mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9516 Commits
17 Branches
Tree: v1.13.0-de
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'v1.13.0-de'
${ noResults }
gitea/routers/user/oauth.go

oauth.go 17KB
Raw Permalink Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512 
  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package user

  6. 

  7. import (

  8. 	"encoding/base64"

  9. 	"fmt"

  10. 	"net/url"

  11. 	"strings"

  12. 

  13. 	"code.gitea.io/gitea/models"

  14. 	"code.gitea.io/gitea/modules/auth"

  15. 	"code.gitea.io/gitea/modules/base"

  16. 	"code.gitea.io/gitea/modules/context"

  17. 	"code.gitea.io/gitea/modules/log"

  18. 	"code.gitea.io/gitea/modules/setting"

  19. 	"code.gitea.io/gitea/modules/timeutil"

  20. 

  21. 	"gitea.com/macaron/binding"

  22. 	"github.com/dgrijalva/jwt-go"

  23. )

  24. 

  25. const (

  26. 	tplGrantAccess base.TplName = "user/auth/grant"

  27. 	tplGrantError  base.TplName = "user/auth/grant_error"

  28. )

  29. 

  30. // TODO move error and responses to SDK or models

  31. 

  32. // AuthorizeErrorCode represents an error code specified in RFC 6749

  33. type AuthorizeErrorCode string

  34. 

  35. const (

  36. 	// ErrorCodeInvalidRequest represents the according error in RFC 6749

  37. 	ErrorCodeInvalidRequest AuthorizeErrorCode = "invalid_request"

  38. 	// ErrorCodeUnauthorizedClient represents the according error in RFC 6749

  39. 	ErrorCodeUnauthorizedClient AuthorizeErrorCode = "unauthorized_client"

  40. 	// ErrorCodeAccessDenied represents the according error in RFC 6749

  41. 	ErrorCodeAccessDenied AuthorizeErrorCode = "access_denied"

  42. 	// ErrorCodeUnsupportedResponseType represents the according error in RFC 6749

  43. 	ErrorCodeUnsupportedResponseType AuthorizeErrorCode = "unsupported_response_type"

  44. 	// ErrorCodeInvalidScope represents the according error in RFC 6749

  45. 	ErrorCodeInvalidScope AuthorizeErrorCode = "invalid_scope"

  46. 	// ErrorCodeServerError represents the according error in RFC 6749

  47. 	ErrorCodeServerError AuthorizeErrorCode = "server_error"

  48. 	// ErrorCodeTemporaryUnavailable represents the according error in RFC 6749

  49. 	ErrorCodeTemporaryUnavailable AuthorizeErrorCode = "temporarily_unavailable"

  50. )

  51. 

  52. // AuthorizeError represents an error type specified in RFC 6749

  53. type AuthorizeError struct {

  54. 	ErrorCode        AuthorizeErrorCode `json:"error" form:"error"`

  55. 	ErrorDescription string

  56. 	State            string

  57. }

  58. 

  59. // Error returns the error message

  60. func (err AuthorizeError) Error() string {

  61. 	return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription)

  62. }

  63. 

  64. // AccessTokenErrorCode represents an error code specified in RFC 6749

  65. type AccessTokenErrorCode string

  66. 

  67. const (

  68. 	// AccessTokenErrorCodeInvalidRequest represents an error code specified in RFC 6749

  69. 	AccessTokenErrorCodeInvalidRequest AccessTokenErrorCode = "invalid_request"

  70. 	// AccessTokenErrorCodeInvalidClient represents an error code specified in RFC 6749

  71. 	AccessTokenErrorCodeInvalidClient = "invalid_client"

  72. 	// AccessTokenErrorCodeInvalidGrant represents an error code specified in RFC 6749

  73. 	AccessTokenErrorCodeInvalidGrant = "invalid_grant"

  74. 	// AccessTokenErrorCodeUnauthorizedClient represents an error code specified in RFC 6749

  75. 	AccessTokenErrorCodeUnauthorizedClient = "unauthorized_client"

  76. 	// AccessTokenErrorCodeUnsupportedGrantType represents an error code specified in RFC 6749

  77. 	AccessTokenErrorCodeUnsupportedGrantType = "unsupported_grant_type"

  78. 	// AccessTokenErrorCodeInvalidScope represents an error code specified in RFC 6749

  79. 	AccessTokenErrorCodeInvalidScope = "invalid_scope"

  80. )

  81. 

  82. // AccessTokenError represents an error response specified in RFC 6749

  83. type AccessTokenError struct {

  84. 	ErrorCode        AccessTokenErrorCode `json:"error" form:"error"`

  85. 	ErrorDescription string               `json:"error_description"`

  86. }

  87. 

  88. // Error returns the error message

  89. func (err AccessTokenError) Error() string {

  90. 	return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription)

  91. }

  92. 

  93. // TokenType specifies the kind of token

  94. type TokenType string

  95. 

  96. const (

  97. 	// TokenTypeBearer represents a token type specified in RFC 6749

  98. 	TokenTypeBearer TokenType = "bearer"

  99. 	// TokenTypeMAC represents a token type specified in RFC 6749

  100. 	TokenTypeMAC = "mac"

  101. )

  102. 

  103. // AccessTokenResponse represents a successful access token response

  104. type AccessTokenResponse struct {

  105. 	AccessToken  string    `json:"access_token"`

  106. 	TokenType    TokenType `json:"token_type"`

  107. 	ExpiresIn    int64     `json:"expires_in"`

  108. 	RefreshToken string    `json:"refresh_token"`

  109. }

  110. 

  111. func newAccessTokenResponse(grant *models.OAuth2Grant) (*AccessTokenResponse, *AccessTokenError) {

  112. 	if setting.OAuth2.InvalidateRefreshTokens {

  113. 		if err := grant.IncreaseCounter(); err != nil {

  114. 			return nil, &AccessTokenError{

  115. 				ErrorCode:        AccessTokenErrorCodeInvalidGrant,

  116. 				ErrorDescription: "cannot increase the grant counter",

  117. 			}

  118. 		}

  119. 	}

  120. 	// generate access token to access the API

  121. 	expirationDate := timeutil.TimeStampNow().Add(setting.OAuth2.AccessTokenExpirationTime)

  122. 	accessToken := &models.OAuth2Token{

  123. 		GrantID: grant.ID,

  124. 		Type:    models.TypeAccessToken,

  125. 		StandardClaims: jwt.StandardClaims{

  126. 			ExpiresAt: expirationDate.AsTime().Unix(),

  127. 		},

  128. 	}

  129. 	signedAccessToken, err := accessToken.SignToken()

  130. 	if err != nil {

  131. 		return nil, &AccessTokenError{

  132. 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  133. 			ErrorDescription: "cannot sign token",

  134. 		}

  135. 	}

  136. 

  137. 	// generate refresh token to request an access token after it expired later

  138. 	refreshExpirationDate := timeutil.TimeStampNow().Add(setting.OAuth2.RefreshTokenExpirationTime * 60 * 60).AsTime().Unix()

  139. 	refreshToken := &models.OAuth2Token{

  140. 		GrantID: grant.ID,

  141. 		Counter: grant.Counter,

  142. 		Type:    models.TypeRefreshToken,

  143. 		StandardClaims: jwt.StandardClaims{

  144. 			ExpiresAt: refreshExpirationDate,

  145. 		},

  146. 	}

  147. 	signedRefreshToken, err := refreshToken.SignToken()

  148. 	if err != nil {

  149. 		return nil, &AccessTokenError{

  150. 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  151. 			ErrorDescription: "cannot sign token",

  152. 		}

  153. 	}

  154. 

  155. 	return &AccessTokenResponse{

  156. 		AccessToken:  signedAccessToken,

  157. 		TokenType:    TokenTypeBearer,

  158. 		ExpiresIn:    setting.OAuth2.AccessTokenExpirationTime,

  159. 		RefreshToken: signedRefreshToken,

  160. 	}, nil

  161. }

  162. 

  163. // AuthorizeOAuth manages authorize requests

  164. func AuthorizeOAuth(ctx *context.Context, form auth.AuthorizationForm) {

  165. 	errs := binding.Errors{}

  166. 	errs = form.Validate(ctx.Context, errs)

  167. 	if len(errs) > 0 {

  168. 		errstring := ""

  169. 		for _, e := range errs {

  170. 			errstring += e.Error() + "\n"

  171. 		}

  172. 		ctx.ServerError("AuthorizeOAuth: Validate: ", fmt.Errorf("errors occurred during validation: %s", errstring))

  173. 		return

  174. 	}

  175. 

  176. 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)

  177. 	if err != nil {

  178. 		if models.IsErrOauthClientIDInvalid(err) {

  179. 			handleAuthorizeError(ctx, AuthorizeError{

  180. 				ErrorCode:        ErrorCodeUnauthorizedClient,

  181. 				ErrorDescription: "Client ID not registered",

  182. 				State:            form.State,

  183. 			}, "")

  184. 			return

  185. 		}

  186. 		ctx.ServerError("GetOAuth2ApplicationByClientID", err)

  187. 		return

  188. 	}

  189. 	if err := app.LoadUser(); err != nil {

  190. 		ctx.ServerError("LoadUser", err)

  191. 		return

  192. 	}

  193. 

  194. 	if !app.ContainsRedirectURI(form.RedirectURI) {

  195. 		handleAuthorizeError(ctx, AuthorizeError{

  196. 			ErrorCode:        ErrorCodeInvalidRequest,

  197. 			ErrorDescription: "Unregistered Redirect URI",

  198. 			State:            form.State,

  199. 		}, "")

  200. 		return

  201. 	}

  202. 

  203. 	if form.ResponseType != "code" {

  204. 		handleAuthorizeError(ctx, AuthorizeError{

  205. 			ErrorCode:        ErrorCodeUnsupportedResponseType,

  206. 			ErrorDescription: "Only code response type is supported.",

  207. 			State:            form.State,

  208. 		}, form.RedirectURI)

  209. 		return

  210. 	}

  211. 

  212. 	// pkce support

  213. 	switch form.CodeChallengeMethod {

  214. 	case "S256":

  215. 	case "plain":

  216. 		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallengeMethod); err != nil {

  217. 			handleAuthorizeError(ctx, AuthorizeError{

  218. 				ErrorCode:        ErrorCodeServerError,

  219. 				ErrorDescription: "cannot set code challenge method",

  220. 				State:            form.State,

  221. 			}, form.RedirectURI)

  222. 			return

  223. 		}

  224. 		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallenge); err != nil {

  225. 			handleAuthorizeError(ctx, AuthorizeError{

  226. 				ErrorCode:        ErrorCodeServerError,

  227. 				ErrorDescription: "cannot set code challenge",

  228. 				State:            form.State,

  229. 			}, form.RedirectURI)

  230. 			return

  231. 		}

  232. 		// Here we're just going to try to release the session early

  233. 		if err := ctx.Session.Release(); err != nil {

  234. 			// we'll tolerate errors here as they *should* get saved elsewhere

  235. 			log.Error("Unable to save changes to the session: %v", err)

  236. 		}

  237. 	case "":

  238. 		break

  239. 	default:

  240. 		handleAuthorizeError(ctx, AuthorizeError{

  241. 			ErrorCode:        ErrorCodeInvalidRequest,

  242. 			ErrorDescription: "unsupported code challenge method",

  243. 			State:            form.State,

  244. 		}, form.RedirectURI)

  245. 		return

  246. 	}

  247. 

  248. 	grant, err := app.GetGrantByUserID(ctx.User.ID)

  249. 	if err != nil {

  250. 		handleServerError(ctx, form.State, form.RedirectURI)

  251. 		return

  252. 	}

  253. 

  254. 	// Redirect if user already granted access

  255. 	if grant != nil {

  256. 		code, err := grant.GenerateNewAuthorizationCode(form.RedirectURI, form.CodeChallenge, form.CodeChallengeMethod)

  257. 		if err != nil {

  258. 			handleServerError(ctx, form.State, form.RedirectURI)

  259. 			return

  260. 		}

  261. 		redirect, err := code.GenerateRedirectURI(form.State)

  262. 		if err != nil {

  263. 			handleServerError(ctx, form.State, form.RedirectURI)

  264. 			return

  265. 		}

  266. 		ctx.Redirect(redirect.String(), 302)

  267. 		return

  268. 	}

  269. 

  270. 	// show authorize page to grant access

  271. 	ctx.Data["Application"] = app

  272. 	ctx.Data["RedirectURI"] = form.RedirectURI

  273. 	ctx.Data["State"] = form.State

  274. 	ctx.Data["ApplicationUserLink"] = "<a href=\"" + setting.AppURL + app.User.LowerName + "\">@" + app.User.Name + "</a>"

  275. 	ctx.Data["ApplicationRedirectDomainHTML"] = "<strong>" + form.RedirectURI + "</strong>"

  276. 	// TODO document SESSION <=> FORM

  277. 	err = ctx.Session.Set("client_id", app.ClientID)

  278. 	if err != nil {

  279. 		handleServerError(ctx, form.State, form.RedirectURI)

  280. 		log.Error(err.Error())

  281. 		return

  282. 	}

  283. 	err = ctx.Session.Set("redirect_uri", form.RedirectURI)

  284. 	if err != nil {

  285. 		handleServerError(ctx, form.State, form.RedirectURI)

  286. 		log.Error(err.Error())

  287. 		return

  288. 	}

  289. 	err = ctx.Session.Set("state", form.State)

  290. 	if err != nil {

  291. 		handleServerError(ctx, form.State, form.RedirectURI)

  292. 		log.Error(err.Error())

  293. 		return

  294. 	}

  295. 	// Here we're just going to try to release the session early

  296. 	if err := ctx.Session.Release(); err != nil {

  297. 		// we'll tolerate errors here as they *should* get saved elsewhere

  298. 		log.Error("Unable to save changes to the session: %v", err)

  299. 	}

  300. 	ctx.HTML(200, tplGrantAccess)

  301. }

  302. 

  303. // GrantApplicationOAuth manages the post request submitted when a user grants access to an application

  304. func GrantApplicationOAuth(ctx *context.Context, form auth.GrantApplicationForm) {

  305. 	if ctx.Session.Get("client_id") != form.ClientID || ctx.Session.Get("state") != form.State ||

  306. 		ctx.Session.Get("redirect_uri") != form.RedirectURI {

  307. 		ctx.Error(400)

  308. 		return

  309. 	}

  310. 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)

  311. 	if err != nil {

  312. 		ctx.ServerError("GetOAuth2ApplicationByClientID", err)

  313. 		return

  314. 	}

  315. 	grant, err := app.CreateGrant(ctx.User.ID)

  316. 	if err != nil {

  317. 		handleAuthorizeError(ctx, AuthorizeError{

  318. 			State:            form.State,

  319. 			ErrorDescription: "cannot create grant for user",

  320. 			ErrorCode:        ErrorCodeServerError,

  321. 		}, form.RedirectURI)

  322. 		return

  323. 	}

  324. 

  325. 	var codeChallenge, codeChallengeMethod string

  326. 	codeChallenge, _ = ctx.Session.Get("CodeChallenge").(string)

  327. 	codeChallengeMethod, _ = ctx.Session.Get("CodeChallengeMethod").(string)

  328. 

  329. 	code, err := grant.GenerateNewAuthorizationCode(form.RedirectURI, codeChallenge, codeChallengeMethod)

  330. 	if err != nil {

  331. 		handleServerError(ctx, form.State, form.RedirectURI)

  332. 		return

  333. 	}

  334. 	redirect, err := code.GenerateRedirectURI(form.State)

  335. 	if err != nil {

  336. 		handleServerError(ctx, form.State, form.RedirectURI)

  337. 		return

  338. 	}

  339. 	ctx.Redirect(redirect.String(), 302)

  340. }

  341. 

  342. // AccessTokenOAuth manages all access token requests by the client

  343. func AccessTokenOAuth(ctx *context.Context, form auth.AccessTokenForm) {

  344. 	if form.ClientID == "" {

  345. 		authHeader := ctx.Req.Header.Get("Authorization")

  346. 		authContent := strings.SplitN(authHeader, " ", 2)

  347. 		if len(authContent) == 2 && authContent[0] == "Basic" {

  348. 			payload, err := base64.StdEncoding.DecodeString(authContent[1])

  349. 			if err != nil {

  350. 				handleAccessTokenError(ctx, AccessTokenError{

  351. 					ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  352. 					ErrorDescription: "cannot parse basic auth header",

  353. 				})

  354. 				return

  355. 			}

  356. 			pair := strings.SplitN(string(payload), ":", 2)

  357. 			if len(pair) != 2 {

  358. 				handleAccessTokenError(ctx, AccessTokenError{

  359. 					ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  360. 					ErrorDescription: "cannot parse basic auth header",

  361. 				})

  362. 				return

  363. 			}

  364. 			form.ClientID = pair[0]

  365. 			form.ClientSecret = pair[1]

  366. 		}

  367. 	}

  368. 	switch form.GrantType {

  369. 	case "refresh_token":

  370. 		handleRefreshToken(ctx, form)

  371. 		return

  372. 	case "authorization_code":

  373. 		handleAuthorizationCode(ctx, form)

  374. 		return

  375. 	default:

  376. 		handleAccessTokenError(ctx, AccessTokenError{

  377. 			ErrorCode:        AccessTokenErrorCodeUnsupportedGrantType,

  378. 			ErrorDescription: "Only refresh_token or authorization_code grant type is supported",

  379. 		})

  380. 	}

  381. }

  382. 

  383. func handleRefreshToken(ctx *context.Context, form auth.AccessTokenForm) {

  384. 	token, err := models.ParseOAuth2Token(form.RefreshToken)

  385. 	if err != nil {

  386. 		handleAccessTokenError(ctx, AccessTokenError{

  387. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  388. 			ErrorDescription: "client is not authorized",

  389. 		})

  390. 		return

  391. 	}

  392. 	// get grant before increasing counter

  393. 	grant, err := models.GetOAuth2GrantByID(token.GrantID)

  394. 	if err != nil || grant == nil {

  395. 		handleAccessTokenError(ctx, AccessTokenError{

  396. 			ErrorCode:        AccessTokenErrorCodeInvalidGrant,

  397. 			ErrorDescription: "grant does not exist",

  398. 		})

  399. 		return

  400. 	}

  401. 

  402. 	// check if token got already used

  403. 	if setting.OAuth2.InvalidateRefreshTokens && (grant.Counter != token.Counter || token.Counter == 0) {

  404. 		handleAccessTokenError(ctx, AccessTokenError{

  405. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  406. 			ErrorDescription: "token was already used",

  407. 		})

  408. 		log.Warn("A client tried to use a refresh token for grant_id = %d was used twice!", grant.ID)

  409. 		return

  410. 	}

  411. 	accessToken, tokenErr := newAccessTokenResponse(grant)

  412. 	if tokenErr != nil {

  413. 		handleAccessTokenError(ctx, *tokenErr)

  414. 		return

  415. 	}

  416. 	ctx.JSON(200, accessToken)

  417. }

  418. 

  419. func handleAuthorizationCode(ctx *context.Context, form auth.AccessTokenForm) {

  420. 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)

  421. 	if err != nil {

  422. 		handleAccessTokenError(ctx, AccessTokenError{

  423. 			ErrorCode:        AccessTokenErrorCodeInvalidClient,

  424. 			ErrorDescription: fmt.Sprintf("cannot load client with client id: '%s'", form.ClientID),

  425. 		})

  426. 		return

  427. 	}

  428. 	if !app.ValidateClientSecret([]byte(form.ClientSecret)) {

  429. 		handleAccessTokenError(ctx, AccessTokenError{

  430. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  431. 			ErrorDescription: "client is not authorized",

  432. 		})

  433. 		return

  434. 	}

  435. 	if form.RedirectURI != "" && !app.ContainsRedirectURI(form.RedirectURI) {

  436. 		handleAccessTokenError(ctx, AccessTokenError{

  437. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  438. 			ErrorDescription: "client is not authorized",

  439. 		})

  440. 		return

  441. 	}

  442. 	authorizationCode, err := models.GetOAuth2AuthorizationByCode(form.Code)

  443. 	if err != nil || authorizationCode == nil {

  444. 		handleAccessTokenError(ctx, AccessTokenError{

  445. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  446. 			ErrorDescription: "client is not authorized",

  447. 		})

  448. 		return

  449. 	}

  450. 	// check if code verifier authorizes the client, PKCE support

  451. 	if !authorizationCode.ValidateCodeChallenge(form.CodeVerifier) {

  452. 		handleAccessTokenError(ctx, AccessTokenError{

  453. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  454. 			ErrorDescription: "client is not authorized",

  455. 		})

  456. 		return

  457. 	}

  458. 	// check if granted for this application

  459. 	if authorizationCode.Grant.ApplicationID != app.ID {

  460. 		handleAccessTokenError(ctx, AccessTokenError{

  461. 			ErrorCode:        AccessTokenErrorCodeInvalidGrant,

  462. 			ErrorDescription: "invalid grant",

  463. 		})

  464. 		return

  465. 	}

  466. 	// remove token from database to deny duplicate usage

  467. 	if err := authorizationCode.Invalidate(); err != nil {

  468. 		handleAccessTokenError(ctx, AccessTokenError{

  469. 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  470. 			ErrorDescription: "cannot proceed your request",

  471. 		})

  472. 	}

  473. 	resp, tokenErr := newAccessTokenResponse(authorizationCode.Grant)

  474. 	if tokenErr != nil {

  475. 		handleAccessTokenError(ctx, *tokenErr)

  476. 		return

  477. 	}

  478. 	// send successful response

  479. 	ctx.JSON(200, resp)

  480. }

  481. 

  482. func handleAccessTokenError(ctx *context.Context, acErr AccessTokenError) {

  483. 	ctx.JSON(400, acErr)

  484. }

  485. 

  486. func handleServerError(ctx *context.Context, state string, redirectURI string) {

  487. 	handleAuthorizeError(ctx, AuthorizeError{

  488. 		ErrorCode:        ErrorCodeServerError,

  489. 		ErrorDescription: "A server error occurred",

  490. 		State:            state,

  491. 	}, redirectURI)

  492. }

  493. 

  494. func handleAuthorizeError(ctx *context.Context, authErr AuthorizeError, redirectURI string) {

  495. 	if redirectURI == "" {

  496. 		log.Warn("Authorization failed: %v", authErr.ErrorDescription)

  497. 		ctx.Data["Error"] = authErr

  498. 		ctx.HTML(400, tplGrantError)

  499. 		return

  500. 	}

  501. 	redirect, err := url.Parse(redirectURI)

  502. 	if err != nil {

  503. 		ctx.ServerError("url.Parse", err)

  504. 		return

  505. 	}

  506. 	q := redirect.Query()

  507. 	q.Set("error", string(authErr.ErrorCode))

  508. 	q.Set("error_description", authErr.ErrorDescription)

  509. 	q.Set("state", authErr.State)

  510. 	redirect.RawQuery = q.Encode()

  511. 	ctx.Redirect(redirect.String(), 302)

  512. }