OAuth2 invalid_client error must be a Fatal error. #606


Closed
JonathanHuot opened this issue Oct 30, 2018 · 1 comment
Comments

@JonathanHuot
Member

Describe the bug

oauthlib raises the wrong exception base class for invalid_client errors.

How to reproduce

Return False from validator.authenticate_client() in any of the auth code, client_credentials, refresh, password, introspect or revocation flows.

Expected behavior

When clients are unknown or invalid (return False), oauthlib should raise a FatalClientError exception:

class InvalidClientError(FatalClientError)

and not:

class InvalidClientError(OAuth2Error)

Additional context

The subtle differences between the two base classes are described in errors.py as below:

class OAuth2Error(Exception):
    (..base class of all exceptions..)

class FatalClientError(OAuth2Error):
    """
    Errors during authorization where user should not be redirected back.

    If the request fails due to a missing, invalid, or mismatching
    redirection URI, or if the client identifier is missing or invalid,
    the authorization server SHOULD inform the resource owner of the
    error and MUST NOT automatically redirect the user-agent to the
    invalid redirection URI.

    Instead the user should be informed of the error by the provider itself.
    """
    pass

This FatalClientError base class is used in web frameworks to make a distinction between errors to be redirected to the client and errors to be shown to the user.

It could break implementations' tests, but it's an important bug fix.

See the current try/except in a few web frameworks:

https://github.com/lepture/flask-oauthlib/blob/3735210211ac0e50c4d32b887bbd61722dd175c7/flask_oauthlib/provider/oauth2.py#L396-L398

https://github.com/jazzband/django-oauth-toolkit/blob/99b47636835b5255e002fd878e88dc810bcb78b1/oauth2_provider/views/mixins.py#L169-L172

https://github.com/thomsonreuters/bottle-oauthlib/blob/master/bottle_oauthlib/oauth2.py#L219-L223

@JonathanHuot JonathanHuot added Bug Breaking Breaking change, to go in the next major release. OAuth2-Provider This impact the provider part of OAuth2 labels Oct 30, 2018
@JonathanHuot JonathanHuot added this to the 3.0.0 milestone Oct 30, 2018
@JonathanHuot JonathanHuot self-assigned this Oct 30, 2018
@JonathanHuot JonathanHuot changed the title OAuth2 invalid_client error should be a Fatal error. OAuth2 invalid_client error must be a Fatal error. Oct 30, 2018
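The following is an added example, not oauthlib's own code or any of the linked frameworks' glue. It models the try/except pattern the issue points at: a provider catches FatalClientError first and renders the error itself, and falls back to redirecting any other OAuth2Error to the client's redirect_uri. Two stand-in exception classes, InvalidClientErrorReported (subclassing OAuth2Error, the behaviour the issue describes) and InvalidClientErrorFixed (subclassing FatalClientError, the expected behaviour), are contrasted on a constructed authorization request whose client_id is unknown. The validator, client list and request values are all assumptions made up for the example.

```python
from urllib.parse import urlencode, urlsplit

# Minimal stand-ins for the two base classes quoted from errors.py in the issue.
class OAuth2Error(Exception):
    error = None  # the OAuth2 "error" code, set by subclasses

    def __init__(self, description=None, redirect_uri=None):
        self.description = description
        self.redirect_uri = redirect_uri
        super().__init__(f"({self.error}) {description}")


class FatalClientError(OAuth2Error):
    """Errors where the user agent must NOT be redirected back to the client."""


class InvalidClientErrorReported(OAuth2Error):
    """Base class as reported in the issue: treated as a redirectable error."""
    error = "invalid_client"


class InvalidClientErrorFixed(FatalClientError):
    """Base class the issue asks for: shown by the provider, never redirected."""
    error = "invalid_client"


# Hypothetical validator: only one registered client is known (assumption).
KNOWN_CLIENTS = {"good-client"}


def authenticate_client(client_id):
    """Stand-in for validator.authenticate_client(); False means unknown client."""
    return client_id in KNOWN_CLIENTS


def dispatch_error(exc):
    """The framework-glue decision the issue describes.

    FatalClientError -> ("render", error payload): the provider shows the error.
    Other OAuth2Error -> ("redirect", url): the error is bounced to redirect_uri.
    """
    if isinstance(exc, FatalClientError):
        return ("render", {"error": exc.error, "error_description": exc.description})
    if isinstance(exc, OAuth2Error):
        qs = urlencode({"error": exc.error, "error_description": exc.description})
        sep = "&" if urlsplit(exc.redirect_uri).query else "?"
        return ("redirect", f"{exc.redirect_uri}{sep}{qs}")
    raise exc


def authorize(request, invalid_client_cls):
    """Simulated authorization endpoint.

    `request` is a constructed dict of query parameters; `invalid_client_cls`
    selects which InvalidClientError variant the 'library' raises.
    """
    try:
        if not authenticate_client(request["client_id"]):
            # For an unknown client the redirect_uri cannot have been verified
            # against a registration, so the library must not let the glue
            # redirect there; only the fixed base class prevents that.
            raise invalid_client_cls("Client authentication failed.",
                                     redirect_uri=request.get("redirect_uri"))
        return ("redirect", f"{request['redirect_uri']}?code=constructed-code")
    except OAuth2Error as e:
        return dispatch_error(e)


if __name__ == "__main__":
    # Constructed request: unknown client supplying an unverified redirect_uri.
    req = {"client_id": "unknown-client", "redirect_uri": "https://unverified.example/cb"}
    print("reported:", authorize(req, InvalidClientErrorReported))
    print("fixed:   ", authorize(req, InvalidClientErrorFixed))
```

With the reported base class the unknown client's error is redirected to whatever redirect_uri the request carried, which is exactly the case the FatalClientError docstring says MUST NOT happen; with the fixed base class the same request ends in a locally rendered error page.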
@skion
Member

skion commented Nov 1, 2018

One thing I don't yet understand is that invalid_client isn't listed as a valid error code for the authorization request. Hence, should this code be used at all there?

It is listed for the token endpoint, but there's no redirecting involved there.
