State missing in location header request in cas of invalid scope #667

lemagicien00 · 2020-11-06T11:15:46Z

When request an authorization code with invalid scope and state parameter, 'location' in response header does not contain '&state=xxxx' in the url.

While for the others invalid cases (missing 'code_type' and Invalid 'code_type') it is present.

It's because scope validation failed and then state not added in error response.

AuthorizeHandler.prototype.handle = function(request, response) {
//...
        .then(function(validScope) { // **<-------this throw an error and skip adding state**
          scope = validScope;

          return this.generateAuthorizationCode(client, user, scope);
        })
        .then(function(authorizationCode) {
          state = this.getState(request); // **<-------move this to first then()**
          ResponseType = this.getResponseType(request);

          return this.saveAuthorizationCode(authorizationCode, expiresAt, scope, client, uri, user);
        })
        .then(function(code) {
          var responseType = new ResponseType(code.authorizationCode);
          var redirectUri = this.buildSuccessRedirectUri(uri, responseType);

          this.updateResponse(response, redirectUri, state);

          return code;
        })

I suggest moving the state assignment to the first then.

best regards

The text was updated successfully, but these errors were encountered:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

State missing in location header request in cas of invalid scope #667

State missing in location header request in cas of invalid scope #667

lemagicien00 commented Nov 6, 2020

State missing in location header request in cas of invalid scope #667

State missing in location header request in cas of invalid scope #667

Comments

lemagicien00 commented Nov 6, 2020