Details

    • Type: Bug
    • Status: Triage (View Workflow)
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 10.0.1
    • Fix Version/s: None
    • Component/s: Admin - REST API
    • Labels: None
    • Steps to Reproduce:
      Run keycloak tests, because this behavior is specified in tests
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      Hello,
      while developing against the Keycloak admin REST API, I found that a call to

      realms/{realm}/protocol/openid-connect

      (refresh token flow) with an expired/invalid refresh token produces a 400 error.

      But RFC 6750, The OAuth 2.0 Authorization Framework: Bearer Token Usage, specifies:

      invalid_token
      The access token provided is expired, revoked, malformed, or
      invalid for other reasons. The resource SHOULD respond with
      the HTTP 401 (Unauthorized) status code. The client MAY
      request a new access token and retry the protected resource
      request.

      Why the choice to return a 400 HTTP error? Even if you give more context information in the error message, returning a 400 error means something completely different from a 401, and I think it adds more confusion about errors.
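      A practitioner's note on the two status codes, with an added example that is not Keycloak's code and not part of this report. The RFC 6750 text quoted above governs a resource server rejecting a bearer access token (401 with a WWW-Authenticate: Bearer challenge). The token endpoint itself, which is what the refresh_token grant hits, is governed by RFC 6749 section 5.2, which specifies HTTP 400 with a JSON body whose error is invalid_grant when the refresh token is expired, revoked or otherwise invalid, and reserves 401 there for failed client authentication. A client therefore has to classify the two answers differently: a 401 from a resource means "refresh and retry once", a 400 invalid_grant from the token endpoint means "the refresh token is dead, go back through authorization". The code below does that classification; the mock token endpoint and every response in it are constructed in memory, and the error_description string is an assumption, not Keycloak's actual text.

```python
"""Client-side handling of token-endpoint (RFC 6749 5.2) and resource-server (RFC 6750 3.1) errors.

Added example, not Keycloak's code. Assumed shapes: the token endpoint answers a dead
refresh token with 400 + {"error": "invalid_grant"}; a resource server answers an
expired access token with 401 + WWW-Authenticate: Bearer error="invalid_token".
Every response below is constructed in memory; nothing is sent over the network.
"""
import json
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


def parse_bearer_challenge(value):
    """Parse a WWW-Authenticate 'Bearer' challenge into its auth-params (RFC 6750 section 3)."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    out = {}
    for part in params.split(","):          # simple split: assumes no commas inside quoted values
        key, _, val = part.strip().partition("=")
        if key:
            out[key.strip()] = val.strip().strip('"')
    return out


def classify_token_response(resp):
    """Decide what the client does with the token endpoint's answer to a refresh_token grant."""
    if resp.status == 200:
        return ("ok", json.loads(resp.body)["access_token"])
    try:
        err = json.loads(resp.body).get("error", "")
    except ValueError:
        err = ""
    if resp.status == 400 and err == "invalid_grant":
        # Refresh token expired, revoked or not issued to this client: discard it and
        # send the user back through the authorization flow. Retrying cannot succeed.
        return ("relogin", err)
    if resp.status == 401 or err == "invalid_client":
        # Client authentication failed; the refresh token was never evaluated.
        return ("fatal", err or "invalid_client")
    if resp.status >= 500:
        return ("retry", err or "server_error")
    return ("fatal", err or "http_%d" % resp.status)


def classify_resource_response(resp):
    """Decide what the client does with a resource server's answer (RFC 6750 section 3.1)."""
    challenge = parse_bearer_challenge(resp.headers.get("WWW-Authenticate", "")) or {}
    if resp.status == 401:
        if challenge.get("error") == "invalid_token":
            return ("refresh", challenge)        # access token dead: refresh it, retry once
        return ("authenticate", challenge)       # no usable token was presented at all
    if resp.status == 403:
        return ("insufficient_scope", challenge)  # a fresh token with the same scope will not help
    return ("done", resp.body)


def mock_token_endpoint(form, refresh_tokens, now):
    """Constructed stand-in for POST realms/{realm}/protocol/openid-connect/token.

    refresh_tokens maps token -> expiry (epoch seconds). The 400 body follows the
    RFC 6749 shape; the error_description text is an assumption, not Keycloak's.
    """
    if form.get("grant_type") != "refresh_token":
        return Response(400, json.dumps({"error": "unsupported_grant_type"}))
    expiry = refresh_tokens.get(form.get("refresh_token"))
    if expiry is None or expiry <= now:
        return Response(400, json.dumps({"error": "invalid_grant",
                                         "error_description": "Token is not active"}))
    return Response(200, json.dumps({"access_token": "at-" + form["refresh_token"],
                                     "token_type": "Bearer", "expires_in": 300}))


def refresh_outcome(refresh_token, refresh_tokens, now):
    """Run one refresh against the mock endpoint and return the client's decision."""
    resp = mock_token_endpoint({"grant_type": "refresh_token",
                                "refresh_token": refresh_token}, refresh_tokens, now)
    return classify_token_response(resp)


if __name__ == "__main__":
    store = {"rt-live": 2_000_000_000, "rt-stale": 1_000_000_000}   # constructed token store
    print(refresh_outcome("rt-live", store, 1_500_000_000))         # ('ok', 'at-rt-live')
    print(refresh_outcome("rt-stale", store, 1_500_000_000))        # ('relogin', 'invalid_grant')
    expired_access = Response(401, headers={
        "WWW-Authenticate": 'Bearer realm="demo", error="invalid_token", '
                            'error_description="The access token expired"'})
    print(classify_resource_response(expired_access)[0])            # refresh
```

      The point to take from the two classifiers is that a 400 invalid_grant from the token endpoint is terminal for the refresh token, so the client must not loop on it; treating it like a resource 401 and retrying the same grant would just repeat the failure. The challenge parser splits on commas and will mis-parse a quoted value that itself contains a comma; a production client should use a proper auth-param parser.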

              People

              • Assignee: dpalmer Douglas Palmer
              • Reporter: mdepach maxime de pachtere
              • Votes: 0
              • Watchers: 3
