TokenEndpoint.handleRequest throws empty InvalidClient
alboko opened this issue
Alex Kogan commented
Hi,
Looks like TokenEndpoint.handleRequest throws empty InvalidClient() exception when an invalid client is detected. It causes some HTTP servers (Spray in my case) to choke on the response:
[WARN] [06/28/2015 11:08:30.668] [Oauth2FuncInMemorySpec-akka.actor.default-dispatcher-6] [akka://Oauth2FuncInMemorySpec/user/IO-HTTP/group-0/0] Illegal response header: Illegal 'WWW-Authenticate' header: Unexpected end of input, expected OptWS, Token or QuotedString (line 1, pos 58):
Bearer realm=test,error=invalid_client,error_description=
^
Here is the whole response:
HttpResponse(401 Unauthorized,HttpEntity(application/json; charset=UTF-8,{"error":"invalid_client","error_description":""}),List(Server: spray-can/1.3.3, Date: Sun, 28 Jun 2015 15:08:30 GMT, WWW-Authenticate: Bearer realm=test,error=invalid_client,error_description=, Content-Type: application/json; charset=UTF-8, Content-Length: 49),HTTP/1.1)
Should it provide at least some minimalistic description like (lines 24-25 in
if (!validClient) {
Future.successful(Left(new InvalidClient("Invalid client is detected")))
Thanks,
Alex
Tsuyoshi Yoshizawa commented
Thanks for reporting.
As you report, the error message is poor; we should improve the other error messages too.
Would you send a PR?
Naftoli Gugenheim commented
I think a proper fix would require AuthorizationHandler.validateClient to return something better than a Future[Boolean].
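The header in the report is rejected because `error_description=` is followed by nothing, which is neither a token nor a quoted-string. The sketch below is an added example, not code from the issue or from the library: `BearerChallenge` and `render` are hypothetical names, and it assumes the RFC 6750 character restrictions for `error` and `error_description`. It renders the challenge so that an empty description is left out and every value is sent as a quoted-string.

```scala
// Added example. BearerChallenge and render are hypothetical names,
// not part of the library discussed in this issue.
object BearerChallenge {

  // RFC 6750 section 3 limits error and error_description values to
  // %x20-21 / %x23-5B / %x5D-7E: printable ASCII without '"' and '\'.
  private def allowed(c: Char): Boolean =
    c >= 0x20 && c <= 0x7E && c != '"' && c != '\\'

  // Drop characters outside that set instead of escaping them, so a
  // message taken from an exception cannot break out of the quoted-string
  // or inject CR/LF into the header.
  private def sanitize(value: String): String =
    value.filter(allowed).trim

  // Build the WWW-Authenticate value. A parameter whose value is empty
  // after sanitizing is omitted, so "error_description=" with nothing
  // after it can never be emitted.
  def render(realm: String, error: String, description: String): String = {
    val params = Seq(
      "realm" -> realm,
      "error" -> error,
      "error_description" -> description
    ).map { case (name, value) => name -> sanitize(value) }
      .filter { case (_, value) => value.nonEmpty }
      .map { case (name, value) => name + "=\"" + value + "\"" }

    if (params.isEmpty) "Bearer" else "Bearer " + params.mkString(", ")
  }
}

object BearerChallengeDemo {
  def main(args: Array[String]): Unit = {
    // Empty description, as produced by new InvalidClient() in the report.
    println(BearerChallenge.render("test", "invalid_client", ""))
    // Description text proposed in the report.
    println(BearerChallenge.render("test", "invalid_client", "Invalid client is detected"))
    // Constructed hostile input: quote and CR/LF are stripped before rendering.
    println(BearerChallenge.render("test", "invalid_client", "bad \"id\"\r\nX-Injected: 1"))
  }
}
```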