Comments (3)
Users implementing their own storage interface implementation should realistically carefully model their implementation similar to the memory example, as this is often used in the testing.

You will notice upon inspection that the `GetRefreshTokenSession` of this specific struct returns only two specific errors. If the token does not exist it returns `fosite.ErrNotFound`, and it returns `fosite.ErrInactiveToken` if the token is inactive. As such I don't believe this is a workaround but is the intended method to communicate this issue from that interface; it's just not documented (the library is mostly intended for use with hydra, however I think there is a reasonable argument that this should be documented to help avoid bugs over on hydra itself).

Other errors are usually indicative of SQL errors and the like. I can see an argument for enhancing this interaction (globally) where, if the error is a `*fosite.RFC6749Error` that is appropriate for the request type, it is just returned; however this could also lead to serious bugs with other implementations. This kind of behavior is also a lot harder to communicate clearly.
from fosite.
Please note that returning `fosite.ErrInactiveToken` from the store means that the response status code is 401 (fosite/errors.go), which is not the correct response status as per the RFC; it should be 400.

In the case where a refresh token is invalid, expired, or revoked it should return an `invalid_grant` error with a 400 status code.
Bumping this issue, I've also observed that Ory returns a 401 and `token_inactive` (a string which I can't find in the spec at all) when a refresh token is reused, rather than 400 and `invalid_grant` as one would expect by reading the spec.
Happy to write a test and a more complete/fleshed out issue for this if you agree that this is a bug.
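An added Go example (not fosite's own code) of the contract the comments above describe: the store signals "missing" or "inactive" with two sentinel errors, and the token endpoint maps both to the RFC 6749 `invalid_grant` response with status 400 rather than 401, while unrelated store errors (SQL failures and the like) become `server_error` without leaking their detail. The sentinel names, the `RFC6749Error` struct and the function names are assumptions made for this example, not the library's API.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Sentinel errors a store's GetRefreshTokenSession is expected to return. The
// names mirror fosite's but are defined here (assumption) so the example runs alone.
var (
	ErrNotFound      = errors.New("not found")
	ErrInactiveToken = errors.New("token inactive")
)

// RFC6749Error is the token-endpoint error body of RFC 6749 section 5.2.
type RFC6749Error struct {
	Code        int    `json:"-"`
	Name        string `json:"error"`
	Description string `json:"error_description"`
}

// mapStoreError turns a store error into the error the client must see: a missing,
// revoked or expired refresh token is invalid_grant with 400; anything else (SQL
// failures etc.) is server_error with 500, with the underlying detail kept private.
func mapStoreError(err error) *RFC6749Error {
	switch {
	case err == nil:
		return nil
	case errors.Is(err, ErrNotFound), errors.Is(err, ErrInactiveToken):
		return &RFC6749Error{http.StatusBadRequest, "invalid_grant",
			"The provided refresh token is invalid, expired, or revoked."}
	default:
		return &RFC6749Error{http.StatusInternalServerError, "server_error",
			"The authorization server encountered an unexpected condition."}
	}
}

// writeTokenError writes the error as RFC 6749 section 5.2 requires.
func writeTokenError(w http.ResponseWriter, e *RFC6749Error) {
	w.Header().Set("Content-Type", "application/json;charset=UTF-8")
	w.Header().Set("Cache-Control", "no-store")
	w.WriteHeader(e.Code)
	json.NewEncoder(w).Encode(e)
}

func main() {
	rec := httptest.NewRecorder()
	writeTokenError(rec, mapStoreError(ErrInactiveToken))
	fmt.Println(rec.Code, rec.Body.String()) // 400 and the invalid_grant JSON body
}
```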