
Introspection Response: access_token and refresh_token are not valid token_type #1762

Closed
UkonnRa opened this issue Mar 18, 2020 · 7 comments
Labels
bug Something is not working. help wanted We are looking for help on this one.

Comments

@UkonnRa

UkonnRa commented Mar 18, 2020

As for the Introspection Spec and the Access Token Spec, bearer and mac are the only valid Access Token types. Some frameworks (like Vertx OAuth2) may consider all other token_type values invalid.

https://github.com/vert-x3/vertx-auth/issues/376 is the related issue

@aeneasr aeneasr added the bug Something is not working. label Mar 18, 2020
@aeneasr aeneasr added this to the v1.4.0 milestone Mar 18, 2020
@aeneasr
Member

aeneasr commented Mar 18, 2020

Triaged as a bug, we should find a better key name for token_type to indicate whether the token is an access or a refresh token.

@UkonnRa
Author

UkonnRa commented Mar 18, 2020

I think metadata.token_type or hydra_token_type is good. BTW, why should I want to know whether the token is an access or a refresh token? There is nothing related in the spec.

@aeneasr
Member

aeneasr commented Mar 18, 2020

> BTW, why should I want to know whether the token is an access or a refresh token?

Because you might want to prevent people from using a refresh token as the access token, given that they usually don't expire.

@aeneasr
Member

aeneasr commented Mar 30, 2020

I think token_use is an appropriate name:

  • token_use: access_token
  • token_use: refresh_token

@UkonnRa
Author

UkonnRa commented Mar 30, 2020

I think so, a good name!

@aeneasr aeneasr modified the milestones: v1.4.0, v1.4.1 Apr 2, 2020
@aeneasr aeneasr modified the milestones: v1.4.1, v1.5.0 Apr 23, 2020
@aeneasr aeneasr modified the milestones: v1.5.0, v1.6.0 Jul 1, 2020
@aeneasr aeneasr modified the milestones: v1.6.0, v1.8.0, v1.7.0 Aug 4, 2020
@aeneasr aeneasr modified the milestones: v1.7.0, v1.8.0 Aug 17, 2020
@aeneasr aeneasr added help wanted We are looking for help on this one. and removed up for grabs labels Aug 20, 2020
ajanthan added a commit to ajanthan/fosite that referenced this issue Sep 26, 2020
@aeneasr
Member

aeneasr commented Sep 30, 2020

I just realized that the request parameters have a token_type_hint parameter which can be access_token or refresh_token (see also RFC7009) but then return token_type in a completely different context (related to the HTTP auth mechanism). Classic OAuth2 ...

ajanthan pushed a commit to ajanthan/fosite that referenced this issue Oct 2, 2020
ajanthan added a commit to ajanthan/fosite that referenced this issue Oct 2, 2020
fix: returning valid token_type in introspection response ory/hydra#1762
ajanthan added a commit to ajanthan/fosite that referenced this issue Oct 2, 2020
aeneasr pushed a commit to ory/fosite that referenced this issue Oct 6, 2020
See ory/hydra#1762

BREAKING CHANGE: Type `fosite.TokenType` has been renamed to `fosite.TokenUse`.
aeneasr added a commit that referenced this issue Oct 11, 2020
BREAKING CHANGE: Previously, the OAuth2 Token Introspection endpoint would return `access_token` or `refresh_token` for the key `token_type`. This however is not according to spec, which specifies `bearer` as the only valid (unless an extension is used) `token_type` parameter. Please be aware that `token_type_hint` in the **request parameters** is still correct. For more information consult [RFC7662](https://tools.ietf.org/html/rfc7662). If you wish to know if a token can be used as an access or refresh token, check the new `token_use` parameter!

Closes #1762
aeneasr added a commit that referenced this issue Nov 10, 2020
Closes #1762

BREAKING CHANGE: This changes the OAuth2 Token Introspection response to ensure compliance with the OAuth2 Token Introspection specification. Previously, `token_type` would return `access_token` or `refresh_token`. The specification however mandates that `token_type` is always `Bearer`. This patch resolves that issue. The previous behaviour of `token_type` has now been moved to `token_use` which can be `access_token` or `refresh_token`.
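The two checks discussed in this thread (a resource server should only accept a bearer `token_type`, and should use `token_use` to refuse a refresh token presented as an access token) can be combined on the consuming side of the introspection endpoint. The following is an added example, not code from Hydra or fosite; the three JSON responses are constructed samples, and the `ValidateForResourceServer` helper and its error values are hypothetical names. It also applies the RFC 6749 rule that `token_type` values are compared case-insensitively, so both `Bearer` and `bearer` are accepted.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// IntrospectionResponse holds the RFC 7662 fields a resource server cares
// about, plus the token_use extension introduced by this issue.
type IntrospectionResponse struct {
	Active    bool   `json:"active"`
	TokenType string `json:"token_type,omitempty"` // must be "bearer" (case-insensitive)
	TokenUse  string `json:"token_use,omitempty"`  // "access_token" or "refresh_token"
	Scope     string `json:"scope,omitempty"`
	Sub       string `json:"sub,omitempty"`
	Exp       int64  `json:"exp,omitempty"`
}

var (
	ErrInactive       = errors.New("token is not active")
	ErrBadTokenType   = errors.New("token_type is not bearer")
	ErrNotAccessToken = errors.New("token_use is not access_token")
)

// Constructed sample responses (hypothetical values, not captured traffic).
const (
	// Pre-fix shape: token_type carried the token's role, which RFC 7662
	// never allowed. A strict client must reject this.
	LegacyResponse = `{"active":true,"token_type":"access_token","scope":"openid","sub":"user-1","exp":1700000000}`
	// Post-fix shape for an access token: bearer type, role moved to token_use.
	AccessResponse = `{"active":true,"token_type":"Bearer","token_use":"access_token","scope":"openid","sub":"user-1","exp":1700000000}`
	// Post-fix shape for a refresh token: bearer type, but not usable at a resource server.
	RefreshResponse = `{"active":true,"token_type":"bearer","token_use":"refresh_token","scope":"openid offline","sub":"user-1","exp":1700000000}`
)

// ValidateForResourceServer decides whether an introspection response
// describes a token that a resource server may accept as a bearer access token.
func ValidateForResourceServer(raw []byte) (*IntrospectionResponse, error) {
	var r IntrospectionResponse
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, fmt.Errorf("decode introspection response: %w", err)
	}
	if !r.Active {
		return nil, ErrInactive
	}
	// RFC 6749 section 5.1: token_type is case-insensitive, so "Bearer" and
	// "bearer" both pass; "access_token" or "refresh_token" do not.
	// token_type is OPTIONAL in RFC 7662, so an absent value is tolerated.
	if r.TokenType != "" && !strings.EqualFold(r.TokenType, "bearer") {
		return nil, ErrBadTokenType
	}
	// token_use is the extension from this issue: a refresh token (which
	// typically does not expire) must never be accepted in place of an access token.
	if r.TokenUse != "" && r.TokenUse != "access_token" {
		return nil, ErrNotAccessToken
	}
	return &r, nil
}

func main() {
	for name, body := range map[string]string{
		"legacy": LegacyResponse, "access": AccessResponse, "refresh": RefreshResponse,
	} {
		if _, err := ValidateForResourceServer([]byte(body)); err != nil {
			fmt.Printf("%-8s rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%-8s accepted\n", name)
	}
}
```

The legacy response is rejected on `token_type`, the new refresh-token response is rejected on `token_use`, and only the new access-token response is accepted; a client that only checked `active` would have let the refresh token through.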
aeneasr added a commit that referenced this issue Nov 10, 2020
aeneasr added a commit that referenced this issue Nov 17, 2020
aeneasr added a commit that referenced this issue Nov 17, 2020
@ghenry

ghenry commented Apr 27, 2021

Would token_type be Bearer or bearer?
