Skip to content

Incorrect handling of user "denial" in AuthorizeHandler.prototype.handle #456

Description

@kryysler

According to https://tools.ietf.org/html/rfc6749#section-4.1.2.1, the access_denied scenario should produce a redirect_uri (if valid) with appropriate "error" params set. Currently, however, the access ("request.query.allowed") is checked before validating the input params, including the redirect_uri, and throws an exception instead.

https://github.com/oauthjs/node-oauth2-server/blob/master/lib/handlers/authorize-handler.js#L81

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions