From 7947d87206dbf3b9b1d5cce1946066fc9bc2b896 Mon Sep 17 00:00:00 2001
From: Filip Skokan
Date: Sat, 20 May 2023 22:54:24 +0200
Subject: [PATCH] refactor: use invalid_request instead of unauthorized_client
---
 lib/actions/authorization/check_client_grant_type.js | 4 ++--
 lib/actions/authorization/check_response_mode.js | 4 ++--
 lib/actions/authorization/check_response_type.js | 6 +++---
 lib/actions/token.js | 4 ++--
 test/ciba/ciba.test.js | 2 +-
 test/core/basic/code.authorization.test.js | 2 +-
 test/device_code/device_authorization_endpoint.test.js | 2 +-
 test/fapi/fapi-final.test.js | 4 ++--
 test/fapi/fapi-id2.test.js | 4 ++--
 9 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/lib/actions/authorization/check_client_grant_type.js b/lib/actions/authorization/check_client_grant_type.js
index bd112be52..d90430d16 100644
--- a/lib/actions/authorization/check_client_grant_type.js
+++ b/lib/actions/authorization/check_client_grant_type.js
@@ -1,4 +1,4 @@
-import { UnauthorizedClient } from '../../helpers/errors.js';
+import { InvalidRequest } from '../../helpers/errors.js';
 export default function checkClientGrantType({ oidc: { route, client } }, next) {
 let grantType;
@@ -14,7 +14,7 @@ export default function checkClientGrantType({ oidc: { route, client } }, next)
 }
 if (!client.grantTypeAllowed(grantType)) {
- throw new UnauthorizedClient(`${grantType} is not allowed for this client`);
+ throw new InvalidRequest(`${grantType} is not allowed for this client`);
 }
 return next();
diff --git a/lib/actions/authorization/check_response_mode.js b/lib/actions/authorization/check_response_mode.js
index f1dfd6532..c93a1f842 100644
--- a/lib/actions/authorization/check_response_mode.js
+++ b/lib/actions/authorization/check_response_mode.js
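Review bot: RFC 6749 §5.2 and §4.1.2.1 reserve `unauthorized_client` for exactly the condition tested in the second hunk of checkClientGrantType — the authenticated client is not authorized to use this grant type / method — while `invalid_request` denotes a malformed or missing parameter, so the new `throw new InvalidRequest(...)` is a client-visible change in error taxonomy rather than the pure refactor the subject line suggests, and nothing on the page records why. The same substitution appears in check_response_type.js (two hunks), check_response_mode.js and the `allowedGrantTypeCheck` hunk of lib/actions/token.js; integrators whose clients branch on `error === 'unauthorized_client'` will see different behaviour at every one of these sites. A one-sentence rationale in the commit description, and a note in the changelog if this is a documented error-code change, would make the intent reviewable. check_response_type.js updates its `@throws:` header comment; if check_client_grant_type.js or token.js carries a similar comment outside the visible hunks it needs the same edit — checkClientGrantType's body runs outside both hunks shown here.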
@@ -1,4 +1,4 @@
-import { InvalidRequest, UnauthorizedClient, UnsupportedResponseMode } from '../../helpers/errors.js';
+import { InvalidRequest, UnsupportedResponseMode } from '../../helpers/errors.js';
 import instance from '../../helpers/weak_cache.js';
 import { isFrontChannel } from '../../helpers/resolve_response_mode.js';
@@ -24,7 +24,7 @@ export default function checkResponseMode(ctx, next) {
 }
 if (!ctx.oidc.client.responseModeAllowed(mode, params.response_type, ctx.oidc.fapiProfile)) {
- throw new UnauthorizedClient('requested response_mode is not allowed for this client or request');
+ throw new InvalidRequest('requested response_mode is not allowed for this client or request');
 }
 const JWT = /jwt/.test(mode);
diff --git a/lib/actions/authorization/check_response_type.js b/lib/actions/authorization/check_response_type.js
index fc1f9c773..2204ca6ab 100644
--- a/lib/actions/authorization/check_response_type.js
+++ b/lib/actions/authorization/check_response_type.js
@@ -1,7 +1,7 @@
 import instance from '../../helpers/weak_cache.js';
 import {
 UnsupportedResponseType,
- UnauthorizedClient,
+ InvalidRequest,
 } from '../../helpers/errors.js';
 /*
@@ -9,7 +9,7 @@ import {
 * configuration
 *
 * @throws: unsupported_response_type
- * @throws: unauthorized_client
+ * @throws: invalid_request
 */
 export default function checkResponseType(ctx, next) {
 const { params } = ctx.oidc;
@@ -22,7 +22,7 @@ export default function checkResponseType(ctx, next) {
 }
 if (!ctx.oidc.client.responseTypeAllowed(params.response_type)) {
- throw new UnauthorizedClient('requested response_type is not allowed for this client');
+ throw new InvalidRequest('requested response_type is not allowed for this client');
 }
 return next();
diff --git a/lib/actions/token.js b/lib/actions/token.js
index d01cf2194..811376156 100644
--- a/lib/actions/token.js
+++ b/lib/actions/token.js
@@ -1,6 +1,6 @@
 import presence from '../helpers/validate_presence.js';
 import instance from '../helpers/weak_cache.js';
-import { UnsupportedGrantType, UnauthorizedClient } from '../helpers/errors.js';
+import { UnsupportedGrantType, InvalidRequest } from '../helpers/errors.js';
 import noCache from '../shared/no_cache.js';
 import getTokenAuth from '../shared/token_auth.js';
 import { urlencoded as parseBody } from '../shared/selective_body.js';
@@ -47,7 +47,7 @@ export default function tokenAction(provider) {
 async function allowedGrantTypeCheck(ctx, next) {
 if (!ctx.oidc.client.grantTypeAllowed(ctx.oidc.params.grant_type)) {
- throw new UnauthorizedClient('requested grant type is not allowed for this client');
+ throw new InvalidRequest('requested grant type is not allowed for this client');
 }
 await next();
diff --git a/test/ciba/ciba.test.js b/test/ciba/ciba.test.js
index 0c68de304..2846e6f16 100644
--- a/test/ciba/ciba.test.js
+++ b/test/ciba/ciba.test.js
@@ -272,7 +272,7 @@ describe('features.ciba', () => {
 .expect(400)
 .expect('content-type', /application\/json/)
 .expect({
- error: 'unauthorized_client',
+ error: 'invalid_request',
 error_description: 'urn:openid:params:grant-type:ciba is not allowed for this client',
 })
 .expect(() => {
diff --git a/test/core/basic/code.authorization.test.js b/test/core/basic/code.authorization.test.js
index 81943d7fe..669dff7d1 100644
--- a/test/core/basic/code.authorization.test.js
+++ b/test/core/basic/code.authorization.test.js
@@ -907,7 +907,7 @@ describe('BASIC code', () => {
 .expect(auth.validatePresence(['error', 'error_description', 'state']))
 .expect(auth.validateState)
 .expect(auth.validateClientLocation)
- .expect(auth.validateError('unauthorized_client'))
+ .expect(auth.validateError('invalid_request'))
 .expect(auth.validateErrorDescription('requested response_type is not allowed for this client'));
 });
diff --git a/test/device_code/device_authorization_endpoint.test.js b/test/device_code/device_authorization_endpoint.test.js
index 9ff8711fb..c49b10a1e 100644
--- a/test/device_code/device_authorization_endpoint.test.js
+++ b/test/device_code/device_authorization_endpoint.test.js
@@ -42,7 +42,7 @@ describe('device_authorization_endpoint', () => {
 .expect(400)
 .expect('content-type', /application\/json/)
 .expect({
- error: 'unauthorized_client',
+ error: 'invalid_request',
 error_description: 'urn:ietf:params:oauth:grant-type:device_code is not allowed for this client',
 })
 .expect(() => {
diff --git a/test/fapi/fapi-final.test.js b/test/fapi/fapi-final.test.js
index 6b3e8ecbe..3e309ce54 100644
--- a/test/fapi/fapi-final.test.js
+++ b/test/fapi/fapi-final.test.js
@@ -56,7 +56,7 @@ describe('Financial-grade API Security Profile 1.0 - Part 2: Advanced (FINAL) be
 })
 .expect(303)
 .expect(auth.validateClientLocation)
- .expect(auth.validateError('unauthorized_client'))
+ .expect(auth.validateError('invalid_request'))
 .expect(auth.validateErrorDescription('requested response_mode is not allowed for this client or request'));
 });
@@ -85,7 +85,7 @@ describe('Financial-grade API Security Profile 1.0 - Part 2: Advanced (FINAL) be
 })
 .expect(303)
 .expect(auth.validateClientLocation)
- .expect(auth.validateError('unauthorized_client'))
+ .expect(auth.validateError('invalid_request'))
 .expect(auth.validateErrorDescription('requested response_mode is not allowed for this client or request'));
 });
 });
diff --git a/test/fapi/fapi-id2.test.js b/test/fapi/fapi-id2.test.js
index 27ed761a9..8a151ac5d 100644
--- a/test/fapi/fapi-id2.test.js
+++ b/test/fapi/fapi-id2.test.js
@@ -56,7 +56,7 @@ describe('Financial-grade API - Part 2: Read and Write API Security Profile (ID2
 })
 .expect(303)
 .expect(auth.validateClientLocation)
- .expect(auth.validateError('unauthorized_client'))
+ .expect(auth.validateError('invalid_request'))
 .expect(auth.validateErrorDescription('requested response_mode is not allowed for this client or request'));
 });
@@ -84,7 +84,7 @@ describe('Financial-grade API - Part 2: Read and Write API Security Profile (ID2
 })
 .expect(303)
 .expect(auth.validateClientLocation)
- .expect(auth.validateError('unauthorized_client'))
+ .expect(auth.validateError('invalid_request'))
 .expect(auth.validateErrorDescription('requested response_mode is not allowed for this client or request'));
 });
 });