Update details to inform client why auth failed on token timeouts. #39

Open
mtseD2L opened this issue Mar 3, 2016 · 4 comments

@mtseD2L

mtseD2L commented Mar 3, 2016

suggests that we display "The access token is expired" to the client when a token has expired.

However, when using an expired token, the client is presented with {"title":"Authentication required","status":401,"detail":null}.

We are using:

<package id="D2L.Security.OAuth2" version="4.4.3.0" targetFramework="net452" />
<package id="D2L.Security.OAuth2.WebApi" version="3.3.1.0" targetFramework="net452" />
@j3parker
Member

j3parker commented Mar 4, 2016

Huh, we should be returning OAuth 2.0 standard error messages. I know we're very strict about that in the auth service but maybe we're not doing this right for this library.

https://tools.ietf.org/html/rfc6749

@j3parker
Member

j3parker commented Mar 4, 2016

FYI @mpharoah-d2l

@mtseD2L
Author

mtseD2L commented Mar 4, 2016

I added the package versions we're using.

@mpharoah-d2l
Contributor

Do we have a specification for how services that make calls to the Auth Service should respond when authentication fails? I see a bunch of information about how the auth service itself responds to the service, but do we have a standard for how services should relay the error information to the client?

Anyways, the OAuth 2.0 web API defines the format that services respond to the client in here. Don't know if that's the format it's supposed to use or not. Seems wrong since it doesn't have a type field, which I would expect.
It looks like it never sets the detail field on an error, so you just get null.

Also, is a 401 response correct? Doesn't look like we're sending back a WWW-Authenticate header which is supposed to be required for 401 responses.
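For comparison, what a 401 with the bearer challenge that RFC 6750 section 3 describes would look like next to the response quoted in this issue. This is an added example, not the library's code; the response dicts are constructed and `realm` is an assumed placeholder, while the body keeps the problem-details shape quoted above.

```python
import re

# Constructed sample of the response the issue reports: no WWW-Authenticate
# header, and "detail" left as null, so the client learns nothing about why.
CURRENT_RESPONSE = {
    "status": 401,
    "headers": {"Content-Type": "application/problem+json"},
    "body": {"title": "Authentication required", "status": 401, "detail": None},
}


def expired_token_response(realm: str = "example") -> dict:
    """Server side: a 401 carrying the RFC 6750 bearer challenge for an expired token.

    The WWW-Authenticate header is what makes a 401 well-formed; the
    error="invalid_token" code and error_description tell the client that a
    refresh will help, rather than leaving it to guess.  `realm` is assumed.
    """
    challenge = (
        f'Bearer realm="{realm}", error="invalid_token", '
        'error_description="The access token is expired"'
    )
    return {
        "status": 401,
        "headers": {
            "WWW-Authenticate": challenge,
            "Content-Type": "application/problem+json",
        },
        "body": {
            "title": "Authentication required",
            "status": 401,
            "detail": "The access token is expired",  # populated instead of null
        },
    }


_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(response: dict) -> dict:
    """Client side: extract the auth-params from a Bearer challenge.

    Returns {} when the header is absent, which is the situation the issue
    describes: the client cannot tell an expired token from a missing one.
    """
    header = response["headers"].get("WWW-Authenticate", "")
    if not header.startswith("Bearer"):
        return {}
    return dict(_PARAM.findall(header[len("Bearer"):]))


def should_refresh(response: dict) -> bool:
    """Only an explicit invalid_token challenge justifies a token refresh."""
    return parse_bearer_challenge(response).get("error") == "invalid_token"
```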
