Updated by Eric Schubert about 4 years ago
If an OAuth token is revoked on the OP side, the server does not indicate that in the response; to check whether the token is still valid we have to use OAuth2 token introspection.
see [https://datatracker.ietf.org/doc/html/rfc7662](https://datatracker.ietf.org/doc/html/rfc7662) & [https://www.oauth.com/oauth2-servers/token-introspection-endpoint/](https://www.oauth.com/oauth2-servers/token-introspection-endpoint/)
OP endpoint: `/oauth/introspect`
This is currently blocked because accessing the endpoint with OAuth returns a 401 error,
e.g. `curl -X POST http://localhost:3000/oauth/introspect -H "Authorization: Bearer <mytoken>" -d "token=<mytoken>"`
### UPDATE 2022-03-03
As an alternative to verifying a token with token introspection, we need to investigate whether the OP API should work like this:
* If the request has no authentication and the endpoint is not public, the API must return 401.
* If the request has no authentication and the endpoint is public, the API must return 200 and the response body. The body MAY be incomplete due to nested items being not public.
* If the request has authentication, the token is valid, and the endpoint is public, the API must return 200 and everything the user is authorized to view.
* **If the request has authentication, the token is invalid, and the endpoint is public, the API must return 401.**
However, it could be that this alternative is not possible due to the rules of the OP API. This must be checked with the OP dev team.
CC @Eric Schubert
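The following is an added example (not code from this ticket or from OpenProject) showing the two pieces a client needs: how to build an RFC 7662 introspection request against the `/oauth/introspect` endpoint named above, how to evaluate the introspection response (a revoked token comes back as `{"active": false}` with no further fields, and an active token still has to pass `exp`/`nbf` and scope checks), and the status-code matrix from the UPDATE above. The client id/secret used as resource-server credentials, the `api_v3` scope and the sample responses are assumptions constructed for the example; the ticket itself authenticates with a bearer token and reports that this currently yields a 401.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Build an RFC 7662 introspection request (section 2.1): a POST with the token
# form-encoded in the body, authenticated as the resource server. Client id and
# secret via HTTP basic auth are an assumption of this example; the ticket's curl
# call uses a bearer token instead.
def build_introspect_request(endpoint, token, client_id, client_secret)
  uri = URI(endpoint)
  req = Net::HTTP::Post.new(uri)
  req.basic_auth(client_id, client_secret)
  req.set_form_data('token' => token, 'token_type_hint' => 'access_token')
  req
end

# Evaluate an RFC 7662 introspection response body.
# Returns { valid: true/false, reason: ..., subject:, client_id: }.
# Edge cases handled:
#   * a revoked or unknown token returns {"active": false} and nothing else,
#     so every other field must be treated as optional;
#   * "active": true alone is not enough; exp/nbf and required scopes are checked.
def evaluate_introspection(body, now: Time.now, required_scopes: [])
  data = JSON.parse(body)
  return { valid: false, reason: 'inactive' } unless data['active'] == true

  if data.key?('exp') && Integer(data['exp']) <= now.to_i
    return { valid: false, reason: 'expired' }
  end
  if data.key?('nbf') && Integer(data['nbf']) > now.to_i
    return { valid: false, reason: 'not_yet_valid' }
  end

  granted = (data['scope'] || '').split(' ')
  missing = required_scopes - granted
  unless missing.empty?
    return { valid: false, reason: "missing scope: #{missing.join(' ')}" }
  end

  { valid: true, reason: 'active', subject: data['sub'], client_id: data['client_id'] }
rescue JSON::ParserError
  { valid: false, reason: 'unparseable' }
end

# Status-code matrix from the UPDATE 2022-03-03 section of the ticket.
# The case "authenticated, token valid, endpoint not public" is not stated there;
# this example assumes 200 (per-item authorization is handled by the API itself).
def api_status(authenticated:, token_valid:, endpoint_public:)
  if !authenticated
    endpoint_public ? 200 : 401
  elsif !token_valid
    401
  else
    200
  end
end

# Constructed sample responses, not captured from a real OP instance.
REVOKED_RESPONSE = '{"active": false}'
ACTIVE_RESPONSE  = JSON.generate(
  'active' => true, 'scope' => 'api_v3', 'client_id' => 'example-client',
  'sub' => '42', 'exp' => Time.now.to_i + 3600
)

if $PROGRAM_NAME == __FILE__
  req = build_introspect_request('http://localhost:3000/oauth/introspect',
                                 '<mytoken>', 'example-client', 'example-secret')
  puts "#{req.method} #{req.path} body=#{req.body}"
  puts evaluate_introspection(REVOKED_RESPONSE, required_scopes: ['api_v3']).inspect
  puts evaluate_introspection(ACTIVE_RESPONSE, required_scopes: ['api_v3']).inspect
  puts api_status(authenticated: true, token_valid: false, endpoint_public: true)
end
```

To actually send the request, pass `req` to `Net::HTTP.start(uri.host, uri.port) { |http| http.request(req) }` and feed `response.body` to `evaluate_introspection`; in the scenario the ticket describes, the server answers that request with 401 before any body can be evaluated, which is exactly the blocker being reported.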