>>
>>> --
>>> Maduranga Siriwardena
>>> Software Engineer
>>> WSO2 Inc; http://wso2.com/
>>>
>>> Email: [email protected]
>>> Mobile: +94718990591
>>> Blog: http://madurangasblogs.blogspot.com/
>
> --
> Sanjeewa Malalgoda
> WSO2 Inc.
> Mobile : +94713068779
> blog : http://sanjeewamalalgoda.blogspot.com/

--
Nuwan Dias
Software Architect - WSO2, Inc. http://wso2.com
email : [email protected]
Phone : +94 777 775 729
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
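The behaviour the thread settles on (RFC 7662 section 2.2: an unknown, expired or revoked token all get exactly {"active": false}, with no hint as to why), as an added Python example that is not part of this thread or of Identity Server's code; the in-memory token store, the token strings and the fixed clock are constructed for the example.

```python
import json
from dataclasses import dataclass


@dataclass
class TokenRecord:
    client_id: str
    scope: str
    exp: int            # Unix expiry timestamp
    revoked: bool = False


# Constructed sample token store: opaque token string -> record. Not real tokens.
NOW = 1_480_000_000
TOKENS = {
    "tok-active":  TokenRecord("client-a", "read write", NOW + 3600),
    "tok-expired": TokenRecord("client-a", "read", NOW - 60),
    "tok-revoked": TokenRecord("client-b", "read", NOW + 3600, revoked=True),
}


def introspect(token: str, now: int = NOW) -> dict:
    """Build the RFC 7662 introspection response body for an authorized caller.

    Every inactive token (unknown, expired or revoked) yields exactly
    {"active": false}. The reason is deliberately withheld, so a caller cannot
    tell a never-issued token from an expired one by probing the endpoint.
    """
    rec = TOKENS.get(token)
    if rec is None or rec.revoked or rec.exp <= now:
        return {"active": False}
    return {
        "active": True,
        "client_id": rec.client_id,
        "scope": rec.scope,
        "exp": rec.exp,
        "token_type": "Bearer",
    }


def responses_indistinguishable(tokens, now: int = NOW) -> bool:
    """True when every token in `tokens` serialises to the same inactive body."""
    bodies = {json.dumps(introspect(t, now), sort_keys=True) for t in tokens}
    return bodies == {'{"active": false}'}


if __name__ == "__main__":
    for t in ("tok-active", "tok-expired", "tok-revoked", "tok-unknown"):
        print(t, json.dumps(introspect(t)))
```

The `responses_indistinguishable` check is the regression test to keep around: it fails the moment someone adds a `state` or `reason` field to the inactive branch.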
