Skip to content

Not existing tokens should return 200 within introspection (not 403) #1012

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jan 1, 2022
Merged

Not existing tokens should return 200 within introspection (not 403) #1012

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2467913
Not existing tokens should return 200 as well
ZuSe Sep 15, 2021
19423dc
Finish the PR checklist.
n2ygk Jan 1, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions AUTHORS
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ Michael Howitz
Paul Dekkers
Paul Oswald
Pavel Tvrdík
Patrick Palacin
Peter Carnesciali
Petr Dlouhý
Rodney Richardson
Expand Down
6 changes: 3 additions & 3 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,11 +17,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
### Added
* #651 Batch expired token deletions in `cleartokens` management command

### Added

* Added pt-BR translations.

### Fixed
* #1012 Return status for introspecting a nonexistent token from 401 to the correct value of 200 per [RFC 7662](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2).

## [1.6.1] 2021-12-23

### Changed
Expand Down
4 changes: 2 additions & 2 deletions oauth2_provider/views/introspect.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ def get_token_response(token_value=None):
get_access_token_model().objects.select_related("user", "application").get(token=token_value)
)
except ObjectDoesNotExist:
return JsonResponse({"active": False}, status=401)
return JsonResponse({"active": False}, status=200)
else:
if token.is_valid():
data = {
Expand All @@ -42,7 +42,7 @@ def get_token_response(token_value=None):
data["username"] = token.user.get_username()
return JsonResponse(data)
else:
return JsonResponse({"active": False})
return JsonResponse({"active": False}, status=200)

def get(self, request, *args, **kwargs):
"""
Expand Down
4 changes: 2 additions & 2 deletions tests/test_introspection_view.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -199,7 +199,7 @@ def test_view_get_notexisting_token(self):
reverse("oauth2_provider:introspect"), {"token": "kaudawelsch"}, **auth_headers
)

self.assertEqual(response.status_code, 401)
self.assertEqual(response.status_code, 200)
content = response.json()
self.assertIsInstance(content, dict)
self.assertDictEqual(
Expand Down Expand Up @@ -269,7 +269,7 @@ def test_view_post_notexisting_token(self):
reverse("oauth2_provider:introspect"), {"token": "kaudawelsch"}, **auth_headers
)

self.assertEqual(response.status_code, 401)
self.assertEqual(response.status_code, 200)
content = response.json()
self.assertIsInstance(content, dict)
self.assertDictEqual(
Expand Down