Change: More descriptive exceptions on /user/token endpoint #83
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Sadly, this is default security measures for OAuth endpoint. This has to do that otherwise people can (relatively easy) sniff out secrets; which should be avoided. I understand that this might be annoying when implementing a client, but this is exactly why a reference implementation is supplied. Best way to implement this locally, is run a local setup and code against that. That does allow you to get a more fine-grained information about any issues and hurdles you hit. So, in conclusion, sadly, I will not accept this PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I'm developing a CLI and have been quite overwhelmed with the 404s and 500 exceptions. With this, I think the errors should be easier to handle for any developer trying to authenticate. If the user cannot be found by code, it still throws a 404 exception.
One could technically just put a 403 for the code_verifier exception, as that would fit more than a 404.