
State parameter not preserved in authentication error response #1642

Closed
tutman96 opened this issue Nov 21, 2019 · 6 comments
Labels
bug Something is not working.

Comments

@tutman96
Contributor

Describe the bug

When a client is requesting authentication with invalid scopes, the invalid_scope error is triggered and returned to the client in an authentication error response. However, if a state parameter is passed in the authentication request, it is not passed back in the response as described in https://openid.net/specs/openid-connect-core-1_0.html#AuthError.

This was actually found by accident when using oidc-client and requesting an invalid scope. The requests looked as follows:

OAuth Authentication Request:

http://hydra:4444/oauth2/auth?
	client_id=client1&
	redirect_uri=http%3A%2F%2Flocalhost%3A9020%2Fcallback&
	response_type=code&
	scope=openid%20offline%20fake&
	state=2142791b8b11401ea4925e904a47e5d3&
	response_mode=query

Authentication Response:

http://localhost:9020/callback?
	error=invalid_scope&
	error_description=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed&
	error_hint=The+OAuth+2.0+Client+is+not+allowed+to+request+scope+%22fake%22.&
	state=

Notice that the state parameter is empty; the error itself, however, is correct.

Environment

  • Version: tested with v1.0.0 and v1.0.9
  • Environment: Docker

I will poke around to see if I can pinpoint the issue, just wanted to open an issue to track it.

Thanks for the great service. Honestly this is the first issue I have come across, and it is a small one at that. With Hydra, we (who shall not be named) are processing over 20,000 authorization requests a week, serving close to 1,000 users.

@tutman96
Contributor Author

It seems to me like there is a slight error in fosite (https://github.com/ory/fosite/blob/master/authorize_request_handler.go#L265) where the state parameter doesn't even get read until all of the other parameters are validated. Does this seem like the cause?
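The ordering problem described in the report and in the comment above, as an added Go example that is not Hydra's or fosite's code: a hypothetical `authorize` handler with a constructed `allowedScopes` allow-list builds the OIDC authentication error response, and the `readStateLate` switch shows why reading state only after validation yields the empty `state=` seen in the report.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Scopes this hypothetical client may request (constructed for the example).
var allowedScopes = map[string]bool{"openid": true, "offline": true}

// validateScopes returns an error naming the first scope outside the allow-list.
func validateScopes(scope string) error {
	for _, s := range strings.Fields(scope) {
		if !allowedScopes[s] {
			return fmt.Errorf("the OAuth 2.0 client is not allowed to request scope %q", s)
		}
	}
	return nil
}

// authorize parses an authentication request and builds the redirect back to
// redirect_uri. With readStateLate=true, state is only read after validation,
// so an error response carries an empty state= (the behaviour in the report);
// with false, state is captured before any check and survives into the error.
func authorize(rawQuery string, readStateLate bool) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	redirect, err := url.Parse(q.Get("redirect_uri"))
	if err != nil {
		return "", err
	}
	state := ""
	if !readStateLate {
		state = q.Get("state") // the fix: read state before validating anything
	}
	resp := url.Values{}
	if err := validateScopes(q.Get("scope")); err != nil {
		resp.Set("error", "invalid_scope")
		resp.Set("error_description", "The requested scope is invalid, unknown, or malformed")
		resp.Set("error_hint", err.Error())
	} else {
		state = q.Get("state") // late read: only reached on the success path
		resp.Set("code", "constructed-authorization-code")
	}
	resp.Set("state", state) // empty on the error path when state was read late
	redirect.RawQuery = resp.Encode()
	return redirect.String(), nil
}
```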

@aeneasr
Member

aeneasr commented Nov 21, 2019

Yes, looks like that could be the cause!

@aeneasr aeneasr added the bug Something is not working. label Nov 21, 2019
@aeneasr
Member

aeneasr commented Nov 21, 2019

Would you be up for a PR in Fosite? :)

@tutman96
Contributor Author

Opening one now :)

@tutman96
Contributor Author

PR opened. Sorry for the crudity. This is my first PR with Go, so I might have missed some style points.

aeneasr pushed a commit to ory/fosite that referenced this issue Nov 21, 2019
@aeneasr
Member

aeneasr commented Nov 21, 2019

Awesome - thanks! By bumping ory/fosite in go.mod to v0.30.2 this patch will be ingested here!
