Hi,

While supporting the *token_type_hint* values access_token and refresh_token is good, it looks like we need to fix the logic for handling unknown token_type_hints.

I think Chanaka has raised a valid concern here. If an invalid token hint is given then we need to do a full search. But it seems that we rely on the provided token_type_hint to do the search.

@Chanaka Lakmal <[email protected]> Can you create a git issue for this under the product-is repo?

Regards,
Farasath

On Fri, May 10, 2019 at 3:34 PM Nilasini Thirunavukkarasu <[email protected]> wrote:

> Hi Chanaka,
>
> Supporting the *token_type_hint* parameter has been fixed in the master branch [1][2] and will be released with the upcoming release.
>
> [1] https://github.com/wso2/product-is/issues/3780
> [2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/970/files#diff-78ef442733b42d8573912a910e98d884R83
>
> Thanks,
> Nila.
>
> On Fri, May 10, 2019 at 3:09 PM Chanaka Lakmal <[email protected]> wrote:
>
>> Hi all,
>>
>> I encountered an issue when trying to invoke the OAuth2 Introspection Endpoint of WSO2 IS 5.7.0 as guided by the doc [1]. These are the scenarios I tried with a valid token, and part of the response status:
>>
>> 1. Invoke the introspection endpoint with the *token*. Response - {"active":true}
>>
>>    curl -k -u admin:admin -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=334060588-dd4e-36a5-ad93-440cc77a1cfb' https://localhost:9443/oauth2/introspect
>>
>> 2. Invoke the introspection endpoint with the *token* and *token_type_hint*=*bearer*. Response - {"active":true}
>>
>>    curl -k -u admin:admin -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=334060588-dd4e-36a5-ad93-440cc77a1cfb&token_type_hint=bearer' https://localhost:9443/oauth2/introspect
>>
>> 3. Invoke the introspection endpoint with the *token* and *token_type_hint*=*access_token*. Response - {"active":false}
>>
>>    curl -k -u admin:admin -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=334060588-dd4e-36a5-ad93-440cc77a1cfb&token_type_hint=access_token' https://localhost:9443/oauth2/introspect
>>
>> According to the OAuth2 token introspection specification [2]:
>>
>>     If the server is unable to locate the token using the given hint,
>>     it MUST extend its search across all of its supported token types.
>>
>> So, according to the specification, it should send the active parameter of the response as true in the 3rd scenario.
>>
>> Appreciate your thoughts on this.
>>
>> [1] https://docs.wso2.com/display/IS541/Invoke+the+OAuth+Introspection+Endpoint
>> [2] https://tools.ietf.org/html/rfc7662#section-2.1
>>
>> Thanks,
>> Chanaka
>> --
>> *Chanaka Lakmal* | Software Engineer | WSO2 Inc.
>> Mobile : (+94) 77 596 2256
>> <https://wso2.com/signature>
>
> --
> Nilasini Thirunavukkarasu
> Senior Software Engineer - WSO2
> Email : [email protected]
> Mobile : +94775241823
> Web : http://wso2.com/
> <http://wso2.com/signature>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev

--
Farasath Ahamed
Associate Technical Lead, WSO2 Inc.: http://wso2.com
Mobile: +94777603866
Blog: https://farasath.blogspot.com / https://medium.com/@farasath
Twitter: @farazath619 <https://twitter.com/farazath619>
<http://wso2.com/signature>

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
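The RFC 7662 rule under discussion, as an added example in Python. This is not WSO2 Identity Server or identity-inbound-auth-oauth code; it is a minimal introspection lookup that contrasts the pattern Farasath describes (the hint decides where to search) with what section 2.1 requires (the hint only orders the search, and an unknown hint is ignored). The in-memory store, the refresh-token and expired-token values, and the function names are constructed for illustration; the access token value is the one from Chanaka's curl commands.

```python
"""RFC 7662 section 2.1: token_type_hint orders the lookup, it never limits it.

Added example, not WSO2 Identity Server code. The in-memory store, the
refresh/expired token values and the helper names are constructed for
illustration; the access token value is the one from the curl commands above.
"""
import time
from dataclasses import dataclass

SUPPORTED_TYPES = ("access_token", "refresh_token")  # types this server issues


@dataclass
class TokenRecord:
    token_type: str
    client_id: str
    scope: str
    exp: int  # expiry, epoch seconds


_NOW = int(time.time())

# Constructed store keyed by token type, then by token value. A real
# server would key on a hash of the token, never the raw value.
STORE = {
    "access_token": {
        "334060588-dd4e-36a5-ad93-440cc77a1cfb":
            TokenRecord("access_token", "app1", "openid", _NOW + 3600),
        "expired-access-token-example":
            TokenRecord("access_token", "app1", "openid", _NOW - 60),
    },
    "refresh_token": {
        "refresh-token-example-1":
            TokenRecord("refresh_token", "app1", "openid", _NOW + 86400),
    },
}


def _lookup(token_type, token):
    return STORE.get(token_type, {}).get(token)


def _response(rec, now):
    """Expose details only for live tokens; everything else is the minimal
    {"active": false}, so a caller learns nothing about unknown or expired
    tokens beyond the fact that they are not usable."""
    if rec is None or rec.exp <= now:
        return {"active": False}
    return {"active": True, "token_type": rec.token_type,
            "client_id": rec.client_id, "scope": rec.scope, "exp": rec.exp}


def introspect_hint_only(token, token_type_hint=None, now=None):
    """The pattern Farasath describes: the hint decides where to look.
    A hint that does not name the store holding the token (a mismatched
    hint, or an unknown one such as "bearer") yields {"active": false}
    for a perfectly valid token."""
    now = _NOW if now is None else now
    types = SUPPORTED_TYPES if token_type_hint is None else (token_type_hint,)
    for t in types:
        rec = _lookup(t, token)
        if rec is not None:
            return _response(rec, now)
    return {"active": False}


def introspect(token, token_type_hint=None, now=None):
    """RFC 7662 behaviour: a recognised hint is tried first, purely as an
    optimisation; on a miss, or for an unrecognised hint, the search
    extends across every supported token type."""
    now = _NOW if now is None else now
    order = list(SUPPORTED_TYPES)
    if token_type_hint in SUPPORTED_TYPES:
        order.remove(token_type_hint)
        order.insert(0, token_type_hint)
    # An unrecognised hint is client-supplied input and is simply ignored.
    for t in order:
        rec = _lookup(t, token)
        if rec is not None:
            return _response(rec, now)
    return {"active": False}


if __name__ == "__main__":
    tok = "334060588-dd4e-36a5-ad93-440cc77a1cfb"
    for hint in (None, "bearer", "access_token", "refresh_token"):
        print(f"hint={hint!r:15} hint_only={introspect_hint_only(tok, hint)['active']!s:6}"
              f" rfc7662={introspect(tok, hint)['active']}")
```

Two points worth keeping in mind when reviewing the real fix: `bearer` is a token *type* in the RFC 6750 sense, not one of the `token_type_hint` values (RFC 7009 registers `access_token` and `refresh_token`), so it is exactly the kind of unknown hint the fallback has to cover; and because the hint is chosen by the caller, it must never be allowed to change what the server returns for a given token, only how quickly it finds it.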
