Update the client stack to normalize authorization error responses

3 years ago · 2b333272bf
5 changed files with 109 additions and 27 deletions
--- a/src/OpenIddict.Abstractions/OpenIddictResources.resx
+++ b/src/OpenIddict.Abstractions/OpenIddictResources.resx
@ -1280,12 +1280,6 @@ Alternatively, you can disable the token storage feature by calling 'services.Ad
  Error description: {1}
  Error URI: {2}</value>
  </data>
-  <data name="ID0328" xml:space="preserve">
-    <value>A generic error was returned by the remote authorization server.</value>
-  </data>
-  <data name="ID0329" xml:space="preserve">
-    <value>An unsupported response was returned by the remote authorization server.</value>
-  </data>
  <data name="ID0330" xml:space="preserve">
    <value>The provider name cannot be null or empty.</value>
  </data>
@ -1790,6 +1784,48 @@ Alternatively, you can disable the token storage feature by calling 'services.Ad
  <data name="ID2148" xml:space="preserve">
    <value>The userinfo request was rejected by the remote server.</value>
  </data>
+  <data name="ID2149" xml:space="preserve">
+    <value>The authorization demand was denied by the user or by the identity provider.</value>
+  </data>
+  <data name="ID2150" xml:space="preserve">
+    <value>The authorization request was rejected due to a missing or invalid parameter.</value>
+  </data>
+  <data name="ID2151" xml:space="preserve">
+    <value>The authorization request was rejected due to an invalid scope.</value>
+  </data>
+  <data name="ID2152" xml:space="preserve">
+    <value>The authorization request was rejected due to a remote server error.</value>
+  </data>
+  <data name="ID2153" xml:space="preserve">
+    <value>The authorization request was rejected due to a transient error.</value>
+  </data>
+  <data name="ID2154" xml:space="preserve">
+    <value>The authorization request was rejected due to the use of an incorrect or unauthorized grant type.</value>
+  </data>
+  <data name="ID2155" xml:space="preserve">
+    <value>The authorization request was rejected due to an unsupported response type.</value>
+  </data>
+  <data name="ID2156" xml:space="preserve">
+    <value>The authorization request was rejected because the user didn't select a user account.</value>
+  </data>
+  <data name="ID2157" xml:space="preserve">
+    <value>The authorization request was rejected because user consent was required to proceed the request.</value>
+  </data>
+  <data name="ID2158" xml:space="preserve">
+    <value>The authorization request was rejected because user interaction was required to proceed the request.</value>
+  </data>
+  <data name="ID2159" xml:space="preserve">
+    <value>The authorization request was rejected because user (re-)authentication was required to proceed the request.</value>
+  </data>
+  <data name="ID2160" xml:space="preserve">
+    <value>The authorization request was rejected by the identity provider.</value>
+  </data>
+  <data name="ID2161" xml:space="preserve">
+    <value>A generic {StatusCode} error was returned by the remote authorization server.</value>
+  </data>
+  <data name="ID2162" xml:space="preserve">
+    <value>An unsupported response was returned by the remote authorization server.</value>
+  </data>
  <data name="ID4000" xml:space="preserve">
    <value>The '{0}' parameter shouldn't be null or empty at this point.</value>
  </data>
@ -2422,6 +2458,9 @@ This may indicate that the hashed entry is corrupted or malformed.</value>
  <data name="ID6207" xml:space="preserve">
    <value>The userinfo request was rejected by the remote authorization server: {Response}.</value>
  </data>
+  <data name="ID6208" xml:space="preserve">
+    <value>The authorization request was rejected by the remote authorization server: {Response}.</value>
+  </data>
  <data name="ID8000" xml:space="preserve">
    <value>https://documentation.openiddict.com/errors/{0}</value>
  </data>
--- a/src/OpenIddict.Client.SystemNetHttp/OpenIddictClientSystemNetHttpHandlers.cs
+++ b/src/OpenIddict.Client.SystemNetHttp/OpenIddictClientSystemNetHttpHandlers.cs
@ -749,8 +749,8 @@ public static partial class OpenIddictClientSystemNetHttpHandlers
                        503 => Errors.TemporarilyUnavailable,
                        _   => Errors.ServerError
                    },
-                    description: SR.GetResourceString(SR.ID0328),
-                    uri: SR.FormatID8000(SR.ID0328));
+                    description: SR.FormatID2161((int) response.StatusCode),
+                    uri: SR.FormatID8000(SR.ID2161));

                return;
            }
@ -764,8 +764,8 @@ public static partial class OpenIddictClientSystemNetHttpHandlers

                context.Reject(
                    error: Errors.ServerError,
-                    description: SR.GetResourceString(SR.ID0329),
-                    uri: SR.FormatID8000(SR.ID0329));
+                    description: SR.GetResourceString(SR.ID2162),
+                    uri: SR.FormatID8000(SR.ID2162));

                return;
            }
--- a/src/OpenIddict.Client/OpenIddictClientHandlers.Userinfo.cs
+++ b/src/OpenIddict.Client/OpenIddictClientHandlers.Userinfo.cs
@ -121,7 +121,7 @@ public static partial class OpenIddictClientHandlers
                        error: context.Response.Error switch
                        {
                            Errors.InsufficientScope => Errors.InsufficientScope,
-                            Errors.InvalidRequest    => Errors.InvalidToken,
+                            Errors.InvalidRequest    => Errors.InvalidRequest,
                            Errors.InvalidToken      => Errors.InvalidToken,
                            _                        => Errors.ServerError
                        },
--- a/src/OpenIddict.Client/OpenIddictClientHandlers.cs
+++ b/src/OpenIddict.Client/OpenIddictClientHandlers.cs
@ -36,7 +36,7 @@ public static partial class OpenIddictClientHandlers
        ValidateStateTokenEndpointType.Descriptor,
        ResolveClientRegistrationFromStateToken.Descriptor,
        ValidateIssuerParameter.Descriptor,
-        ValidateFrontchannelErrorParameters.Descriptor,
+        HandleFrontchannelErrorResponse.Descriptor,
        ResolveGrantTypeFromStateToken.Descriptor,
        ResolveResponseTypeFromStateToken.Descriptor,

@ -663,7 +663,7 @@ public static partial class OpenIddictClientHandlers
    /// <summary>
    /// Contains the logic responsible for rejecting errored authorization responses.
    /// </summary>
-    public class ValidateFrontchannelErrorParameters : IOpenIddictClientHandler<ProcessAuthenticationContext>
+    public class HandleFrontchannelErrorResponse : IOpenIddictClientHandler<ProcessAuthenticationContext>
    {
        /// <summary>
        /// Gets the default descriptor definition assigned to this handler.
@ -671,7 +671,7 @@ public static partial class OpenIddictClientHandlers
        public static OpenIddictClientHandlerDescriptor Descriptor { get; }
            = OpenIddictClientHandlerDescriptor.CreateBuilder<ProcessAuthenticationContext>()
                .AddFilter<RequireRedirectionRequest>()
-                .UseSingletonHandler<ValidateFrontchannelErrorParameters>()
+                .UseSingletonHandler<HandleFrontchannelErrorResponse>()
                .SetOrder(ValidateIssuerParameter.Descriptor.Order + 1_000)
                .Build();

@ -683,17 +683,60 @@ public static partial class OpenIddictClientHandlers
                throw new ArgumentNullException(nameof(context));
            }

-            var (error, description, uri) = (
-                (string?) context.Request[Parameters.Error],
-                (string?) context.Request[Parameters.ErrorDescription],
-                (string?) context.Request[Parameters.ErrorUri]);
-
+            // Note: for more information about the standard error codes,
+            // see https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2.1 and
+            // https://openid.net/specs/openid-connect-core-1_0.html#AuthError.
+            var error = (string?) context.Request[Parameters.Error];
            if (!string.IsNullOrEmpty(error))
            {
+                context.Logger.LogInformation(SR.GetResourceString(SR.ID6208), context.Request);
+
                context.Reject(
-                    error: error ?? Errors.InvalidRequest,
-                    description: description,
-                    uri: uri);
+                    error: error switch
+                    {
+                        Errors.AccessDenied             => Errors.AccessDenied,
+                        Errors.AccountSelectionRequired => Errors.AccountSelectionRequired,
+                        Errors.ConsentRequired          => Errors.ConsentRequired,
+                        Errors.InteractionRequired      => Errors.InteractionRequired,
+                        Errors.InvalidRequest           => Errors.InvalidRequest,
+                        Errors.InvalidScope             => Errors.InvalidScope,
+                        Errors.LoginRequired            => Errors.LoginRequired,
+                        Errors.ServerError              => Errors.ServerError,
+                        Errors.TemporarilyUnavailable   => Errors.TemporarilyUnavailable,
+                        Errors.UnauthorizedClient       => Errors.UnauthorizedClient,
+                        Errors.UnsupportedResponseType  => Errors.UnsupportedResponseType,
+                        _                               => Errors.InvalidRequest
+                    },
+                    description: error switch
+                    {
+                        Errors.AccessDenied             => SR.GetResourceString(SR.ID2149),
+                        Errors.AccountSelectionRequired => SR.GetResourceString(SR.ID2156),
+                        Errors.ConsentRequired          => SR.GetResourceString(SR.ID2157),
+                        Errors.InteractionRequired      => SR.GetResourceString(SR.ID2158),
+                        Errors.InvalidRequest           => SR.GetResourceString(SR.ID2150),
+                        Errors.InvalidScope             => SR.GetResourceString(SR.ID2151),
+                        Errors.LoginRequired            => SR.GetResourceString(SR.ID2159),
+                        Errors.ServerError              => SR.GetResourceString(SR.ID2152),
+                        Errors.TemporarilyUnavailable   => SR.GetResourceString(SR.ID2153),
+                        Errors.UnauthorizedClient       => SR.GetResourceString(SR.ID2154),
+                        Errors.UnsupportedResponseType  => SR.GetResourceString(SR.ID2155),
+                        _                               => SR.GetResourceString(SR.ID2160)
+                    },
+                    uri: error switch
+                    {
+                        Errors.AccessDenied             => SR.FormatID8000(SR.ID2149),
+                        Errors.AccountSelectionRequired => SR.FormatID8000(SR.ID2156),
+                        Errors.ConsentRequired          => SR.FormatID8000(SR.ID2157),
+                        Errors.InteractionRequired      => SR.FormatID8000(SR.ID2158),
+                        Errors.InvalidRequest           => SR.FormatID8000(SR.ID2150),
+                        Errors.InvalidScope             => SR.FormatID8000(SR.ID2151),
+                        Errors.LoginRequired            => SR.FormatID8000(SR.ID2159),
+                        Errors.ServerError              => SR.FormatID8000(SR.ID2152),
+                        Errors.TemporarilyUnavailable   => SR.FormatID8000(SR.ID2153),
+                        Errors.UnauthorizedClient       => SR.FormatID8000(SR.ID2154),
+                        Errors.UnsupportedResponseType  => SR.FormatID8000(SR.ID2155),
+                        _                               => SR.FormatID8000(SR.ID2160)
+                    });

                return default;
            }
@ -716,7 +759,7 @@ public static partial class OpenIddictClientHandlers
                .AddFilter<RequireRedirectionRequest>()
                .AddFilter<RequireStateTokenPrincipal>()
                .UseSingletonHandler<ResolveGrantTypeFromStateToken>()
-                .SetOrder(ValidateFrontchannelErrorParameters.Descriptor.Order + 1_000)
+                .SetOrder(HandleFrontchannelErrorResponse.Descriptor.Order + 1_000)
                .SetType(OpenIddictClientHandlerType.BuiltIn)
                .Build();

--- a/src/OpenIddict.Validation.SystemNetHttp/OpenIddictValidationSystemNetHttpHandlers.cs
+++ b/src/OpenIddict.Validation.SystemNetHttp/OpenIddictValidationSystemNetHttpHandlers.cs
@ -750,8 +750,8 @@ public static partial class OpenIddictValidationSystemNetHttpHandlers
                        503 => Errors.TemporarilyUnavailable,
                        _   => Errors.ServerError
                    },
-                    description: SR.GetResourceString(SR.ID0328),
-                    uri: SR.FormatID8000(SR.ID0328));
+                    description: SR.FormatID2161((int) response.StatusCode),
+                    uri: SR.FormatID8000(SR.ID2161));

                return;
            }
@ -765,8 +765,8 @@ public static partial class OpenIddictValidationSystemNetHttpHandlers

                context.Reject(
                    error: Errors.ServerError,
-                    description: SR.GetResourceString(SR.ID0329),
-                    uri: SR.FormatID8000(SR.ID0329));
+                    description: SR.GetResourceString(SR.ID2162),
+                    uri: SR.FormatID8000(SR.ID2162));

                return;
            }