During refresh token grant if token is invalid or expired return status code should be 400 about fosite HOT 3 OPEN

Users implementing their own storage interface implementation should realistically carefully model their implementation similar to the memory example as this is often used in the testing.

You will notice that upon inspection that the GetRefreshTokenSession of this specific struct returns only two specific errors. If the token does not exist it returns fosite.ErrNotFound, and if it returns fosite.ErrInactiveToken if the token is inactive. As such I don't believe this is a workaround but is the intended method to communicate this issue from that interface but it's just not documented (the library is mostly intended for use with hydra however I think there is reasonable argument that this should be documented to help avoid bugs over on hydra itself).

Other errors are usually indicative of SQL errors and the like. I can see an argument for enhancing this interaction (globally) where if the error is a *fosite.RFC6749Error that is appropriate for the request type that it is just returned however this could also lead to serious bugs with other implementations. This kind of behavior is also a lot harder to communicate clearly.

from fosite.

Please note that returning fosite.ErrInactiveToken from the store means that the response status code is 401 fosite/errors.go which is not the correct response status as per RFC as it should be 400.

In case where refresh token is invalid, expired, or revoked it should return an invalid_grant error with a 400 status code.

from fosite.

Bumping this issue, I've also observed that Ory returns a 401 and token_inactive (a string which I can't find in the spec at all) when a refresh token is reused, rather than 400 and invalid_grant as one would expect by reading the spec.

Happy to write a test and a more complete/fleshed out issue for this if you agree that this is a bug.

from fosite.