[mitreid-connect] Introspection -> active true for expired tokens?
Luiz Omori
luiz.omori at duke.edu
Mon Dec 7 17:03:52 EST 2015
Hi,
We received reports about the “active” field returned by Introspection being true even when the provided token is expired. Looking at DefaultIntrospectionResultAssembler:assembleFrom I see that it unconditionally sets that field to true. Is this by design?
Note that we do have some overriding pieces in our deployment so it could be side effect from something on our side. We are NOT overriding the IntrospectionEndpoint or OAuth2TokenEntityService, either could be validating the token before proceeding, but I don’t see checks there either.
Regards,
Luiz
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/mitreid-connect/attachments/20151207/d0c41efb/attachment.html
More information about the mitreid-connect
mailing list