OIDC error code & RFC6750
Concerned version
Version: 2.0.5
Platform: Nginx
Summary
Error codes returned by the token endpoint do not follow RFC 6750.
Logs
All the use cases below return the following (tested on the /oauth2/userinfo endpoint):
HTTP 401 Unauthorized
WWW-Authenticate: error=invalid_request, error_description=Access token not found in request
1/ Authorization header absent
2/ Authorization header without an access token (AT)
3/ Authorization header with invalid token
4/ Authorization header with expired token
5/ Authorization header with revoked consents (and session closed on the WebUI, cf. #1894; if the session is not closed on the WebUI with revoked consent, the response is 200 OK).
6/ Use of a wrong verb (PUT, DELETE, OPTIONS, HEAD); it should normally return HTTP 405 Method Not Allowed.
Backends used
file
Possible fixes
Follow the RFC error codes: https://tools.ietf.org/html/rfc6750#section-3.1
When a request fails, the resource server responds using the appropriate HTTP status code (typically, 400, 401, 403, or 405) and includes one of the following error codes in the response:
invalid_request: The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, uses more than one method for including an access token, or is otherwise malformed. The resource server SHOULD respond with the HTTP 400 (Bad Request) status code.
invalid_token: The access token provided is expired, revoked, malformed, or invalid for other reasons. The resource SHOULD respond with the HTTP 401 (Unauthorized) status code. The client MAY request a new access token and retry the protected resource request.
insufficient_scope: The request requires higher privileges than provided by the access token. The resource server SHOULD respond with the HTTP 403 (Forbidden) status code and MAY include the "scope" attribute with the scope necessary to access the protected resource.
If the request lacks any authentication information (e.g., the client was unaware that authentication is necessary or attempted using an unsupported authentication method), the resource server SHOULD NOT include an error code or other error information.
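As an added illustration of the mapping above (not code from the project this issue is filed against), the following Python function takes the six use cases from the Logs section and returns the status code and WWW-Authenticate challenge that RFC 6750 section 3 prescribes for each. The token store, realm name, fixed clock and function names are constructed for the example; only the Authorization-header transport is handled, since that is what the reported cases exercise. Note that the challenge carries the "Bearer" auth-scheme and quotes every attribute, which the response quoted in the Logs section also lacks.

```python
"""Added example: RFC 6750 section 3.1 error handling for a bearer-protected
resource such as /oauth2/userinfo.  Token store, realm, clock and names are
constructed for illustration; this is not the project's own code."""
from typing import Dict, Mapping, Optional, Tuple

REALM = "userinfo"                  # assumed realm name for the challenge
ALLOWED_METHODS = ("GET", "POST")   # the methods RFC 6750 defines for carrying a bearer token

# Constructed sample token store: expiry (unix seconds), revocation flag, granted scopes.
NOW = 1_700_000_000                 # fixed clock so the results are deterministic
TOKENS: Dict[str, dict] = {
    "good-token":    {"exp": NOW + 3600, "revoked": False, "scope": {"openid", "profile"}},
    "expired-token": {"exp": NOW - 1,    "revoked": False, "scope": {"openid", "profile"}},
    "revoked-token": {"exp": NOW + 3600, "revoked": True,  "scope": {"openid", "profile"}},
    "narrow-token":  {"exp": NOW + 3600, "revoked": False, "scope": {"openid"}},
}


def bearer_challenge(error: Optional[str] = None, description: Optional[str] = None,
                     scope: Optional[str] = None) -> str:
    """Build a WWW-Authenticate value: the scheme MUST be "Bearer" and each
    attribute is a quoted string (RFC 6750 section 3)."""
    attrs = [f'realm="{REALM}"']
    if error:
        attrs.append(f'error="{error}"')
    if description:
        attrs.append(f'error_description="{description}"')
    if scope:
        attrs.append(f'scope="{scope}"')
    return "Bearer " + ", ".join(attrs)


def userinfo_response(method: str, headers: Mapping[str, str],
                      required_scope: str = "openid",
                      now: int = NOW) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers) for a protected-resource request."""
    if method not in ALLOWED_METHODS:
        # Case 6: wrong verb. Reject before looking at any credential.
        return 405, {"Allow": ", ".join(ALLOWED_METHODS)}

    # Header names are case-insensitive, so look the header up that way.
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None:
        # Case 1: no authentication information at all -> bare challenge,
        # no error code (RFC 6750 section 3.1, last paragraph).
        return 401, {"WWW-Authenticate": bearer_challenge()}

    scheme, _, token = auth.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token or " " in token:
        # Case 2: header present but empty or malformed -> invalid_request / 400.
        return 400, {"WWW-Authenticate": bearer_challenge(
            "invalid_request", "Malformed or missing bearer token in Authorization header")}

    entry = TOKENS.get(token)
    if entry is None or entry["revoked"] or entry["exp"] <= now:
        # Cases 3-5: unknown, expired or revoked token -> invalid_token / 401.
        # The RFC does not require saying which of the three applies, so one
        # generic description is used for all of them.
        return 401, {"WWW-Authenticate": bearer_challenge(
            "invalid_token", "The access token is invalid, expired or revoked")}

    if required_scope not in entry["scope"]:
        # Valid token but not enough privilege -> insufficient_scope / 403,
        # with the scope the resource actually needs.
        return 403, {"WWW-Authenticate": bearer_challenge(
            "insufficient_scope", "The access token lacks the required scope", required_scope)}

    return 200, {"Content-Type": "application/json"}


if __name__ == "__main__":
    samples = [("GET", {}),
               ("PUT", {"Authorization": "Bearer good-token"}),
               ("GET", {"Authorization": "Bearer"}),
               ("GET", {"Authorization": "Bearer expired-token"}),
               ("GET", {"Authorization": "Bearer good-token"})]
    for m, h in samples:
        print(m, h, "->", userinfo_response(m, h))
```

Running the script prints one line per sample request; only the missing-header case yields a challenge with no error attribute, while the empty "Bearer" header is treated as malformed (invalid_request) rather than as absent authentication, which is the reading of section 3.1 the example assumes.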