fix(core): set oidc access denied error code to 403 (#5725)

.changeset/forty-grapes-relax.md

@@ -0,0 +1,7 @@
+---
+'@logto/core': patch
+---
+
+Fix OIDC AccessDenied error code to 403.
+
+This error may happen when you try to grant an access token to a user lacking the required permissions, especially when granting for orgnization related resources. The error code should be 403 instead of 400.

packages/core/src/oidc/grants/refresh-token.ts

@@ -229,7 +229,9 @@ export const buildHandler: (
   if (organizationId) {
     // Check membership
     if (!(await queries.organizations.relations.users.exists(organizationId, account.accountId))) {
-      throw new AccessDenied('user is not a member of the organization');
+      const error = new AccessDenied('user is not a member of the organization');
+      error.statusCode = 403;
+      throw error;
     }
 
     // Check if the organization is granted (third-party application only) by the user
@@ -242,7 +244,9 @@ export const buildHandler: (
         organizationId
       ))
     ) {
-      throw new AccessDenied('organization access is not granted to the application');
+      const error = new AccessDenied('organization access is not granted to the application');
+      error.statusCode = 403;
+      throw error;
     }
   }
   /* === End RFC 0001 === */

packages/integration-tests/src/tests/api/oidc/refresh-token-grant.test.ts

@@ -40,7 +40,7 @@ const grantErrorContaining = (code: string, description: string, status = 400) =
 const accessDeniedError = grantErrorContaining(
   'oidc.access_denied',
   'user is not a member of the organization',
-  400
+  403
 );
 
 const issuer = defaultConfig.endpoint + '/oidc';