ory/fosite

Expired access tokens return the wrong error type


(First up, thank you so much for your work on the ORY projects, they're a godsend).

RFC 6750 requires that resource servers respond to expired access tokens with the error code invalid_token.
https://tools.ietf.org/html/rfc6750#section-3.1

The OpenID spec says that the userinfo response should use errors as per RFC 6750.
https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError

Hydra's implementation does not comply and responds to an expired access token with the error code token_expired.

```go
// fosite's ErrTokenExpired is what surfaces as the non-standard token_expired error code
return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Access token expired at '%s'.", r.GetRequestedAt().Add(h.AccessTokenLifespan)))
```

To Reproduce

Steps to reproduce the behavior:

  1. Generate an access token with ORY Hydra
  2. Wait until the access token is expired (or expire it via the db)
  3. Attempt to access the /userinfo endpoint with the expired access token
  4. You will receive a response with token_expired

Expected behavior

The response should return invalid_token.

Environment

  • Version: master
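As an added example (not fosite's or Hydra's own code), a minimal Go userinfo handler that maps an internal expiry error onto the RFC 6750 invalid_token error, assuming hypothetical error values ErrTokenExpired and ErrInsufficientScope that stand in for fosite's own types. It goes beyond the single case in the issue by also covering insufficient_scope (403) and the bare challenge for a request that carries no credentials.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
	"strings"
)

// Hypothetical stand-ins for fosite's own error types, which this example does not use.
var ErrTokenExpired, ErrInsufficientScope = errors.New("access token expired"), errors.New("insufficient scope")
// BearerError is an RFC 6750 section 3.1 error: code, required HTTP status, description.
type BearerError struct {
	Code        string `json:"error"`
	Status      int    `json:"-"`
	Description string `json:"error_description"`
}
// BearerErrorFor maps an internal error to its RFC 6750 code: expiry is invalid_token (401), not token_expired.
func BearerErrorFor(err error) BearerError {
	switch {
	case errors.Is(err, ErrTokenExpired):
		return BearerError{"invalid_token", http.StatusUnauthorized, "The access token expired"}
	case errors.Is(err, ErrInsufficientScope):
		return BearerError{"insufficient_scope", http.StatusForbidden, "The token lacks the required scope"}
	default:
		return BearerError{"invalid_request", http.StatusBadRequest, "The request is malformed"}
	}
}

// UserinfoHandler validates the bearer token and answers failures per RFC 6750: a WWW-Authenticate challenge with the error code plus a JSON body carrying the same fields.
func UserinfoHandler(validate func(token string) error) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") { // no credentials: bare challenge without an error code
			w.Header().Set("WWW-Authenticate", `Bearer realm="userinfo"`)
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		if err := validate(strings.TrimPrefix(auth, "Bearer ")); err != nil {
			be := BearerErrorFor(err)
			w.Header().Set("WWW-Authenticate", `Bearer realm="userinfo", error="`+be.Code+`", error_description="`+be.Description+`"`)
			w.WriteHeader(be.Status)
			json.NewEncoder(w).Encode(be)
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"sub": "user-123"}) // constructed sample claim
	}
}
```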

Nice find! Would you be up for a PR? :)

mitar commented

I think this can be closed now?