OAuth token endpoint returns 500 instead of 400 when authorization_code is missing code #538

Open
MagicShoebox opened this issue Sep 9, 2024 · 2 comments

@MagicShoebox

```csharp
app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions { TokenEndpointPath = "/token" });
```

```powershell
irm -Method POST -Body @{ grant_type = "authorization_code" } https://localhost:8080/token
```

This returns 500 instead of 400.

OAuthAuthorizationServerHandler.InvokeTokenEndpointAuthorizationCodeGrantAsync() triggers an ArgumentNullException on line 489 when it tries to construct an AuthenticationTokenReceiveContext with a null token (tokenEndpointRequest.AuthorizationCodeGrant.Code).

I'm not quite sure why AuthenticationTokenReceiveContext throws this exception. I think it (and its consumers) should probably handle the case where token is null. Alternatively, InvokeTokenEndpointAuthorizationCodeGrantAsync() should check that a code was provided. Happy to open a PR given guidance on which approach to take.

@MagicShoebox
Author

I believe this also affects grant_type refresh_token when no token is provided.
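For deployments that still run this middleware, one way to get the 400 the issue asks for is a guard registered ahead of the OAuth handler. This is an added example, not code from the issue or from the Katana project; `UseTokenRequestGuard` and `MissingParameter` are hypothetical names, and the `refresh_token` check follows the comment above rather than a confirmed reproduction.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;

public static class TokenRequestGuard
{
    // Hypothetical helper (not part of Katana). Call it BEFORE
    // app.UseOAuthAuthorizationServer(...) so it runs first in the pipeline.
    public static IAppBuilder UseTokenRequestGuard(this IAppBuilder app, string tokenEndpointPath)
    {
        return app.Use(async (context, next) =>
        {
            IOwinRequest request = context.Request;
            bool isTokenPost =
                string.Equals(request.Method, "POST", StringComparison.OrdinalIgnoreCase) &&
                request.Path.Equals(new PathString(tokenEndpointPath));
            if (isTokenPost)
            {
                // ReadFormAsync caches the parsed form in the OWIN environment,
                // so the OAuth handler can still read it afterwards.
                IFormCollection form = await request.ReadFormAsync();
                string missing = MissingParameter(form);
                if (missing != null)
                {
                    // RFC 6749 section 5.2: HTTP 400 with error=invalid_request.
                    context.Response.StatusCode = 400;
                    context.Response.ContentType = "application/json;charset=UTF-8";
                    context.Response.Headers.Set("Cache-Control", "no-store");
                    context.Response.Headers.Set("Pragma", "no-cache");
                    await context.Response.WriteAsync(
                        "{\"error\":\"invalid_request\",\"error_description\":\"missing " + missing + "\"}");
                    return; // short-circuit: the OAuth handler never sees the request
                }
            }
            await next();
        });
    }

    // Returns the name of the required parameter that is absent or empty, or null.
    private static string MissingParameter(IFormCollection form)
    {
        string grantType = form.Get("grant_type");
        if (grantType == "authorization_code" && string.IsNullOrEmpty(form.Get("code")))
            return "code";
        if (grantType == "refresh_token" && string.IsNullOrEmpty(form.Get("refresh_token")))
            return "refresh_token";
        return null;
    }
}
```

Register it with `app.UseTokenRequestGuard("/token");` on the line before `app.UseOAuthAuthorizationServer(...)`, using the same path as `TokenEndpointPath`.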

@Tratcher
Member

Tratcher commented Sep 9, 2024

UseOAuthAuthorizationServer has been considered obsolete for many years; you should find another auth server.
