Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: return invalid_grant instead of invalid_request in refresh flow #427

Merged
merged 2 commits into from
Apr 16, 2020
Merged

fix: return invalid_grant instead of invalid_request in refresh flow #427

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
cb146bf
fix: return invalid_grant instead of invalid_request in refresh flow …
damienbr Apr 16, 2020
9eec114
Update handler/oauth2/flow_refresh.go
aeneasr Apr 16, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions handler/oauth2/flow_authorize_code_token.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,7 +90,7 @@ func (c *AuthorizeExplicitGrantHandler) HandleTokenEndpointRequest(ctx context.C
// confidential client, or if the client is public, ensure that the
// code was issued to "client_id" in the request,
if authorizeRequest.GetClient().GetID() != request.GetClient().GetID() {
return errors.WithStack(fosite.ErrInvalidRequest.WithHint("The OAuth 2.0 Client ID from this request does not match the one from the authorize request."))
return errors.WithStack(fosite.ErrInvalidGrant.WithHint("The OAuth 2.0 Client ID from this request does not match the one from the authorize request."))
}

// ensure that the "redirect_uri" parameter is present if the
Expand All @@ -99,7 +99,7 @@ func (c *AuthorizeExplicitGrantHandler) HandleTokenEndpointRequest(ctx context.C
// their values are identical.
forcedRedirectURI := authorizeRequest.GetRequestForm().Get("redirect_uri")
if forcedRedirectURI != "" && forcedRedirectURI != request.GetRequestForm().Get("redirect_uri") {
return errors.WithStack(fosite.ErrInvalidRequest.WithHint("The \"redirect_uri\" from this request does not match the one from the authorize request."))
return errors.WithStack(fosite.ErrInvalidGrant.WithHint("The \"redirect_uri\" from this request does not match the one from the authorize request."))
}

// Checking of POST client_id skipped, because:
Expand Down
4 changes: 2 additions & 2 deletions handler/oauth2/flow_authorize_code_token_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -320,7 +320,7 @@ func TestAuthorizeCode_HandleTokenEndpointRequest(t *testing.T) {

require.NoError(t, store.CreateAuthorizeCodeSession(nil, signature, authreq))
},
expectErr: fosite.ErrInvalidRequest,
expectErr: fosite.ErrInvalidGrant,
},
{
areq: &fosite.AccessRequest{
Expand All @@ -346,7 +346,7 @@ func TestAuthorizeCode_HandleTokenEndpointRequest(t *testing.T) {

require.NoError(t, store.CreateAuthorizeCodeSession(nil, signature, authreq))
},
expectErr: fosite.ErrInvalidRequest,
expectErr: fosite.ErrInvalidGrant,
},
{
areq: &fosite.AccessRequest{
Expand Down
4 changes: 2 additions & 2 deletions handler/oauth2/flow_refresh.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,7 @@ func (c *RefreshTokenGrantHandler) HandleTokenEndpointRequest(ctx context.Contex
signature := c.RefreshTokenStrategy.RefreshTokenSignature(refresh)
originalRequest, err := c.TokenRevocationStorage.GetRefreshTokenSession(ctx, signature, request.GetSession())
if errors.Cause(err) == fosite.ErrNotFound {
return errors.WithStack(fosite.ErrInvalidRequest.WithDebug(err.Error()))
return errors.WithStack(fosite.ErrInvalidGrant.WithDebug("The refresh token has not been found: %s", err))
} else if err != nil {
return errors.WithStack(fosite.ErrServerError.WithDebug(err.Error()))
} else if err := c.RefreshTokenStrategy.ValidateRefreshToken(ctx, originalRequest, refresh); err != nil {
Expand All @@ -83,7 +83,7 @@ func (c *RefreshTokenGrantHandler) HandleTokenEndpointRequest(ctx context.Contex

// The authorization server MUST ... and ensure that the refresh token was issued to the authenticated client
if originalRequest.GetClient().GetID() != request.GetClient().GetID() {
return errors.WithStack(fosite.ErrInvalidRequest.WithHint("The OAuth 2.0 Client ID from this request does not match the ID during the initial token issuance."))
return errors.WithStack(fosite.ErrInvalidGrant.WithHint("The OAuth 2.0 Client ID from this request does not match the ID during the initial token issuance."))
}

request.SetSession(originalRequest.GetSession().Clone())
Expand Down
6 changes: 3 additions & 3 deletions handler/oauth2/flow_refresh_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ func TestRefreshFlow_HandleTokenEndpointRequest(t *testing.T) {

areq.Form.Add("refresh_token", "some.refreshtokensig")
},
expectErr: fosite.ErrInvalidRequest,
expectErr: fosite.ErrInvalidGrant,
},
{
description: "should fail because token is valid but does not exist",
Expand All @@ -85,7 +85,7 @@ func TestRefreshFlow_HandleTokenEndpointRequest(t *testing.T) {
require.NoError(t, err)
areq.Form.Add("refresh_token", token)
},
expectErr: fosite.ErrInvalidRequest,
expectErr: fosite.ErrInvalidGrant,
},
{
description: "should fail because client mismatches",
Expand All @@ -107,7 +107,7 @@ func TestRefreshFlow_HandleTokenEndpointRequest(t *testing.T) {
})
require.NoError(t, err)
},
expectErr: fosite.ErrInvalidRequest,
expectErr: fosite.ErrInvalidGrant,
},
{
description: "should fail because offline scope has been granted but client no longer allowed to request it",
Expand Down