Error response code not compliant to RFC 6749 #2545
Comments
|
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/186262249 The labels on this github issue will be updated when the story is started. |
cf-foundation-community-automation
bot
moved this to Inbox
in Foundational Infrastructure Working Group
|
Is there any update on the same? |
|
Hi @neelalex Ok, I simply checked client credential agains some others. Others reply with 401 Azure tells a long story in error_description, but also invalid_client in error So yes, we should fix it in UAA. Are you able to create a fixing PR ? This would increase the time until we get the fix. |
|
@Tallicia FYI, BadCredential in UAA is not from OAuth2Exception , so we should move to own Exception . In spring-security-oauth2 library there would be an extra Exception -> BadClientCredentialsException, but this is depcrecated because the library is depcrecated... so we need to do it on our own |
|
Hi team, |
|
yes the PR is in review, it is small but we need some time. We will change only the error text, but if a client would use exsisting error text, it would fail |
return invalid_client in oauth2 error response body Fix for issue #2545
return invalid_client in oauth2 error response body Fix for issue #2545
|
created #2596 as alternative |
github-project-automation
bot
moved this from Inbox
to Done
in Foundational Infrastructure Working Group
return invalid_client in oauth2 error response body Fix for issue #2545
Starting on version 76.26.0 of UAA a change was made that changes the behavior more context in cloudfoundry/uaa#2545 Signed-off-by: João Pereira <[email protected]>
cf auth some-username some-password Returns before UAA 76.26.0 unauthorized, after invalid_client Reason is: cloudfoundry/uaa#2545
Starting on version 76.26.0 of UAA a change was made that changes the behavior more context in cloudfoundry/uaa#2545 Signed-off-by: João Pereira <[email protected]>
* Ensure correct pool is being used for PRs * Use integration workflow directly from unit tests * Provide secret directly instead of using env variable * Remove check for Server header in curl request tests Starting on version 1.181.0, capi will no longer report the version of the nginx server to ensure that no information is leaked. For more information check cloudfoundry/capi-release#406 * Change in response from UAA Starting on version 76.26.0 of UAA a change was made that changes the behavior more context in cloudfoundry/uaa#2545 Signed-off-by: João Pereira <[email protected]>
Starting on version 76.26.0 of UAA a change was made that changes the behavior more context in cloudfoundry/uaa#2545 Signed-off-by: João Pereira <[email protected]>
* Ensure correct pool is being used for PRs * Use integration workflow directly from unit tests * Provide secret directly instead of using env variable * Remove check for Server header in curl request tests Starting on version 1.181.0, capi will no longer report the version of the nginx server to ensure that no information is leaked. For more information check cloudfoundry/capi-release#406 * Change in response from UAA Starting on version 76.26.0 of UAA a change was made that changes the behavior more context in cloudfoundry/uaa#2545 Signed-off-by: João Pereira <[email protected]>
Starting on version 76.26.0 of UAA a change was made that changes the behavior more context in cloudfoundry/uaa#2545 Signed-off-by: João Pereira <[email protected]>
* Ensure correct pool is being used for PRs * Use integration workflow directly from unit tests * Provide secret directly instead of using env variable * Remove check for Server header in curl request tests Starting on version 1.181.0, capi will no longer report the version of the nginx server to ensure that no information is leaked. For more information check cloudfoundry/capi-release#406 * Change in response from UAA Starting on version 76.26.0 of UAA a change was made that changes the behavior more context in cloudfoundry/uaa#2545 * Revert min-capi tests introduction * Incorrect merge of cherry-pick Signed-off-by: João Pereira <[email protected]>
What version of UAA are you running?
76.22.0 (latest)
How are you deploying the UAA?
as part of a commercial Cloud Foundry distribution
What did you do?
I am trying to generate access tokens using the token endpoint -
{authenticationUrl}/oauth/tokenWhat did you expect to see? What goal are you trying to achieve with the UAA?
with invalid client credentials, the error response was expected to be as follows:
- “error”: “invalid_grant”
What did you see instead?
with invalid client credentials, the error response is as follows:
- “error”: “unauthorized”
Question 1: in RFC6749 section 5.2 - “unauthorized” is not in the list of allowed ‘error codes’. We should use an error response code from this available list of codes.
Question 2: in RFC6749 section 5.2 - suggests a 400 unless specified otherwise. Any reason why we use a 401?
The text was updated successfully, but these errors were encountered: