Description
Describe the bug
`oauthlib` raises `invalid_client` errors with the wrong exception base class.
How to reproduce
Return `False` from any `validator.authenticate_client()` call in the authorization code, client_credentials, refresh, password, introspect or revocation flows.
Expected behavior
When the client is unknown or invalid (`authenticate_client()` returns `False`), `oauthlib` should raise a `FatalClientError` exception:
```python
class InvalidClientError(FatalClientError)
```
and not:
```python
class InvalidClientError(OAuth2Error)
```
Additional context
The subtle difference between the two base classes is described in `errors.py` as below:
```python
class OAuth2Error(Exception):
    ...  # base class of all exceptions (body elided in the issue)


class FatalClientError(OAuth2Error):
    """
    Errors during authorization where user should not be redirected back.
    If the request fails due to a missing, invalid, or mismatching
    redirection URI, or if the client identifier is missing or invalid,
    the authorization server SHOULD inform the resource owner of the
    error and MUST NOT automatically redirect the user-agent to the
    invalid redirection URI.
    Instead the user should be informed of the error by the provider itself.
    """
    pass
```
This `FatalClientError` base class is used by web frameworks to distinguish errors that should be redirected back to the client from errors that should be shown to the user. The change could break an implementation's tests, but it's an important bug fix.
See the current try/except in a few web frameworks:
https://github.com/thomsonreuters/bottle-oauthlib/blob/master/bottle_oauthlib/oauth2.py#L219-L223
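As an added example (not oauthlib's or bottle-oauthlib's own code), the model below reproduces the hierarchy quoted above together with a handler in the style of the linked try/except, and shows the consequence of the base class: with `OAuth2Error` as the base, an unknown client's `redirect_uri` is still followed; with `FatalClientError`, the provider renders the error itself. `handle_error`, `token_request`, `authenticate_client` and the two `InvalidClientError*` variants are assumed names for this illustration.

```python
# Added example, not oauthlib's own code: a minimal model of the exception
# hierarchy the issue describes, plus a hypothetical framework-style handler.

class OAuth2Error(Exception):
    """Base class of all errors (modelled on the page's description)."""
    error = "server_error"

    def __init__(self, description="", redirect_uri=None):
        super().__init__(description)
        self.description = description
        self.redirect_uri = redirect_uri


class FatalClientError(OAuth2Error):
    """Errors where the user-agent MUST NOT be redirected back to the client."""


class InvalidClientErrorBuggy(OAuth2Error):
    """Current base class reported in the issue (wrong)."""
    error = "invalid_client"


class InvalidClientErrorFixed(FatalClientError):
    """Expected base class."""
    error = "invalid_client"


def handle_error(exc):
    """Mirrors the try/except pattern the issue links to: fatal errors are
    rendered by the provider itself, anything else is sent to redirect_uri."""
    if isinstance(exc, FatalClientError):
        return {"action": "render_error_page", "error": exc.error}
    return {"action": "redirect", "location": f"{exc.redirect_uri}?error={exc.error}"}


def authenticate_client(client_id, known_clients):
    """Stand-in for validator.authenticate_client(): False for unknown clients."""
    return client_id in known_clients


def token_request(client_id, redirect_uri, known_clients, error_cls):
    """Simulate a flow that raises error_cls when client authentication fails."""
    try:
        if not authenticate_client(client_id, known_clients):
            raise error_cls("client authentication failed", redirect_uri=redirect_uri)
        return {"action": "issue_token"}
    except OAuth2Error as exc:
        return handle_error(exc)
```

Calling `token_request("unknown", "https://unverified.example/cb", {"trusted-app"}, InvalidClientErrorBuggy)` yields a redirect to the unverified URI, while the `InvalidClientErrorFixed` variant yields an error page rendered by the provider.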