
Properly handle non-existent tokens in Token Invalidate API #53323


Description

@jkakavas

Invalidate Token API does not handle malformed and non-existent tokens correctly. It returns a 400 `could not refresh the requested token` if it can decode the refresh token and a 401 `token malformed` if the token document doesn't exist. The latter can happen in cases where we have already deleted the token document because the access token is expired/invalidated and the caller is not aware, or when we get a token that is malformed or not ours.

In all of the above cases we should be returning 200 with a body of

```json
{
  "invalidated_tokens": 0,
  "previously_invalidated_tokens": 0,
  "error_count": 0
}
```
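As an added illustration, not Elasticsearch's own code, here is a small Python model of the response contract the issue asks for: decode failures and unknown token documents are treated as "nothing to invalidate" and still get a 200 with zero counts, so a caller cannot tell a malformed token from an already-deleted one by status code. The `TokenStore` class, its in-memory document map and the base64-of-hex token format are all hypothetical; only the shape of the response body comes from the issue.

```python
import base64
import secrets
from dataclasses import dataclass, field

HEX_DIGITS = set("0123456789abcdef")


@dataclass
class TokenStore:
    """In-memory stand-in for the tokens index (hypothetical, constructed for this example)."""
    docs: dict = field(default_factory=dict)   # token id -> {"invalidated": bool}

    def issue(self) -> str:
        """Create a token document and return the opaque string handed to the client."""
        token_id = secrets.token_hex(8)          # 16 hex chars
        self.docs[token_id] = {"invalidated": False}
        # Constructed wire format: URL-safe base64 of the document id.
        return base64.urlsafe_b64encode(token_id.encode("ascii")).decode("ascii")

    def _decode(self, token: str):
        """Return the token id, or None when the token is malformed or not ours."""
        try:
            token_id = base64.urlsafe_b64decode(token.encode("ascii")).decode("ascii")
        except (ValueError, UnicodeError):      # binascii.Error is a ValueError
            return None
        if len(token_id) != 16 or not set(token_id) <= HEX_DIGITS:
            return None
        return token_id

    def invalidate(self, token: str) -> dict:
        """Model of the fixed API: always status 200 with the three counters."""
        body = {"invalidated_tokens": 0, "previously_invalidated_tokens": 0, "error_count": 0}
        token_id = self._decode(token)
        doc = self.docs.get(token_id) if token_id is not None else None
        if doc is None:
            # Malformed, foreign, or already-deleted token: nothing to do, not an error.
            return {"status": 200, "body": body}
        if doc["invalidated"]:
            body["previously_invalidated_tokens"] = 1
        else:
            doc["invalidated"] = True
            body["invalidated_tokens"] = 1
        return {"status": 200, "body": body}


if __name__ == "__main__":
    store = TokenStore()
    tok = store.issue()
    print(store.invalidate(tok))              # first call: invalidated_tokens 1
    print(store.invalidate(tok))              # second call: previously_invalidated_tokens 1
    print(store.invalidate("not-a-token!!"))  # malformed: all zeros, still 200
```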

Labels: :Security/Authentication (Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)), >bug