If token authentication fails should set WWW-Authenticate header #553
Comments
Errors: properties related to the OAuth protocol flow.

The instances of the errors described below are referred to as:

- InvalidRequestError: Section 4.2.2.1 of RFC 6749 and Section 3.1 of RFC 6750. Status code SHOULD be
- InvalidTokenError: Section 4.2.2.1 of RFC 6749 and Section 3.1 of RFC 6750. Status code SHOULD be
- InsufficientScopeError: Status code SHOULD be
- UnauthorizedRequestError: Status code SHOULD be

I created a pull request with the code to write headers: #555
Any news?
* Compute the correct redirect_uri in case the resource owner denies access. According to https://tools.ietf.org/html/rfc6749#section-4.1.2.1, once the redirect_uri & client_id are correct the authorization server should inform the client that the user denied access. The change is to move validation of resource owner approval after the redirect_uri & client identifier validation so the correct redirect url is computed
* Remove commented code
* Note we're now also seeking reviewers
* Update readme with link to v5-dev branch
* Add renovate.json
* Add link to examples repo. Closes oauthjs#571
* Update dependency bluebird to v3.7.2
* Update dependency jshint to v2.11.0
* Update dependency mocha to v3.5.3
* Update dependency sinon to v2.4.1
* Update dependency statuses to v1.5.0
* Update dependency basic-auth to v2
* Update node versions
* Bump lodash from 4.17.4 to 4.17.15. Bumps [lodash](https://github.com/lodash/lodash) from 4.17.4 to 4.17.15.
  - [Release notes](https://github.com/lodash/lodash/releases)
  - [Commits](lodash/lodash@4.17.4...4.17.15)
  Signed-off-by: dependabot[bot] <[email protected]>
* Update dependency type-is to v1.6.18
* Update dependency should to v13
* add codecoverage and upgrade packages
* Update dependency jshint to v2.11.1
* Drop support for node 4/6/8 and add tests for 14
* Update dependency sinon to v9
* Update dependency mocha to v7
* Release 3.0.2 🎉
* Release 3.0.2 🎉
* Revert "Drop support for node 4/6/8 and add tests for 14". This reverts commit b84778b.
* Revert "Merge pull request oauthjs#596 from oauthjs/renovate/mocha-7.x". This reverts commit cb2bb88, reversing changes made to 6997303.
* Revert "Merge pull request oauthjs#602 from oauthjs/renovate/sinon-9.x". This reverts commit 6997303, reversing changes made to b84778b.
* Bump mocha and sinon to latest versions supporting node v4
* Add testing for node v14
* Update readme with project status update
* remove renovate in favour of dependabot
* Add FUNDING.yml (oauthjs#630)
* Updated .gitignore
* Changed 'hasOwnProperty' call in Request
* Changed 'hasOwnProperty' call in Response
* set numArgs for promisify of generateAuthorizationCode
* readme: Update Slack badge and link
* fix: issue correct expiry dates for tokens oauthjs#444, related to a NodeJS (nodejs/node#7074) and furthermore V8 bug (https://bugs.chromium.org/p/v8/issues/detail?id=3637); replaced seconds calculation with milliseconds.
* Merge pull request oauthjs#451 from razvanz/fix/validate-scope-on-authorize: fix: validate requested scope on authorize request
* Merge pull request oauthjs#491 from mattgrande/master: docs: Ensure accessTokenExpiresAt is required
* Merge pull request oauthjs#471 from smartrecruiters/fix-migration-documentaiton: docs: Correct tokens time scale for 2.x to 3.x migration guide
* Updated changelog
* Tag 3.1.0-rc1
* 3.1.0 bump
* Bump lodash from 4.17.15 to 4.17.19. Bumps [lodash](https://github.com/lodash/lodash) from 4.17.15 to 4.17.19.
  - [Release notes](https://github.com/lodash/lodash/releases)
  - [Commits](lodash/lodash@4.17.15...4.17.19)
  Signed-off-by: dependabot-preview[bot] <[email protected]>
* v3.1.1 (oauthjs#636)
* Bump jshint from 2.11.1 to 2.12.0 (oauthjs#640). Bumps [jshint](https://github.com/jshint/jshint) from 2.11.1 to 2.12.0.
  - [Release notes](https://github.com/jshint/jshint/releases)
  - [Changelog](https://github.com/jshint/jshint/blob/master/CHANGELOG.md)
  - [Commits](jshint/jshint@2.11.1...2.12.0)
  Signed-off-by: dependabot-preview[bot] <[email protected]>
  Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
* Set WWW-Authenticate header for invalid requests. This adds the WWW-Authenticate header for InvalidRequestError, InvalidTokenError, and InsufficientScopeError, as specified in RFC 6750, Section 3. Fixes oauthjs#553
* cherry pick
* rm lock
* fix: lint errors
* fix grant types
* custom types init
* Update .travis.yml
* git merge artifact

Co-authored-by: Igor Czechowski <[email protected]>
Co-authored-by: Szymon Kiebzak <[email protected]>
Co-authored-by: Thom Seddon <[email protected]>
Co-authored-by: Renovate Bot <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Aras Abbasi <[email protected]>
Co-authored-by: mjsalinger <[email protected]>
Co-authored-by: Pritilender <[email protected]>
Co-authored-by: nkzawa <[email protected]>
Co-authored-by: Max Truxa <[email protected]>
Co-authored-by: Razvan <[email protected]>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Jonas Hermsmeier <[email protected]>
…of RFC 6749 and Section 3.1 of RFC 6750. Fixes for oauthjs#553.
When the authentication to get a resource fails (so only when checking the Authorization header), RFC 6750 says that a WWW-Authenticate header must be set in the response. This library doesn't do this. Is it a wanted behaviour or a forgotten functionality to implement? Because I have seen some closed issues related to versions 1.x and 2.x, but then no one talked about it and it has not been implemented yet. Thank you all, you are doing great work anyway.
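For the behaviour the issue asks for, here is an added example (not node-oauth2-server's own code) that builds the RFC 6750 Section 3 `WWW-Authenticate` challenge for the three bearer-token error codes and for a request that carried no token at all; the realm name `service`, the `err` object shape and the `sendChallenge` helper are assumptions.

```javascript
// Added example: build the RFC 6750 Section 3 WWW-Authenticate challenge for
// a failed bearer-token check. Status codes follow RFC 6750 Section 3.1.
// The realm value and the shape of `err` are assumed for this example.

const REALM = 'service'; // assumed realm name for the protected resource

// RFC 6750 Section 3.1 maps each error code to an HTTP status.
const STATUS_BY_ERROR = {
  invalid_request: 400,
  invalid_token: 401,
  insufficient_scope: 403,
};

// Challenge attribute values are quoted strings that may not contain '"' or
// '\' (RFC 6750 Section 3 ABNF); drop such characters rather than emit a
// malformed header a client could misparse.
function quote(value) {
  return '"' + String(value).replace(/["\\]/g, '') + '"';
}

// err: { code, description, scope } or null when no token was presented.
// Returns the status to send and the full WWW-Authenticate header value.
function bearerChallenge(err) {
  const params = ['realm=' + quote(REALM)];
  if (!err) {
    // No credentials at all: 401 with a bare challenge and no error code,
    // as RFC 6750 Section 3.1 requires.
    return { status: 401, header: 'Bearer ' + params.join(', ') };
  }
  const status = STATUS_BY_ERROR[err.code];
  if (status === undefined) throw new Error('unknown bearer error code: ' + err.code);
  params.push('error=' + quote(err.code));
  if (err.description) params.push('error_description=' + quote(err.description));
  // The scope attribute only makes sense when the token lacked scope.
  if (err.code === 'insufficient_scope' && err.scope) params.push('scope=' + quote(err.scope));
  return { status, header: 'Bearer ' + params.join(', ') };
}

// Apply the challenge to a Node-style response (statusCode + setHeader).
function sendChallenge(res, err) {
  const { status, header } = bearerChallenge(err);
  res.statusCode = status;
  res.setHeader('WWW-Authenticate', header);
  return status;
}
```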