
Gravitee.io - API Platform - Issues

[gateway] [oauth2] Disable a user should be return active false on an introspect ? #6396

Open claudusd opened 2 years ago

claudusd commented 2 years ago

I have a question about disabling a user and introspecting his token.

Current Behavior

First I generate a token for my user

curl -s -u $CLIENT_ID:$CLIENT_SECRET --data-urlencode "username=claudusd" --data-urlencode "password=Azerty@123456" --data-urlencode "scope=openid" --data-urlencode "grant_type=password" -H "Content-Type:application/x-www-form-urlencoded" $URL/$DOMAIN/oauth/token

After that I disable my user

curl -X PUT -H "authorization: Bearer $TOKEN" -H "Content-Type: application/json" --data '{"enabled": false}' $URL/management/organizations/DEFAULT/environments/DEFAULT/domains/03cbe712-145f-4cc2-8be7-12145f0cc21c/users/783466fd-4cdd-45b3-b466-fd4cdd35b324/status

And finally I introspect my token

curl --http1.1 -H "Authorization: Basic $BASIC" --data-urlencode "token=$JWT" -H "Accept: application/json" $URL/$DOMAIN/oauth/introspect

I have this result

{
  "sub" : "783466fd-4cdd-45b3-b466-fd4cdd35b324",
  "identity_id" : "06ec813f-72d8-4e1f-ac81-3f72d8ae1f53",
  "iss" : "https://XXXX/YYYY/oidc",
  "active" : true,
  "token_type" : "bearer",
  "client_id" : "88437dd6-e35d-4f0f-837d-d6e35dbf0ff1",
  "scope" : "openid",
  "domain" : "03cbe712-145f-4cc2-8be7-12145f0cc21c",
  "exp" : 1634233552,
  "iat" : 1634226152,
  "jti" : "Jfgnzl5-AKnGN1EhkOz2JE_Zi6Q7IPVF-NImhIpu49M",
  "username" : "claudusd"
}

The introspection attribute active is set to true

Expected Behavior

I expected to have the token introspection result:

{
  "active" : false
}

If I disable a user, the auth is disabled, but the introspection should return false too. Am I wrong or not?

Your Environment

Version used: latest graviteeio/am-gateway:3

Thanks,
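As an added illustration of the gap described above (example code, not Gravitee AM's implementation): a minimal RFC 7662-style introspection check with a constructed HS256 key and user store, showing token-only introspection beside a version that also requires the subject user to still be enabled. The function names, key and user store are assumptions made for this example.

```python
import base64, hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key"  # constructed for this example only
USERS = {                              # constructed stand-in for the domain's user store
    "783466fd-4cdd-45b3-b466-fd4cdd35b324": {"username": "claudusd", "enabled": True},
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub: str, client_id: str, now: int, ttl: int = 7200) -> str:
    """Hypothetical stand-in for the token endpoint: mint a compact HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "client_id": client_id, "iat": now, "exp": now + ttl,
              "username": USERS[sub]["username"]}
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def disable_user(sub: str) -> None:
    """Stand-in for the PUT .../users/{id}/status call with {"enabled": false}."""
    USERS[sub]["enabled"] = False

def _verified_claims(token: str, now: int):
    """Return the claims when signature and exp check out, otherwise None."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    return claims if isinstance(claims, dict) and claims.get("exp", 0) > now else None

def introspect_token_only(token: str, now: int) -> dict:
    """Behaviour reported in the issue: any valid, unexpired JWT is 'active'."""
    claims = _verified_claims(token, now)
    return {"active": True, **claims} if claims else {"active": False}

def introspect_with_user_status(token: str, now: int) -> dict:
    """Behaviour the reporter expects: the subject must also still be enabled."""
    claims = _verified_claims(token, now)
    if not claims or not USERS.get(claims.get("sub"), {}).get("enabled", False):
        return {"active": False}  # RFC 7662: inactive tokens get only active=false
    return {"active": True, **claims}
```

The difference only matters for self-contained tokens such as JWTs: their signature and exp stay valid after the user is disabled, so the introspection endpoint has to consult user state itself.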

tcompiegne commented 2 years ago

Hi @claudusd ,

It's actually a good question :). Let me discuss with the team and come back to you.

claudusd commented 2 years ago

Have you discussed this?