
If token authentication fails should set WWW-Authenticate header #553

Open
luckv opened this issue Feb 22, 2019 · 2 comments · May be fixed by #646

Comments

luckv commented Feb 22, 2019

When the authentication for getting a resource fails (so only when checking the Authorization header), RFC 6750 says that a WWW-Authenticate header must be set in the response. This library doesn't do this. Is it wanted behaviour or a forgotten functionality to implement? Because I have seen some closed issues related to versions 1.x and 2.x, but then no one talked about it and it has not been implemented yet. Thank you all, you are doing great work anyway.

luckv (Author) commented Feb 23, 2019

Errors

Properties related to oauth protocol flow

The instances of the errors described below are referred to as e inside each section

InvalidRequestError

Section 4.2.2.1 of RFC 6749 and Section 3.1 of RFC 6750

Status code SHOULD be 400 (Bad request)
Header WWW-Authenticate MUST be Bearer realm="Service",error="invalid_request"
Header WWW-Authenticate SHOULD be Bearer realm="Service",error="invalid_request",error_description="e.message"

InvalidTokenError

Section 4.2.2.1 of RFC 6749 and Section 3.1 of RFC 6750

Status code SHOULD be 401 (Unauthorized)
Header WWW-Authenticate MUST be Bearer realm="Service",error="invalid_token"
Header WWW-Authenticate SHOULD be Bearer realm="Service",error="invalid_token",error_description="e.message"

InsufficientScopeError

Status code SHOULD be 403 (Forbidden)
Header WWW-Authenticate MUST be Bearer realm="Service",error="insufficient_scope"
Header WWW-Authenticate SHOULD be Bearer realm="Service",error="invalid_token",error_description="e.message",scope="<scope/s necessary to access the resource>"

UnauthorizedRequestError

Section 3.1 of RFC 6750

Status code SHOULD be 401 (Unauthorized)
Header WWW-Authenticate MUST be Bearer realm="Service"
No body in the response


I created a pull request with the code to write the headers: #555
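The mapping above is the whole of the resource-server side of RFC 6750 §3, so here is an added, self-contained example (not the library's code and not part of the PR mentioned) that turns each of the four error classes into the status code and WWW-Authenticate value. It assumes an error object with the class name in `name` and the human-readable text in `message`, and a caller-supplied realm and list of required scopes; those inputs are assumptions for illustration. The insufficient-scope challenge uses the `insufficient_scope` error code that RFC 6750 §3.1 defines for that case. Two checks are worth having that the list does not spell out: RFC 6750 §3 restricts `error_description` to `%x20-21 / %x23-5B / %x5D-7E`, so a message containing `"`, `\` or a CR/LF cannot simply be pasted into the header (it would either break the quoted-string or split the header), and RFC 6749 §3.3 restricts each scope token to `%x21 / %x23-5B / %x5D-7E`.

```javascript
'use strict';

// Added example, not node-oauth2-server code. Lookup from the error classes
// named in the issue to the RFC 6750 section 3.1 error code and HTTP status.
// UnauthorizedRequestError has no error code: a request that carries no
// authentication information at all gets a bare challenge.
const CHALLENGES = {
  InvalidRequestError:      { status: 400, error: 'invalid_request' },
  InvalidTokenError:        { status: 401, error: 'invalid_token' },
  InsufficientScopeError:   { status: 403, error: 'insufficient_scope' },
  UnauthorizedRequestError: { status: 401, error: null },
};

// RFC 6750 section 3: error_description is limited to %x20-21 / %x23-5B /
// %x5D-7E, i.e. printable ASCII without '"' and '\'. The attribute allows no
// quoted-pair escapes, so offending characters (including CR/LF, which would
// otherwise terminate the header line) are dropped instead of escaped.
function sanitizeDescription(text) {
  return String(text).replace(/[^\x20\x21\x23-\x5B\x5D-\x7E]/g, '');
}

// RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ).
function validScopeToken(token) {
  return /^[\x21\x23-\x5B\x5D-\x7E]+$/.test(token);
}

function quoted(value) {
  return '"' + value + '"';
}

// Build the challenge. `err` is assumed to carry { name, message }; `realm`
// is a deployment choice (the issue uses "Service"); `scopes` is the list
// required for the resource and is only emitted for insufficient_scope.
function bearerChallenge(err, realm, scopes) {
  const spec = CHALLENGES[err.name];
  if (!spec) {
    throw new TypeError('not a bearer authentication error: ' + err.name);
  }
  const params = ['realm=' + quoted(sanitizeDescription(realm))];
  if (spec.error) {
    params.push('error=' + quoted(spec.error));
    const description = sanitizeDescription(err.message || '');
    if (description) {
      params.push('error_description=' + quoted(description));
    }
  }
  if (spec.error === 'insufficient_scope' && scopes && scopes.length) {
    const bad = scopes.filter((s) => !validScopeToken(s));
    if (bad.length) {
      throw new TypeError('invalid scope token(s): ' + bad.join(','));
    }
    params.push('scope=' + quoted(scopes.join(' ')));
  }
  return { status: spec.status, header: 'Bearer ' + params.join(', ') };
}

// Apply the challenge to a Node http.ServerResponse-like object
// (anything with statusCode and setHeader()).
function writeChallenge(res, err, realm, scopes) {
  const challenge = bearerChallenge(err, realm, scopes);
  res.statusCode = challenge.status;
  res.setHeader('WWW-Authenticate', challenge.header);
  return challenge;
}

module.exports = { bearerChallenge, writeChallenge, sanitizeDescription, validScopeToken };
```

The attribute list uses the comma-plus-space layout of the RFC's own examples; the comma-only layout in the comment above is equally valid since RFC 7235 permits optional whitespace between auth-params. Dropping rather than escaping characters in `error_description` loses a little information from the message, which is acceptable because the text is only a hint to the developer of the client; the machine-readable part is the `error` code.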

luckv (Author) commented Jan 30, 2020

Any news?

@jhermsmeier jhermsmeier linked a pull request Aug 14, 2020 that will close this issue
sambacha pushed a commit to sambacha/node-oauth2-server that referenced this issue Sep 27, 2020
* Compute the correct redirect_uri in case the resource owner denies access

According to https://tools.ietf.org/html/rfc6749#section-4.1.2.1
once the redirect_uri & client_id are correct the authorization server should
inform the client that the user denied access.

The change is to move validation of resource owner approval after the
redirect_uri & client identifier validation so the correct redirect url
is computed

* Remove commented code

* Note we're now also seeking reviewers

* Update readme with link to v5-dev branch

* Add renovate.json

* Add link to examples repo. Closes oauthjs#571

* Update dependency bluebird to v3.7.2

* Update dependency jshint to v2.11.0

* Update dependency mocha to v3.5.3

* Update dependency sinon to v2.4.1

* Update dependency statuses to v1.5.0

* Update dependency basic-auth to v2

* Update node versions

* Bump lodash from 4.17.4 to 4.17.15

Bumps [lodash](https://github.com/lodash/lodash) from 4.17.4 to 4.17.15.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.4...4.17.15)

Signed-off-by: dependabot[bot] <[email protected]>

* Update dependency type-is to v1.6.18

* Update dependency should to v13

* add codecoverage and upgrade packages

* Update dependency jshint to v2.11.1

* Drop support for node 4/6/8 and add tests for 14

* Update dependency sinon to v9

* Update dependency mocha to v7

* Release 3.0.2 🎉

* Release 3.0.2 🎉

* Revert "Drop support for node 4/6/8 and add tests for 14"

This reverts commit b84778b.

* Revert "Merge pull request oauthjs#596 from oauthjs/renovate/mocha-7.x"

This reverts commit cb2bb88, reversing
changes made to 6997303.

* Revert "Merge pull request oauthjs#602 from oauthjs/renovate/sinon-9.x"

This reverts commit 6997303, reversing
changes made to b84778b.

* Bump mocha and sinon to latest versions supporting node v4

* Add testing for node v14

* Update readme with project status update

* remove renovate in favour of dependabot

* Add FUNDING.yml (oauthjs#630)

* Updated .gitignore

* Changed 'hasOwnProperty' call in Request

* Changed 'hasOwnProperty' call in Response

* set numArgs for promisify of generateAuthorizationCode

* readme: Update Slack badge and link

* fix: issue correct expiry dates for tokens oauthjs#444

related to a NodeJS (nodejs/node#7074) and furthermore
V8 bug (https://bugs.chromium.org/p/v8/issues/detail?id=3637); replaced
seconds calculation with milliseconds.

* Merge pull request oauthjs#451 from razvanz/fix/validate-scope-on-authorize

 fix: validate requested scope on authorize request

* Merge pull request oauthjs#491 from mattgrande/master

docs: Ensure accessTokenExpiresAt is required

* Merge pull request oauthjs#471 from smartrecruiters/fix-migration-documentaiton

docs: Correct tokens time scale for 2.x to 3.x  migration guide

* Updated changelog

* Tag 3.1.0-rc1

* 3.1.0 bump

* Bump lodash from 4.17.15 to 4.17.19

Bumps [lodash](https://github.com/lodash/lodash) from 4.17.15 to 4.17.19.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.15...4.17.19)

Signed-off-by: dependabot-preview[bot] <[email protected]>

* v3.1.1 (oauthjs#636)

* Bump jshint from 2.11.1 to 2.12.0 (oauthjs#640)

Bumps [jshint](https://github.com/jshint/jshint) from 2.11.1 to 2.12.0.
- [Release notes](https://github.com/jshint/jshint/releases)
- [Changelog](https://github.com/jshint/jshint/blob/master/CHANGELOG.md)
- [Commits](jshint/jshint@2.11.1...2.12.0)

Signed-off-by: dependabot-preview[bot] <[email protected]>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>

* Set WWW-Authenticate header for invalid requests

This adds the WWW-Authenticate header for InvalidRequestError, InvalidTokenError,
and InsufficientScopeError, as specified in RFC 6750, Section 3

Fixes oauthjs#553

* cherry pick

* rm lock

* fix: lint errors

* fix grant types

* custom types init

* Update .travis.yml

* git merge artifact

Co-authored-by: Igor Czechowski <[email protected]>
Co-authored-by: Szymon Kiebzak <[email protected]>
Co-authored-by: Thom Seddon <[email protected]>
Co-authored-by: Renovate Bot <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Aras Abbasi <[email protected]>
Co-authored-by: mjsalinger <[email protected]>
Co-authored-by: Pritilender <[email protected]>
Co-authored-by: nkzawa <[email protected]>
Co-authored-by: Max Truxa <[email protected]>
Co-authored-by: Razvan <[email protected]>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Jonas Hermsmeier <[email protected]>
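The first item of that squashed commit message, moving the resource-owner-approval check after the redirect_uri and client_id validation, is the ordering RFC 6749 §4.1.2.1 requires: the server may only send the user agent back to redirect_uri with error=access_denied once it has confirmed that client_id is known and redirect_uri is registered for it; with a missing, invalid or mismatching redirect_uri it MUST NOT redirect and should show the error to the resource owner instead. Doing the approval check first turns the authorization endpoint into an open redirector. The following is an added illustration of that ordering (example code, not the project's implementation); the client table, the `authorizationErrorResponse` name and the response shape are constructed for the example.

```javascript
'use strict';

// Constructed client registrations for the example (not from the page):
// each client has the full redirect URIs it registered.
const CLIENTS = {
  'app-1': { redirectUris: ['https://app.example/cb'] },
};

// Exact string comparison, as RFC 6749 section 3.1.2.3 requires when the
// complete redirect URI was registered. Prefix or host-only matching, or
// normalising the URI before comparing, is how open redirects get in.
function redirectUriRegistered(client, uri) {
  return client.redirectUris.includes(uri);
}

// Decide the authorization endpoint's error response for an authorization
// request. `query` holds the request parameters; `resourceOwnerApproved`
// is the outcome of the consent step. Returns null when there is no error.
//
// Order of checks (RFC 6749 section 4.1.2.1): client_id, then redirect_uri,
// and only then the resource owner's decision. The first two failures are
// reported to the user agent directly with no redirect; only the third may
// redirect, because by then redirect_uri is known to belong to the client.
function authorizationErrorResponse(query, resourceOwnerApproved) {
  const client = CLIENTS[query.client_id];
  if (!client) {
    return {
      status: 400,
      body: { error: 'invalid_request', error_description: 'unknown client_id' },
    };
  }
  if (!query.redirect_uri || !redirectUriRegistered(client, query.redirect_uri)) {
    return {
      status: 400,
      body: { error: 'invalid_request', error_description: 'redirect_uri is not registered for this client' },
    };
  }
  if (!resourceOwnerApproved) {
    // Safe to redirect: the target is one the client registered. The state
    // parameter is echoed back when the client sent one (required by 4.1.2.1).
    const target = new URL(query.redirect_uri);
    target.searchParams.set('error', 'access_denied');
    if (query.state !== undefined) {
      target.searchParams.set('state', query.state);
    }
    return { status: 302, location: target.toString() };
  }
  return null;
}

module.exports = { authorizationErrorResponse, redirectUriRegistered };
```

A fragment-based client (implicit grant) would carry the error in the URI fragment rather than the query; the ordering of the checks is the same.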
joe1chen pushed a commit to dogomedia/node-oauth2-server that referenced this issue Oct 10, 2020
…of RFC 6749 and Section 3.1 of RFC 6750. Fixes for oauthjs#553.
joe1chen pushed a commit to dogomedia/node-oauth2-server that referenced this issue Oct 10, 2020
…of RFC 6749 and Section 3.1 of RFC 6750. Fixes for oauthjs#553.
joe1chen pushed a commit to dogomedia/node-oauth2-server that referenced this issue Oct 12, 2020
…of RFC 6749 and Section 3.1 of RFC 6750. Fixes for oauthjs#553.