casdoor / casdoor

An open-source UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform with web UI supporting OAuth 2.0, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, RADIUS, Google Workspace, Active Directory and Kerberos
https://casdoor.org
Apache License 2.0

[question] Token Endpoint responses with 'success' even when `client-secret` is wrong #2964

Closed amoraitis closed 1 month ago

amoraitis commented 1 month ago

Hitting the Token Endpoint with an incorrect `client-secret` value returns HTTP status 200 OK, with an error in the body.

Is that expected? Shouldn't this return a different (failure) response code and return the error in the JSON response, as defined here?

Example from Microsoft's implementation.

casbin-bot commented 1 month ago

@tangyang9464 @JalinWang @imp2002

hsluoyz commented 1 month ago

@amoraitis Casdoor returns HTTP 200 for application-level errors, to distinguish them from network errors. Use `status` and `msg` to parse the error.
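The practical consequence of the maintainer's reply is that a client cannot treat "HTTP 200" as "token issued". The following is an added example (not Casdoor's own code, and not from anyone in this thread) of a client-side parser that only reports success when an `access_token` is actually present, and otherwise extracts the error from either shape: the RFC 6749 section 5.2 form (`error` / `error_description`, normally with HTTP 400 or 401) or the `status` / `msg` form the reply describes. The exact `status` value `"error"` and the sample bodies are constructed assumptions, since the thread does not show the response body.

```python
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenResult:
    ok: bool
    access_token: Optional[str] = None
    error: Optional[str] = None
    description: Optional[str] = None


def parse_token_response(http_status: int, body: str) -> TokenResult:
    """Classify a token-endpoint reply without trusting the HTTP status alone.

    Order matters: any explicit error wins over the status code, and success
    requires a non-empty access_token, so a 200 with an error body is never
    mistaken for a valid grant.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return TokenResult(ok=False, error="invalid_response",
                           description=f"non-JSON body with HTTP {http_status}")
    if not isinstance(data, dict):
        return TokenResult(ok=False, error="invalid_response",
                           description="JSON body is not an object")

    # RFC 6749 sec. 5.2 error shape; honour it even if the server sent 200.
    if "error" in data:
        return TokenResult(ok=False, error=str(data["error"]),
                           description=data.get("error_description"))

    # Application-level error shape from the maintainer's reply (status/msg).
    # The literal value "error" for status is an assumption, not from the thread.
    if data.get("status") == "error" or ("msg" in data and "access_token" not in data):
        return TokenResult(ok=False, error="server_error",
                           description=str(data.get("msg", "")))

    token = data.get("access_token")
    if http_status == 200 and isinstance(token, str) and token:
        return TokenResult(ok=True, access_token=token)

    return TokenResult(ok=False, error="invalid_response",
                       description=f"HTTP {http_status} without access_token or error")


# Constructed sample replies (not captured from Casdoor) covering both shapes.
SAMPLES = {
    "rfc_style_401": (401, '{"error":"invalid_client","error_description":"bad secret"}'),
    "status_msg_200": (200, '{"status":"error","msg":"client secret mismatch"}'),
    "error_in_200": (200, '{"error":"invalid_client","error_description":"bad secret"}'),
    "success_200": (200, '{"access_token":"tok_abc123","token_type":"Bearer","expires_in":3600}'),
    "empty_200": (200, '{}'),
    "garbage": (200, 'not json'),
}


def classify_samples() -> dict:
    """Run the parser over every constructed sample and return name -> TokenResult."""
    return {name: parse_token_response(status, body) for name, (status, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:16} ok={result.ok} error={result.error} desc={result.description}")
```

Only `success_200` is reported as a successful grant; every other sample, including the three that arrive with HTTP 200, is surfaced as an error with its message, which is what a client should log and alert on when a configured secret stops matching.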