Merge pull request #164 from dahlia/fix/163

ThisIsMissEm · web-flow · commit 41670f18fac1 · 2025-06-05T13:30:32.000+02:00
Allow extra parameters in `POST /oauth/token`
diff --git a/CHANGES.md b/CHANGES.md
@@ -6,6 +6,16 @@ Version 0.6.1
 
 To be released.
 
+ -  Fixed `POST /oauth/token` endpoint rejecting requests with additional
+    parameters not required by RFC 6749 but commonly sent by clients.
+    The endpoint now gracefully ignores extra parameters like `scope` in
+    `authorization_code` requests and `redirect_uri` in `client_credentials`
+    requests instead of returning validation errors.
+    [[#163], [#164] by Hong Minhee]
+
+[#163]: https://github.com/fedify-dev/hollo/issues/163
+[#164]: https://github.com/fedify-dev/hollo/pull/164
+
 
 Version 0.6.0
 -------------
diff --git a/src/oauth.test.ts b/src/oauth.test.ts
@@ -1368,12 +1368,21 @@ describe.sequential("OAuth", () => {
       expect(responseBody.error).toBe("unsupported_grant_type");
     });
 
-    // Invalid request
-    it("cannot use unknown parameters", async () => {
-      expect.assertions(4);
+    it("can accept scope for authorization_code requests", async () => {
+      expect.assertions(7);
+
+      const accessGrant = await createAccessGrant(
+        application.id,
+        account.id,
+        ["read:accounts"],
+        OOB_REDIRECT_URI,
+      );
+
       const body = new FormData();
-      body.set("grant_type", "client_credentials");
+      body.set("grant_type", "authorization_code");
       body.set("redirect_uri", OOB_REDIRECT_URI);
+      body.set("code", accessGrant.code);
+      body.set("scope", "follow");
 
       const response = await app.request("/oauth/token", {
         method: "POST",
@@ -1383,13 +1392,44 @@ describe.sequential("OAuth", () => {
         body,
       });
 
-      expect(response.status).toBe(400);
-      expect(response.headers.get("content-type")).toBe("application/json");
+      expect(response.status).toBe(200);
+      expect(response.headers.get("Content-Type")).toBe("application/json");
 
       const responseBody = await response.json();
+      expect(typeof responseBody).toBe("object");
+      expect(responseBody).toHaveProperty("access_token");
+      expect(responseBody).toHaveProperty("created_at");
+      expect(responseBody.scope).toBe("read:accounts");
+      expect(responseBody.token_type).toBe("Bearer");
+    });
 
+    it("can accept redirect_uri for client_credentials requests", async () => {
+      expect.assertions(7);
+
+      const body = new FormData();
+      body.set("grant_type", "client_credentials");
+      body.set("scope", "read:accounts");
+      body.set("redirect_uri", OOB_REDIRECT_URI);
+
+      const response = await app.request("/oauth/token", {
+        method: "POST",
+        headers: {
+          authorization: basicAuthorization(application),
+        },
+        body,
+      });
+
+      // No redirection happens here, since redirect_uri is not used in
+      // client_credentials flow, so we expect a 200 OK response:
+      expect(response.status).toBe(200);
+      expect(response.headers.get("Content-Type")).toBe("application/json");
+
+      const responseBody = await response.json();
       expect(typeof responseBody).toBe("object");
-      expect(responseBody.error).toBe("invalid_request");
+      expect(responseBody).toHaveProperty("access_token");
+      expect(responseBody).toHaveProperty("created_at");
+      expect(responseBody.scope).toBe("read:accounts");
+      expect(responseBody.token_type).toBe("Bearer");
     });
   });
 
diff --git a/src/oauth.tsx b/src/oauth.tsx
@@ -213,15 +213,23 @@ const INVALID_GRANT_ERROR = {
 };
 
 const tokenRequestSchema = z.discriminatedUnion("grant_type", [
-  z.strictObject({
+  // Use z.object() instead of z.strictObject() to allow clients to send
+  // additional parameters like 'redirect_uri' which are commonly sent but not
+  // required by RFC 6749 for client_credentials grant type.
+  // See also <https://github.com/fedify-dev/hollo/issues/163>:
+  z.object({
     grant_type: z.literal("client_credentials"),
     scope: scopesSchema.optional(),
     // client_id and client_secret are present but consumed by the
     // clientAuthentication middleware:
     client_id: z.string().optional(),
     client_secret: z.string().optional(),
   }),
-  z.strictObject({
+  // Use z.object() instead of z.strictObject() to allow clients to send
+  // additional parameters like 'scope' which are commonly sent but not
+  // required by RFC 6749 for authorization_code grant type.
+  // See also <https://github.com/fedify-dev/hollo/issues/163>:
+  z.object({
     grant_type: z.literal("authorization_code"),
     redirect_uri: z.string().url(),
     code: z.string(),
