
Commit 0e83ab8

Improve error descriptions for unauthorized_client (#21292)
Fixes #21282 As suggested by the [OAuth RFC](https://www.rfc-editor.org/rfc/rfc6749) (quoted below), it's helpful to give more detail in the description > error_description OPTIONAL. Human-readable ASCII [[USASCII](https://www.rfc-editor.org/rfc/rfc6749#ref-USASCII)] text providing **additional information, used to assist the client developer in understanding the error that occurred.** Values for the "error_description" parameter MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E.
1 parent 677a09e commit 0e83ab8


1 file changed

+4
-4
lines changed

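--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -645,7 +645,7 @@ func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, server
 if err != nil {
 handleAccessTokenError(ctx, AccessTokenError{
 ErrorCode: AccessTokenErrorCodeUnauthorizedClient,
-ErrorDescription: "client is not authorized",
+ErrorDescription: "unable to parse refresh token",
 })
 return
 }
@@ -688,14 +688,14 @@ func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, s
 if !app.ValidateClientSecret([]byte(form.ClientSecret)) {
 handleAccessTokenError(ctx, AccessTokenError{
 ErrorCode: AccessTokenErrorCodeUnauthorizedClient,
-ErrorDescription: "client is not authorized",
+ErrorDescription: "invalid client secret",
 })
 return
 }
 if form.RedirectURI != "" && !app.ContainsRedirectURI(form.RedirectURI) {
 handleAccessTokenError(ctx, AccessTokenError{
 ErrorCode: AccessTokenErrorCodeUnauthorizedClient,
-ErrorDescription: "client is not authorized",
+ErrorDescription: "unexpected redirect URI",
 })
 return
 }
@@ -711,7 +711,7 @@ func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, s
 if !authorizationCode.ValidateCodeChallenge(form.CodeVerifier) {
 handleAccessTokenError(ctx, AccessTokenError{
 ErrorCode: AccessTokenErrorCodeUnauthorizedClient,
-ErrorDescription: "client is not authorized",
+ErrorDescription: "failed PKCE code challenge",
 })
 return
 }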
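Review bot: The new description at the client-secret check in the second hunk, `ErrorDescription: "invalid client secret",`, now says client authentication failed, but the `ErrorCode` on the line above is still `AccessTokenErrorCodeUnauthorizedClient`; RFC 6749 §5.2 defines `unauthorized_client` as "the authenticated client is not authorized to use this authorization grant type" and reserves `invalid_client` for failed client authentication, so a client developer reading the pair gets contradictory signals. If this package defines an `invalid_client` error code (the enum is not visible from the hunk), the secret-check site is the one that should return it; the redirect-URI and PKCE sites in the same function are closer to a genuine authorization failure and can keep the current code. The new descriptions are fixed string literals rather than values derived from `form`, which keeps the response free of caller-supplied text and inside the RFC's permitted ASCII range; it would be worth a short comment at `handleAccessTokenError`'s call sites, or on `AccessTokenError.ErrorDescription`, stating that descriptions must stay constant for that reason. Both handleRefreshToken and handleAuthorizationCode begin and end outside the hunks.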
