Hi Inthirakumaaran,

According to the specification [1], if a token is inactive then we should only return *"active": false*; we should not return why the token is inactive.

> authorization server SHOULD NOT include any additional information
> about an inactive token, including why the token is inactive

[1] https://tools.ietf.org/html/rfc7662#section-2.2

Thanks,
Nila.

On Fri, Jan 18, 2019 at 3:24 PM Inthirakumaaran Tharmakulasingham <[email protected]> wrote:

> Hi,
>
> If we validate an expired JWT token in the introspection endpoint it
> prompts an error log with a stack trace while sending the correct response to
> the user. The detailed stack trace is in [1]. This happens because we are
> throwing an IdentityOAuth2Exception while checking the expiry time and
> propagating it to a point where we log the error with the stack trace.
>
> There are two viable solutions to this problem.
> 1. Creating a sub-exception extending IdentityOAuth2Exception.
> 2. Creating an error code for this time expiration.
>
> Then we can build the correct introspection response without logging the
> stack trace if we encounter the exception or error code.
>
> What would be the suitable solution to tackle this problem? Is there any
> better way to handle this?
>
> This problem will occur for IS servers that are
> using identity-inbound-auth-oauth module v6.0.66 or above. The current
> is-product in the master branch has this module.
>
> [1] https://github.com/wso2/product-is/issues/4319
>
> Thanks & Regards,
> kumaaran
> --
> *Inthirakumaaran*
> Software Engineer | WSO2
>
> E-mail: [email protected]
> Mobile: +94775558050
> Web: https://wso2.com
>
> <http://wso2.com/signature>

--
Nilasini Thirunavukkarasu
Software Engineer - WSO2
Email : [email protected]
Mobile : +94775241823
Web : http://wso2.com/ <http://wso2.com/signature>
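The behaviour discussed in this thread, shown as an added example that is not WSO2 Identity Server code and does not reproduce its Java classes: an RFC 7662 introspection handler in Python that treats an expired, not-yet-valid, malformed or wrongly signed token as an expected outcome (a dedicated exception type, the equivalent of option 1 in the question), logs it at DEBUG without a traceback, and returns only `{"active": false}` so the reason stays server-side as section 2.2 requires. It assumes HS256 with a shared key purely to keep the signature check self-contained (the key, the claim values and the helper names are constructed for the example); a real authorization server would verify against its own signing key and algorithm.

```python
import base64
import hashlib
import hmac
import json
import logging
import time

log = logging.getLogger("introspection")


class TokenInactive(Exception):
    """Expected validation outcome (expired, not yet valid, bad signature,
    malformed). Deliberately not an 'error': it is handled by answering
    {"active": false} and must never produce an ERROR log with a stack trace."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT (example helper so the block runs offline)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_hs256_jwt(token: str, key: bytes, now: int) -> dict:
    """Return the claims of a valid, unexpired token, else raise TokenInactive.
    The reason is carried in the exception for server-side diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInactive("malformed: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError) as exc:  # bad base64url or bad JSON
        raise TokenInactive("malformed: undecodable segment") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenInactive("malformed: header or payload is not an object")
    # Pin the algorithm before verifying; the token must not choose it.
    if header.get("alg") != "HS256":
        raise TokenInactive("unsupported alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenInactive("signature mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise TokenInactive("expired or missing exp")
    nbf = claims.get("nbf")
    if nbf is not None and (not isinstance(nbf, int) or now < nbf):
        raise TokenInactive("not yet valid")
    return claims


# Members RFC 7662 section 2.2 lists as optional in an active response.
_INTROSPECTION_CLAIMS = ("scope", "client_id", "username", "token_type",
                         "exp", "iat", "nbf", "sub", "aud", "iss", "jti")


def introspect(token: str, key: bytes, now=None) -> dict:
    """Build the RFC 7662 introspection response body for `token`."""
    now = int(time.time()) if now is None else now
    try:
        claims = validate_hs256_jwt(token, key, now)
    except TokenInactive as reason:
        # Expected outcome: DEBUG-level, no traceback, and the response
        # carries only "active": false; the reason never reaches the caller.
        log.debug("token introspection: inactive (%s)", reason)
        return {"active": False}
    response = {"active": True}
    for name in _INTROSPECTION_CLAIMS:
        if name in claims:
            response[name] = claims[name]
    return response


if __name__ == "__main__":
    key = b"example-shared-key"          # constructed for the example
    now = int(time.time())
    print(introspect(make_hs256_jwt({"sub": "alice", "exp": now + 60}, key), key))
    print(introspect(make_hs256_jwt({"sub": "alice", "exp": now - 1}, key), key))
```

Only `TokenInactive` is caught in `introspect`; anything else (a storage failure, a programming error) still propagates and is logged by the caller as a genuine error, which is the distinction the thread is after. The design choice to log the reason at DEBUG rather than drop it keeps an audit trail for operators while the wire response stays identical for every inactive token, so a client cannot probe whether a token is expired, revoked, or simply unknown.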
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
