
I'm building an API with JWT token auth. In my refresh-token method I validate the token using the official JwtSecurityTokenHandler.ValidateToken() method, then I go and get the user from the DB. My question is: in the case that the validation was successful but the user was not found, should I return a 404 Not Found or a 401 Unauthorized?

A 404 because:

  • It is the correct response for a resource not found
  • Because we know the token is valid, we can give a more descriptive error without worrying as much about security

A 401 because:

  • It is a consistent error response regardless of the reason
  • It doesn't reveal too much like 404 does, so it's safer
  • Since the user was not found during authentication, even if the token is valid it is still 401 Unauthorized

Link to the JwtSecurityTokenHandler.ValidateToken() Microsoft docs: https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler.validatetoken?view=msal-web-dotnet-latest

I'm learning, so please go easy. Thank you.

1 Answer

401 is not the solution, as your credentials are given in the correct header and are valid (so no 403 either).

404 is the solution, as your user does not exist in your database.

However, the major problem here is: "why did you forge a valid token for a non-existing user beforehand?". That's why you need to explain the problem in a body sent with the 404; the status code itself only represents a general idea of what happened.

"It doesn't reveal too much like 404 does, so it's safer"

There is no "security" problem as you intend: the token is valid and the user has been granted permission to access part of your application. Why would you hide anything about it afterwards? A valid connection has already existed.


1 Comment

Agree. I asked this question in Aug 2023 and have since come to the same conclusion as your answer; I forgot to answer it myself.
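The refresh flow under discussion, as an added example that is not part of the question, the answer or the asker's project: a stand-alone Python version of the refresh method. The asker's code calls .NET's JwtSecurityTokenHandler.ValidateToken(); here the HS256 signature, algorithm, token-type and expiry checks are written out by hand with the standard library so the example runs offline. The signing key, the claims layout (a custom `typ` claim marking refresh tokens), the in-memory user table and the `issue_token`, `validate_token` and `refresh` functions are all constructed for this example. Any validation failure returns 401; the valid-token-but-no-user case the question asks about defaults to 404 with an explanatory body, as the answer recommends, and the `missing_user_status` parameter selects the 401 alternative listed in the question instead.

```python
"""Refresh-token endpoint: validate the JWT, look up the subject, pick a status.

Constructed example (stdlib only). Stands in for a .NET refresh method that calls
JwtSecurityTokenHandler.ValidateToken() and then loads the user from the DB.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Assumption: HS256 with a shared secret. Constructed key, never use in production.
SIGNING_KEY = b"constructed-demo-key-do-not-use-in-production"

# Constructed user table: user 42 exists; user 43 was deleted after its token was issued.
USERS = {"42": {"id": "42", "email": "alice@example.test"}}


class TokenInvalid(Exception):
    """Plays the role of the SecurityTokenException that ValidateToken() throws."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()


def issue_token(user_id: str, typ: str, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT. `typ` ("refresh" or "access") is a custom claim so the
    refresh endpoint can reject an access token presented as a refresh token."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user_id, "typ": typ, "iat": now, "exp": now + ttl_seconds}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{_b64url(_sign(signing_input))}"


def validate_token(token: str, now: Optional[int] = None) -> dict:
    """Signature, pinned algorithm, token type and expiry; raises TokenInvalid on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError and bad UTF-8
        raise TokenInvalid("undecodable token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenInvalid("unexpected alg")  # pin the algorithm; never let the token choose it
    if not hmac.compare_digest(_sign(f"{header_b64}.{payload_b64}"), signature):
        raise TokenInvalid("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))  # parsed only after the signature held
    if claims.get("typ") != "refresh":
        raise TokenInvalid("not a refresh token")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenInvalid("expired")
    if not isinstance(claims.get("sub"), str):
        raise TokenInvalid("missing sub")
    return claims


def refresh(token: str, now: Optional[int] = None, missing_user_status: int = 404) -> Tuple[int, dict]:
    """Refresh endpoint. Returns (http_status, body).

    missing_user_status is the code for the case the question asks about: a token that
    validates but whose subject is not in the DB. 404 follows the answer; 401 is the
    other option from the question."""
    try:
        claims = validate_token(token, now)
    except TokenInvalid:
        # The credential itself was rejected: one uniform 401, no reason leaked in the body.
        return 401, {"error": "invalid_token"}
    user = USERS.get(claims["sub"])
    if user is None:
        # Valid signature, but the subject is gone (deleted after issuance, or never existed).
        if missing_user_status == 404:
            return 404, {"error": "user_not_found", "detail": f"no user for sub {claims['sub']}"}
        return missing_user_status, {"error": "invalid_token"}
    return 200, {"access_token": issue_token(user["id"], "access", ttl_seconds=900, now=now)}


if __name__ == "__main__":
    now = int(time.time())
    print(refresh(issue_token("42", "refresh", now=now), now=now)[0])        # existing user
    print(refresh(issue_token("43", "refresh", now=now), now=now)[0])        # valid token, user gone
    print(refresh(issue_token("42", "access", now=now), now=now)[0])         # wrong token type
```

Every failure inside `validate_token` collapses to the same 401 body, which is the "consistent error response" point from the question; only the post-validation user lookup distinguishes the 404 path, and that path is the one place the response body says why.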
