Expired access tokens return the wrong error type
Closed this issue · 2 comments
(First up, thank you so much for your work on the ORY projects, they're a godsend).
RFC 6750 requires that resource servers respond to expired access tokens with the error code invalid_token.
https://tools.ietf.org/html/rfc6750#section-3.1
The OpenID spec says that the userinfo response should use errors as per RFC 6750.
https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError
Hydra's implementation does not comply and responds to an expired access token with an error code token_expired.
fosite/handler/oauth2/strategy_hmacsha.go, line 58 in 839d000
To Reproduce
Steps to reproduce the behavior:
- Generate an access token with ORY Hydra
- Wait until the access token is expired (or expire it via the db)
- Attempt to access the /userinfo endpoint with the expired access token - You will receive a response with token_expired
Expected behavior
The response should return invalid_token.
Environment
- Version: master
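The error mapping the report asks for, shown as an added Go example rather than fosite's or Hydra's own code: a minimal UserInfo handler that validates a bearer token against a constructed in-memory store (`tokenRecord`, `classifyToken`, `probe` and the sample token strings are all assumptions made for this example) and reports expiry as RFC 6750's `invalid_token` with HTTP 401 and a `WWW-Authenticate` challenge, the same way it reports an unknown token. The RFC has no `token_expired` code; the only other codes it defines are `invalid_request` (400) and `insufficient_scope` (403).

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// tokenRecord is a constructed stand-in for whatever a resource server looks
// an access token up in; it is not fosite's or Hydra's storage model.
type tokenRecord struct {
	Subject   string
	ExpiresAt time.Time
}

// bearerError is one RFC 6750 section 3.1 error response. An empty Code is
// the bare challenge sent when the request carried no token at all.
type bearerError struct {
	Code        string
	Description string
	Status      int
}

// classifyToken validates the Authorization header against the store and maps
// every failure onto an RFC 6750 code. The expiry branch is the point of the
// issue: there is no token_expired code, so an expired token is invalid_token
// with 401, exactly like an unknown one.
func classifyToken(store map[string]tokenRecord, authz string, now time.Time) (*tokenRecord, *bearerError) {
	if authz == "" {
		return nil, &bearerError{Status: http.StatusUnauthorized}
	}
	parts := strings.SplitN(authz, " ", 2)
	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") || parts[1] == "" {
		return nil, &bearerError{Code: "invalid_request", Description: "malformed Authorization header", Status: http.StatusBadRequest}
	}
	rec, ok := store[parts[1]]
	if !ok {
		return nil, &bearerError{Code: "invalid_token", Description: "unknown access token", Status: http.StatusUnauthorized}
	}
	if !now.Before(rec.ExpiresAt) {
		return nil, &bearerError{Code: "invalid_token", Description: "access token expired", Status: http.StatusUnauthorized}
	}
	return &rec, nil
}

// challenge renders the WWW-Authenticate value RFC 6750 requires on a 401;
// error and error_description are attached only when there is a code.
func (e *bearerError) challenge() string {
	c := `Bearer realm="userinfo"`
	if e.Code != "" {
		c += fmt.Sprintf(`, error="%s", error_description="%s"`, e.Code, e.Description)
	}
	return c
}

// userinfoHandler is a minimal UserInfo endpoint using the error shape that
// OpenID Connect Core delegates to RFC 6750. The clock is injected so expiry
// can be exercised without waiting.
func userinfoHandler(store map[string]tokenRecord, clock func() time.Time) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rec, berr := classifyToken(store, r.Header.Get("Authorization"), clock())
		w.Header().Set("Content-Type", "application/json")
		if berr != nil {
			w.Header().Set("WWW-Authenticate", berr.challenge())
			w.WriteHeader(berr.Status)
			if berr.Code != "" {
				_ = json.NewEncoder(w).Encode(map[string]string{"error": berr.Code, "error_description": berr.Description})
			}
			return
		}
		_ = json.NewEncoder(w).Encode(map[string]string{"sub": rec.Subject})
	})
}

// probe sends one request through the handler and returns the status, the
// WWW-Authenticate header and the JSON "error" field (empty on success).
func probe(h http.Handler, authz string) (int, string, string) {
	req := httptest.NewRequest(http.MethodGet, "/userinfo", nil)
	if authz != "" {
		req.Header.Set("Authorization", authz)
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	var body map[string]string
	_ = json.Unmarshal(rr.Body.Bytes(), &body)
	return rr.Code, rr.Header().Get("WWW-Authenticate"), body["error"]
}

func main() {
	now := time.Date(2020, 1, 1, 12, 0, 0, 0, time.UTC)
	store := map[string]tokenRecord{ // constructed sample tokens
		"live-token":    {Subject: "alice", ExpiresAt: now.Add(time.Hour)},
		"expired-token": {Subject: "bob", ExpiresAt: now.Add(-time.Minute)},
	}
	h := userinfoHandler(store, func() time.Time { return now })
	for _, authz := range []string{"Bearer live-token", "Bearer expired-token", "Bearer nope", "Basic x", ""} {
		status, www, code := probe(h, authz)
		fmt.Printf("%-22q -> %d %q error=%q\n", authz, status, www, code)
	}
}
```

A client that wants to refresh on expiry has to key off `invalid_token` in the `WWW-Authenticate` header or body; that is why a server-specific code such as `token_expired` breaks interoperable clients even when the HTTP status is right.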
Nice find! Would you be up for a PR? :)
I think this can be closed now?