OpenID Connect, invalid/expired token returning 403 instead of 401

I’m not sure if this discussion has come up before, but I’ve been looking into why some of our users are getting access denied (403) rather than unauthorized (401) when their token has expired.

Tyk is returning 403 when validation fails:

Please correct me if I’m wrong, but the OAuth spec says that 401 should be returned when the token is invalid:
https://tools.ietf.org/html/rfc6750#section-3.1 (I think I’m looking at the right spec here?).

Thanks.
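As an added example (not code from this thread or from Tyk itself), here is the RFC 6750 section 3.1 mapping in Go: a missing or expired/invalid bearer token gets 401 with a WWW-Authenticate challenge, and only a token that is valid but lacks the scope the resource needs gets 403. The realm "api", the TokenCheck struct and the scope names are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
	"time"
)

// TokenCheck is what a token validator hands back; signature, issuer and audience checks are assumed done.
type TokenCheck struct {
	Present bool            // a bearer token was supplied at all
	Valid   bool            // signature/issuer/audience checks passed
	Exp     time.Time       // the "exp" claim
	Scopes  map[string]bool // granted scopes
}

// BearerToken pulls the token out of "Authorization: Bearer <token>".
func BearerToken(h http.Header) (string, bool) {
	parts := strings.SplitN(h.Get("Authorization"), " ", 2)
	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") || parts[1] == "" {
		return "", false
	}
	return parts[1], true
}

// BearerStatus maps a validation outcome to the status and WWW-Authenticate
// challenge RFC 6750 section 3.1 prescribes: no credentials -> 401 bare
// challenge; expired or otherwise invalid token -> 401 invalid_token; valid
// token lacking the needed scope -> 403 insufficient_scope; otherwise 200.
func BearerStatus(tc TokenCheck, now time.Time, requiredScope string) (int, string) {
	switch {
	case !tc.Present:
		return http.StatusUnauthorized, `Bearer realm="api"`
	case !tc.Valid || !now.Before(tc.Exp):
		return http.StatusUnauthorized, `Bearer realm="api", error="invalid_token"`
	case requiredScope != "" && !tc.Scopes[requiredScope]:
		return http.StatusForbidden, `Bearer realm="api", error="insufficient_scope", scope="` + requiredScope + `"`
	}
	return http.StatusOK, ""
}

func main() {
	// Constructed sample: a well-formed token whose "exp" passed a minute ago.
	_, present := BearerToken(http.Header{"Authorization": {"Bearer sample.expired.token"}})
	tc := TokenCheck{Present: present, Valid: true, Exp: time.Now().Add(-time.Minute)}
	code, challenge := BearerStatus(tc, time.Now(), "read")
	fmt.Println(code, challenge) // 401 Bearer realm="api", error="invalid_token"
}
```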

Thanks! I’ve opened up a ticket for this which you can follow here: https://github.com/TykTechnologies/tyk/issues/1503 :slight_smile:

-Luan

Hey guys, is anyone looking at this issue yet?

Thanks.