Describe the bug
Disclaimer: I am not entirely sure if this is a bug in oauthlib or if I messed something up in my test cases, but my code analysis makes me believe this is caused by oauthlib.
When using the oauth2 implicit grant and the client is not authorized to use the response_type token, the error message is returned in the query but should be returned in the fragment (See RFC6749). The implicit grant correctly returns most of the other errors in the fragment, so this seems to only be an issue when calling .validate_authorization_request() manually as shown in the provider tutorial.
How to reproduce
The bug was encountered while using a (slightly modified) version of the example code in section 5 of the provider tutorial. The bug should occur when performing an authorization with the implicit grant using a client not authorized to use response_type token (e.g. RequestValidator.validate_response_type() returns False). The resulting redirect contains the error in the query, not the fragment.
Expected behavior
As stated in the RFC6749, section 4.2.2.1, the error message should be added to the uri fragment, not the uri query.
Additional context
python 3.9.2, oauthlib.__version__ == 3.2.0
using bottle-oauthlib for the integration with the webserver
the bug occurs as part of the oauth2 protocol, but I am technically already using the OIDC versions of the endpoints as I am currently upgrading.
Code analysis
The bug occurs because request.response_mode is not properly set by ImplicitGrant.create_token_response() (called via .validate_authorization_request() and AuthorizationEndpoint.validate_authorization_request()). In comparison, ImplicitGrant.create_token_response() seems to correctly set the response_mode in Line 230.
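To make the expected placement concrete and testable, here is an added example (not oauthlib's code and not from the issue) that builds an RFC 6749 error redirect in the component the requested response_type mandates and reports where an `error` parameter actually landed; the redirect URI, state value and the buggy sample redirect are constructed.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs

# RFC 6749: implicit grant (response_type=token) returns errors in the URI
# fragment (section 4.2.2.1); authorization code grant (response_type=code)
# returns them in the query (section 4.1.2.1).
RESPONSE_MODE_FOR_TYPE = {"token": "fragment", "code": "query"}


def build_error_redirect(redirect_uri, response_type, error,
                         description=None, state=None):
    """Append OAuth 2.0 error parameters to redirect_uri in the component the
    response_type mandates. This is what a conforming authorization endpoint
    does even when validate_response_type() rejected the client."""
    params = {"error": error}
    if description:
        params["error_description"] = description
    if state:
        params["state"] = state
    scheme, netloc, path, query, fragment = urlsplit(redirect_uri)
    encoded = urlencode(params)
    if RESPONSE_MODE_FOR_TYPE[response_type] == "fragment":
        fragment = encoded
    else:
        query = f"{query}&{encoded}" if query else encoded
    return urlunsplit((scheme, netloc, path, query, fragment))


def error_location(redirect_url):
    """Return 'fragment', 'query' or None depending on where 'error' sits.
    Suitable as a provider test helper to catch the misplacement reported here."""
    parts = urlsplit(redirect_url)
    if "error" in parse_qs(parts.fragment):
        return "fragment"
    if "error" in parse_qs(parts.query):
        return "query"
    return None


def conforms(redirect_url, response_type):
    """True when the error is in the component RFC 6749 requires."""
    return error_location(redirect_url) == RESPONSE_MODE_FOR_TYPE[response_type]


# Constructed sample of the redirect the issue describes: a client not allowed
# to use response_type=token gets the error in the query instead of the fragment.
BUGGY_IMPLICIT_REDIRECT = "https://client.example/cb?error=unauthorized_client&state=xyz"

if __name__ == "__main__":
    print(build_error_redirect("https://client.example/cb", "token",
                               "unauthorized_client", state="xyz"))
    print("conforms:", conforms(BUGGY_IMPLICIT_REDIRECT, "token"))
```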
Hi @bennr01, thanks for the report, it is a good analysis and it seems you're right => even though the client is not authorized to use the implicit grant, the error should use the implicit grant response mode.