oauth2-client icon indicating copy to clipboard operation
oauth2-client copied to clipboard
verified publisher icon badgateway

Potential loss of information when failing to get a token

Open paul-hicks-nz opened this issue 1 year ago • 2 comments

I've come across a response from a request('tokenEndpoint') which includes a property in the response body that OAuth2Client is ignoring. I've checked the RFC, and there's no "MUST NOT" or similar forbidding extra properties. And at least for this OAuth server, the ignored property would have been very useful to see earlier!

{
  error: "invalid_request",
  error_description: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.",
  hint: "Authorization code has expired",
  message: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.",
}

I'd like to request that the responseBody be included in the thrown OAuth2Error at the end of request(), so that non-standard properties like hint can be found by developers.

paul-hicks-nz avatar Jun 10 '24 22:06 paul-hicks-nz

worth looking into. Got any information about what is producing this?

evert avatar Jun 10 '24 22:06 evert

In my case, it was the API at oauth.workflowmax2.com/oauth/. A quick search has found that "hint" header elsewhere:

  • https://github.com/supabase/auth-helpers/issues/388
  • https://github.com/ppy/osu-web/pull/8177

paul-hicks-nz avatar Jun 18 '24 02:06 paul-hicks-nz