We have been working on an OAuth 2.0 IDP implementation, and during the implementation of the authorize endpoint, I couldn't find in RFC 6749 what should happen if the client_id is not passed in the request or is invalid, and there is no redirect_uri in the request either. Should the server return a 400 with no body, or a 400 with JSON? Or is there a better approach?
2 Answers
Everything is well explained in the request for change you pointed to:
The authorization server responds with an HTTP 400 (Bad Request) status code (unless specified otherwise) and includes the following parameters with the response:
invalid_request
The request is missing a required parameter, includes an unsupported parameter value (other than grant type), repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed.
And this is typically the case you described: if the request is missing the client_id or the redirect_uri, you should return an HTTP 400 Bad Request, as described in section 5.2 of the RFC:
HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"error":"invalid_request"
}
I completely missed it. Thanks for that. – RicardoDuarte Jun 13 '19 at 10:01
If I read your question correctly, you are asking about the authorize endpoint, and this is an endpoint that is opened in a browser by the end user.
As you have neither a valid client_id nor a redirect_uri, you cannot redirect the user back to the OAuth client application with an appropriate error. In this case I strongly suggest sending a human-friendly HTML error page.
4.1.2.1. Error Response
If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
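The two answers above split authorize-endpoint errors into two classes: client_id and redirect_uri problems answered directly to the resource owner with a 400 (no redirect), and every other error delivered to the client through the validated redirect_uri. The following is an added example of that decision logic, not code from either answer; the client registry, `REGISTERED_CLIENTS`, and the function names are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed registry (hypothetical): client_id -> exact registered redirect URIs.
REGISTERED_CLIENTS = {
    "demo-client": ["https://app.example.com/callback"],
}
NO_STORE = {"Cache-Control": "no-store", "Pragma": "no-cache"}


def owner_error_page(message):
    """Non-redirectable error: inform the resource owner with a plain 400 page."""
    headers = dict(NO_STORE, **{"Content-Type": "text/html; charset=utf-8"})
    return 400, headers, "<h1>Authorization request rejected</h1><p>%s</p>" % message


def client_error_redirect(redirect_uri, error, description, state):
    """Redirectable error (RFC 6749 4.1.2.1): send it to the client via the validated
    redirect_uri, keeping its existing query, dropping any fragment, echoing state."""
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query) + [("error", error), ("error_description", description)]
    if state is not None:
        query.append(("state", state))
    location = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))
    return 302, dict(NO_STORE, Location=location), ""


def handle_authorize(params, clients=REGISTERED_CLIENTS):
    """Return (status, headers, body) for an authorization request given as a dict."""
    client_id, redirect_uri, state = params.get("client_id"), params.get("redirect_uri"), params.get("state")

    # 1. client_id / redirect_uri problems MUST NOT redirect (4.1.2.1).
    registered = clients.get(client_id, []) if client_id else []
    if not registered:
        return owner_error_page("missing or unknown client_id")
    if redirect_uri is None:
        if len(registered) != 1:  # omission only works with exactly one registered URI (3.1.2.3)
            return owner_error_page("redirect_uri is required for this client")
        redirect_uri = registered[0]
    elif redirect_uri not in registered:  # exact string match; no prefix or substring matching
        return owner_error_page("redirect_uri does not match a registered URI")

    # 2. Everything else is reported to the client through the now-trusted redirect_uri.
    response_type = params.get("response_type")
    if response_type is None:
        return client_error_redirect(redirect_uri, "invalid_request", "response_type is required", state)
    if response_type != "code":
        return client_error_redirect(redirect_uri, "unsupported_response_type", "only code is supported", state)

    # 3. Valid request: authenticate the resource owner and ask for consent (not shown here).
    return 200, dict(NO_STORE, **{"Content-Type": "text/html; charset=utf-8"}), "<h1>Consent page</h1>"
```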