
OAuth2 invalid registrationId request to modify BAD_REQUEST status to respond #5564


Closed
mhyeon-lee opened this issue Jul 24, 2018 · 5 comments
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)

Comments

@mhyeon-lee
Contributor

Summary

When an OAuth2 Authorization request refers to a ClientRegistration that does not exist, it responds with an InternalServerError.
TestCase

Since the client has made an undefined request, it would be better to respond with BAD_REQUEST instead.

Does this make sense?

@jgrandja jgrandja added the in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) label Jul 26, 2018
@jgrandja
Contributor

@mhyeon-lee As per spec, if the Authorization Request contains invalid parameters or missing parameters then the status should be 400.

However, if an incorrect clientRegistrationId is sent then a status of 500 is returned. The reason for this is that at this point the Authorization Request has not been triggered by the client and the client is unable to resolve the requested ClientRegistration because the clientRegistrationId does not exist in the ClientRegistrationRepository. IMO this use case is likely a configuration/setup error by the user so it signals to the user to correct the configuration.

@jgrandja
Contributor

Related #4641

@mhyeon-lee
Contributor Author

mhyeon-lee commented Jul 26, 2018

I understood what it means.
Thank you for your explanation.

And I think #4641 is a good feature.

@jgrandja
Contributor

Thanks @mhyeon-lee. I'm going to close this issue since we're on the same page :)

@dennisaj

dennisaj commented Jun 7, 2023

I feel this should be revisited; I now have to implement a filter in the chain to customize this outcome to my specific requirements. This is a bad code smell:

.addFilterBefore(validator, OAuth2AuthorizationRequestRedirectFilter::class.java)
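As an added example (not code from the issue or from Spring Security itself), here is one way the validator filter mentioned above could look: it resolves the registrationId from the default `/oauth2/authorization/{registrationId}` path and answers 400 before OAuth2AuthorizationRequestRedirectFilter would throw. It assumes Spring Security 6 with the jakarta servlet API; the class and field names are the example's own.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

/** Rejects /oauth2/authorization/{registrationId} with 400 when the id is unknown (example code). */
public class RegistrationIdValidationFilter extends OncePerRequestFilter {

    private static final String REGISTRATION_ID = "registrationId";

    private final ClientRegistrationRepository clientRegistrationRepository;

    // Same path pattern the redirect filter matches by default.
    private final RequestMatcher authorizationRequestMatcher = new AntPathRequestMatcher(
            OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI
                    + "/{" + REGISTRATION_ID + "}");

    public RegistrationIdValidationFilter(ClientRegistrationRepository clientRegistrationRepository) {
        this.clientRegistrationRepository = clientRegistrationRepository;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain filterChain) throws ServletException, IOException {
        RequestMatcher.MatchResult match = this.authorizationRequestMatcher.matcher(request);
        if (match.isMatch()) {
            String registrationId = match.getVariables().get(REGISTRATION_ID);
            if (this.clientRegistrationRepository.findByRegistrationId(registrationId) == null) {
                // Unknown id: answer 400 here instead of letting the redirect filter fail with 500.
                // The id is client-controlled input, so it is deliberately not echoed back.
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unknown client registration");
                return;
            }
        }
        filterChain.doFilter(request, response);
    }
}

// Wiring in the HttpSecurity configuration (repository obtained from the application context):
// http.addFilterBefore(new RegistrationIdValidationFilter(clientRegistrationRepository),
//         OAuth2AuthorizationRequestRedirectFilter.class);
```

If the authorization base URI has been customized, the same custom value must be used in the matcher, otherwise the filter never matches and the 500 behaviour remains.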
