Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

No redirect for some AuthCodeGrant::validateAuthorizationRequest errors #1039

Open
davispuh opened this issue Jul 24, 2019 · 4 comments
Open

Comments

@davispuh
Copy link

Most error cases in AuthCodeGrant::validateAuthorizationRequest doesn't redirect back to client even when client_id is specified.

For example when using "Authorization code grant" and client sends query with
response_type=code&client_id=existing&redirect_uri=https://... I would expect that it would get redirected back with error so client would know they're doing something wrong.

But for most errors there are no redirects, also even with response_type=invalid&client_id=existing I would want it to be redirected back.

See https://www.oauth.com/oauth2-servers/server-side-apps/possible-errors/

@Sephster
Copy link
Member

There are only certain instances where we would use the redirect uri in an error state. If the client issues an invalid, missing, or mismatching redirect uri, we do not use it. Similarly if the client ID is missing or invalid, we again ignore the redirect URI. This is a security precaution.

If you know of any specific instances where you believe we are not adhering to the spec, please let me know and I will reopen this ticket. Thanks for getting in touch.

@davispuh
Copy link
Author

If the client issues an invalid, missing, or mismatching redirect uri, we do not use it. Similarly if the client ID is missing or invalid, we again ignore the redirect URI. This is a security precaution.

That is correct but this library doesn't redirect in some cases even when that's not true.

If you know of any specific instances where you believe we are not adhering to the spec, please let me know and I will reopen this ticket. Thanks for getting in touch.

That's why I created this issue, because there are such cases, which can be seen by looking at code.

Examples I noticed

  • When is_confidential=false GET /authorize?response_type=code&client_id=valid&redirect_uri=https://example.com/valid_uri (no code_challenge)
  • GET /authorize?response_type=invalid&client_id=valid&redirect_uri=https://example.com/valid_uri (invalid response_type)

Maybe there's others but these 2 I just checked.

Based from that article, it doesn't follow this

If one or more parameters are invalid, such as a required value is missing, or the response_type parameter is wrong, the server will redirect to the redirect URL and include query string parameters describing the problem.

@Sephster
Copy link
Member

Thanks. I will take a look at this over the weekend.

@Sephster Sephster reopened this Jul 25, 2019
@Sephster
Copy link
Member

Confirmed as an issue for at least the first scenario. Needs resolving.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants