jazzband / django-oauth-toolkit

OAuth2 goodies for the Djangonauts!

Home Page:https://django-oauth-toolkit.readthedocs.io

Introspect returns 200 when access token does not exist

makeevolution opened this issue · comments

Describe the bug
If the access token does not exist in the database, when I use the introspect endpoint, the response is still 200
https://github.com/jazzband/django-oauth-toolkit/blob/master/oauth2_provider/views/introspect.py#L31

To Reproduce
Create a request with an access token in the header/body that you know doesn't exist in the database; the response is 200

Expected behavior
A 401 response, since the authentication credentials provided are incorrect

Version
2.3.0

  • [x] I have tested with the latest published release and it's still a problem.
  • [x] I have tested with the master branch and it's still a problem.

Additional context

@makeevolution I'm assuming the response body contains "active": false so this is not a huge issue. Please see the aforementioned description of the introspection endpoint and feel free to submit a PR to fix this.

So the fix would be that the client (e.g. the resource server) that calls this endpoint should also check the active flag, right? If not, then return not authenticated?
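The distinction the thread turns on is that the introspection endpoint's HTTP status describes the introspection request, not the token being looked up: an unknown or revoked token is reported as a 200 whose body carries `"active": false`, while a non-200 reply means the resource server's own call failed. The following is an added example of how a resource server consumes such a reply; it is not code from django-oauth-toolkit, and the function name `evaluate_introspection`, the `Decision` type and the sample responses are constructed for illustration.

```python
"""Resource-server handling of an RFC 7662 introspection response.

Added example, not code from django-oauth-toolkit. It assumes the
introspection endpoint behaves as described in the issue thread: it
answers 200 for an unknown or revoked token with a body whose "active"
field is false. The function names and sample responses below are
constructed for illustration.
"""
import json
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Decision:
    allowed: bool
    reason: str
    claims: Optional[dict] = None


def evaluate_introspection(status_code: int, body: bytes,
                           required_scope: Optional[str] = None,
                           now: Optional[float] = None) -> Decision:
    """Decide whether a bearer token is usable, given the raw reply of
    the introspection endpoint.

    A 200 status alone says nothing about the token: the authorization
    server uses 200 with "active": false for tokens it does not know.
    Any non-200 reply means the introspection request itself failed
    (e.g. bad resource-server credentials) and must not be read as a
    valid token either.
    """
    now = time.time() if now is None else now

    if status_code != 200:
        return Decision(False, f"introspection request failed with HTTP {status_code}")

    try:
        claims = json.loads(body)
    except ValueError:
        return Decision(False, "introspection response is not valid JSON")

    # "active" is the only REQUIRED member in RFC 7662; treat anything
    # other than a literal true as an inactive token.
    if claims.get("active") is not True:
        return Decision(False, "token is not active (unknown, expired or revoked)")

    # Defence in depth: even an active token may carry an "exp" that has
    # passed (clock skew, caching), or lack the scope this resource needs.
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        return Decision(False, "token expiry has passed")

    if required_scope is not None:
        granted = set(str(claims.get("scope", "")).split())
        if required_scope not in granted:
            return Decision(False, f"token lacks required scope {required_scope!r}")

    return Decision(True, "token active", claims)


# Constructed sample replies, shaped like RFC 7662 responses.
SAMPLE_UNKNOWN_TOKEN = (200, b'{"active": false}')
SAMPLE_ACTIVE_TOKEN = (200, json.dumps({
    "active": True,
    "scope": "read write",
    "client_id": "example-client",
    "exp": 4102444800,  # 2100-01-01T00:00:00Z, far in the future
}).encode())
SAMPLE_EXPIRED_TOKEN = (200, json.dumps({"active": True, "exp": 946684800}).encode())  # 2000-01-01
SAMPLE_BAD_CREDENTIALS = (401, b'{"error": "invalid_client"}')


if __name__ == "__main__":
    for name, (status, body) in {
        "unknown token": SAMPLE_UNKNOWN_TOKEN,
        "active token": SAMPLE_ACTIVE_TOKEN,
        "expired token": SAMPLE_EXPIRED_TOKEN,
        "bad introspection credentials": SAMPLE_BAD_CREDENTIALS,
    }.items():
        d = evaluate_introspection(status, body, required_scope="read")
        print(f"{name:32} allowed={d.allowed!s:5} {d.reason}")
```

The resource server denies the request in every branch except an explicit `"active": true` with a live expiry and the needed scope, so a 200 for a non-existent token is handled correctly without the authorization server having to deviate from the RFC 7662 response shape.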