You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Jun 12, 2021. It is now read-only.
There are some issues regarding the token introspection endpoint:
Currently, do_jws method returns a reply in case of any exception, which manages to pass all checks and return active = True! I think any valid jwt with a wrong algorithm or an unknown key id will raise an exception in do_jws and return active = true. (Maybe do_jws should instead return None in that case)
The do_access_token fails to do any time checks.
Tokens are never checked for revocation (black_list).
self.endpoint_context.sdb[token] in do_access_token raises KeyError in the case of not-existing token. This is not handled (the if/else could be changed to a try except)
The rfc states that tokens should be within its given time window of validity, which means that the iss/nbf should be checked also to be before the current time.
This may be a little off-topic, but we are also interested in allowing configurable claims per client for the introspection response.
There are some issues regarding the token introspection endpoint:
self.endpoint_context.sdb[token]in do_access_token raises KeyError in the case of not-existing token. This is not handled (the if/else could be changed to a try except)within its given time window of validity, which means that the iss/nbf should be checked also to be before the current time.This may be a little off-topic, but we are also interested in allowing configurable claims per client for the introspection response.