Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prevent requested scope be empty on authorization request, handle and add description for invalid request error #1277
Prevent requested scope be empty on authorization request, handle and add description for invalid request error #1277
Changes from all commits
33b3dcd
a3c38cc
1bc786c
b996bc6
1b1aca0
9266d1e
b4b42f9
b4813ab
f5ed883
0fd5f3b
c703aaf
77aa134
3787001
467e60a
1cb64e9
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Introduce
InvalidRequestResponse
(error response) to handleinvalid_request
error.invalid_request
error by two following variable:missing_parameter
(for missing required parameter) andinvalid_request_reason
(for reason other thanmissing_parameter
: E.g.:request_not_authorized
attoken_introspection.rb
, or:not_support_pkce
atauthorization_code_request.rb
)There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because with missing or invalid
client
andredirect_uri
param,AuthorizationsController
must not redirect client toredirect_uri
. So I change the order ofvalidate
: Firstly, checkedclient
andredirect_uri
param. This order makes sure that after these two validation, ErrorResponse is always redirectableThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the reason to change this class? 🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As I describe at PR's description:
3. When refresh_token is revoked
because
refresh_token
is revoked, so we should returninvalid_grant
error as rfc's error response definitionwe can see that Errors::InvalidGrantReuse returns
invalid_grant
, while InvalidTokenReuse returnsinvalid_request
.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ahh, sorry man, too much I need to check and do after vacation 🙇♂️
👍