From 8f1570b1798042e2df23444376a7efef8ef24f9a Mon Sep 17 00:00:00 2001 From: Wytse van der Velde Date: Tue, 4 Jun 2019 17:44:37 +0200 Subject: [PATCH 1/2] Modified response code 400 to 401 When passing invalid client credentials (either client_id or client_secret) when requesting an access token, instead of returning a 400 response code, it should be returning a 401 response code for unauthorized. Limited it to the case where all conditions (public/non public) are passed and its only about the credentials. TokenControllerTest modified accordingly. --- src/OAuth2/ClientAssertionType/HttpBasic.php | 2 +- test/OAuth2/Controller/TokenControllerTest.php | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/OAuth2/ClientAssertionType/HttpBasic.php b/src/OAuth2/ClientAssertionType/HttpBasic.php index ef6120300..ea68ce1b0 100644 --- a/src/OAuth2/ClientAssertionType/HttpBasic.php +++ b/src/OAuth2/ClientAssertionType/HttpBasic.php @@ -71,7 +71,7 @@ public function validateRequest(RequestInterface $request, ResponseInterface $re return false; } } elseif ($this->storage->checkClientCredentials($clientData['client_id'], $clientData['client_secret']) === false) { - $response->setError(400, 'invalid_client', 'The client credentials are invalid'); + $response->setError(401, 'invalid_client', 'The client credentials are invalid'); return false; } diff --git a/test/OAuth2/Controller/TokenControllerTest.php b/test/OAuth2/Controller/TokenControllerTest.php index d18eaa6d7..51df1ec8d 100644 --- a/test/OAuth2/Controller/TokenControllerTest.php +++ b/test/OAuth2/Controller/TokenControllerTest.php 
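Review bot: The new `$response->setError(401, 'invalid_client', ...)` line sends a 401 without the `WWW-Authenticate` challenge that RFC 6749 §5.2 requires whenever the client authenticated through the `Authorization` header, and it returns 401 unconditionally even if this class also accepted the credentials from the request body (decided above the hunk, not visible here), where the RFC keeps 400. Consider adding the challenge in the same branch, e.g. `$response->addHttpHeaders(array('WWW-Authenticate' => 'Basic realm="Service"'));` (assuming the response object exposes such a header setter), and scoping the 401 to header-based credentials. Per the commit message, other `invalid_client` paths above the hunk keep 400, so the two statuses now diverge; a comment such as `// 401 (+ WWW-Authenticate) only for a failed Authorization-header login, RFC 6749 §5.2` would keep the next maintainer from "fixing" one to match the other. validateRequest starts and ends outside the hunk.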
@@ -96,7 +96,7 @@ public function testInvalidClientId() )); $server->handleTokenRequest($request, $response = new Response()); - $this->assertEquals($response->getStatusCode(), 400); + $this->assertEquals($response->getStatusCode(), 401); $this->assertEquals($response->getParameter('error'), 'invalid_client'); $this->assertEquals($response->getParameter('error_description'), 'The client credentials are invalid'); } @@ -113,7 +113,7 @@ public function testInvalidClientSecret() )); $server->handleTokenRequest($request, $response = new Response()); - $this->assertEquals($response->getStatusCode(), 400); + $this->assertEquals($response->getStatusCode(), 401); $this->assertEquals($response->getParameter('error'), 'invalid_client'); $this->assertEquals($response->getParameter('error_description'), 'The client credentials are invalid'); } From b94f72b2e175dcd5cef87ad2f331e20696a1b637 Mon Sep 17 00:00:00 2001 From: Wytse van der Velde Date: Tue, 4 Jun 2019 18:00:06 +0200 Subject: [PATCH 2/2] Added missing test - added missing test for client credentials and the 400 -to 401 response code change --- test/OAuth2/GrantType/ClientCredentialsTest.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/OAuth2/GrantType/ClientCredentialsTest.php b/test/OAuth2/GrantType/ClientCredentialsTest.php index 2a7d0eb3d..246f96bbd 100644 --- a/test/OAuth2/GrantType/ClientCredentialsTest.php +++ b/test/OAuth2/GrantType/ClientCredentialsTest.php @@ -21,7 +21,7 @@ public function testInvalidCredentials() )); $server->handleTokenRequest($request, $response = new Response()); - $this->assertEquals($response->getStatusCode(), 400); + $this->assertEquals($response->getStatusCode(), 401); $this->assertEquals($response->getParameter('error'), 'invalid_client'); $this->assertEquals($response->getParameter('error_description'), 'The client credentials are invalid'); }
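Review bot: The two updated assertions pass the actual value first and the expected value second (`assertEquals($response->getStatusCode(), 401)`), so a failure message reports the values backwards; prefer `$this->assertSame(401, $response->getStatusCode());`, which also rejects a string "401". Neither test checks that the 401 carries a `WWW-Authenticate` challenge, which RFC 6749 §5.2 requires when the client authenticated via the Authorization header; if HttpBasic adds it, pin it here, e.g. `$this->assertEquals('Basic realm="Service"', $response->getHttpHeader('WWW-Authenticate'));` (adjusted to whatever header accessor the Response class exposes). Both test methods start before the hunk.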
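Review bot: Despite the subject "Added missing test", this hunk only flips an existing expectation in testInvalidCredentials; no test pins the boundary the first patch's message describes, namely that only the wrong-credentials case moves to 401 while the other `invalid_client` rejections (as that message implies, e.g. a public client sending a secret) stay at 400. A companion test such as `testPublicClientWithSecretStillReturns400` next to `testInvalidCredentials` would keep the two paths from drifting. As elsewhere, write the assertion expected-first: `$this->assertSame(401, $response->getStatusCode());`. testInvalidCredentials starts before the hunk.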