
Commit eb87013

committed
Correct return
1 parent e10a04e commit eb87013


2 files changed

+17
-6
lines changed


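--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -437,11 +437,11 @@ func AuthorizeOAuth(ctx *context.Context) {
 // https://datatracker.ietf.org/doc/html/rfc7636#section-4.4.1
 handleAuthorizeError(ctx, AuthorizeError{
 ErrorCode: ErrorCodeInvalidRequest,
-ErrorDescription: "",
+ErrorDescription: "PKCE is required for public clients",
 State: form.State,
 }, form.RedirectURI)
+return
 }
-return
 default:
 // "If the server supporting PKCE does not support the requested transformation, the authorization endpoint MUST return the authorization error response with "error" value set to "invalid_request"."
 // https://www.rfc-editor.org/rfc/rfc7636#section-4.4.1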
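Review bot: The regression fixed here — `return` sitting after the closing brace so that the non-error path of this case also left AuthorizeOAuth early — is not covered by the test added in this commit, which exercises `/login/oauth/access_token` rather than the authorize endpoint, so nothing stops the `return` from drifting back out of the `if`. A short why-comment on the moved line would help the next reader see that it is deliberate, e.g. `// the error redirect has been issued; stop here so valid PKCE requests below keep flowing` (whether handleAuthorizeError itself ends the request cannot be seen in this hunk, so adjust the wording to match it). AuthorizeOAuth starts and ends outside the hunk, and the enclosing `switch` and `case` are not visible either.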

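--- a/tests/integration/oauth_test.go
+++ b/tests/integration/oauth_test.go
@@ -171,15 +171,26 @@ func TestAccessTokenExchangeWithInvalidCredentials(t *testing.T) {
 func TestAccessTokenExchangeForPublicClient(t *testing.T) {
 defer tests.PrepareTestEnv(t)()
 req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
-"grant_type": "authorization_code",
-"client_id": "ce5a1322-42a7-11ed-b878-0242ac120002",
-// client_secret not required for public client
+"grant_type": "authorization_code",
+"client_id": "ce5a1322-42a7-11ed-b878-0242ac120002",
+"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
 // redirect port may vary
 "redirect_uri": "http://127.0.0.1:3456",
 "code": "authcodepublic",
-"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt", // test PKCE additionally
+"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",
 })
 MakeRequest(t, req, http.StatusOK)
+
+req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
+"grant_type": "authorization_code",
+"client_id": "ce5a1322-42a7-11ed-b878-0242ac120002",
+"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
+// redirect port may vary
+"redirect_uri": "http://127.0.0.1:3456",
+"code": "authcodepublic",
+// omit PKCE
+})
+MakeRequest(t, req, http.StatusBadRequest)
 }
 
 func TestAccessTokenExchangeWithBasicAuth(t *testing.T) {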
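Review bot: The second request reuses `"code": "authcodepublic"` right after the first exchange of that same code returned 200, so if the server invalidates an authorization code once it has been redeemed (the single-use rule of RFC 6749 §4.1.2), the `http.StatusBadRequest` assertion would pass because the code is spent, not because `code_verifier` was omitted — the "omit PKCE" case would then be untested. Sending the PKCE-less request first, or using a second fixture code, and asserting on the returned error (e.g. decoding the body and checking the `error` value is `invalid_request`) would pin the intended behaviour; the exact response shape is not visible here, so mirror what the neighbouring tests in this file check. Separately, a test named for a public client now sends `client_secret`, and the removed comment said a secret is not required for public clients; if the fixture client is still registered as public, the first request no longer exercises the secret-less path, and a comment explaining why the secret is now sent would avoid the next reader reverting it.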
