One of our developers asked me a question I thought deserved some investigation. If we are making an API call through a WebSEAL to some API sitting behind it, and we are authenticating with a bearer token in the Authorization header, and that token is invalid (expired, revoked, etc.), WebSEAL returns HTTP status code 200 and the JSON response operation cert_login. Obviously good tokens work just fine.
The question at hand is, when these tokens are invalid, can WebSEAL do something different than return with a 200 with that operation cert_login? I see the developer's point in that this is confusing for the client making the call, as it is getting back a 200.
Any thoughts? Thanks!
------------------------------
Matt Jenkins
------------------------------