Check for errors in authorization code response #680
Conversation
|
Hi @MrkGrgsn ! This looks a good change to me. However, before approving it, and in order to add a little bit of context, could you tell which library are you using and/or how do you use this library ? (sample of code) Thanks ! |
|
I'm working on an ORCID integration with a Django app using requests_oauthlib. The goal is to link the local user account with their ORCID record and later query and retrieve some resources. I'm using the 'Web Application Flow' aka Authorisation Code Grant Type. I can't link to the source code but the code pre-PR is similar to this simplified example showing the view that handles the redirect from the authorisation server: class FetchAccessTokenView():
def get():
try:
token = session.fetch_token()
except MissingCodeError:
error = request.GET.get('error', None)
if error:
if error == 'access_denied':
# ask user to reconsider
elif error == 'temporarily_unavailable':
# ask user to try again later
else:
# unexpected, log and provide feedbackWhich will break post-PR. On the other hand, you could check the error param prior to calling With the attached PR, I can simply use the try/except without any extra handling of the error param: class FetchAccessTokenView():
def get():
try:
token = session.fetch_token()
except AccessDeniedError:
# ask user to reconsider
except TemporarilyUnavailableError
# ask user to try again later
except MissingCodeError:
# unexpected, log and provide feedback |
Fixes #290 by adding error checking to
parse_authorization_code_response()before any validation of thecodeparam is done.Note that I also shifted the
statecheck before both the error and code checks -stateis required in the response and if it isn't correct, why would we trust any of the other params? This is a little out-of-scope so let me know if you'd prefer I revert that bit.Also note that this is a breaking change as I mentioned in #290 (comment) because client error handling behaviour will need to change.