From 0e83ab8df7fb3eec9e8b6e614ad64397e22a09ba Mon Sep 17 00:00:00 2001 From: M Hickford Date: Wed, 28 Sep 2022 20:10:27 +0100 Subject: [PATCH] Improve error descriptions for unauthorized_client (#21292) Fixes #21282 As suggested by the [OAuth RFC](https://www.rfc-editor.org/rfc/rfc6749) (quoted below), it's helpful to give more detail in the description > error_description OPTIONAL. Human-readable ASCII [[USASCII](https://www.rfc-editor.org/rfc/rfc6749#ref-USASCII)] text providing **additional information, used to assist the client developer in understanding the error that occurred.** Values for the "error_description" parameter MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E. --- routers/web/auth/oauth.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go index b400fdac8..d14515053 100644 --- a/routers/web/auth/oauth.go +++ b/routers/web/auth/oauth.go @@ -645,7 +645,7 @@ func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, server if err != nil { handleAccessTokenError(ctx, AccessTokenError{ ErrorCode: AccessTokenErrorCodeUnauthorizedClient, - ErrorDescription: "client is not authorized", + ErrorDescription: "unable to parse refresh token", }) return } @@ -688,14 +688,14 @@ func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, s if !app.ValidateClientSecret([]byte(form.ClientSecret)) { handleAccessTokenError(ctx, AccessTokenError{ ErrorCode: AccessTokenErrorCodeUnauthorizedClient, - ErrorDescription: "client is not authorized", + ErrorDescription: "invalid client secret", }) return } if form.RedirectURI != "" && !app.ContainsRedirectURI(form.RedirectURI) { handleAccessTokenError(ctx, AccessTokenError{ ErrorCode: AccessTokenErrorCodeUnauthorizedClient, - ErrorDescription: "client is not authorized", + ErrorDescription: "unexpected redirect URI", }) return } @@ -711,7 +711,7 @@ func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, s if !authorizationCode.ValidateCodeChallenge(form.CodeVerifier) { handleAccessTokenError(ctx, AccessTokenError{ ErrorCode: AccessTokenErrorCodeUnauthorizedClient, - ErrorDescription: "client is not authorized", + ErrorDescription: "failed PKCE code challenge", }) return }