EnforcedInvalidationException docstring is full of lies
Bug #643731 reported by Laurens Van Houtven
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| txOAuth | Fix Released | Undecided | Unassigned | |
Bug Description
The docstring says:

> The OAuth specification asserts that assertions should be invalidated.

This is just not true. Here's what it says:

> The authorization server MUST validate the client credentials (if present) and the assertion and if valid issues an access token response as described in Section 4.2. The authorization server SHOULD NOT issue a refresh token (instead, require the client to use the same or new assertion).
>
> Authorization servers SHOULD issue access tokens with a limited lifetime and require clients to refresh them by requesting a new access token using the same assertion if it is still valid. Otherwise the client MUST obtain a new valid assertion.
IAssertionStore.checkAssertion is also full of lies:

> @param invalidate: If true, the assertion will be invalidated after checking. Note that the specification believes this should always be the case. Implementations may refuse to accept requests to keep the assertion valid.