
oauth2 implicit grant does not seem to properly return the error in uri fragment when client is unauthorized to use response_type token #814

Open
bennr01 opened this issue Apr 23, 2022 · 1 comment
Labels
Bug Contributor Friendly OAuth2-Provider This impact the provider part of OAuth2

Comments


bennr01 commented Apr 23, 2022

Describe the bug

Disclaimer: I am not entirely sure if this is a bug in oauthlib or if I messed something up in my test cases, but my code analysis makes me believe this is caused by oauthlib.

When using the oauth2 implicit grant and the client is not authorized to use the response_type token, the error message is returned in the query but should be returned in the fragment (See RFC6749). The implicit grant correctly returns most of the other errors in the fragment, so this seems to only be an issue when calling .validate_authorization_request() manually as shown in the provider tutorial.

How to reproduce

The bug was encountered while using a (slightly modified) version of the example code in section 5 of the provider tutorial. The bug should occur when performing an authorization with the implicit grant using a client not authorized to use response_type token (e.g. RequestValidator.validate_response_type() returns False). The resulting redirect contains the error in the query, not the fragment.

Expected behavior

As stated in RFC6749, section 4.2.2.1, the error message should be added to the uri fragment, not the uri query.

Additional context

  • python 3.9.2, oauthlib.__version__ == 3.2.0
  • using bottle-oauthlib for the integration with the webserver
  • the bug occurs as part of the oauth2 protocol, but I am technically already using the OIDC versions of the endpoints as I am currently upgrading.

Code analysis

The bug occurs because request.response_mode is not properly set by ImplicitGrant.create_token_response() (called via .validate_authorization_request() and AuthorizationEndpoint.validate_authorization_request()). In comparison, ImplicitGrant.create_token_response() seems to correctly set the response_mode in Line 230.
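To make the RFC 6749 rule concrete, here is an added example (my own code, not oauthlib's) that builds an authorization error redirect using the response mode that matches the requested response_type, and a checker that flags a redirect whose error parameters landed in the wrong component. The redirect URI, state value and the `RESPONSE_MODE_FOR` table are constructed for illustration.

```python
"""
Added example, not oauthlib code: build an OAuth 2.0 authorization error
redirect per RFC 6749 and check where the error parameters ended up.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# RFC 6749: authorization-code errors go in the query (section 4.1.2.1),
# implicit-grant (response_type=token) errors go in the fragment (4.2.2.1).
# Assumed mapping for this example; unknown response types fall back to query.
RESPONSE_MODE_FOR = {"code": "query", "token": "fragment"}


def error_redirect(redirect_uri, response_type, error, description=None, state=None):
    """Return the redirect URL carrying the error in the correct component.

    'state' is echoed back whenever the client sent one, as the RFC requires.
    """
    mode = RESPONSE_MODE_FOR.get(response_type, "query")
    params = {"error": error}
    if description:
        params["error_description"] = description
    if state is not None:
        params["state"] = state
    parts = urlsplit(redirect_uri)
    encoded = urlencode(params)
    if mode == "fragment":
        # Fragment is never sent to the server hosting redirect_uri.
        return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, encoded))
    query = f"{parts.query}&{encoded}" if parts.query else encoded
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def locate_error(redirect_url):
    """Return 'fragment', 'query' or None depending on where 'error' appears."""
    parts = urlsplit(redirect_url)
    if "error" in parse_qs(parts.fragment):
        return "fragment"
    if "error" in parse_qs(parts.query):
        return "query"
    return None


def check_redirect(redirect_url, response_type):
    """True when the error sits in the component RFC 6749 mandates for response_type."""
    return locate_error(redirect_url) == RESPONSE_MODE_FOR.get(response_type, "query")


if __name__ == "__main__":
    # Constructed: the kind of redirect the issue reports for an unauthorized client.
    buggy = "https://client.example/cb?error=unauthorized_client&state=xyz"
    print(check_redirect(buggy, "token"))  # False: error landed in the query
    print(error_redirect("https://client.example/cb", "token", "unauthorized_client", state="xyz"))
```

Running `check_redirect` over the redirect an authorization server actually emits for a `response_type=token` request is a quick way to confirm whether the provider is affected.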

@JonathanHuot JonathanHuot added Bug Contributor Friendly OAuth2-Provider This impact the provider part of OAuth2 labels Sep 2, 2022
@JonathanHuot (Member)

Hi @bennr01, thanks for the report, it is a good analysis and it seems you're right => even though the client is not authorized to use the implicit grant, the error should use the implicit grant response mode.

Any PRs to fix this one by chance ?
