-
Notifications
You must be signed in to change notification settings - Fork 258
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Client.parse_response misinterprets success as failure #879
Comments
Eh, this looks like a grey area to me... The response you have posted is definitely not a valid The specs do say to ignore extra fields that are not recognised, but Also, the specs suggest (I think) to omit fields that are empty (in this case the @schlenk Your opinion? |
The OAuth2 RFC 6749 is clear in this case, at least for the code flow, it gets murky for the implicit flow: As the standard also requires error responses to have HTTP status code 400, those can be distinguished from successful responses with the HTTP 200 status, even if both include all required fields for both case. So the code should use the HTTP status code to distinguish if this is a success or error response and handle them accordingly. In the implicit flow i think the case is ambiguous. The reading in 4.2.2 and 4.2.21 make it indistingushable. A response could be either a failure or a success message, as there is no HTTP status code to make the final decision from. But if it contains a non null access_token, and a null error code, i would still think it is a success. If both are set, i would opt for error, as something is obviously broken. So i think this should work and should result in a valid AccessTokenResponse, if it is sent with a HTTP status code of 200 and as a broken ErrorResponse if received with a status code 400. @tpazderka The implementation decision of Keycloak is still weird, as it just wastes bandwith to include useless null values. |
Yeah, you are correct about the omitting of empty claims... That's what I remember... We could test for presence of non-empty |
Should work good enough, yes. |
I am attempting to do an access token request:
The request proceeds, gets to the openid server, and gets back this response from Keycloak. This is a successful response - and what I expect to receive back
Once parse_response is executed:
It does these steps:
Both of these evaluate to true. There's an "error" key that's equal to
None
, and resp is a perfectly valid AccessTokenResponse.ResponseError("Missing or faulty response")
despite a non-missing, non-faulty responseLooking at the RFC, it seems like Keycloak isn't doing anything wrong. https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2
The text was updated successfully, but these errors were encountered: