spring-attic/spring-security-oauth

CheckTokenEndpoint should not throw invalid token exceptions

jzheaux opened this issue · 1 comment

The Introspection spec states (emphasis mine):

> Note that a properly formed and authorized query for an inactive or otherwise invalid token **(or a token the protected resource is not allowed to know about) is not considered an error response by this specification**. In these cases, the authorization server MUST instead **respond with an introspection response with the "active" field set to "false"** as described in Section 2.2.

CheckTokenEndpoint throws an InvalidTokenException in this case, but should instead respond with:

```json
{
    "active" : false
}
```

Given that no further releases are planned for this project, I'm logging this simply as a point of reference to help address spring-projects/spring-security#10038.

Related to #1122
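The rule quoted above, as an added example that is not part of the issue or of the spring-security-oauth code base: a minimal RFC 7662 style introspection responder. Only a malformed request or bad caller credentials produce an error status; an unknown, expired, or out-of-audience token all yield the same `{"active": false}` body, so a caller cannot distinguish them. The token store and resource-server credentials are constructed sample data and the `introspect` function is hypothetical.

```python
import hmac

# Constructed sample token store: token value -> metadata (Unix-time exp).
TOKENS = {
    "tok-good":     {"client_id": "app-a", "scope": "read",  "exp": 1700003600, "aud": "rs-1"},
    "tok-expired":  {"client_id": "app-a", "scope": "read",  "exp": 1699999000, "aud": "rs-1"},
    "tok-other-rs": {"client_id": "app-b", "scope": "write", "exp": 1700003600, "aud": "rs-2"},
}

# Constructed sample resource-server credentials: resource id -> secret.
RESOURCE_SERVERS = {"rs-1": "secret-1", "rs-2": "secret-2"}

# Single inactive body, shared by every "bad token" outcome so that the
# response shape leaks nothing about *why* the token is inactive.
INACTIVE = {"active": False}


def introspect(caller_id, caller_secret, token, now):
    """Return (http_status, json_body) for one introspection request.

    Per RFC 7662 only the *request* or the *caller* can be in error;
    a bad *token* is a normal 200 response with active=false.
    """
    expected = RESOURCE_SERVERS.get(caller_id)
    # Unauthenticated caller: an error response is correct here (Section 2.3).
    if expected is None or not hmac.compare_digest(expected.encode(), caller_secret.encode()):
        return 401, {"error": "invalid_client"}
    # Missing token parameter: malformed request, also an error.
    if not token:
        return 400, {"error": "invalid_request"}

    meta = TOKENS.get(token)
    # Unknown or expired token: NOT an error, just inactive.
    if meta is None or meta["exp"] <= now:
        return 200, dict(INACTIVE)
    # Valid token the caller is not allowed to know about: also just inactive.
    if meta["aud"] != caller_id:
        return 200, dict(INACTIVE)

    return 200, {
        "active": True,
        "client_id": meta["client_id"],
        "scope": meta["scope"],
        "exp": meta["exp"],
        "aud": meta["aud"],
    }
```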