OAuth2: How do I send a "deny" request to the OAuth2 server?

When a user needs to approve an OAuth2 authentication request, they are usually presented with Approve and Cancel buttons.

What should I send when users click Cancel?

As a developer, what am I sending to the OAuth server so that it rejects the request when the user clicks Cancel?

I tried to use the "deny" grant type, but it didn't work. I know what to send to get approved, but I don't see what I have to send to get the OAuth server to respond to the redirect_uri with an error in the event the user cancels.

I looked through the spec and this nice OAuth2 Simplified article but couldn't see it.


NOTE: I don't see this clearly in detail. Is my application supposed to manage this by itself? For example, instead of sending anything to the OAuth2 server in this case, does my app just add its own error to the redirect_uri?

{redirect-url}?error=access_denied&error_description=The+user+clicked+deny

If so, it seems a little odd, as every implementer will have to do the work of building the URL with the error code and reason.

+3




2 answers


I don't think this is part of the standard from what I see. I think it was left to every OAuth2 service developer to determine how they want to do this.

For example, oauth2orize is a well-used OAuth2 library used by the super popular Passport node module, and it does it like this:

NOTE: These links may point to older versions of the code. They are permalinks, to make sure they point to the right place in the code:



https://github.com/jaredhanson/oauth2orize/blob/c59aefd14b0fb98f97e3419b8d611c0fb4255c69/lib/middleware/decision.js#L46

https://github.com/jaredhanson/oauth2orize/blob/c59aefd14b0fb98f97e3419b8d611c0fb4255c69/test/middleware/decision.test.js#L75-L83

+2




See https://tools.ietf.org/html/rfc6749#section-4.1.2.1

"If the resource owner denies the access request, or if the request fails for reasons other than a missing or invalid redirection URI, the authorization server informs the client by adding the following parameters to the query component of the redirection URI using the "application/x-www-form-urlencoded" format."

Example:



HTTP/1.1 302 Found
Location: https://client.example.com/cb?error=access_denied&state=xyz

To redirect in PHP:

<?php
// http_redirect() comes from the pecl_http extension (v1); it is not part of core PHP.
// Arguments: target URL, query parameters (appended application/x-www-form-urlencoded),
// whether to append the session ID, and the HTTP status to send (302 Found here).
http_redirect("https://client.example.com/cb", array("error" => "access_denied", "state" => "xyz", "error_description" => "The user clicked deny"), true, HTTP_REDIRECT_FOUND);
?>

+4

