Details
Defect
Minor
Description
When attempting to access $
{APP_ROOT}/$
{AUTH_ENDPOINT_URL}without providing any parameters, e.g., http://localhost:8080/sparklr2/oauth/authorize, one receives a 405 error response stating "Request method 'GET' not supported" with an Allow header of POST only.
However, the spec seems to indicate otherwise: http://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-4.1.2.1
"If the resource owner denies the access request or if the request fails for reasons other than a missing or invalid redirection URI, the authorization server informs the client by adding the following parameters to the query component of the redirection URI using the "application/x-www-form-urlencoded" format, per Appendix B:
error
REQUIRED. A single ASCII [USASCII] error code from the
following:
invalid_request
The request is missing a required parameter, includes an
invalid parameter value, includes a parameter more than
once, or is otherwise malformed.
"
Compare the response of:
http://localhost:8080/sparklr2/oauth/authorize
to:
http://localhost:8080/sparklr2/oauth/authorize?response_type=foo
http://localhost:8080/sparklr2/oauth/authorize?response_type=code
http://localhost:8080/sparklr2/oauth/authorize?response_type=code&client_id=foo
http://localhost:8080/sparklr2/oauth/authorize?response_type=code&client_id=tonr
for further illustration.
I removed the requirement to have a response_type parameter on the controller and so the error is dealt with in the error handler (of the controller). The result should be a 400 with an error message indicating the response_type is required. If you send a client_id (but no response_type) and a redirect_uri then you will get a 302 with the same error message encoded in the location. I think that covers it.