Open mtseD2L opened 8 years ago
Huh, we should be returning OAuth 2.0 standard error messages. I know we're very strict about that in the auth service but maybe we're not doing this right for this library.
FYI @mpharoah-d2l
I added the package versions we're using.
Do we have a specification for how services that make calls to the Auth Service should respond when authentication fails? I see a bunch of information about how the auth service itself responds to the service, but do we have a standard for how services should relay the error information to the client?
Anyways, the OAuth 2.0 web API defines the format that services respond to the client in here. Don't know if that's the format it's supposed to use or not. Seems wrong since it doesn't have a `type` field, which I would expect.
It looks like it never sets the `detail` field on an error, so you just get `null`.
Also, is a 401 response correct? Doesn't look like we're sending back a `WWW-Authenticate` header, which is supposed to be required for 401 responses.
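An added example, not code from this thread or from D2L.Security.OAuth2, of the response shape the comments above ask about: a 401 that carries an RFC 6750 Bearer challenge in `WWW-Authenticate` and a populated `detail`, plus a check that flags the observed response. The realm, the message wording and the problem-document field names are assumptions.

```python
import json
import re

# RFC 6750 section 3.1 error codes for a Bearer challenge and their usual status codes.
BEARER_ERRORS = {"invalid_request": 400, "invalid_token": 401, "insufficient_scope": 403}


def bearer_challenge(error, description, realm="example"):
    """Build the value of a WWW-Authenticate: Bearer challenge (RFC 6750 section 3)."""
    if error not in BEARER_ERRORS:
        raise ValueError(f"unknown bearer error code: {error}")
    if '"' in description or "\n" in description:
        raise ValueError("error_description must not contain quotes or newlines")
    return f'Bearer realm="{realm}", error="{error}", error_description="{description}"'


def unauthorized_response(description, realm="example"):
    """401 for a rejected token as (status, headers, body), with the header a 401 requires."""
    headers = {
        "WWW-Authenticate": bearer_challenge("invalid_token", description, realm),
        "Content-Type": "application/json",
    }
    # Assumed problem-document shape, mirroring the title/status/detail fields in the issue.
    body = json.dumps({"title": "Authentication required", "status": 401, "detail": description})
    return 401, headers, body


_CHALLENGE_RE = re.compile(r"^Bearer\s+(.*)$")
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def check_401(status, headers, body):
    """Return the problems found in a 401 response; an empty list means it looks right."""
    problems = []
    if status != 401:
        return problems  # only 401 responses are checked here
    challenge = headers.get("WWW-Authenticate")  # header names assumed as written
    if challenge is None:
        problems.append("401 without WWW-Authenticate header")
    else:
        m = _CHALLENGE_RE.match(challenge)
        params = dict(_PARAM_RE.findall(m.group(1))) if m else {}
        if not m:
            problems.append("WWW-Authenticate is not a Bearer challenge")
        elif params.get("error") not in BEARER_ERRORS:
            problems.append("missing or unknown error code in challenge")
    try:
        doc = json.loads(body)
    except ValueError:
        problems.append("body is not JSON")
        return problems
    if doc.get("detail") is None:
        problems.append("detail is null")
    return problems
```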
https://github.com/Brightspace/D2L.Security.OAuth2/blob/e577fa38962a1e9bde340d37a427ac2db96b5b54/src/D2L.Security.OAuth2/Validation/AccessTokens/AccessTokenValidator.cs#L88 suggests that we display "The access token is expired" to the client when a token has expired.
However, when using an expired token, the client is presented with

```json
{"title":"Authentication required","status":401,"detail":null}
```

We are using: