
Commit 7c95b21

author
Ioannis Kakavas
committed
Adapted error handling
1. Make sure we always return an OIDC error to the requester. 2. Reduce the attack surface for injections in a web context by not reflecting user input. 3. Log all errors with details on the provider side for ease of troubleshooting.
1 parent fb5f1c7 commit 7c95b21

1 file changed

Lines changed: 10 additions & 7 deletions


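--- a/src/pyop/request_validator.py
+++ b/src/pyop/request_validator.py
@@ -29,27 +29,29 @@ def client_id_is_known(provider, authentication_request):
     :raise InvalidAuthenticationRequest: if the client_id is unknown
     """
     if authentication_request['client_id'] not in provider.clients:
-        raise InvalidAuthenticationRequest('Unknown client_id \'{}\''.format(authentication_request['client_id']),
+        logger.error('Unknown client_id \'{}\''.format(authentication_request['client_id']))
+        raise InvalidAuthenticationRequest('Unknown client_id',
                                            authentication_request,
                                            oauth_error='unauthorized_client')
 
-
 def redirect_uri_is_in_registered_redirect_uris(provider, authentication_request):
     """
     Verifies the redirect uri is registered for the client making the request.
     :param provider: provider instance
     :param authentication_request: authentication request to verify
     :raise InvalidAuthenticationRequest: if the redirect uri is not registered
     """
-    error = InvalidAuthenticationRequest('Redirect uri \'{}\' is not registered'.format(
-        authentication_request['redirect_uri']), authentication_request)
+    error = InvalidAuthenticationRequest('Redirect uri is not registered',
+                                         authentication_request,
+                                         oauth_error="invalid_request")
     try:
         allowed_redirect_uris = provider.clients[authentication_request['client_id']]['redirect_uris']
     except KeyError as e:
         logger.error('client metadata is missing redirect_uris')
         raise error
 
     if authentication_request['redirect_uri'] not in allowed_redirect_uris:
+        logger.error("Redirect uri \'{0}\' is not registered for this client".format(authentication_request['redirect_uri']))
         raise error
 
 
@@ -60,16 +62,17 @@ def response_type_is_in_registered_response_types(provider, authentication_reque
     :param authentication_request: authentication request to verify
     :raise InvalidAuthenticationRequest: if the response type is not allowed
     """
-    error = InvalidAuthenticationRequest('Response type \'{}\' is not registered'.format(
-        ' '.join(authentication_request['response_type'])),
-        authentication_request, oauth_error='invalid_request')
+    error = InvalidAuthenticationRequest('Response type is not registered',
+                                         authentication_request,
+                                         oauth_error='invalid_request')
     try:
         allowed_response_types = provider.clients[authentication_request['client_id']]['response_types']
     except KeyError as e:
         logger.error('client metadata is missing response_types')
         raise error
 
     if not is_allowed_response_type(authentication_request['response_type'], allowed_response_types):
+        logger.error('Response type \'{}\' is not registered'.format(' '.join(authentication_request['response_type'])))
         raise error
 
 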