Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
According to https://www.drupal.org/node/2835573#comment-11829914 we need better error messages for 401, 403 errors, etc.
Proposed resolution
Return meaningful HTTP status codes per the RFC.
Remaining tasks
Change record.
User interface changes
None
API changes
Invalid Bearer tokens now throw an error, where previously it meant the anonymous user would be used, instead.
Data model changes
None.
Comment | File | Size | Author |
---|---|---|---|
#16 | descriptive-exceptions-2840205-16.patch | 4.38 KB | bradjones1 |
| |||
#16 | interdiff-15-16.txt | 649 bytes | bradjones1 |
#15 | descriptive-exceptions-2840205-15.patch | 3.64 KB | bradjones1 |
#15 | interdiff-13-15.txt | 1.73 KB | bradjones1 |
#9 | descriptive-exceptions-2840205-9.patch | 1.02 KB | mediabounds |
Comments
Comment #2
mediabounds CreditAttribution: mediabounds commentedHere's a basic pass at resolving this issue. The underlying OAuth library does have decent error messages (and varying status codes) for the various cases when an access or refresh token is not valid. Instead of eating the exception and only logging to watchdog, this rethrows as a symphony HttpException which allows the underlying error to be passed all the way back to the response.
Comment #3
e0ipsoComment #5
mediabounds CreditAttribution: mediabounds commentedReapplies patch against 8.x-3.x branch and fixes formatting issues.
Comment #6
mediabounds CreditAttribution: mediabounds commentedComment #7
e0ipsoI'm closing this as part of issue queue cleanup. Please reopen if necessary.
Comment #8
mediabounds CreditAttribution: mediabounds commentedIMHO, I think this is still applicable--I still use this patch anywhere I'm using Simple OAuth.
I want for the client application(s) of our service to be able to understand why a request was rejected. Without this patch, the server responds with a generic access denied status code. With this patch, the response body will indicate if the request was rejected due to an access token or refresh token being expired or revoked.
Comment #9
mediabounds CreditAttribution: mediabounds commentedAdjusting the patch to avoid sending the exception headers--it seems that has an unintended side effect of changing the response format.
Comment #10
bradjones1To put a bit of a finer point on it, certain client implementations (e.g., https://github.com/shoutem/fetch-token-intercept) use the HTTP status code to more directly map the error to the spec and its recovery/refresh strategy.
Comment #11
bradjones1Comment #12
bradjones1Adding related issue that pertains to 401 responses prompting a retry on the client-side and a Drupal core bug poisoning the route matching cache.
Comment #13
bradjones1Found another spot where this needed to be applied; also updated the previous patch to pass along the previous exception and break up the lines to under 80 chars.
Comment #14
bradjones1Comment #15
bradjones1Actually... the test failures point to an interesting angle, which should have been more clear to me earlier on: this is a change in behaviour in so far as the authentication provider throws an error when the provided Bearer token is invalid; the tests rely on the previous behaviour, where the provider returned NULL, meaning no user was found and thus the anonymous user would be loaded. (More on why this is bad, below.)
For the reasons already explored above, this is undesirable in the context of OAuth. I don't think the current behaviour is strictly inconsistent with RFC 6750, but it also makes a SHOULD recommendation regarding invalid access tokens:
Sending a 401/other compliant response helps clients choose what to do next; a 200 response with the anonymous user's access reflected in the content is indecipherable from a failed authentication via Bearer token.
Updated patch enclosed with the tests updated to reflect this; as it's a change in behaviour, I think it also requires a change record. I'm happy to draft one up.
Comment #16
bradjones1Telling Guzzle not to throw an exception on errors.
Comment #17
e0ipsoI believe the proposed changes make sense.
Thanks for contributing @mediabounds and @bradjones1! This module is better and more useful thanks to you. Open source maintainers need contributions to keep up. ❤️
If you think it's worth it, I would appreciate if contacted your employer about sponsoring some of my contribution time.
Comment #18
e0ipsoComment #20
bradjones1