Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: return invalid_grant error for invalid or expired auth codes #1952

Merged
merged 2 commits into from
Feb 10, 2021

Conversation

nabokihms
Copy link
Member

Signed-off-by: m.nabokikh maksim.nabokikh@flant.com

Overview

Change returning error for invalid auth codes.

What this PR does / why we need it

The https://tools.ietf.org/html/rfc6749#section-5.2 says that we MUST return invalid_grant error for invalid auth codes.

Special notes for your reviewer

Returning correct (according to RFC) errors is required to pass OpenID certification tests.

Does this PR introduce a user-facing change?

Return invalid_grant error if auth code is invalid or expired.

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
@@ -811,7 +811,7 @@ func (s *Server) handleAuthCode(w http.ResponseWriter, r *http.Request, client s
s.logger.Errorf("failed to get auth code: %v", err)
s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
} else {
s.tokenErrHelper(w, errInvalidRequest, "Invalid or expired code parameter.", http.StatusBadRequest)
s.tokenErrHelper(w, errInvalidGrant, "Invalid or expired code parameter.", http.StatusBadRequest)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we should check if the code is missing/empty first (and return invalid_request if so). WDYT?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like your assumption is right, but I need to check it first.

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
Copy link
Member

@sagikazarmark sagikazarmark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@sagikazarmark sagikazarmark added this to the v2.28.0 milestone Feb 10, 2021
@sagikazarmark sagikazarmark merged commit 9b1ecac into dexidp:master Feb 10, 2021
xtremerui pushed a commit to concourse/dex that referenced this pull request Mar 16, 2021
The official docker release for this release can be pulled from

```
ghcr.io/dexidp/dex:v2.28.0
```

**Features:**

- Add c_hash to id_token, issued on /auth endpoint, when in hybrid flow (dexidp#1773, @HEllRZA)
- Allow configuration of returned auth proxy header (dexidp#1839, @seuf)
- Allow to disable os.ExpandEnv for storage + connector configs by env variable DEX_EXPAND_ENV = false (dexidp#1902, @heidemn-faro)
- Added the possibility to activate lowercase for UPN-Strings (dexidp#1888, @VF-mbrauer)
- Add "Cache-control: no-store" and "Pragma: no-cache" headers to token responses (dexidp#1948, @nabokihms)
- Add gomplate to the docker image (dexidp#1893, @nabokihms)
- Graceful shutdown (dexidp#1963, @nabokihms)
- Allow public clients created with API to have no client_secret (dexidp#1871, @spohner)

**Bugfixes:**

- Fix the etcd PKCE AuthCode deserialization (dexidp#1908, @bnu0)
- Fix garbage collection logging of device codes and device request (dexidp#1918, @nabokihms)
- Discovery endpoint contains updated claims and auth methods (dexidp#1951, @nabokihms)
- Return invalid_grant error if auth code is invalid or expired (dexidp#1952, @nabokihms)
- Return an error to auth requests with the "request" parameter (dexidp#1956, @nabokihms)

**Minor changes:**

- Change default themes to light/dark (dexidp#1858, @nabokihms)
- Various developer experience improvements
- Dependency upgrades
- Tons of small fixes and changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants