When the authorization request is faulty in some way return a error response. Code flow or implicit depending on response_type. If the error has something to do with the return_uri return the response to the user not the RP.

2014-12-16 11:23:40 +01:00 · 2014-12-16 11:23:40 +01:00 · b4d82db3a1
parent 6ee5fb368c
commit b4d82db3a1
2 changed files with 22 additions and 5 deletions
--- a/src/oic/oauth2/provider.py
+++ b/src/oic/oauth2/provider.py
@ -292,11 +292,17 @@ class Provider(object):
                        status="400 Bad Request")

    @staticmethod
-    def _redirect_authz_error(error, redirect_uri, descr=None):
-        err = ErrorResponse(error=error)
+    def _redirect_authz_error(error, redirect_uri, descr=None, state="",
+                              return_type=None):
+        err = AuthorizationErrorResponse(error=error)
        if descr:
            err["error_description"] = descr
-        location = err.request(redirect_uri)
+        if state:
+            err["state"] = state
+        if return_type is None or return_type == ["code"]:
+            location = err.request(redirect_uri)
+        else:
+            location = err.request(redirect_uri, True)
        return Redirect(location)

    def _verify_redirect_uri(self, areq):
--- a/src/oic/oic/provider.py
+++ b/src/oic/oic/provider.py
@ -581,7 +581,18 @@ class Provider(AProvider):
            areq = self.server.parse_authorization_request(query=request)
        except MissingRequiredAttribute, err:
            logger.debug("%s" % err)
-            return self._error("invalid_request", "%s" % err)
+            areq = AuthorizationRequest().deserialize(request, "urlencoded")
+            try:
+                redirect_uri = self.get_redirect_uri(areq)
+            except (RedirectURIError, ParameterError), err:
+                return self._error("invalid_request", "%s" % err)
+            try:
+                _rtype = areq["response_type"]
+            except:
+                _rtype = ["code"]
+            return self._redirect_authz_error("invalid_request", redirect_uri,
+                                              "%s" % err, areq["state"],
+                                              _rtype)
        except KeyError:
            areq = AuthorizationRequest().deserialize(request, "urlencoded")
            # verify the redirect_uri
@ -597,7 +608,7 @@ class Provider(AProvider):

        if not areq:
            logger.debug("No AuthzRequest")
-            return self._error("invalid_request", "No parsable AuthzRequest")
+            return self._error("invalid_request", "Can not parse AuthzRequest")

        logger.debug("AuthzRequest: %s" % (areq.to_dict(),))
        try: