authorM Hickford <mirth.hickford@gmail.com>2022-09-28 20:10:27 +0100
committerGitHub <noreply@github.com>2022-09-28 15:10:27 -0400
commit0e83ab8df7fb3eec9e8b6e614ad64397e22a09ba (patch)
treefa9f4ec2c3192fe38d4f24bd8a49910e421c8e7b
parent677a09eb745f405204a2cd8c87649b29e5478617 (diff)
Improve error descriptions for unauthorized_client (#21292)
Fixes #21282

As suggested by the [OAuth RFC](https://www.rfc-editor.org/rfc/rfc6749) (quoted below), it's helpful to give more detail in the error description:

> error_description
> OPTIONAL. Human-readable ASCII [[USASCII](https://www.rfc-editor.org/rfc/rfc6749#ref-USASCII)] text providing **additional information, used to assist the client developer in understanding the error that occurred.** Values for the "error_description" parameter MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E.
-rw-r--r--routers/web/auth/oauth.go8
1 files changed, 4 insertions, 4 deletions
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
index b400fdac8c..d145150535 100644
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -645,7 +645,7 @@ func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, server
if err != nil {
handleAccessTokenError(ctx, AccessTokenError{
ErrorCode: AccessTokenErrorCodeUnauthorizedClient,
- ErrorDescription: "client is not authorized",
+ ErrorDescription: "unable to parse refresh token",
})
return
}
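Review bot: The new description on the `+` line says the refresh token could not be parsed, but the error code sent with it is still `AccessTokenErrorCodeUnauthorizedClient`, which RFC 6749 §5.2 reserves for a client that is not permitted to use this grant type; a malformed or otherwise invalid refresh token is an `invalid_grant` error. The description now contradicts the code, so a client developer who branches on the error code, as the RFC intends, is pointed at client authorization instead of at the token. If the package defines an `invalid_grant` error-code constant, switch `ErrorCode:` at this site to it; if it does not, that constant is worth adding next to the existing ones. Not echoing `err` into the description is the right call, since a parse error could reveal token structure to the caller. handleRefreshToken starts before this hunk and continues after it.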
@@ -688,14 +688,14 @@ func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, s
if !app.ValidateClientSecret([]byte(form.ClientSecret)) {
handleAccessTokenError(ctx, AccessTokenError{
ErrorCode: AccessTokenErrorCodeUnauthorizedClient,
- ErrorDescription: "client is not authorized",
+ ErrorDescription: "invalid client secret",
})
return
}
if form.RedirectURI != "" && !app.ContainsRedirectURI(form.RedirectURI) {
handleAccessTokenError(ctx, AccessTokenError{
ErrorCode: AccessTokenErrorCodeUnauthorizedClient,
- ErrorDescription: "client is not authorized",
+ ErrorDescription: "unexpected redirect URI",
})
return
}
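Review bot: The redirect URI check just above the second changed description only asks whether `form.RedirectURI` is somewhere in the application's registered list, and skips the check entirely when the parameter is empty; RFC 6749 §4.1.3 requires the token request's `redirect_uri` to be present and identical to the one used in the authorization request whenever one was sent, which is a comparison against the URI bound to the authorization code, not against the registered set. As far as this hunk shows, a code issued for one registered URI can be redeemed while naming another registered URI, or none at all, which is exactly what the per-code comparison exists to prevent. The authorization code is loaded after this hunk, so the exact comparison would have to be added after that lookup, comparing `form.RedirectURI` with the redirect URI stored alongside the code and rejecting on mismatch — the stored field's name is not visible here, so confirm it against the model. Separately, RFC 6749 §5.2 calls a failed client secret `invalid_client` (HTTP 401) and a bad redirect URI `invalid_grant`, while both sites still send `unauthorized_client`. handleAuthorizationCode starts before and continues after the hunk.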
@@ -711,7 +711,7 @@ func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, s
if !authorizationCode.ValidateCodeChallenge(form.CodeVerifier) {
handleAccessTokenError(ctx, AccessTokenError{
ErrorCode: AccessTokenErrorCodeUnauthorizedClient,
- ErrorDescription: "client is not authorized",
+ ErrorDescription: "failed PKCE code challenge",
})
return
}
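Review bot: The new description correctly names the PKCE failure, but the error code on the line above it is still `AccessTokenErrorCodeUnauthorizedClient`; RFC 7636 §4.6 says a `code_verifier` that does not match the stored `code_challenge` MUST be answered with `invalid_grant`. A client that branches on the error code cannot distinguish this from a genuine client-authorization failure, which undercuts the point of the more specific description. Change `ErrorCode:` at this site to the package's `invalid_grant` constant if one exists. Keeping the submitted verifier out of the description, as this line does, is right. The enclosing handleAuthorizationCode starts outside the hunk.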