jazzband / django-oauth-toolkit

OAuth2 goodies for the Djangonauts!
https://django-oauth-toolkit.readthedocs.io

Introspect returns 200 when access token does not exist #1418

Closed makeevolution closed 1 month ago

makeevolution commented 2 months ago

Describe the bug
If the access token does not exist in the database, when I use the introspect endpoint, the response is still 200: https://github.com/jazzband/django-oauth-toolkit/blob/master/oauth2_provider/views/introspect.py#L31

To Reproduce
Create a request with an access token in the header/body that you know doesn't exist in the database; the response is 200.

Expected behavior
A 401 response, since the authentication credentials provided are incorrect.

Version
2.3.0

n2ygk commented 2 months ago

Todo: review https://www.oauth.com/oauth2-servers/token-introspection-endpoint/

n2ygk commented 2 months ago

@makeevolution I'm assuming the response body contains "active": false so this is not a huge issue. Please see the aforementioned description of the introspection endpoint and feel free to submit a PR to fix this.

makeevolution commented 2 months ago

So the fix would be that the client (e.g. the resource server) that calls this endpoint should also check the active flag right? If not then return not authenticated?
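As an added example (not code from django-oauth-toolkit or from anyone in this thread), here is the resource-server-side check the last comment asks about: an HTTP 200 from the introspection endpoint only means the call succeeded, and the `active` flag is the actual verdict, as RFC 7662 specifies. The function name, the sample responses and the optional scope/expiry handling are assumptions for illustration.

```python
import json
import time

# Constructed sample introspection replies in the RFC 7662 shape
# (not captured from a real django-oauth-toolkit server).
ACTIVE_RESPONSE = (200, json.dumps({
    "active": True, "scope": "read write", "client_id": "demo-client",
    "username": "alice", "exp": 4102444800, "token_type": "Bearer",
}))
INACTIVE_RESPONSE = (200, json.dumps({"active": False}))   # unknown/revoked token
UNAUTHORIZED_RESPONSE = (401, json.dumps({"error": "invalid_client"}))


class IntrospectionError(Exception):
    """The introspection call itself failed; this is not 'token unknown'."""


def introspection_accepts(status, body, required_scope=None, now=None):
    """Return True only if a bearer token should be accepted by the resource server.

    RFC 7662 returns 200 with {"active": false} for unknown, revoked or expired
    tokens, so the caller must inspect the flag rather than the status code.
    A non-200 status means the introspection request failed (for example the
    resource server's own credentials were rejected) and is raised, not treated
    as "token inactive".
    """
    if status != 200:
        raise IntrospectionError(f"introspection endpoint returned {status}")
    try:
        info = json.loads(body)
    except json.JSONDecodeError as exc:
        raise IntrospectionError("malformed introspection body") from exc
    # Fail closed: a missing or non-boolean "active" counts as inactive.
    if info.get("active") is not True:
        return False
    # Honour "exp" if the server included it (defensive; the server should
    # already report expired tokens as inactive).
    exp = info.get("exp")
    current = now if now is not None else time.time()
    if isinstance(exp, (int, float)) and exp <= current:
        return False
    # Optional scope enforcement for the protected resource being accessed.
    if required_scope is not None:
        granted = set(info.get("scope", "").split())
        if required_scope not in granted:
            return False
    return True
```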