
fix: return invalid_grant instead of invalid_request when in authoriz…
…ation code flow when the user is not the owner of the authorization code or if the redirect URI doesn't match the one from the authorization request.
damienbr committed Apr 14, 2020
1 parent 8b92540 commit 0714d51
Showing 2 changed files with 4 additions and 4 deletions.
4 changes: 2 additions & 2 deletions handler/oauth2/flow_authorize_code_token.go
Expand Up @@ -90,7 +90,7 @@ func (c *AuthorizeExplicitGrantHandler) HandleTokenEndpointRequest(ctx context.C
// confidential client, or if the client is public, ensure that the
// code was issued to "client_id" in the request,
if authorizeRequest.GetClient().GetID() != request.GetClient().GetID() {
return errors.WithStack(fosite.ErrInvalidRequest.WithHint("The OAuth 2.0 Client ID from this request does not match the one from the authorize request."))
return errors.WithStack(fosite.ErrInvalidGrant.WithHint("The OAuth 2.0 Client ID from this request does not match the one from the authorize request."))
}

// ensure that the "redirect_uri" parameter is present if the
Expand All @@ -99,7 +99,7 @@ func (c *AuthorizeExplicitGrantHandler) HandleTokenEndpointRequest(ctx context.C
// their values are identical.
forcedRedirectURI := authorizeRequest.GetRequestForm().Get("redirect_uri")
if forcedRedirectURI != "" && forcedRedirectURI != request.GetRequestForm().Get("redirect_uri") {
return errors.WithStack(fosite.ErrInvalidRequest.WithHint("The \"redirect_uri\" from this request does not match the one from the authorize request."))
return errors.WithStack(fosite.ErrInvalidGrant.WithHint("The \"redirect_uri\" from this request does not match the one from the authorize request."))
}

// Checking of POST client_id skipped, because:
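Review bot: The switch to fosite.ErrInvalidGrant on the client-ID mismatch and on the redirect_uri mismatch is the error class RFC 6749 §5.2 prescribes for a grant that "was issued to another client" or "does not match the redirection URI", but nothing in the hunk records that rationale, so a later reader may take it for an arbitrary choice and revert it; add a comment above the client-ID check such as `// RFC 6749 §5.2: a code issued to another client, or presented with a different redirect_uri, is an invalid_grant, not an invalid_request.` and the same wording above the redirect_uri check. The hint strings still describe the mismatch in detail; since invalid_grant already tells the caller that the code itself was rejected this is acceptable, but confirm the hint is not relayed verbatim to end users by the callers outside this hunk. HandleTokenEndpointRequest starts before the hunk and continues past it. The matching expectErr updates in flow_authorize_code_token_test.go mirror this change and need no separate note.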
4 changes: 2 additions & 2 deletions handler/oauth2/flow_authorize_code_token_test.go
Expand Up @@ -320,7 +320,7 @@ func TestAuthorizeCode_HandleTokenEndpointRequest(t *testing.T) {

require.NoError(t, store.CreateAuthorizeCodeSession(nil, signature, authreq))
},
expectErr: fosite.ErrInvalidRequest,
expectErr: fosite.ErrInvalidGrant,
},
{
areq: &fosite.AccessRequest{
Expand All @@ -346,7 +346,7 @@ func TestAuthorizeCode_HandleTokenEndpointRequest(t *testing.T) {

require.NoError(t, store.CreateAuthorizeCodeSession(nil, signature, authreq))
},
expectErr: fosite.ErrInvalidRequest,
expectErr: fosite.ErrInvalidGrant,
},
{
areq: &fosite.AccessRequest{
