During the authorisation code grant flow, the resource owner is invited to authenticate and authorise the request. If everything goes correctly, an authorisation code is issued to the OIDC client.
The issue is happening on error handling from the resource owner:
The OP (it's AM) should handle potential 4xx errors and when appropriate, return the error:
- In the UI screen, by displaying the error to the resource owner
- to the OIDC client via the redirect uri using the fragment. ie: redirect_uri#error_code=$errorCode&error_description=$error_description.
When the Resource owner failed to authenticate or reject the consent, the OP should redirect the error to the OIDC client via the fragment.
Currently, AM is returning the error to the resource owner.
In different part of the spec, it says that:
Unless the Redirection URI is invalid, the Authorization Server returns the Client to the Redirection URI specified in the Authorization Request with the appropriate error and state parameters.
If the resource owner denies the access request or if the request
fails for reasons other than a missing or invalid redirection URI,
the authorization server informs the client by adding the following
parameters to the query component of the redirection URI using the
"application/x-www-form-urlencoded" format, per
First start by setting up a successful authorisation code grant flow
- First start by setting up a successful authorisation code grant flow
- Setup a basic tree as the default authentication service. (just a login/password tree would do the job)
- Once you managed to get an authorisation code return to the RP, you can consider you have the success scenario done.
To reproduce the authentication failure handling scenario
- Restart the authorisation code grant flow but this time, enter a wrong password.
To reproduce the authorisation failure handling scenario
- Restart the authorisation code grant flow
- Enter the right credential. You will be redirected to the consent page
- Deny the consent
It's not easy to identify which error code you should use in those error scenarios.
The one that seems to be the closest that we can use:
@James suggested that, as this is a major change of behaviour, this fix should be switch in by the config.
ie: enabled by default on a vanilla AM installation. Disabled if it's an AM upgrade.