Brightspace / D2L.Security.OAuth2

Brightspace OAuth 2.0 for C#
Apache License 2.0

Update details to inform client why auth failed on token timeouts. #39

Open mtseD2L opened 8 years ago

mtseD2L commented 8 years ago

https://github.com/Brightspace/D2L.Security.OAuth2/blob/e577fa38962a1e9bde340d37a427ac2db96b5b54/src/D2L.Security.OAuth2/Validation/AccessTokens/AccessTokenValidator.cs#L88 suggests that we display "The access token is expired" to the client when a token has expired.

However, when using an expired token, the client is presented with {"title":"Authentication required","status":401,"detail":null}.

We are using:

<package id="D2L.Security.OAuth2" version="4.4.3.0" targetFramework="net452" />
<package id="D2L.Security.OAuth2.WebApi" version="3.3.1.0" targetFramework="net452" />

j3parker commented 8 years ago

Huh, we should be returning OAuth 2.0 standard error messages. I know we're very strict about that in the auth service but maybe we're not doing this right for this library.

https://tools.ietf.org/html/rfc6749

j3parker commented 8 years ago

FYI @mpharoah-d2l

mtseD2L commented 8 years ago

I added the package versions we're using.

mpharoah-d2l commented 8 years ago

Do we have a specification for how services that make calls to the Auth Service should respond when authentication fails? I see a bunch of information about how the auth service itself responds to the service, but do we have a standard for how services should relay the error information to the client?

Anyways, the OAuth 2.0 web API defines the format that services respond to the client in here. Don't know if that's the format it's supposed to use or not. Seems wrong since it doesn't have a type field, which I would expect. It looks like it never sets the detail field on an error, so you just get null.

Also, is a 401 response correct? Doesn't look like we're sending back a WWW-Authenticate header, which is supposed to be required for 401 responses.
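Added example (not part of this thread and not D2L.Security.OAuth2 code): what a resource server's failure response looks like when it follows the bearer-token rules from RFC 6750 section 3 and the RFC 7235 requirement that a 401 carry WWW-Authenticate, alongside the client-side parse that lets a caller distinguish "token expired, refresh it" from "token rejected, re-authenticate". The failure-reason names, the realm value, and the problem-details body shape (the `{"title","status","detail"}` form quoted in the issue, with `detail` filled in) are my assumptions; serialising the body to JSON is left to the web framework.

```python
"""RFC 6750 bearer-token failure responses (added example; assumptions noted inline)."""
import re

# Map an internal validation outcome (names are assumed, not the library's) to the
# RFC 6750 section 3.1 error code and a human-readable description. A request that
# carries no token at all gets a bare challenge with no "error" attribute.
_BEARER_ERRORS = {
    "expired":   ("invalid_token", "The access token is expired"),
    "bad_sig":   ("invalid_token", "The access token signature is invalid"),
    "malformed": ("invalid_token", "The access token is malformed"),
    "scope":     ("insufficient_scope", "The access token lacks a required scope"),
    "missing":   (None, "No bearer token was presented"),
}


def _quote(value):
    """Escape a value for use inside an RFC 7235 quoted-string."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_failure_response(reason, realm="example-api"):
    """Return (status, headers, body_dict) for a failed bearer-token check.

    insufficient_scope is a 403 per RFC 6750 section 3.1; everything else is 401.
    Every 401 carries WWW-Authenticate, which RFC 7235 section 3.1 requires.
    """
    if reason not in _BEARER_ERRORS:
        raise ValueError("unknown failure reason: %r" % (reason,))
    error, description = _BEARER_ERRORS[reason]
    status = 403 if error == "insufficient_scope" else 401

    challenge = 'Bearer realm="%s"' % _quote(realm)
    if error is not None:
        challenge += ', error="%s", error_description="%s"' % (error, _quote(description))

    body = {
        "title": "Authentication required" if status == 401 else "Forbidden",
        "status": status,
        # The issue reports this field always arriving as null; here it explains the failure.
        "detail": description,
    }
    headers = {
        "WWW-Authenticate": challenge,
        "Content-Type": "application/problem+json",
    }
    return status, headers, body


# key="quoted-string" pairs; the quoted-string may contain backslash-escaped characters.
_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_bearer_challenge(headers):
    """Client side: pull the auth-params out of a Bearer WWW-Authenticate header.

    Returns a dict of params (empty if none), or None when the header is absent or
    is not a Bearer challenge. A client keys its retry logic off params["error"].
    """
    value = headers.get("WWW-Authenticate")
    if value is None or not value.startswith("Bearer"):
        return None
    return {k: v.replace('\\"', '"').replace("\\\\", "\\") for k, v in _PARAM_RE.findall(value)}


def check_401_compliance(status, headers):
    """The check raised in the thread: a 401 without WWW-Authenticate is malformed."""
    if status != 401:
        return True
    return "WWW-Authenticate" in headers


def client_should_refresh(headers):
    """True when the challenge says the token itself was rejected (refresh and retry)."""
    params = parse_bearer_challenge(headers)
    return params is not None and params.get("error") == "invalid_token"


if __name__ == "__main__":
    for reason in ("expired", "missing", "scope"):
        status, hdrs, body = build_failure_response(reason)
        print(status, hdrs["WWW-Authenticate"], body["detail"], client_should_refresh(hdrs))
```

With a header like `WWW-Authenticate: Bearer realm="example-api", error="invalid_token", error_description="The access token is expired"`, a client can refresh and retry without parsing the body at all, and `detail` becomes a convenience for humans rather than the only place the reason could have lived.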