
Why invalid_client & unauthorized_client are non-redirectable? #1578

Open
nov opened this issue Jun 28, 2022 · 6 comments
@nov

nov commented Jun 28, 2022

In the unauthorized_client case, the combination of client_id & redirect_uri should be valid, but the client isn't allowed to use the response_type.

And invalid_client is a token error response, not an authorization error response.

Why are those two defined as "un-redirectable"?

ref.:

NON_REDIRECTABLE_STATES = %i[invalid_redirect_uri invalid_client unauthorized_client].freeze

@stale

stale bot commented Sep 21, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Sep 21, 2022
@stale stale bot closed this as completed Jan 8, 2023
@nbulaj nbulaj reopened this Jan 12, 2023
@stale stale bot removed the wontfix label Jan 12, 2023
@nbulaj
Member

nbulaj commented Jan 12, 2023

Hey @nov

We have to check the git history and find the change's author; I don't remember the reasons. Do we know what the RFC says about such case(s)?

@nov
Author

nov commented Jan 12, 2023

Since the error_code for an authorization request is defined to return the error to the RP's redirect_uri, RFC6749 (4.1.2.1. Error Response) doesn't define invalid_redirect_uri at all, and says:

If the request fails due to a missing, invalid, or mismatching
redirection URI, or if the client identifier is missing or invalid,
the authorization server SHOULD inform the resource owner of the
error and MUST NOT automatically redirect the user-agent to the
invalid redirection URI.

unauthorized_client is defined as an error_code for the authorization request, thus it's expected to be returned to the RP's redirect_uri.
RFC6749 (4.1.2.1. Error Response) also says this:

If the resource owner denies the access request or if the request
fails for reasons other than a missing or invalid redirection URI,
the authorization server informs the client by adding the following
parameters to the query component of the redirection URI using the
"application/x-www-form-urlencoded" format, per Appendix B:

And invalid_client is defined as an error_code for the token request in RFC6749 5.2.
It's not defined as an error_code for the authorization request,
so it's totally unrelated to the redirect vs. not-redirect discussion.
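The rule nov quotes from RFC 6749 section 4.1.2.1 is easy to get wrong in an authorization endpoint, so here is an added worked example (not Doorkeeper's code, and not from the original thread) that applies it: a missing or unknown client_id, or a redirect_uri that does not match the registration, is shown to the resource owner and never redirected, while a verified redirect_uri plus a disallowed response_type is sent back to the client as error=unauthorized_client with its state. The client registry, the exact-string redirect_uri matching and the per-client response_type allow-list are constructed assumptions for the example; the set of authorization error codes is the one the RFC section lists.

```ruby
require "uri"

# Constructed sample client registry (assumption for this example: exact-string
# redirect_uri matching and a per-client allow-list of response types).
REGISTERED_CLIENTS = {
  "web-app" => {
    redirect_uris: ["https://rp.example.com/cb"],
    response_types: ["code"],
  },
}.freeze

# Error codes RFC 6749 section 4.1.2.1 defines for the authorization endpoint;
# these are the only ones that may travel back on the redirect_uri.
# invalid_client is a token endpoint (section 5.2) code and is deliberately absent.
AUTHORIZATION_ERROR_CODES = %w[
  invalid_request unauthorized_client access_denied
  unsupported_response_type invalid_scope server_error temporarily_unavailable
].freeze

def redirectable_error?(code)
  AUTHORIZATION_ERROR_CODES.include?(code.to_s)
end

# Appends error (and the client's state, if it sent one) to the query component
# of redirect_uri in application/x-www-form-urlencoded form, keeping any
# query parameters the registered URI already carried.
def error_redirect(redirect_uri, error, state)
  uri = URI.parse(redirect_uri)
  query = URI.decode_www_form(uri.query || "")
  query << ["error", error.to_s]
  query << ["state", state] unless state.nil?
  uri.query = URI.encode_www_form(query)
  uri.to_s
end

# Decides how an authorization request error is delivered.
# Returns [:render, code] when the user-agent must NOT be redirected,
# [:redirect, url] for an error carried to the client's redirect_uri,
# or [:authorize, redirect_uri] when the request passes these checks.
def handle_authorization_request(params)
  client = REGISTERED_CLIENTS[params["client_id"]]
  # Missing or unknown client_id: nothing vouches for the redirect_uri,
  # so the error is shown to the resource owner instead.
  return [:render, :invalid_client] if client.nil?

  redirect_uri = params["redirect_uri"]
  # Missing or mismatching redirect_uri: same rule, never redirect to it.
  return [:render, :invalid_redirect_uri] unless client[:redirect_uris].include?(redirect_uri)

  # From here on redirect_uri is verified against the registration, so a
  # policy failure such as a disallowed response_type goes back to the client.
  unless client[:response_types].include?(params["response_type"])
    return [:redirect, error_redirect(redirect_uri, :unauthorized_client, params["state"])]
  end

  [:authorize, redirect_uri]
end
```

The ordering of the checks is the whole point: client and redirect_uri validation happen first, and only after both succeed is any error allowed onto the redirect_uri, which is exactly what separates unauthorized_client (redirectable) from invalid_redirect_uri and a bad client_id (rendered).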

@stale

stale bot commented May 21, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label May 21, 2023
@nbulaj
Member

nbulaj commented Sep 26, 2023

Hey @nov, does the original PR answer your question? #1435
It has a pretty good description, I think.

@nov
Author

nov commented Sep 26, 2023

no
