Introspect returns 200 when access token does not exist
makeevolution opened this issue · comments
Describe the bug
If the access token does not exist in the database, when I use the introspect endpoint, the response is still 200
https://github.com/jazzband/django-oauth-toolkit/blob/master/oauth2_provider/views/introspect.py#L31
To Reproduce
Create a request with an access token in the header/body that you know doesn't exist in the database; the response is 200
Expected behavior
A 401 response, since the authentication credentials provided are incorrect
Version
2.3.0
- [x] I have tested with the latest published release and it's still a problem.
- [x] I have tested with the master branch and it's still a problem.
Additional context
@makeevolution I'm assuming the response body contains "active": false
so this is not a huge issue. Please see the aforementioned description of the introspection endpoint and feel free to submit a PR to fix this.
So the fix would be that the client (e.g. the resource server) that calls this endpoint should also check the active flag right? If not then return not authenticated?
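A resource-server-side check of the kind asked about above, added here as an illustration and not code from django-oauth-toolkit; the sample responses and the function name are constructed for the example. It treats only a 200 reply whose body carries `"active": true` (and an unexpired `exp`, and the required scope when one is given) as an authenticated request, so the "active": false body the maintainer mentions is rejected even though the HTTP status is 200.

```python
import json
import time

# Constructed sample replies from an introspection endpoint (status, body);
# none of these were captured from a real server.
_EXP_FUTURE = int(time.time()) + 3600
ACTIVE_RESPONSE = (200, json.dumps({"active": True, "scope": "read write",
                                    "client_id": "app", "exp": _EXP_FUTURE}))
INACTIVE_RESPONSE = (200, json.dumps({"active": False}))   # unknown/revoked token
ERROR_RESPONSE = (401, json.dumps({"error": "invalid_client"}))  # RS failed to auth


def token_is_valid(status, body, required_scope=None, now=None):
    """Decide whether a resource server should accept a bearer token from the
    introspection endpoint's reply.

    RFC 7662 has the endpoint answer HTTP 200 with {"active": false} for a token
    it does not recognise, so the status code alone proves nothing; the caller
    must inspect the "active" flag. A non-200 status means the resource server
    itself could not use the endpoint, so the token is not trusted either.
    """
    if status != 200:
        return False
    try:
        claims = json.loads(body)
    except ValueError:
        return False
    if claims.get("active") is not True:  # must be boolean true, not "true"/1
        return False
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if exp is not None and exp <= now:  # defensive: expired but still reported active
        return False
    if required_scope:
        granted = set(claims.get("scope", "").split())
        if required_scope not in granted:
            return False
    return True
```

The resource server should map a False result to its own 401 for the end client; the introspection endpoint's 200 is not forwarded as a success.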