nulab / scala-oauth2-provider

OAuth 2.0 server-side implementation written in Scala

TokenEndpoint.handleRequest throws empty InvalidClient

alboko opened this issue · comments

Hi,

Looks like TokenEndpoint.handleRequest throws empty InvalidClient() exception when an invalid client is detected. It causes some HTTP servers (Spray in my case) to choke on the response:

    [WARN] [06/28/2015 11:08:30.668] [Oauth2FuncInMemorySpec-akka.actor.default-dispatcher-6] [akka://Oauth2FuncInMemorySpec/user/IO-HTTP/group-0/0] Illegal response header: Illegal 'WWW-Authenticate' header: Unexpected end of input, expected OptWS, Token or QuotedString (line 1, pos 58):
    Bearer realm=test,error=invalid_client,error_description=
                                                             ^

Here is the whole response:

    HttpResponse(401 Unauthorized,HttpEntity(application/json; charset=UTF-8,{"error":"invalid_client","error_description":""}),List(Server: spray-can/1.3.3, Date: Sun, 28 Jun 2015 15:08:30 GMT, WWW-Authenticate: Bearer realm=test,error=invalid_client,error_description=, Content-Type: application/json; charset=UTF-8, Content-Length: 49),HTTP/1.1)

Should it provide at least some minimalistic description like (lines 24-25 in

        if (!validClient) {
          Future.successful(Left(new InvalidClient("Invalid client is detected")))

Thanks,
Alex

Thanks for reporting.

As you report, the error message is poor; we should improve other error messages too.
Would you send a PR?

I think a proper fix would require AuthorizationHandler.validateClient to return something better than a Future[Boolean].
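
The malformed header reported above can also be prevented where the challenge is rendered. The following is an added example, not code from this thread or from scala-oauth2-provider: it omits an empty error_description instead of emitting "error_description=", and quotes every value after restricting it to the characters RFC 6750 allows. The BearerChallenge object and its method names are hypothetical.

```scala
// Added example, not scala-oauth2-provider code.
// BearerChallenge, allowed, clean and render are hypothetical names.
object BearerChallenge {

  // RFC 6750 section 3: error and error_description values may only use
  // %x20-21 / %x23-5B / %x5D-7E, i.e. printable ASCII without '"' and '\'.
  private def allowed(c: Char): Boolean =
    c >= 0x20 && c <= 0x7E && c != '"' && c != '\\'

  // Drop disallowed characters (including CR and LF). An empty result means
  // the parameter must be left out, because neither a token nor the RFC 6749
  // error-description rule permits a zero-length value.
  private def clean(value: String): Option[String] =
    Some(value.filter(allowed).trim).filter(_.nonEmpty)

  // Build the value of the WWW-Authenticate header. The same character filter
  // is applied to realm as a conservative choice (an assumption of this example).
  def render(realm: String, error: String, description: String): String = {
    val params = Seq(
      "realm" -> clean(realm),
      "error" -> clean(error),
      "error_description" -> clean(description)
    ).collect { case (name, Some(v)) => name + "=\"" + v + "\"" }

    if (params.isEmpty) "Bearer" else "Bearer " + params.mkString(", ")
  }

  def main(args: Array[String]): Unit = {
    // Constructed inputs: the empty description from the report,
    // then the description proposed in the issue.
    println(render("test", "invalid_client", ""))
    println(render("test", "invalid_client", "Invalid client is detected"))
    // Constructed input with a quote and a line break: both are stripped,
    // so the description stays inside its quoted value on one header line.
    println(render("test", "invalid_client", "bad \"client\"\r\nid"))
  }
}
```

This only guards the header; the JSON body in the reported response would still carry an empty error_description unless the exception itself is given a message.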