<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>
<div>
<div>…and upon further investigations we found that there is a background task running every 5min (configurable value) that discards expired tokens. That in turn causes the Introspection to correctly return active=false. Shouldn’t the expired check be added
to the Introspection endpoint to avoid that window where the token is already expired but Introspection is returning active=true?</div>
<div><br>
</div>
<div>Regards,</div>
<div>Luiz</div>
<div>
<div id="MAC_OUTLOOK_SIGNATURE"></div>
</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Luiz Omori <<a href="mailto:luiz.omori@dm.duke.edu">luiz.omori@dm.duke.edu</a>><br>
<span style="font-weight:bold">Date: </span>Monday, December 7, 2015 at 5:03 PM<br>
<span style="font-weight:bold">To: </span>"<a href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a>" <<a href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a>><br>
<span style="font-weight:bold">Subject: </span>Introspection -> active true for expired tokens?<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>
<div>
<div>Hi,</div>
<div><br>
</div>
<div>We received reports about the “active” field returned by Introspection being true even when the provided token is expired. Looking at DefaultIntrospectionResultAssembler:assembleFrom I see that it unconditionally sets that field to true. Is this by design?</div>
<div><br>
</div>
<div>Note that we do have some overriding pieces in our deployment so it could be side effect from something on our side. We are NOT overriding the IntrospectionEndpoint or OAuth2TokenEntityService, either could be validating the token before proceeding, but
I don’t see checks there either.</div>
<div><br>
</div>
<div>Regards,</div>
<div>Luiz</div>
<div>
<div id=""></div>
</div>
</div>
</div>
</div>
</div>
</span>
</body>
</html>