refactor: use invalid_request instead of unauthorized_client

panva · May 20, 2023 · 7947d87 · 7947d87
1 parent e60ad2b
commit 7947d87
Show file tree

Hide file tree

Showing 9 changed files with 16 additions and 16 deletions.
diff --git a/lib/actions/authorization/check_client_grant_type.js b/lib/actions/authorization/check_client_grant_type.js
@@ -1,4 +1,4 @@
-import { UnauthorizedClient } from '../../helpers/errors.js';
+import { InvalidRequest } from '../../helpers/errors.js';
 
 export default function checkClientGrantType({ oidc: { route, client } }, next) {
   let grantType;
@@ -14,7 +14,7 @@ export default function checkClientGrantType({ oidc: { route, client } }, next)
   }
 
   if (!client.grantTypeAllowed(grantType)) {
-    throw new UnauthorizedClient(`${grantType} is not allowed for this client`);
+    throw new InvalidRequest(`${grantType} is not allowed for this client`);
   }
 
   return next();

diff --git a/lib/actions/authorization/check_response_mode.js b/lib/actions/authorization/check_response_mode.js
@@ -1,4 +1,4 @@
-import { InvalidRequest, UnauthorizedClient, UnsupportedResponseMode } from '../../helpers/errors.js';
+import { InvalidRequest, UnsupportedResponseMode } from '../../helpers/errors.js';
 import instance from '../../helpers/weak_cache.js';
 import { isFrontChannel } from '../../helpers/resolve_response_mode.js';
 
@@ -24,7 +24,7 @@ export default function checkResponseMode(ctx, next) {
   }
 
   if (!ctx.oidc.client.responseModeAllowed(mode, params.response_type, ctx.oidc.fapiProfile)) {
-    throw new UnauthorizedClient('requested response_mode is not allowed for this client or request');
+    throw new InvalidRequest('requested response_mode is not allowed for this client or request');
   }
 
   const JWT = /jwt/.test(mode);

diff --git a/lib/actions/authorization/check_response_type.js b/lib/actions/authorization/check_response_type.js
@@ -1,15 +1,15 @@
 import instance from '../../helpers/weak_cache.js';
 import {
   UnsupportedResponseType,
-  UnauthorizedClient,
+  InvalidRequest,
 } from '../../helpers/errors.js';
 
 /*
  * Validates requested response_type is supported by the provided and allowed in the client
  * configuration
  *
  * @throws: unsupported_response_type
- * @throws: unauthorized_client
+ * @throws: invalid_request
  */
 export default function checkResponseType(ctx, next) {
   const { params } = ctx.oidc;
@@ -22,7 +22,7 @@ export default function checkResponseType(ctx, next) {
   }
 
   if (!ctx.oidc.client.responseTypeAllowed(params.response_type)) {
-    throw new UnauthorizedClient('requested response_type is not allowed for this client');
+    throw new InvalidRequest('requested response_type is not allowed for this client');
   }
 
   return next();

diff --git a/lib/actions/token.js b/lib/actions/token.js
@@ -1,6 +1,6 @@
 import presence from '../helpers/validate_presence.js';
 import instance from '../helpers/weak_cache.js';
-import { UnsupportedGrantType, UnauthorizedClient } from '../helpers/errors.js';
+import { UnsupportedGrantType, InvalidRequest } from '../helpers/errors.js';
 import noCache from '../shared/no_cache.js';
 import getTokenAuth from '../shared/token_auth.js';
 import { urlencoded as parseBody } from '../shared/selective_body.js';
@@ -47,7 +47,7 @@ export default function tokenAction(provider) {
 
     async function allowedGrantTypeCheck(ctx, next) {
       if (!ctx.oidc.client.grantTypeAllowed(ctx.oidc.params.grant_type)) {
-        throw new UnauthorizedClient('requested grant type is not allowed for this client');
+        throw new InvalidRequest('requested grant type is not allowed for this client');
       }
 
       await next();

diff --git a/test/ciba/ciba.test.js b/test/ciba/ciba.test.js
@@ -272,7 +272,7 @@ describe('features.ciba', () => {
             .expect(400)
             .expect('content-type', /application\/json/)
             .expect({
-              error: 'unauthorized_client',
+              error: 'invalid_request',
               error_description: 'urn:openid:params:grant-type:ciba is not allowed for this client',
             })
             .expect(() => {

diff --git a/test/core/basic/code.authorization.test.js b/test/core/basic/code.authorization.test.js
@@ -907,7 +907,7 @@ describe('BASIC code', () => {
           .expect(auth.validatePresence(['error', 'error_description', 'state']))
           .expect(auth.validateState)
           .expect(auth.validateClientLocation)
-          .expect(auth.validateError('unauthorized_client'))
+          .expect(auth.validateError('invalid_request'))
           .expect(auth.validateErrorDescription('requested response_type is not allowed for this client'));
       });
 

diff --git a/test/device_code/device_authorization_endpoint.test.js b/test/device_code/device_authorization_endpoint.test.js
@@ -42,7 +42,7 @@ describe('device_authorization_endpoint', () => {
         .expect(400)
         .expect('content-type', /application\/json/)
         .expect({
-          error: 'unauthorized_client',
+          error: 'invalid_request',
           error_description: 'urn:ietf:params:oauth:grant-type:device_code is not allowed for this client',
         })
         .expect(() => {

diff --git a/test/fapi/fapi-final.test.js b/test/fapi/fapi-final.test.js
@@ -56,7 +56,7 @@ describe('Financial-grade API Security Profile 1.0 - Part 2: Advanced (FINAL) be
       })
         .expect(303)
         .expect(auth.validateClientLocation)
-        .expect(auth.validateError('unauthorized_client'))
+        .expect(auth.validateError('invalid_request'))
         .expect(auth.validateErrorDescription('requested response_mode is not allowed for this client or request'));
     });
 
@@ -85,7 +85,7 @@ describe('Financial-grade API Security Profile 1.0 - Part 2: Advanced (FINAL) be
       })
         .expect(303)
         .expect(auth.validateClientLocation)
-        .expect(auth.validateError('unauthorized_client'))
+        .expect(auth.validateError('invalid_request'))
         .expect(auth.validateErrorDescription('requested response_mode is not allowed for this client or request'));
     });
   });

diff --git a/test/fapi/fapi-id2.test.js b/test/fapi/fapi-id2.test.js
@@ -56,7 +56,7 @@ describe('Financial-grade API - Part 2: Read and Write API Security Profile (ID2
       })
         .expect(303)
         .expect(auth.validateClientLocation)
-        .expect(auth.validateError('unauthorized_client'))
+        .expect(auth.validateError('invalid_request'))
         .expect(auth.validateErrorDescription('requested response_mode is not allowed for this client or request'));
     });
 
@@ -84,7 +84,7 @@ describe('Financial-grade API - Part 2: Read and Write API Security Profile (ID2
       })
         .expect(303)
         .expect(auth.validateClientLocation)
-        .expect(auth.validateError('unauthorized_client'))
+        .expect(auth.validateError('invalid_request'))
         .expect(auth.validateErrorDescription('requested response_mode is not allowed for this client or request'));
     });
   });