lepture / authlib

The ultimate Python library in building OAuth, OpenID Connect clients and servers. JWS,JWE,JWK,JWA,JWT included.
https://authlib.org/
BSD 3-Clause "New" or "Revised" License

Use InvalidGrantError for invalid code, redirect_uri, user #484

Closed chromakode closed 2 years ago

chromakode commented 2 years ago

Currently, when validating params of POST /token, if the code or redirect_uri is invalid, authlib returns an "invalid_request" error type.

RFC 6749 specifies that the error value will be invalid_grant in these cases:

    invalid_grant
          The provided authorization grant (e.g., authorization
          code, resource owner credentials) or refresh token is
          invalid, expired, revoked, does not match the redirection
          URI used in the authorization request, or was issued to
          another client.

Does this PR introduce a breaking change? (check one)

Clients which depend on the current behavior of error could potentially be impacted by this change.
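
The check order the PR describes, as an added example that is not authlib's own code: the error classes and in-memory code/user stores are constructed stand-ins shaped like the rfc6749 error objects, so it runs without authlib. Presence checks stay invalid_request; everything about the grant itself (unknown or expired code, code issued to another client, redirect_uri mismatch, missing user) becomes invalid_grant, and a consumed code is treated like an unknown one.

```python
"""Token-endpoint validation for grant_type=authorization_code, separating
invalid_request (malformed request) from invalid_grant (bad grant) as
RFC 6749 section 5.2 describes. Constructed example: the error classes and
stores below are stand-ins, not authlib's objects."""
from dataclasses import dataclass
from typing import Optional


class OAuth2Error(Exception):
    """Minimal stand-in for an RFC 6749 error response."""
    error = "invalid_request"
    status_code = 400

    def __init__(self, description: Optional[str] = None):
        super().__init__(description)
        self.description = description

    def get_body(self) -> dict:
        body = {"error": self.error}
        if self.description:
            body["error_description"] = self.description
        return body


class InvalidRequestError(OAuth2Error):
    """The request is missing a parameter or is otherwise malformed."""
    error = "invalid_request"


class InvalidGrantError(OAuth2Error):
    """The grant is invalid, expired, revoked, mismatched, or issued to another client."""
    error = "invalid_grant"


@dataclass
class AuthorizationCode:
    code: str
    client_id: str
    redirect_uri: Optional[str]  # None when the authorization request carried no redirect_uri
    user_id: str
    issued_at: float
    lifetime: int = 300  # seconds; codes should be short-lived

    def is_expired(self, now: float) -> bool:
        return now > self.issued_at + self.lifetime


# Constructed sample data: one live code and one whose user no longer exists.
NOW = 1_700_000_000.0
CODES = {
    "code-live": AuthorizationCode("code-live", "client-a", "https://app.example/cb", "alice", NOW - 10),
    "code-orphan": AuthorizationCode("code-orphan", "client-a", None, "ghost", NOW - 10),
}
USERS = {"alice": {"sub": "alice"}}


def validate_token_request(form: dict, client_id: str, now: float = NOW) -> dict:
    """Validate the POST /token form for an already-authenticated client.

    Returns the resolved user and code on success, raises an OAuth2Error otherwise.
    """
    code = form.get("code")
    if not code:
        # The request itself is malformed; nothing about a grant can be judged yet.
        raise InvalidRequestError('Missing "code" in request.')

    auth_code = CODES.get(code)
    if auth_code is None or auth_code.is_expired(now):
        # Unknown, already consumed, or expired code: the grant is bad.
        raise InvalidGrantError('Invalid "code" in request.')

    if auth_code.client_id != client_id:
        # RFC 6749: "was issued to another client"
        raise InvalidGrantError("The code was issued to another client.")

    if auth_code.redirect_uri and form.get("redirect_uri") != auth_code.redirect_uri:
        # RFC 6749: "does not match the redirection URI used in the authorization request"
        raise InvalidGrantError('Invalid "redirect_uri" in request.')

    user = USERS.get(auth_code.user_id)
    if user is None:
        # The case the PR adds: the code exists but authenticate_user fails.
        raise InvalidGrantError('There is no "user" for this code.')

    return {"user": user, "code": auth_code}


def token_response(form: dict, client_id: str, now: float = NOW) -> dict:
    """Run validation and render the JSON body the token endpoint would return."""
    try:
        result = validate_token_request(form, client_id, now)
    except OAuth2Error as exc:
        return exc.get_body()
    # Codes are single-use (RFC 6749 section 4.1.2): consume it so a replay gets invalid_grant.
    CODES.pop(form["code"], None)
    return {"token_type": "Bearer", "sub": result["user"]["sub"]}
```

A client that branched on the "invalid_request" string for these failures would start seeing "invalid_grant" after this change, which is the compatibility point raised in the description; the RFC-specified value is the one interoperable clients already expect.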


lepture commented 2 years ago

@chromakode some test cases are required to update.

chromakode commented 2 years ago

Tests updated!

lepture commented 2 years ago

@chromakode hi, there are still failing test cases.

chromakode commented 2 years ago

My apologies. 😣 I've fixed the tests and verified locally that the tests are passing:


I've also added one additional case which should return "invalid_grant": the missing user case when authenticate_user fails.

lepture commented 2 years ago

Thanks, I've merged it.

chromakode commented 2 years ago

Awesome, thank you!