Yeah, AFAIK we aren't descriptive in the error response.
On Mon, Dec 5, 2016 at 10:45 AM, Sanjeewa Malalgoda
wrote:
Yes, I think it's ok if introspection only sends inactive. Anyway, we don't
need to send a specific error message, as it makes it possible for a user to guess the token.
As far as I know, we usually don't send descriptive error messages to users when an auth
failure happens.
Thanks,
sanjeewa.
On Sat, Dec 3, 2016 at 9:55 PM,
Thanks Farasath and Maduranga.
Hi Nuwan/Sanjeewa,
As per the above we won't be able to respond to an api request with reason
for an inactive token such as 'token expired' but we will respond as 'token
is inactive'.
Appreciate your thoughts.
Thanks & Regards,
Ishara Cooray
Senior Software
Hi Ishara,
According to the specification, it is not recommended to expose too many
details about why the token is not active.
Note that to avoid disclosing too
much of the authorization server's state to a third party, the
authorization server SHOULD NOT include any additional
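The behaviour the replies above describe, as an added Python example that is not from this thread and not WSO2 Identity Server code: an introspection handler that answers {"active": false} for expired, revoked and unknown tokens alike, placed beside the "custom attribute" variant so the difference in what a caller can learn from the response is measurable. The token store, token values, client ids and fixed clock are constructed for the example.

```python
import json

# Constructed token store standing in for the server's token database.
# Token values, client ids and expiry times are made up for this example.
FIXED_NOW = 1_480_000_000  # fixed clock so the example is deterministic

TOKEN_STORE = {
    "tok-active":  {"client_id": "client-a", "scope": "read",  "exp": FIXED_NOW + 600, "revoked": False},
    "tok-expired": {"client_id": "client-a", "scope": "read",  "exp": FIXED_NOW - 1,   "revoked": False},
    "tok-revoked": {"client_id": "client-b", "scope": "write", "exp": FIXED_NOW + 600, "revoked": True},
}


def introspect(token, now=None):
    """Introspection response as RFC 7662 section 2.2 describes it.

    Expired, revoked and unknown tokens all yield the same body,
    {"active": false}, so the caller cannot tell which case applied."""
    now = FIXED_NOW if now is None else now
    record = TOKEN_STORE.get(token)
    if record is None or record["revoked"] or record["exp"] <= now:
        return {"active": False}
    return {
        "active": True,
        "client_id": record["client_id"],
        "scope": record["scope"],
        "exp": record["exp"],
    }


def introspect_with_reason(token, now=None):
    """Variant that adds a custom 'reason' attribute, as discussed in the thread.

    Shown only to make the trade-off visible: the extra field lets a caller
    distinguish an unknown token from an expired or revoked one, which is
    exactly the authorization-server state the spec says not to disclose."""
    now = FIXED_NOW if now is None else now
    record = TOKEN_STORE.get(token)
    if record is None:
        return {"active": False, "reason": "unknown"}
    if record["revoked"]:
        return {"active": False, "reason": "revoked"}
    if record["exp"] <= now:
        return {"active": False, "reason": "expired"}
    return introspect(token, now)


def distinct_inactive_responses(handler, tokens):
    """Count how many different bodies the handler returns for inactive tokens.

    A value of 1 means the responses carry no information about why the
    token is inactive; anything larger means the endpoint leaks server state."""
    bodies = {json.dumps(handler(t), sort_keys=True) for t in tokens
              if not handler(t)["active"]}
    return len(bodies)


if __name__ == "__main__":
    probes = ["tok-active", "tok-expired", "tok-revoked", "tok-unknown"]
    for t in probes:
        print(t, json.dumps(introspect(t)))
    print("distinct inactive bodies (spec-conformant):",
          distinct_inactive_responses(introspect, probes))
    print("distinct inactive bodies (custom reason):",
          distinct_inactive_responses(introspect_with_reason, probes))
```

Running the block prints one identical body for the three inactive probes under the spec-conformant handler and three different bodies under the variant with a reason field; that count is the whole argument against the custom attribute.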
Hi Ishara,
The '*active*' parameter is mandatory according to the Introspection
spec[1], to indicate the status of the token.
If we are to send something like what you have suggested we could do so by
using a custom attribute in response. But then again that would be
something specific to our
I have used the introspection endpoint to get token info with Identity Server
5.3.0.
I get a {'active':false} response even for an expired token.
*Request :*
curl -k -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data
'token=a2c12c81-33fb-3e07-aa5e-c50639011199'