Spring Security OAuth
SECOAUTH-314

Authorization Code error response slightly off spec

    Details

    • Type: Defect
    • Status: Resolved
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 1.0.0.RC1
    • Fix Version/s: 1.0.0
    • Component/s: OAuth 2

      Description

      When attempting to access ${APP_ROOT}/${AUTH_ENDPOINT_URL} without providing any parameters, e.g., http://localhost:8080/sparklr2/oauth/authorize, one receives a 405 error response stating "Request method 'GET' not supported" with an Allow header of POST only.

      However, the spec seems to indicate otherwise: http://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-4.1.2.1

      "If the resource owner denies the access request or if the request fails for reasons other than a missing or invalid redirection URI, the authorization server informs the client by adding the following parameters to the query component of the redirection URI using the "application/x-www-form-urlencoded" format, per Appendix B:

      error
      REQUIRED. A single ASCII [USASCII] error code from the
      following:
      invalid_request
      The request is missing a required parameter, includes an
      invalid parameter value, includes a parameter more than
      once, or is otherwise malformed.
      "

      Compare the response of:
      http://localhost:8080/sparklr2/oauth/authorize

      to:
      http://localhost:8080/sparklr2/oauth/authorize?response_type=foo
      http://localhost:8080/sparklr2/oauth/authorize?response_type=code
      http://localhost:8080/sparklr2/oauth/authorize?response_type=code&client_id=foo
      http://localhost:8080/sparklr2/oauth/authorize?response_type=code&client_id=tonr

      for further illustration.

        Activity

        Dave Syer added a comment -

        I removed the requirement to have a response_type parameter on the controller and so the error is dealt with in the error handler (of the controller). The result should be a 400 with an error message indicating the response_type is required. If you send a client_id (but no response_type) and a redirect_uri then you will get a 302 with the same error message encoded in the location. I think that covers it.

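The behaviour described in the report and in the resolution comment, written out as an added example that is not Spring Security OAuth's own code: a standalone authorization-endpoint handler that follows section 4.1.2.1 of the quoted draft (RFC 6749). It answers 400 directly whenever the client_id or redirect_uri cannot be trusted, because redirecting an error to an unverified URI would turn the endpoint into an open redirector, and otherwise sends a 302 with `error`, `error_description` and the echoed `state` appended to the query component of the registered redirect URI. Assumptions not taken from the issue: a constructed client registry (the `tonr` redirect URI and the `spa` client are invented), exact-match redirect URI validation, falling back to the single registered redirect URI when the request omits `redirect_uri`, and a placeholder 200 in place of the real consent page.

```python
"""Added example (not Spring Security OAuth code): authorization-endpoint error
handling per draft-ietf-oauth-v2-31 / RFC 6749 section 4.1.2.1.

Assumptions (not from the issue): clients register exact redirect URIs in a
constructed registry, a request that omits redirect_uri may use the single
registered one, and a valid request returns a placeholder 200 for the
consent page.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed registry: client_id -> registered redirect URIs (exact match only).
# "tonr" is the sample client named in the issue; the URIs and "spa" are invented.
CLIENTS: Dict[str, List[str]] = {
    "tonr": ["http://localhost:8080/tonr2/sparklr/redirect"],
    "spa": ["https://app.example/cb?env=test"],  # has its own query component
}
SUPPORTED_RESPONSE_TYPES = {"code", "token"}


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def _single(params: Dict[str, List[str]], name: str) -> Optional[str]:
    """Return the parameter's value, or None if it is absent or sent more than once."""
    values = params.get(name)
    return values[0] if values and len(values) == 1 else None


def _trusted_redirect(params: Dict[str, List[str]]) -> Optional[str]:
    """Resolve a redirect target errors may be sent to, or None.

    Section 4.1.2.1: with a missing/invalid client_id or a missing/mismatching
    redirect_uri the server MUST NOT redirect, so those cases yield None.
    """
    client_id = _single(params, "client_id")
    registered = CLIENTS.get(client_id) if client_id else None
    if not registered:
        return None
    if "redirect_uri" in params:
        requested = _single(params, "redirect_uri")  # None if duplicated
        return requested if requested in registered else None
    # No redirect_uri sent: acceptable only when exactly one is registered.
    return registered[0] if len(registered) == 1 else None


def _error_redirect(target: str, error: str, description: str,
                    state: Optional[str]) -> Response:
    """302 to the trusted redirect URI with error parameters merged into its query."""
    parts = urlsplit(target)
    existing = parse_qs(parts.query, keep_blank_values=True)
    pairs = [(k, v) for k, vs in existing.items() for v in vs]
    pairs += [("error", error), ("error_description", description)]
    if state is not None:
        pairs.append(("state", state))  # state MUST be echoed when the client sent one
    # Registered redirect URIs must not carry a fragment, so none is emitted.
    location = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(pairs), ""))
    return Response(302, {"Location": location})


def authorize(query: str) -> Response:
    """Handle GET /oauth/authorize?<query> and return a constructed Response."""
    params = parse_qs(query, keep_blank_values=True)
    target = _trusted_redirect(params)
    if target is None:
        # Nowhere safe to redirect: inform the resource owner directly (no Location).
        return Response(400, body="invalid_request: missing or invalid client_id or redirect_uri")
    state = _single(params, "state")
    duplicated = sorted(k for k, v in params.items() if len(v) > 1)
    if duplicated:
        return _error_redirect(target, "invalid_request",
                               "parameter sent more than once: " + ",".join(duplicated), state)
    response_type = _single(params, "response_type")
    if response_type is None:
        return _error_redirect(target, "invalid_request", "response_type is required", state)
    if response_type not in SUPPORTED_RESPONSE_TYPES:
        return _error_redirect(target, "unsupported_response_type",
                               "unsupported response_type: " + response_type, state)
    # A well-formed request would now authenticate the user and ask for consent.
    return Response(200, body="consent page for client " + _single(params, "client_id"))
```

The ordering is the point: the redirect target is established and validated before any error is classified, so `response_type=foo` with a mismatched `redirect_uri` still gets a plain 400 rather than a 302 to the attacker's URI, while the same request with a registered `redirect_uri` gets the spec's redirected `unsupported_response_type`. A duplicated `client_id` or `redirect_uri` is also refused with 400, since there is no single value to validate.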

          People

          • Assignee:
            Dave Syer
            Reporter:
            John Rodriguez
          • Votes:
            0
            Watchers:
            2
