Return OAuth authorize errors to redirect_uri per RFC 6749 #72

Merged: eswan18 merged 1 commit into main from fix/authorize-error-redirect on Mar 31, 2026

Conversation

eswan18 (Owner) commented Mar 31, 2026

Summary

The authorize endpoint previously returned all errors as raw HTTP error pages. This broke client integrations — when a scope was invalid or PKCE was missing, the client application never received a callback and the user saw a plain text error.

Per RFC 6749 Section 4.1.2.1, errors should be returned to the client's redirect_uri as query parameters when the redirect_uri has been validated. This PR restructures the authorize handler into two validation phases:

  1. Direct errors (client_id/redirect_uri invalid): Shown to the user directly, since there's no trusted URI to redirect to.
  2. Redirected errors (bad response_type, missing PKCE, invalid scope): Sent back to the client as ?error=<code>&error_description=<msg>&state=<state> so the client can handle them.

Changes

  • Restructured HandleOauthAuthorize to validate client+redirect_uri first, then redirect subsequent errors
  • Added validateOAuthClientRedirect (validates client+redirect only, without scopes) for the early check
  • Moved scope validation into the authorize handler so it can use the redirect error path

Test plan

Five integration tests written with red/green TDD, covering both error categories:

Errors redirected to client (with error, error_description, state query params):

  • Invalid scope → redirects error=invalid_scope
  • Missing PKCE → redirects error=invalid_request
  • Unsupported response_type → redirects error=unsupported_response_type

Errors shown directly (can't trust redirect_uri):

  • Unknown client_id → 400 Bad Request
  • Unregistered redirect_uri → 400 Bad Request

Full regression: All 55+ existing tests pass.

Closes #58.

🤖 Generated with Claude Code

Previously, all errors in the authorize endpoint were returned as raw
HTTP error pages directly to the browser. This meant client applications
never learned about errors like invalid scope or missing PKCE — the user
just saw a plain text error page and the client was left waiting.

Now the authorize handler validates in two phases:

1. Client identity and redirect_uri are validated first. If these fail,
   errors are still shown directly (can't safely redirect to an
   untrusted URI).

2. All other errors (unsupported response_type, missing PKCE, invalid
   scope) are redirected back to the client's redirect_uri as query
   parameters (error, error_description, state) so the client can handle
   them programmatically.

Added validateOAuthClientRedirect for the early client+redirect check,
and moved scope validation into the authorize handler so it can use the
redirect error path.

Closes #58.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
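The two-phase authorize validation described in the PR summary and in the commit message above, as an added Go example that is not the project's code: `HandleAuthorize`, `redirectError`, `scopesValid`, the client registry and the scope set are all constructed for illustration, and the only error codes used are the RFC 6749 ones the page names.

```go
package main
import (
	"net/http"
	"net/url"
	"strings"
)
// Constructed registry (hypothetical); stands in for the project's own client lookup.
var clientRedirects = map[string]string{"demo-client": "https://app.example/cb"}
var allowedScopes = map[string]bool{"read": true, "write": true}
func scopesValid(scope string) bool { // scope is a space-delimited list of tokens
	for _, s := range strings.Fields(scope) {
		if !allowedScopes[s] {
			return false
		}
	}
	return true
}
// redirectError: RFC 6749 4.1.2.1 error on the validated redirect_uri; state echoed only if the client sent it.
func redirectError(redirectURI, code, desc, state string) string {
	u, _ := url.Parse(redirectURI) // safe: matched against the registry in phase 1
	q := u.Query()                 // keep any query the registered URI already carries
	q.Set("error", code)
	q.Set("error_description", desc)
	if state != "" {
		q.Set("state", state)
	}
	u.RawQuery = q.Encode()
	return u.String()
}
// HandleAuthorize: phase 1 (client_id, redirect_uri) fails directly with 400; phase 2 errors redirect to the client.
func HandleAuthorize(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	if reg, ok := clientRedirects[q.Get("client_id")]; !ok || reg != q.Get("redirect_uri") {
		http.Error(w, "invalid client_id or redirect_uri", http.StatusBadRequest) // no trusted URI to redirect to
		return
	}
	var code, desc string
	switch {
	case q.Get("response_type") != "code":
		code, desc = "unsupported_response_type", "only response_type=code is supported"
	case q.Get("code_challenge") == "":
		code, desc = "invalid_request", "code_challenge is required (PKCE)"
	case !scopesValid(q.Get("scope")):
		code, desc = "invalid_scope", "a requested scope is not registered"
	default:
		w.WriteHeader(http.StatusOK) // a real handler continues to login/consent here
		return
	}
	http.Redirect(w, r, redirectError(q.Get("redirect_uri"), code, desc, q.Get("state")), http.StatusFound)
}
```

Because the registry match happens before any redirect is issued, a request with an unregistered redirect_uri can never be turned into an open redirect carrying the error parameters.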
eswan18 merged commit 2be0254 into main on Mar 31, 2026 (1 check passed)
eswan18 deleted the fix/authorize-error-redirect branch on March 31, 2026 01:07

Development

Successfully merging this pull request may close these issues: Return OAuth errors to redirect_uri per RFC 6749 4.1.2.1