OAuth2 invalid registrationId request to modify BAD_REQUEST status to respond

[mhyeon-lee]

Summary

When an OAuth2 Authorization request encounters a ClientRegistration request that does not exist, it is responding with an InternalServerError.
TestCase

Since the client has made an undefined request, it would be better to modify it in the BAD_REQUEST response.

Does this make sense?

[jgrandja]

@mhyeon-lee As per spec, if the Authorization Request contains invalid parameters or missing parameters than the status should be 400.

However, if an incorrect clientRegistrationId is sent than a status of 500 is returned. The reason for this is because at this point the Authorization Request has not been triggered by the client and the client is unable to resolve the requested ClientRegistration because the clientRegistrationId does not exist in the ClientRegistrationRepository. IMO this use case is likely a configuration/setup error by the user so it signals to the user to correct the configuration.

[jgrandja]

Related #4641

[mhyeon-lee]

I understood what it means.
Thank you for your explanation.

And I think #4641 is a good feature.

[jgrandja]

Thanks @mhyeon-lee. I'm going to close this issue since we're on the same page :)

[dennisaj]

I feel this should be re-visited, I now have to implement a filter in the chain to customize this outcome to my specific requirements. This is a bad code smell:

.addFilterBefore(validator, OAuth2AuthorizationRequestRedirectFilter::class.java)