diff --git a/auth/api/iam/api.go b/auth/api/iam/api.go
index 6f92e01f7f..a903efb43d 100644
--- a/auth/api/iam/api.go
+++ b/auth/api/iam/api.go
@@ -226,8 +226,12 @@ func (r Wrapper) IntrospectAccessToken(_ context.Context, request IntrospectAcce
 token := AccessToken{}
 if err := r.accessTokenServerStore().Get(request.Body.Token, &token); err != nil {
 // Return 200 + 'Active = false' when token is invalid or malformed
- log.Logger().Debug("IntrospectAccessToken: failed to get token from store")
- return IntrospectAccessToken200JSONResponse{}, err
+ if errors.Is(err, storage.ErrNotFound) {
+ log.Logger().Debug("IntrospectAccessToken: token not found (unknown or expired)")
+ return IntrospectAccessToken200JSONResponse{}, nil
+ }
+ log.Logger().WithError(err).Error("IntrospectAccessToken: failed to retrieve token")
+ return nil, err
 }
 
 if token.Expiration.Before(time.Now()) {
diff --git a/auth/api/iam/api_test.go b/auth/api/iam/api_test.go
index d3dfdca41b..f828ffeeec 100644
--- a/auth/api/iam/api_test.go
+++ b/auth/api/iam/api_test.go
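Review bot: In auth/api/iam/api.go the non-ErrNotFound branch hands the raw store error to the caller with `return nil, err`, and the test added in this commit shows its text can be a decoder message such as `json: cannot unmarshal`. Whether that text reaches the HTTP client depends on error handling outside this hunk, so I would confirm it is mapped to a generic server error; the detail is already captured by the new `WithError(err)` log line. Returning an error instead of any token state on a store failure is the right fail-closed choice and deserves a comment, e.g. `// any other store error is a server-side failure: report it, never answer with a token state`. The existing comment `// Return 200 + 'Active = false' when token is invalid or malformed` now describes only the ErrNotFound branch and should move inside it. The body of IntrospectAccessToken starts and ends outside the hunk.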
@@ -564,9 +564,16 @@ func TestWrapper_IntrospectAccessToken(t *testing.T) {
 require.NoError(t, err)
 assert.Equal(t, res, IntrospectAccessToken200JSONResponse{})
 })
+ t.Run("error - other store error", func(t *testing.T) {
+ // token is invalid JSON
+ require.NoError(t, ctx.client.accessTokenServerStore().Put("err", "{"))
+ res, err := ctx.client.IntrospectAccessToken(context.Background(), IntrospectAccessTokenRequestObject{Body: &TokenIntrospectionRequest{Token: "err"}})
+ assert.ErrorContains(t, err, "json: cannot unmarshal")
+ assert.Nil(t, res)
+ })
 t.Run("error - does not exist", func(t *testing.T) {
 res, err := ctx.client.IntrospectAccessToken(context.Background(), IntrospectAccessTokenRequestObject{Body: &TokenIntrospectionRequest{Token: "does not exist"}})
- require.ErrorIs(t, err, storage.ErrNotFound)
+ require.NoError(t, err)
 assert.Equal(t, res, IntrospectAccessToken200JSONResponse{})
 })
 t.Run("error - expired token", func(t *testing.T) {
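Review bot: The new "error - other store error" subtest pins the failure to the decoder wording `json: cannot unmarshal`, which ties it to how the store happens to decode entries rather than to the contract under test: any store failure other than ErrNotFound yields an error and no response. `require.Error(t, err)` together with `assert.NotErrorIs(t, err, storage.ErrNotFound)` would express that intent directly; if the store wraps the decoding error, `require.ErrorAs` against `*json.UnmarshalTypeError` is a sturdier way to keep the specific check. The subtest below is still named "error - does not exist" although it now expects no error, so a name such as "unknown token - inactive" would match what it asserts. TestWrapper_IntrospectAccessToken starts and ends outside the hunk.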