idp_oidc: fix erroneous exception-handling at client authn time (#73990)

src/authentic2_idp_oidc/views.py

@@ -599,7 +599,7 @@ def authenticate_client(request, ratelimit=False, client=None):
         raise InvalidClient(_('Empty client identifier'))
 
     if not client_secret:
-        raise InvalidRequest('missing client_secret', client=client_id)
+        raise InvalidRequest('missing client_secret', client=client)
 
     client = get_client(client_id)
     if not client:

tests/idp_oidc/test_misc.py

@@ -1959,3 +1959,42 @@ def test_token_endpoint_code_timeout(oidc_client, oidc_settings, simple_user, ap
     freezer.move_to(datetime.timedelta(seconds=1.1))
     response = resolve_code(status=400)
     assert 'access_token' not in response.json
+
+
+def test_authenticate_client_exception_handling(app, oidc_client, simple_user, rf):
+    from authentic2_idp_oidc.views import (
+        InvalidClient,
+        InvalidRequest,
+        WrongClientSecret,
+        authenticate_client,
+    )
+
+    request = rf.get('/')
+
+    # missing client id
+    with pytest.raises(InvalidRequest):
+        authenticate_client(request, client=oidc_client)
+
+    # empty client id
+    request.POST = {'client_id': '', 'client_secret': ''}
+    with pytest.raises(InvalidClient):
+        authenticate_client(request, client=oidc_client)
+
+    # empty client secret
+    request.POST['client_id'] = 'abc'
+    with pytest.raises(InvalidRequest):
+        authenticate_client(request, client=oidc_client)
+
+    # wrong client id
+    request.POST['client_secret'] = 'def'
+    with pytest.raises(InvalidClient):
+        authenticate_client(request, client=oidc_client)
+
+    # wrong client secret
+    request.POST['client_id'] = oidc_client.client_id
+    with pytest.raises(WrongClientSecret):
+        authenticate_client(request, client=oidc_client)
+
+    # OK
+    request.POST['client_secret'] = oidc_client.client_secret
+    assert authenticate_client(request, client=oidc_client) == oidc_client