Hi all,

I encountered an issue when trying to invoke the OAuth2 Introspection
Endpoint of WSO2 IS 5.7.0 as guided by the doc [1]. These are the scenarios
I tried with a valid token, and part of each response:


   1. Invoke introspection endpoint with the token. Response -
   {"active":true}
   curl -k -u admin:admin -H 'Content-Type: application/x-www-form-urlencoded' -X POST \
     --data 'token=334060588-dd4e-36a5-ad93-440cc77a1cfb' \
     https://localhost:9443/oauth2/introspect

   2. Invoke introspection endpoint with the token and token_type_hint=bearer.
   Response - {"active":true}
   curl -k -u admin:admin -H 'Content-Type: application/x-www-form-urlencoded' -X POST \
     --data 'token=334060588-dd4e-36a5-ad93-440cc77a1cfb&token_type_hint=bearer' \
     https://localhost:9443/oauth2/introspect

   3. Invoke introspection endpoint with the token and token_type_hint=access_token.
   Response - {"active":false}
   curl -k -u admin:admin -H 'Content-Type: application/x-www-form-urlencoded' -X POST \
     --data 'token=334060588-dd4e-36a5-ad93-440cc77a1cfb&token_type_hint=access_token' \
     https://localhost:9443/oauth2/introspect


According to the OAuth2 token introspection specification [2]:

    "If the server is unable to locate the token using the given hint,
    it MUST extend its search across all of its supported token types."


So, according to the specification, it should send the active parameter of
the response as true in the 3rd scenario.

Appreciate your thoughts on this.

[1] https://docs.wso2.com/display/IS541/Invoke+the+OAuth+Introspection+Endpoint
[2] https://tools.ietf.org/html/rfc7662#section-2.1

Thanks,
Chanaka
-- 
*Chanaka Lakmal*  | Software Engineer | WSO2 Inc.
Mobile  : (+94) 77 596 2256
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
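The lookup rule quoted from RFC 7662 section 2.1, worked through as an added Python example (not code from this thread or from WSO2 Identity Server): the in-memory token store, the fixed NOW timestamp, the client name and the refresh/expired token values are constructed sample data; only the access token value is taken from the mail above. `introspect` searches the hinted type first and then every other type, so a wrong or unregistered hint still finds a valid token; `introspect_hint_only` is the contrasting non-compliant behaviour that trusts the hint and never widens the search. Any token that cannot be located, or that has expired, gets a bare `{"active": false}` with no further fields, so the endpoint does not leak token state to a caller.

```python
"""RFC 7662 introspection lookup with token_type_hint fallback (added example)."""
from typing import Dict, List, Optional

# Fixed "current time" so the example is deterministic (constructed value).
NOW = 1_600_000_000

# Constructed token store keyed by token type. The keys are the two
# token_type_hint values registered by RFC 7009 section 2.1.
TOKEN_STORE: Dict[str, Dict[str, dict]] = {
    "access_token": {
        # Token value from the mail above, reused here as sample data.
        "334060588-dd4e-36a5-ad93-440cc77a1cfb": {
            "client_id": "sample-client", "scope": "openid", "exp": NOW + 3600,
        },
        # Constructed expired token: found by lookup, but must report inactive.
        "expired-access-token": {
            "client_id": "sample-client", "scope": "openid", "exp": NOW - 10,
        },
    },
    "refresh_token": {
        # Constructed refresh token, to show the cross-type search.
        "sample-refresh-token": {
            "client_id": "sample-client", "scope": "openid", "exp": NOW + 86400,
        },
    },
}


def search_order(token_type_hint: Optional[str]) -> List[str]:
    """Token types to try: the hinted type first, then all remaining types.

    An unregistered hint such as 'bearer' matches no type, so it adds nothing
    and every type is still searched, as RFC 7662 section 2.1 requires.
    """
    hinted = [t for t in TOKEN_STORE if t == token_type_hint]
    return hinted + [t for t in TOKEN_STORE if t != token_type_hint]


def _lookup(token: str, types: List[str], now: int) -> dict:
    """Search the given types in order and build the introspection response."""
    for ttype in types:
        record = TOKEN_STORE[ttype].get(token)
        if record is None:
            continue
        if record["exp"] <= now:
            # Expired: reply only {"active": false}, no details about the token.
            return {"active": False}
        return {
            "active": True,
            "client_id": record["client_id"],
            "scope": record["scope"],
            "exp": record["exp"],
        }
    # Unknown token: same minimal response, not an error (RFC 7662 section 2.2).
    return {"active": False}


def introspect(token: str, token_type_hint: Optional[str] = None, now: int = NOW) -> dict:
    """Spec-compliant introspection: hinted type first, then every other type."""
    return _lookup(token, search_order(token_type_hint), now)


def introspect_hint_only(token: str, token_type_hint: Optional[str] = None, now: int = NOW) -> dict:
    """Non-compliant variant for contrast: a known hint restricts the search to
    that one type, so a valid token sent with the wrong hint comes back inactive."""
    if token_type_hint in TOKEN_STORE:
        return _lookup(token, [token_type_hint], now)
    return _lookup(token, list(TOKEN_STORE), now)


if __name__ == "__main__":
    token = "334060588-dd4e-36a5-ad93-440cc77a1cfb"
    for hint in (None, "bearer", "access_token", "refresh_token"):
        print("hint=%-14s compliant=%s hint_only=%s" % (
            hint, introspect(token, hint), introspect_hint_only(token, hint)))
    print("expired:", introspect("expired-access-token"))
    print("unknown:", introspect("no-such-token", "access_token"))
```

Running the block prints each hint beside both behaviours; the only case where the two differ is a registered hint naming the wrong type, which the compliant lookup still resolves and the hint-only lookup reports as inactive.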