From b4d82db3a13a37e4f68f44905d7d0958f1f3a5d1 Mon Sep 17 00:00:00 2001
From: Roland Hedberg
Date: Tue, 16 Dec 2014 11:23:40 +0100
Subject: [PATCH] When the authorization request is faulty in some way return a error response. Code flow or implicit depending on response_type. If the error has something to do with the return_uri return the response to the user not the RP.
---
 src/oic/oauth2/provider.py | 12 +++++++++---
 src/oic/oic/provider.py | 15 +++++++++++++--
 2 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/src/oic/oauth2/provider.py b/src/oic/oauth2/provider.py
index 9e36aa7..6ee3f09 100644
--- a/src/oic/oauth2/provider.py
+++ b/src/oic/oauth2/provider.py
@@ -292,11 +292,17 @@ class Provider(object):
                            status="400 Bad Request")
 
     @staticmethod
-    def _redirect_authz_error(error, redirect_uri, descr=None):
-        err = ErrorResponse(error=error)
+    def _redirect_authz_error(error, redirect_uri, descr=None, state="",
+                              return_type=None):
+        err = AuthorizationErrorResponse(error=error)
         if descr:
             err["error_description"] = descr
-        location = err.request(redirect_uri)
+        if state:
+            err["state"] = state
+        if return_type is None or return_type == ["code"]:
+            location = err.request(redirect_uri)
+        else:
+            location = err.request(redirect_uri, True)
         return Redirect(location)
 
     def _verify_redirect_uri(self, areq):
diff --git a/src/oic/oic/provider.py b/src/oic/oic/provider.py
index d097409..f47e24a 100644
--- a/src/oic/oic/provider.py
+++ b/src/oic/oic/provider.py
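Review bot: `_redirect_authz_error` now builds a browser redirect to whatever `redirect_uri` it is handed and nothing in the helper checks that value, so its docstring should state the contract explicitly — the caller must already have matched `redirect_uri` against the client's registered URIs, otherwise every malformed request becomes an open redirect to an attacker-chosen location with an error payload attached. I would add a docstring saying that, and documenting that `state` is echoed back when present and that `return_type` is the parsed list form of `response_type`, with only an exact `["code"]` (or `None`) selecting query encoding and everything else the fragment. That last point is worth a comment because a caller passing the bare string `"code"` would silently fall through to the fragment branch. I am inferring that the positional `True` passed to `err.request` selects fragment encoding; if `request` accepts a keyword for it, naming it there would make the intent readable.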
@@ -581,7 +581,18 @@ class Provider(AProvider):
             areq = self.server.parse_authorization_request(query=request)
         except MissingRequiredAttribute, err:
             logger.debug("%s" % err)
-            return self._error("invalid_request", "%s" % err)
+            areq = AuthorizationRequest().deserialize(request, "urlencoded")
+            try:
+                redirect_uri = self.get_redirect_uri(areq)
+            except (RedirectURIError, ParameterError), err:
+                return self._error("invalid_request", "%s" % err)
+            try:
+                _rtype = areq["response_type"]
+            except:
+                _rtype = ["code"]
+            return self._redirect_authz_error("invalid_request", redirect_uri,
+                                              "%s" % err, areq["state"],
+                                              _rtype)
         except KeyError:
             areq = AuthorizationRequest().deserialize(request, "urlencoded")
             # verify the redirect_uri
@@ -597,7 +608,7 @@ class Provider(AProvider):
         if not areq:
             logger.debug("No AuthzRequest")
-            return self._error("invalid_request", "No parsable AuthzRequest")
+            return self._error("invalid_request", "Can not parse AuthzRequest")
         logger.debug("AuthzRequest: %s" % (areq.to_dict(),))
         try:
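Review bot: In the new `MissingRequiredAttribute` branch `areq["state"]` is read unguarded; `state` is optional in an authorization request, so a request that is both missing a required attribute and carrying no `state` raises `KeyError` inside the handler and surfaces as a server error instead of the intended error redirect — read it as `areq.get("state", "")` (or guard with `"state" in areq`) if `AuthorizationRequest` supports that, which also matches the `state=""` default of `_redirect_authz_error`. The bare `except:` around `areq["response_type"]` should be `except KeyError:` so it cannot mask unrelated failures in the same line. The ordering of the checks is the right one from a security standpoint: `get_redirect_uri` is consulted before any redirect is constructed, so an unregistered or malformed `redirect_uri` is still answered to the user via `_error` rather than bouncing the browser to an attacker-controlled URL; a one-line comment above that `try` saying so would keep a later edit from reordering it. The enclosing method starts and ends outside this hunk.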