OAuth2 access tokens being removed from OAuth2Store when request returns any 
4xx response
-----------------------------------------------------------------------------------------

                 Key: SHINDIG-1711
                 URL: https://issues.apache.org/jira/browse/SHINDIG-1711
             Project: Shindig
          Issue Type: Bug
          Components: Java
    Affects Versions: 2.5.0
            Reporter: Stanton Sievers
            Assignee: Stanton Sievers
             Fix For: 2.5.0


If the URL to which a gadget is doing a makeRequest doesn't exist, i.e., 
returns a 404 to the Shindig server, the access token is being removed from the 
OAuth2 Store.  This functionality is implemented here: 
org.apache.shindig.gadgets.oauth2.BasicOAuth2Request.fetchFromServer(OAuth2Accessor, HttpRequest)

fetchFromServer is checking only if the response code is 4xx, and if so, it is 
removing the access token from the store.  This seems right for 401 or 403 
return codes, perhaps, but not for 404.  The behavior for an end user would 
then be that they have to do the OAuth dance again next time the gadget tries 
to access a resource.  

The proposal is to change the current implementation to look explicitly for 401 
or 403 response codes in fetchFromServer instead of looking for any 4xx.
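
The difference between the two checks, as an added example that is not part of the original report and is not Shindig code. The class, both predicates, the map standing in for the OAuth2 store, and the response sequence are hypothetical and constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.IntPredicate;

// Added illustration only; none of these names exist in Shindig.
public class TokenEvictionDemo {
    // Behaviour described in the report: any 4xx response evicts the token.
    static final IntPredicate ANY_4XX = s -> s >= 400 && s < 500;
    // Proposed behaviour: only authorization failures evict the token.
    static final IntPredicate AUTH_FAILURE_ONLY = s -> s == 401 || s == 403;

    // Replays upstream status codes against an in-memory token store and
    // returns how often the user is sent back through the OAuth dance.
    static int countReauthorizations(int[] statuses, IntPredicate evict) {
        Map<String, String> store = new HashMap<>();
        String key = "gadget-1|user-1";          // constructed store key
        store.put(key, "initial-token");         // user has already authorized once
        int dances = 0;
        for (int status : statuses) {
            if (!store.containsKey(key)) {
                // No token left: the gadget cannot call the resource until
                // the user authorizes again.
                dances++;
                store.put(key, "token-after-dance-" + dances);
            }
            if (evict.test(status)) {
                store.remove(key);               // token dropped after this response
            }
        }
        return dances;
    }

    public static void main(String[] args) {
        // Constructed sequence: two requests to missing URLs (404) and one
        // genuine authorization failure (401) between successful calls.
        int[] statuses = {200, 404, 200, 401, 200, 404, 200};
        System.out.println("evict on any 4xx:     "
                + countReauthorizations(statuses, ANY_4XX) + " re-authorizations");
        System.out.println("evict on 401/403 only: "
                + countReauthorizations(statuses, AUTH_FAILURE_ONLY) + " re-authorizations");
    }
}
```

With the narrower predicate the 404 responses leave the stored token in place, so only the 401 forces the user through authorization again.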
