Re: [Dev] Returning token state from Identity Server introspect response.

2016-12-04 Thread Nuwan Dias
Yeah, AFAIK we aren't descriptive in the error response. On Mon, Dec 5, 2016 at 10:45 AM, Sanjeewa Malalgoda wrote: > Yes I think it's ok if introspection only sends inactive. Anyway we don't > need to send a specific error message as it makes it possible for a user to guess the token. > As

Re: [Dev] Returning token state from Identity Server introspect response.

2016-12-04 Thread Sanjeewa Malalgoda
Yes I think it's ok if introspection only sends inactive. Anyway we don't need to send a specific error message as it makes it possible for a user to guess the token. As I know, usually we don't send descriptive error messages to users when an auth failure happens. Thanks, sanjeewa. On Sat, Dec 3, 2016 at 9:55 PM,

Re: [Dev] Returning token state from Identity Server introspect response.

2016-12-03 Thread Ishara Cooray
Thanks Farasath and Maduranga. Hi Nuwan/Sanjeewa, As per the above, we won't be able to respond to an API request with the reason for an inactive token, such as 'token expired', but we will respond as 'token is inactive'. Appreciate your thoughts. Thanks & Regards, Ishara Cooray Senior Software

Re: [Dev] Returning token state from Identity Server introspect response.

2016-12-02 Thread Maduranga Siriwardena
Hi Ishara, According to the specification, it is not recommended to expose too many details about why the token is not active. Note that to avoid disclosing too much of the authorization server's state to a third party, the authorization server SHOULD NOT include any additional

Re: [Dev] Returning token state from Identity Server introspect response.

2016-12-02 Thread Farasath Ahamed
Hi Ishara, The '*active*' parameter is mandatory according to the Introspection spec[1], to indicate the status of the token. If we are to send something like what you have suggested we could do so by using a custom attribute in response. But then again that would be something specific to our
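The behaviour Maduranga and Farasath describe, as an added example that is not code from this thread or from Identity Server: an RFC 7662 style introspection handler that keeps the real reason (expired, revoked, unknown) server-side for logging and answers every inactive case with the same bare `{"active": false}` body, so a caller cannot tell the cases apart. The in-memory token table and the fixed clock are constructed for the example.

```python
import json

# Constructed sample data: a fixed "now" keeps the example deterministic,
# and the dict stands in for the authorization server's token store.
NOW = 1_480_000_000
TOKENS = {
    "valid-token":   {"client_id": "app1", "scope": "read", "exp": NOW + 3600, "revoked": False},
    "expired-token": {"client_id": "app1", "scope": "read", "exp": NOW - 10,   "revoked": False},
    "revoked-token": {"client_id": "app1", "scope": "read", "exp": NOW + 3600, "revoked": True},
}


def token_state(token, now=NOW):
    """Internal classification; suitable for server-side audit logs only."""
    rec = TOKENS.get(token)
    if rec is None:
        return "unknown"
    if rec["revoked"]:
        return "revoked"
    if rec["exp"] <= now:
        return "expired"
    return "active"


def introspect(token, now=NOW):
    """Build the introspection response body as a dict.

    RFC 7662 makes 'active' the only required member. For an active token
    the usual claims are returned; for anything else the body is exactly
    {"active": false}, with no hint of why, so expired, revoked and
    never-issued tokens are indistinguishable to the protected resource.
    """
    if token_state(token, now) != "active":
        return {"active": False}
    rec = TOKENS[token]
    return {"active": True, "client_id": rec["client_id"],
            "scope": rec["scope"], "exp": rec["exp"]}


def introspect_json(token, now=NOW):
    """Serialize the response the way the endpoint would send it (HTTP 200)."""
    return json.dumps(introspect(token, now), separators=(",", ":"))


if __name__ == "__main__":
    for t in ("valid-token", "expired-token", "revoked-token", "no-such-token"):
        print(f"{t:14} internal={token_state(t):8} response={introspect_json(t)}")
```

Compare the internal column with the response column: only the first differs per token, which is the property the spec asks for.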

[Dev] Returning token state from Identity Server introspect response.

2016-12-02 Thread Ishara Cooray
I have used the introspect endpoint to get token info with Identity Server 5.3.0. I get an {'active':false} response even for an expired token. *Request :* curl -k -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=a2c12c81-33fb-3e07-aa5e-c50639011199'