Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: return invalid_grant instead of invalid_request according to rfc6749#section-5.2 #426

Merged
merged 2 commits into from
Apr 16, 2020
Merged

fix: return invalid_grant instead of invalid_request according to rfc6749#section-5.2 #426

merged 2 commits into from
Apr 16, 2020

Conversation

damienbr
Copy link
Contributor

Related issue

#418

Proposed changes

Refresh token flow has been changed in order to return invalid_grant instead of invalid_request when there is a client mismatch or when the refresh token has not been found.

Authorization code flow has been changed in order to return invalid_grant instead of invalid_request when there is a client mismatch or the redirect uri doesn't match the one from the authorization request (or is empty).

Checklist

  • I have read the contributing guidelines
  • I have read the security policy
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got green light (please contact
    security@ory.sh) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation within the code base (if appropriate)

@damienbr damienbr changed the title Issue 418 invalid grant Return invalid_grant instead of invalid_request according to rfc6749#section-5.2 Apr 14, 2020
@damienbr damienbr changed the title Return invalid_grant instead of invalid_request according to rfc6749#section-5.2 fix: return invalid_grant instead of invalid_request according to rfc6749#section-5.2 Apr 14, 2020
@damienbr
fix: return invalid_grant instead of invalid_request when a refresh t…
8b92540 
…oken is not found or does not belong to client.
@damienbr
fix: return invalid_grant instead of invalid_request when in authoriz…
0714d51 
…ation code flow when the user is not the owner of the authorization code or if the redirect uri doesn't match from the authorization request.
@pjcdawkins
Copy link
Contributor

I opened GitHub to search the fosite source for this bug, and your very timely PR was the first thing I saw 🎉

aeneasr
aeneasr reviewed Apr 16, 2020
View reviewed changes
Copy link
Member

@aeneasr aeneasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

handler/oauth2/flow_refresh.go
@@ -65,7 +65,7 @@ func (c *RefreshTokenGrantHandler) HandleTokenEndpointRequest(ctx context.Contex
signature := c.RefreshTokenStrategy.RefreshTokenSignature(refresh)
originalRequest, err := c.TokenRevocationStorage.GetRefreshTokenSession(ctx, signature, request.GetSession())
if errors.Cause(err) == fosite.ErrNotFound {
return errors.WithStack(fosite.ErrInvalidRequest.WithDebug(err.Error()))
return errors.WithStack(fosite.ErrInvalidGrant.WithHint("The refresh token has not been found."))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This information must not publicly be disclosed to make token scanning attacks harder:

Suggested change
return errors.WithStack(fosite.ErrInvalidGrant.WithHint("The refresh token has not been found."))
return errors.WithStack(fosite.ErrInvalidGrant.WithDebug("The refresh token has not been found: %s", err))

@aeneasr
Copy link
Member

aeneasr commented Apr 16, 2020

I cannot commit my suggested changes because you haven't enabled "allow edits by maintainers". Could you please apply the change, then this is ready to merge :)

@aeneasr aeneasr changed the base branch from master to fix-err April 16, 2020 10:13
@aeneasr aeneasr merged commit cb146bf into ory:fix-err Apr 16, 2020
@damienbr damienbr deleted the issue-418-invalid-grant branch April 16, 2020 10:19
@damienbr
Copy link
Contributor Author

damienbr commented Apr 16, 2020
edited
Loading

Yup, I saw your changes. 👍

@aeneasr
Copy link
Member

aeneasr commented Apr 16, 2020

I used another workflow to apply them :)

aeneasr added a commit to ory/hydra that referenced this pull request Apr 16, 2020
@aeneasr
fix: return proper error code in refresh and code flows
823c5f9 
Resolves a regression issue which sends an invalid error response
when a refresh token is being re-used, is not found, or the wrong
client is accessing it.

See https://community.ory.sh/t/refresh-token-endpoint-returns-invalid-request-error-expecting-invalid-grant/1637/2
See ory/fosite#426
See ory/fosite#418
@aeneasr aeneasr mentioned this pull request Apr 16, 2020
Merged
5 tasks
aeneasr added a commit to ory/hydra that referenced this pull request Apr 16, 2020
@aeneasr
fix: return proper error code in refresh and code flows (#1800)
9145e65 
Resolves a regression issue which sends an invalid error response
when a refresh token is being re-used, is not found, or the wrong
client is accessing it.

This patch also bumps jose-related tooling which introduces better
security measure against certain types of x509 attacks.

See https://community.ory.sh/t/refresh-token-endpoint-returns-invalid-request-error-expecting-invalid-grant/1637/2
See ory/fosite#426
See ory/fosite#418
@uhrm uhrm mentioned this pull request Jan 24, 2022
Closed
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aeneasr aeneasr aeneasr left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@damienbr @pjcdawkins @aeneasr