
Consider enhancing OAuth2Error with specific error codes

Open Yneth opened this issue 2 years ago • 4 comments

Expected Behavior

I want to have the option to override OAuth2 Error codes that are thrown from the spring-authorization-server source code.

Current Behavior

I am not able to override default OAuth2 Error codes.

Context

In our project, we want to provide more meaningful error codes to clients, as sometimes the standard OAuth2 error codes are too vague, such as invalid_grant. In our client's code, we want to have specific error codes for each problem so that they can handle each case differently.

We can currently map error codes by parsing the error_description, but we want to avoid that.

It would be amazing if we had either (A) more detailed error codes or (B) an additional internal list of error codes that would allow for more precise usage.

I understand it could violate the RFC, but we are ok with that.

Example

Option A: instead of just invalid_request, say missing_client_id

Option B: send both invalid_request and missing_client_id

Yneth, May 27 '23 11:05

@Yneth The Protocol Endpoints provide hooks into customizing the error response (including error code) by configuring a custom AuthenticationFailureHandler. For example, the Token Endpoint provides authorizationServerConfigurer.tokenEndpoint.errorResponseHandler() for customizing the OAuth2Error response.

FYI, we're also planning on writing a How-to guide in gh-541.

I'll close this as customizing the error response is available.

jgrandja, May 30 '23 12:05

I will try to explain my issue better, as in my case using AuthenticationFailureHandler is not enough. Let's consider the following lines of code:

  • https://github.com/spring-projects/spring-authorization-server/blob/main/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java#L147
  • https://github.com/spring-projects/spring-authorization-server/blob/main/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java#L152

In those two cases, it would be impossible to enrich the error code to something more granular, like invalid_client_id or invalid_redirect_uri, as in AuthenticationFailureHandler we are dealing with an OAuth2AuthenticationException that holds no additional info.

  • https://github.com/spring-projects/spring-authorization-server/blob/main/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java#L108

In this case, we could potentially parse the error description, but it is not something we would like to do in our code base, as it will be unstable between releases.

Yneth, May 30 '23 12:05
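As an added illustration of the hook jgrandja describes (tokenEndpoint().errorResponseHandler()) and of the limitation Yneth raises above, here is example code written for this page; it is not code from the Spring Authorization Server project or from either commenter. It assumes a Spring Boot 3 / Spring Authorization Server 1.x application (jakarta.servlet imports, the applyDefaultSecurity(...) wiring that was current when this issue was filed), and the field name error_detail and the detail codes it emits (missing_grant_type, missing_code, missing_refresh_token) are invented for the example, not values defined by the project or by RFC 6749.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

/**
 * Hypothetical token-endpoint failure handler (Option B from the issue): keeps the
 * standard "error" / "error_description" fields and adds a non-standard "error_detail"
 * field. The detail is derived only from the OAuth2Error code and the request
 * parameters, never by parsing error_description.
 */
public class DetailedTokenErrorResponseHandler implements AuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException {
        // Everything the handler can see about the failure is this OAuth2Error:
        // error code, description and (optional) URI. Nothing else is attached.
        OAuth2Error error = (exception instanceof OAuth2AuthenticationException oae)
                ? oae.getError()
                : new OAuth2Error(OAuth2ErrorCodes.SERVER_ERROR);

        Map<String, String> body = new LinkedHashMap<>();
        body.put("error", error.getErrorCode());
        if (error.getDescription() != null) {
            body.put("error_description", error.getDescription());
        }
        String detail = detailCode(error.getErrorCode(), request);
        if (detail != null) {
            body.put("error_detail", detail); // assumed, non-standard field name
        }

        // Same status mapping as the default response: 401 for invalid_client, 400 otherwise.
        response.setStatus(OAuth2ErrorCodes.INVALID_CLIENT.equals(error.getErrorCode())
                ? HttpStatus.UNAUTHORIZED.value() : HttpStatus.BAD_REQUEST.value());
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        response.setHeader("Cache-Control", "no-store");
        response.getWriter().write(toJson(body));
        response.getWriter().flush();
    }

    /**
     * Granularity that can be recovered from the request alone. Returns null when the
     * exception gives no basis for a more specific code, which is exactly the case for
     * the invalid_grant / invalid_client checks the issue points at.
     */
    static String detailCode(String errorCode, HttpServletRequest request) {
        if (!OAuth2ErrorCodes.INVALID_REQUEST.equals(errorCode)) {
            return null;
        }
        String grantType = request.getParameter("grant_type");
        if (grantType == null || grantType.isBlank()) {
            return "missing_grant_type";
        }
        if ("authorization_code".equals(grantType) && request.getParameter("code") == null) {
            return "missing_code";
        }
        if ("refresh_token".equals(grantType) && request.getParameter("refresh_token") == null) {
            return "missing_refresh_token";
        }
        return null;
    }

    // Minimal JSON serialisation for flat string maps; avoids pulling in a JSON library here.
    private static String toJson(Map<String, String> fields) {
        StringBuilder sb = new StringBuilder("{");
        String sep = "";
        for (Map.Entry<String, String> e : fields.entrySet()) {
            sb.append(sep).append('"').append(escape(e.getKey())).append("\":\"")
              .append(escape(e.getValue())).append('"');
            sep = ",";
        }
        return sb.append('}').toString();
    }

    private static String escape(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"").replace("\n", "\\n").replace("\r", "\\r");
    }
}

/** Wiring the handler into the token endpoint (assumed 1.x configuration style). */
@Configuration
class AuthorizationServerErrorConfig {

    @Bean
    SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
            .tokenEndpoint(tokenEndpoint -> tokenEndpoint
                .errorResponseHandler(new DetailedTokenErrorResponseHandler()));
        return http.build();
    }
}
```

The handler shows both halves of the thread: the hook does let you reshape the whole response body, but the only failure-specific input it receives is the OAuth2Error itself, so a more precise code can be added only where the request parameters already reveal the cause. It also shows why invalid_client and invalid_grant are deliberately left undifferentiated here: splitting them into, say, "unknown client" versus "wrong secret" or "unknown code" versus "code issued to another client" tells an unauthenticated caller which identifiers exist, which is the information-leak trade-off any internal error-code list has to weigh.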

@jgrandja

Yneth, May 30 '23 12:05

Thanks for the explanation @Yneth. I've re-opened the issue and we'll give it some further thought.

jgrandja, May 30 '23 18:05