
Commit 99cc6af

committed
Error Status code RFC alignment
According to RFC 6749 Section 5.2 (https://tools.ietf.org/html/rfc6749#section-5.2): invalid_request: 400; invalid_grant: 400; unauthorized_client: 400; unsupported_grant_type: 400; invalid_scope: 400; invalid_client: 401. According to RFC 6750 Section 3.1 (https://tools.ietf.org/html/rfc6750#section-3.1): invalid_request: 400; invalid_token: 401; insufficient_scope: 403. redirect_uri_mismatch is not in the standard RFC, but many other companies use it. Following the HTTP status code convention of RFC 6749 Section 5.2, this should be a 400, because it is a bad request and, if corrected, the request would work. From the little I looked into this, it seems others also return a 400 here, not a 401.
1 parent 473592b commit 99cc6af

3 files changed

+58
-6
lines changed

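--- a/scala-oauth2-core/src/main/scala/scalaoauth2/provider/GrantHandler.scala
+++ b/scala-oauth2-core/src/main/scala/scalaoauth2/provider/GrantHandler.scala
@@ -8,7 +8,8 @@ case class GrantHandlerResult[U](
 accessToken: String,
 expiresIn: Option[Long],
 refreshToken: Option[String],
-scope: Option[String])
+scope: Option[String]
+)
 
 trait GrantHandler {
 /**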

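--- a/scala-oauth2-core/src/main/scala/scalaoauth2/provider/OAuthException.scala
+++ b/scala-oauth2-core/src/main/scala/scalaoauth2/provider/OAuthException.scala
@@ -20,13 +20,13 @@ class InvalidClient(description: String = "") extends OAuthError(401, descriptio
 
 }
 
-class UnauthorizedClient(description: String = "") extends OAuthError(401, description) {
+class UnauthorizedClient(description: String = "") extends OAuthError(description) {
 
 override val errorType = "unauthorized_client"
 
 }
 
-class RedirectUriMismatch(description: String = "") extends OAuthError(401, description) {
+class RedirectUriMismatch(description: String = "") extends OAuthError(description) {
 
 override val errorType = "redirect_uri_mismatch"
 
@@ -44,7 +44,7 @@ class UnsupportedResponseType(description: String = "") extends OAuthError(descr
 
 }
 
-class InvalidGrant(description: String = "") extends OAuthError(401, description) {
+class InvalidGrant(description: String = "") extends OAuthError(description) {
 
 override val errorType = "invalid_grant"
 
@@ -56,7 +56,7 @@ class UnsupportedGrantType(description: String = "") extends OAuthError(descript
 
 }
 
-class InvalidScope(description: String = "") extends OAuthError(401, description) {
+class InvalidScope(description: String = "") extends OAuthError(description) {
 
 override val errorType = "invalid_scope"
 
@@ -74,7 +74,7 @@ class ExpiredToken() extends OAuthError(401, "The access token expired") {
 
 }
 
-class InsufficientScope(description: String = "") extends OAuthError(401, description) {
+class InsufficientScope(description: String = "") extends OAuthError(403, description) {
 
 override val errorType = "insufficient_scope"
 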
Lines changed: 51 additions & 0 deletions
@@ -0,0 +1,51 @@
1+
package scalaoauth2.provider
2+
3+
import org.scalatest.Matchers._
4+
import org.scalatest._
5+
6+
class OAuthErrorsSpec extends FlatSpec {
7+
8+
behavior of "OAuth Error Handling RFC 6749 Section 5.2"
9+
10+
it should "produce a 400 status code for invalid_request" in {
11+
new InvalidRequest().statusCode should be(400)
12+
}
13+
14+
it should "produce a 401 status code for invalid_client" in {
15+
new InvalidClient().statusCode should be(401)
16+
}
17+
18+
it should "produce a 400 status code for invalid_grant" in {
19+
new InvalidGrant().statusCode should be(400)
20+
}
21+
22+
it should "produce a 400 status code for unauthorized_client" in {
23+
new UnauthorizedClient().statusCode should be(400)
24+
}
25+
26+
it should "produce a 400 status code for unsupported_grant_type" in {
27+
new UnsupportedGrantType().statusCode should be(400)
28+
}
29+
30+
it should "produce a 400 status code for invalid_scope" in {
31+
new InvalidScope().statusCode should be(400)
32+
}
33+
34+
it should "produce a 400 status code for redirect_uri_mismatch" in {
35+
new RedirectUriMismatch().statusCode should be(400)
36+
}
37+
38+
behavior of "OAuth Error Handling for Bearer Tokens RFC 6750 Section 3.1"
39+
40+
it should "produce a 400 status code for invalid_request" in {
41+
new InvalidRequest().statusCode should be(400)
42+
}
43+
44+
it should "produce a 401 status code for invalid_token" in {
45+
new InvalidToken().statusCode should be(401)
46+
}
47+
48+
it should "produce a 403 status code for insufficient_scope" in {
49+
new InsufficientScope().statusCode should be(403)
50+
}
51+
}
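Review bot: Each case asserts only `statusCode`, so a class whose `errorType` string and status code drifted apart would still pass; asserting the error code next to the status, e.g. `new InvalidGrant().errorType should be("invalid_grant")`, pins the pairing that the RFC tables in the commit message describe. The RFC 6750 block also omits `ExpiredToken`, which the OAuthException.scala hunk shows still returning 401; a case for it would record whether that is intentional. The path of this spec file is not shown on the page, so I could not check that it sits under the core module's test tree.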
