[
https://issues.apache.org/jira/browse/CXF-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13416093#comment-13416093
]
Sergey Beryozkin commented on CXF-4427:
---------------------------------------
actually, I see Dan and Jordi agreeing it has to be off by default, fine with
me too, will be consistent with the way other security-related exceptions are
handled across CXF
> Error details are discarded and never sent to the client
> --------------------------------------------------------
>
> Key: CXF-4427
> URL: https://issues.apache.org/jira/browse/CXF-4427
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 2.7.0
> Reporter: Jordi Torrente
> Labels: oauth2
>
> Current AccessTokenService implementation catches all OAuthServiceExceptions
> and returns a generic error response discarding all the exception details:
> ServerAccessToken serverToken = null;
> try {
> serverToken = handler.createAccessToken(client, params);
> } catch (OAuthServiceException ex) {
> // the error response is to be returned next
> }
> if (serverToken == null) {
> return createErrorResponse(params, OAuthConstants.INVALID_GRANT);
> }
> I think it would be more useful to create the OAuthError object to return
> using the exception's message, in order to receive the error code/details at
> the client layer
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
