Brightspace / D2L.Security.OAuth2

Brightspace OAuth 2.0 for C#
Apache License 2.0

Include reason for rejecting token if the route expects a service-level token, and a user-level was provided (and vice versa) #40

Open mtseD2L opened 8 years ago

mtseD2L commented 8 years ago

If a controller / route(?) is marked with [Authentication( users: true )], but a service-level token is provided, the client is presented with `{"Message":"Authorization has been denied for this request."}` in the response.

(Not sure if there are any security concerns with explaining why).

Versions used:

<package id="D2L.Security.OAuth2" version="4.4.3.0" targetFramework="net452" />
<package id="D2L.Security.OAuth2.WebApi" version="3.3.1.0" targetFramework="net452" />

j3parker commented 8 years ago

Nah we can definitely do better than that. There may also be OAuth 2.0 mandated errors for those scenarios (see also #39)

I think we need to figure out a strategy for how to deal with exceptions across services and libraries. I'm gonna write a little proposal.
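As an added illustration of the behaviour this issue asks for (not code from D2L.Security.OAuth2), the check below mirrors an `[Authentication( users: ..., services: ... )]` style route marker and, when the wrong kind of token is presented, answers with the RFC 6750 bearer-token error vocabulary (`WWW-Authenticate: Bearer ... error="invalid_token"`) rather than a bare "Authorization has been denied". The claim layout (a `sub` claim marks a user-level token, its absence a service-level one) and the `check_route` function are assumptions made here for the example; the reason it reports stays at the category level so nothing about the token's contents leaks.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Decision:
    allowed: bool
    status: int
    www_authenticate: Optional[str] = None  # value for the WWW-Authenticate header


def token_kind(claims: dict) -> str:
    # Assumption for this example: user-level tokens carry a "sub" claim naming the
    # user, service-level tokens do not. Real token formats may differ.
    return "user" if claims.get("sub") else "service"


def check_route(claims: Optional[dict], users: bool, services: bool) -> Decision:
    """Decide whether a token may reach a route that accepts user and/or service tokens.

    Hypothetical helper; the returned header follows RFC 6750 section 3.
    """
    if not users and not services:
        raise ValueError("route accepts neither user nor service tokens (misconfiguration)")
    if claims is None:
        # No credential presented at all: RFC 6750 says to omit the error attribute.
        return Decision(False, 401, 'Bearer realm="api"')
    kind = token_kind(claims)
    if (kind == "user" and users) or (kind == "service" and services):
        return Decision(True, 200)
    expected = " or ".join(k for k, ok in (("user", users), ("service", services)) if ok)
    # The reason names only the token category expected vs. presented, never any
    # claim values, so explaining the rejection does not disclose token internals.
    desc = f"route requires a {expected}-level token but a {kind}-level token was presented"
    header = f'Bearer realm="api", error="invalid_token", error_description="{desc}"'
    return Decision(False, 401, header)
```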