EG should differentiate the error between unauthorized and invalid token #701

djesani · 2018-04-18T23:25:35Z

Currently, if an authenticated endpoint is hit with no access_token, an "UNAUTHORIZED" error is returned, which is correct behaviour.

However, if I hit the same endpoint with a valid access_token but that token has expired, I should get a different error such as "INVALID_TOKEN".

The code must already doing checks against the token to determine its expired, so I presume at that point EG should return a different error.

I think this could be linked in with issue #692 .

XVincentX · 2018-04-19T10:01:29Z

They're not linked issues. #692 is about proxy errors — this is an authentication error that's handle per policy.

To close this issue there are couple of modifications needed in both JWT verifier policy as well as the opaque token verification.

XVincentX self-assigned this Apr 19, 2018

altsang added the ready label Apr 19, 2018

altsang added this to the 1.9.0 milestone Apr 19, 2018

XVincentX added in progress ready and removed ready in progress labels Apr 23, 2018

altsang removed the ready label Apr 23, 2018

altsang removed this from the 1.9.0 milestone Apr 23, 2018

XVincentX mentioned this issue May 28, 2018

oAuth2 error message are cryptic #741

Open

Provide feedback