2 Replies Latest reply on Sep 20, 2018 4:41 PM by edwardstat

    Elytron Bearer Token Authentication - Return a 401 on Expired Token?

    edwardstat
    edwardstat Sep 20, 2018 8:32 AM

      Currently in Elytron, when a Bearer token fails validation due to the token being expired, a 403 Response is sent. See: http://docs.wildfly.org/14/WildFly_Elytron_Security.html

       

      I am curious if there has been any discussion regarding returning a 401 in this scenario as noted in OAuth 2.0 Bearer Token Usage (RFC-6750)

       

      And in response to a protected resource request with an

        authentication attempt using an expired access token:

       

        HTTP/1.1 401 Unauthorized

        WWW-Authenticate: Bearer realm="example",

        error="invalid_token",

        error_description="The access token expired"

      My Use Case

      I am building a single-page application backed by Angular 6, RESTful services, JWT using Bearer token on EAP 7.2.0 Beta with Elytron. I have scenarios where I will be returning a 403 as the client is authenticated but should not access the resource. An expired token response will clash with these. In addition, it is a common approach when using Bearer Auth to intercept 401 responses to either redirect the user to the login page or to issue a request for a refresh token. Currently, my only option seems to be to check the token expiry on the client-side.

       

      Any thoughts?