diff options
author | M Hickford <mirth.hickford@gmail.com> | 2022-09-28 20:10:27 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-09-28 15:10:27 -0400 |
commit | 0e83ab8df7fb3eec9e8b6e614ad64397e22a09ba (patch) | |
tree | fa9f4ec2c3192fe38d4f24bd8a49910e421c8e7b | |
parent | 677a09eb745f405204a2cd8c87649b29e5478617 (diff) | |
download | gitea-0e83ab8df7fb3eec9e8b6e614ad64397e22a09ba.tar.gz gitea-0e83ab8df7fb3eec9e8b6e614ad64397e22a09ba.zip |
Improve error descriptions for unauthorized_client (#21292)
Fixes #21282
As suggested by the [OAuth RFC](https://www.rfc-editor.org/rfc/rfc6749)
(quoted below), it's helpful to give more detail in the description
> error_description
OPTIONAL. Human-readable ASCII
[[USASCII](https://www.rfc-editor.org/rfc/rfc6749#ref-USASCII)] text
providing **additional information, used to assist the client developer
in understanding the error that occurred.**
Values for the "error_description" parameter MUST NOT include characters
outside the set %x20-21 / %x23-5B / %x5D-7E.
-rw-r--r-- | routers/web/auth/oauth.go | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go index b400fdac8c..d145150535 100644 --- a/routers/web/auth/oauth.go +++ b/routers/web/auth/oauth.go @@ -645,7 +645,7 @@ func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, server if err != nil { handleAccessTokenError(ctx, AccessTokenError{ ErrorCode: AccessTokenErrorCodeUnauthorizedClient, - ErrorDescription: "client is not authorized", + ErrorDescription: "unable to parse refresh token", }) return } @@ -688,14 +688,14 @@ func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, s if !app.ValidateClientSecret([]byte(form.ClientSecret)) { handleAccessTokenError(ctx, AccessTokenError{ ErrorCode: AccessTokenErrorCodeUnauthorizedClient, - ErrorDescription: "client is not authorized", + ErrorDescription: "invalid client secret", }) return } if form.RedirectURI != "" && !app.ContainsRedirectURI(form.RedirectURI) { handleAccessTokenError(ctx, AccessTokenError{ ErrorCode: AccessTokenErrorCodeUnauthorizedClient, - ErrorDescription: "client is not authorized", + ErrorDescription: "unexpected redirect URI", }) return } @@ -711,7 +711,7 @@ func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, s if !authorizationCode.ValidateCodeChallenge(form.CodeVerifier) { handleAccessTokenError(ctx, AccessTokenError{ ErrorCode: AccessTokenErrorCodeUnauthorizedClient, - ErrorDescription: "client is not authorized", + ErrorDescription: "failed PKCE code challenge", }) return } |