diff --git a/.changeset/forty-grapes-relax.md b/.changeset/forty-grapes-relax.md
new file mode 100644
index 00000000000..1c0bdef0c67
--- /dev/null
+++ b/.changeset/forty-grapes-relax.md
@@ -0,0 +1,7 @@
+---
+'@logto/core': patch
+---
+
+Fix OIDC AccessDenied error code to 403.
+
+This error may happen when you try to grant an access token to a user lacking the required permissions, especially when granting for orgnization related resources. The error code should be 403 instead of 400.
diff --git a/packages/core/src/oidc/grants/refresh-token.ts b/packages/core/src/oidc/grants/refresh-token.ts
index 6a55ca21a81..ae3cc0da13f 100644
--- a/packages/core/src/oidc/grants/refresh-token.ts
+++ b/packages/core/src/oidc/grants/refresh-token.ts
@@ -229,7 +229,9 @@ export const buildHandler: (
 if (organizationId) {
 // Check membership
 if (!(await queries.organizations.relations.users.exists(organizationId, account.accountId))) {
- throw new AccessDenied('user is not a member of the organization');
+ const error = new AccessDenied('user is not a member of the organization');
+ error.statusCode = 403;
+ throw error;
 }
 
 // Check if the organization is granted (third-party application only) by the user
@@ -242,7 +244,9 @@ export const buildHandler: (
 organizationId
 ))
 ) {
- throw new AccessDenied('organization access is not granted to the application');
+ const error = new AccessDenied('organization access is not granted to the application');
+ error.statusCode = 403;
+ throw error;
 }
 }
 /* === End RFC 0001 === */
diff --git a/packages/integration-tests/src/tests/api/oidc/refresh-token-grant.test.ts b/packages/integration-tests/src/tests/api/oidc/refresh-token-grant.test.ts
index 6696d1f57c5..0577f4d3d1d 100644
--- a/packages/integration-tests/src/tests/api/oidc/refresh-token-grant.test.ts
+++ b/packages/integration-tests/src/tests/api/oidc/refresh-token-grant.test.ts
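Review bot: The three-line `const error = new AccessDenied(...); error.statusCode = 403; throw error;` sequence is duplicated at both replaced throw sites in refresh-token.ts (the membership check in this hunk and the application-grant check in the following hunk at +244), and every future AccessDenied in this grant will have to repeat the same mutation to keep the status consistent. A small helper removes the duplication: `const accessDenied = (message: string) => Object.assign(new AccessDenied(message), { statusCode: 403 });` with each site becoming `throw accessDenied('user is not a member of the organization');`. Because the status is overridden by direct mutation, the helper should carry a why-comment, e.g. `// AccessDenied defaults to 400 (see integration test); an authorization failure is a 403`, so the override is not reverted as a cleanup later. The enclosing `buildHandler` starts and ends outside both hunks.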
@@ -40,7 +40,7 @@ const grantErrorContaining = (code: string, description: string, status = 400) =
 const accessDeniedError = grantErrorContaining(
 'oidc.access_denied',
 'user is not a member of the organization',
- 400
+ 403
 );
 
 const issuer = defaultConfig.endpoint + '/oidc';
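Review bot: Only the membership-path expectation (`'user is not a member of the organization'`) is moved to 403 here, while the core change in this commit also returns 403 for the `'organization access is not granted to the application'` path; if that second path is asserted elsewhere in this test file through `grantErrorContaining` with its default `status = 400`, it will now fail, and if it is not asserted at all, a case pinning it to 403 would cover the other half of the fix. Since the helper's default of 400 now differs from what access-denied paths return, passing the status explicitly at each access-denied `grantErrorContaining` call, e.g. `grantErrorContaining('oidc.access_denied', 'organization access is not granted to the application', 403)`, keeps the intent visible at the call site. The rest of the test file is outside this hunk, so whether such an expectation exists is inferred, not verified.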