jaredhanson / passport-oauth2

OAuth 2.0 authentication strategy for Passport and Node.js.
https://www.passportjs.org/packages/passport-oauth2/?utm_source=github&utm_medium=referral&utm_campaign=passport-oauth2&utm_content=about
MIT License
607 stars 343 forks source link

Don't swallow error if error and error_description are provided #172

Open mvakula opened 2 years ago

mvakula commented 2 years ago

The OAuth2 spec states the authorization server should respond with a HTTP 400 if there is an error in the access token response. The details of the error are conveyed in the error, error_description, and error_uri fields in the response.

GitHub OAuth does not follow this spec exactly and can return an error response (examples) with HTTP code 200. In this case, the error from GitHub is swallowed and instead we return a generic error. This makes it difficult to debug exactly what went wrong when GitHub returns an access token response error.