HTTP status code missing when /userinfo is called with an expired access token
If /userinfo responds with a bearer token error like this:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer, error="invalid_token", error_description="The Token was expired"
(similar to https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError )
The resulting error object has its HTTP status set to 0 because we end up executing https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/src/38f3b3326e6a8ee3ee2c85ab74b2a5a75db882e4/src/main/java/com/nimbusds/oauth2/sdk/token/BearerTokenError.java#lines-539
I would have expected HTTP status code 401 here?
Comments (7)
- changed status to open
Thanks for the report, will check the test cases.
-
Yep, this is obviously a bug. The fix is to set the status code from the HTTP response.
-
BTW, the header includes comma delimiters that are not permitted in the syntax:
https://tools.ietf.org/html/rfc6750#section-3.1
This causes a parse exception now, will see if it can be made more lenient.
Correction: the extra comma after Bearer is actually ignored. I'd suggest you contact the server maintainers to consider fixing this, because it may be causing issues with other client libs as well.
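The two points raised in this thread, as an added Python example that is not the SDK's own code: it parses the WWW-Authenticate Bearer challenge from the report per RFC 6750 section 3.1, tolerates the stray comma after the scheme (which the maintainer noted is ignored), and carries the response's HTTP status into the error object instead of leaving it at 0. The class and function names are hypothetical, and the sample header and status are constructed from the report.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the /userinfo response from the report, including the
# non-standard comma directly after the "Bearer" scheme.
SAMPLE_STATUS = 401
SAMPLE_WWW_AUTHENTICATE = (
    'Bearer, error="invalid_token", error_description="The Token was expired"'
)

# Scheme token, then any whitespace or stray commas before the first auth-param.
_SCHEME = re.compile(r'^\s*bearer\b[\s,]*', re.IGNORECASE)
# One auth-param: name = quoted-string | token, followed by a comma or end of header.
_PARAM = re.compile(r'\s*([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^,\s]*))\s*(?:,|$)')


@dataclass
class BearerTokenError:
    """Hypothetical error object; mirrors the fields the report is about."""
    code: Optional[str]            # the "error" parameter, may be absent
    description: Optional[str]     # the "error_description" parameter
    http_status: int               # taken from the response, never defaulted to 0


def parse_bearer_challenge(header: str, http_status: int) -> BearerTokenError:
    """Parse a Bearer challenge and attach the HTTP status of the response."""
    scheme = _SCHEME.match(header)
    if scheme is None:
        raise ValueError('not a Bearer challenge')
    params = header[scheme.end():]
    found = {}
    pos = 0
    while pos < len(params):
        m = _PARAM.match(params, pos)
        if m is None:
            raise ValueError(f'malformed auth-param at offset {pos}')
        value = m.group(2) if m.group(2) is not None else m.group(3)
        found[m.group(1).lower()] = value
        pos = m.end()
    return BearerTokenError(
        code=found.get('error'),
        description=found.get('error_description'),
        http_status=http_status,
    )


if __name__ == '__main__':
    err = parse_bearer_challenge(SAMPLE_WWW_AUTHENTICATE, SAMPLE_STATUS)
    print(err)  # http_status is 401, not 0
```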
-
- changed status to resolved
Fixed in commit ac26935e, will be pushed now as v8.4.3.
-
reporter Thanks for the fast response and fix!