Merge pull request #728 from azmeuk/720-error-description

Fix invalid characters in 'error_description'

Author: lepture

authlib/jose/errors.py

@@ -59,46 +59,46 @@ class KeyMismatchError(JoseError):
 
 class MissingEncryptionAlgorithmError(JoseError):
     error = "missing_encryption_algorithm"
-    description = 'Missing "enc" in header'
+    description = "Missing 'enc' in header"
 
 
 class UnsupportedEncryptionAlgorithmError(JoseError):
     error = "unsupported_encryption_algorithm"
-    description = 'Unsupported "enc" value in header'
+    description = "Unsupported 'enc' value in header"
 
 
 class UnsupportedCompressionAlgorithmError(JoseError):
     error = "unsupported_compression_algorithm"
-    description = 'Unsupported "zip" value in header'
+    description = "Unsupported 'zip' value in header"
 
 
 class InvalidUseError(JoseError):
     error = "invalid_use"
-    description = 'Key "use" is not valid for your usage'
+    description = "Key 'use' is not valid for your usage"
 
 
 class InvalidClaimError(JoseError):
     error = "invalid_claim"
 
     def __init__(self, claim):
         self.claim_name = claim
-        description = f'Invalid claim "{claim}"'
+        description = f"Invalid claim '{claim}'"
         super().__init__(description=description)
 
 
 class MissingClaimError(JoseError):
     error = "missing_claim"
 
     def __init__(self, claim):
-        description = f'Missing "{claim}" claim'
+        description = f"Missing '{claim}' claim"
         super().__init__(description=description)
 
 
 class InsecureClaimError(JoseError):
     error = "insecure_claim"
 
     def __init__(self, claim):
-        description = f'Insecure claim "{claim}"'
+        description = f"Insecure claim '{claim}'"
         super().__init__(description=description)
 
 

authlib/oauth2/base.py

@@ -2,6 +2,24 @@
 from authlib.common.urls import add_params_to_uri
 
 
+def invalid_error_characters(text: str) -> list[str]:
+    """Check whether the string only contains characters from the restricted ASCII set defined in RFC6749 for errors.
+
+    https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
+    """
+    valid_ranges = [
+        (0x20, 0x21),
+        (0x23, 0x5B),
+        (0x5D, 0x7E),
+    ]
+
+    return [
+        char
+        for char in set(text)
+        if not any(start <= ord(char) <= end for start, end in valid_ranges)
+    ]
+
+
 class OAuth2Error(AuthlibHTTPError):
     def __init__(
         self,
@@ -13,6 +31,17 @@ def __init__(
         redirect_fragment=False,
         error=None,
     ):
+        # Human-readable ASCII [USASCII] text providing
+        # additional information, used to assist the client developer in
+        # understanding the error that occurred.
+        # Values for the "error_description" parameter MUST NOT include
+        # characters outside the set %x20-21 / %x23-5B / %x5D-7E.
+        if description:
+            if chars := invalid_error_characters(description):
+                raise ValueError(
+                    f"Error description contains forbidden characters: {', '.join(chars)}."
+                )
+
         super().__init__(error, description, uri, status_code)
         self.state = state
         self.redirect_uri = redirect_uri

authlib/oauth2/rfc6749/authorization_server.py

@@ -264,7 +264,7 @@ def create_endpoint_response(self, name, request=None):
         :return: Response
         """
         if name not in self._endpoints:
-            raise RuntimeError(f'There is no "{name}" endpoint.')
+            raise RuntimeError(f"There is no '{name}' endpoint.")
 
         endpoints = self._endpoints[name]
         for endpoint in endpoints:

authlib/oauth2/rfc6749/errors.py

@@ -217,7 +217,7 @@ def get_headers(self):
 
 class MissingAuthorizationError(ForbiddenError):
     error = "missing_authorization"
-    description = 'Missing "Authorization" in headers.'
+    description = "Missing 'Authorization' in headers."
 
 
 class UnsupportedTokenTypeError(ForbiddenError):
@@ -229,17 +229,17 @@ class UnsupportedTokenTypeError(ForbiddenError):
 
 class MissingCodeException(OAuth2Error):
     error = "missing_code"
-    description = 'Missing "code" in response.'
+    description = "Missing 'code' in response."
 
 
 class MissingTokenException(OAuth2Error):
     error = "missing_token"
-    description = 'Missing "access_token" in response.'
+    description = "Missing 'access_token' in response."
 
 
 class MissingTokenTypeException(OAuth2Error):
     error = "missing_token_type"
-    description = 'Missing "token_type" in response.'
+    description = "Missing 'token_type' in response."
 
 
 class MismatchingStateException(OAuth2Error):

authlib/oauth2/rfc6749/grants/authorization_code.py

@@ -213,26 +213,26 @@ def validate_token_request(self):
         log.debug("Validate token request of %r", client)
         if not client.check_grant_type(self.GRANT_TYPE):
             raise UnauthorizedClientError(
-                f'The client is not authorized to use "grant_type={self.GRANT_TYPE}"'
+                f"The client is not authorized to use 'grant_type={self.GRANT_TYPE}'"
             )
 
         code = self.request.form.get("code")
         if code is None:
-            raise InvalidRequestError('Missing "code" in request.')
+            raise InvalidRequestError("Missing 'code' in request.")
 
         # ensure that the authorization code was issued to the authenticated
         # confidential client, or if the client is public, ensure that the
         # code was issued to "client_id" in the request
         authorization_code = self.query_authorization_code(code, client)
         if not authorization_code:
-            raise InvalidGrantError('Invalid "code" in request.')
+            raise InvalidGrantError("Invalid 'code' in request.")
 
         # validate redirect_uri parameter
         log.debug("Validate token redirect_uri of %r", client)
         redirect_uri = self.request.redirect_uri
         original_redirect_uri = authorization_code.get_redirect_uri()
         if original_redirect_uri and redirect_uri != original_redirect_uri:
-            raise InvalidGrantError('Invalid "redirect_uri" in request.')
+            raise InvalidGrantError("Invalid 'redirect_uri' in request.")
 
         # save for create_token_response
         self.request.client = client
@@ -272,7 +272,7 @@ def create_token_response(self):
 
         user = self.authenticate_user(authorization_code)
         if not user:
-            raise InvalidGrantError('There is no "user" for this code.')
+            raise InvalidGrantError("There is no 'user' for this code.")
         self.request.user = user
 
         scope = authorization_code.get_scope()
@@ -373,7 +373,7 @@ def validate_code_authorization_request(grant):
     response_type = request.response_type
     if not client.check_response_type(response_type):
         raise UnauthorizedClientError(
-            f'The client is not authorized to use "response_type={response_type}"',
+            f"The client is not authorized to use 'response_type={response_type}'",
             state=grant.request.state,
             redirect_uri=redirect_uri,
         )

authlib/oauth2/rfc6749/grants/base.py

@@ -141,7 +141,7 @@ def validate_authorization_redirect_uri(request: OAuth2Request, client):
             redirect_uri = client.get_default_redirect_uri()
             if not redirect_uri:
                 raise InvalidRequestError(
-                    'Missing "redirect_uri" in request.', state=request.state
+                    "Missing 'redirect_uri' in request.", state=request.state
                 )
             return redirect_uri
 
@@ -157,7 +157,7 @@ def validate_no_multiple_request_parameter(request: OAuth2Request):
         for param in parameters:
             if len(datalist.get(param, [])) > 1:
                 raise InvalidRequestError(
-                    f'Multiple "{param}" in request.', state=request.state
+                    f"Multiple '{param}' in request.", state=request.state
                 )
 
     def validate_consent_request(self):

authlib/oauth2/rfc6749/grants/client_credentials.py

@@ -68,7 +68,7 @@ def validate_token_request(self):
 
         if not client.check_grant_type(self.GRANT_TYPE):
             raise UnauthorizedClientError(
-                f'The client is not authorized to use "grant_type={self.GRANT_TYPE}"'
+                f"The client is not authorized to use 'grant_type={self.GRANT_TYPE}'"
             )
 
         self.request.client = client

authlib/oauth2/rfc6749/grants/implicit.py

@@ -130,7 +130,7 @@ def validate_authorization_request(self):
         response_type = self.request.response_type
         if not client.check_response_type(response_type):
             raise UnauthorizedClientError(
-                f'The client is not authorized to use "response_type={response_type}"',
+                f"The client is not authorized to use 'response_type={response_type}'",
                 state=self.request.state,
                 redirect_uri=redirect_uri,
                 redirect_fragment=True,

authlib/oauth2/rfc6749/grants/refresh_token.py

@@ -41,15 +41,15 @@ def _validate_request_client(self):
 
         if not client.check_grant_type(self.GRANT_TYPE):
             raise UnauthorizedClientError(
-                f'The client is not authorized to use "grant_type={self.GRANT_TYPE}"'
+                f"The client is not authorized to use 'grant_type={self.GRANT_TYPE}'"
             )
 
         return client
 
     def _validate_request_token(self, client):
         refresh_token = self.request.form.get("refresh_token")
         if refresh_token is None:
-            raise InvalidRequestError('Missing "refresh_token" in request.')
+            raise InvalidRequestError("Missing 'refresh_token' in request.")
 
         token = self.authenticate_refresh_token(refresh_token)
         if not token or not token.check_client(client):
@@ -118,7 +118,7 @@ def create_token_response(self):
         refresh_token = self.request.refresh_token
         user = self.authenticate_user(refresh_token)
         if not user:
-            raise InvalidRequestError('There is no "user" for this token.')
+            raise InvalidRequestError("There is no 'user' for this token.")
 
         client = self.request.client
         token = self.issue_token(user, refresh_token)

authlib/oauth2/rfc6749/grants/resource_owner_password_credentials.py

@@ -89,20 +89,20 @@ def validate_token_request(self):
 
         if not client.check_grant_type(self.GRANT_TYPE):
             raise UnauthorizedClientError(
-                f'The client is not authorized to use "grant_type={self.GRANT_TYPE}"'
+                f"The client is not authorized to use 'grant_type={self.GRANT_TYPE}'"
             )
 
         params = self.request.form
         if "username" not in params:
-            raise InvalidRequestError('Missing "username" in request.')
+            raise InvalidRequestError("Missing 'username' in request.")
         if "password" not in params:
-            raise InvalidRequestError('Missing "password" in request.')
+            raise InvalidRequestError("Missing 'password' in request.")
 
         log.debug("Authenticate user of %r", params["username"])
         user = self.authenticate_user(params["username"], params["password"])
         if not user:
             raise InvalidRequestError(
-                'Invalid "username" or "password" in request.',
+                "Invalid 'username' or 'password' in request.",
             )
         self.request.client = client
         self.request.user = user

authlib/oauth2/rfc7523/assertion.py

@@ -21,7 +21,7 @@ def sign_jwt_bearer_assertion(
     if alg:
         header["alg"] = alg
     if "alg" not in header:
-        raise ValueError('Missing "alg" in header')
+        raise ValueError("Missing 'alg' in header")
 
     payload = {"iss": issuer, "aud": audience}
 

authlib/oauth2/rfc7523/jwt_bearer.py

@@ -102,15 +102,15 @@ def validate_token_request(self):
         """
         assertion = self.request.form.get("assertion")
         if not assertion:
-            raise InvalidRequestError('Missing "assertion" in request')
+            raise InvalidRequestError("Missing 'assertion' in request")
 
         claims = self.process_assertion_claims(assertion)
         client = self.resolve_issuer_client(claims["iss"])
         log.debug("Validate token request of %s", client)
 
         if not client.check_grant_type(self.GRANT_TYPE):
             raise UnauthorizedClientError(
-                f'The client is not authorized to use "grant_type={self.GRANT_TYPE}"'
+                f"The client is not authorized to use 'grant_type={self.GRANT_TYPE}'"
             )
 
         self.request.client = client
@@ -120,7 +120,7 @@ def validate_token_request(self):
         if subject:
             user = self.authenticate_user(subject)
             if not user:
-                raise InvalidGrantError(description='Invalid "sub" value in assertion')
+                raise InvalidGrantError(description="Invalid 'sub' value in assertion")
 
             log.debug("Check client(%s) permission to User(%s)", client, user)
             if not self.has_granted_permission(client, user):

authlib/oauth2/rfc7636/challenge.py

@@ -74,27 +74,27 @@ def validate_code_challenge(self, grant):
             return
 
         if not challenge:
-            raise InvalidRequestError('Missing "code_challenge"')
+            raise InvalidRequestError("Missing 'code_challenge'")
 
         if len(request.datalist.get("code_challenge", [])) > 1:
-            raise InvalidRequestError('Multiple "code_challenge" in request.')
+            raise InvalidRequestError("Multiple 'code_challenge' in request.")
 
         if not CODE_CHALLENGE_PATTERN.match(challenge):
-            raise InvalidRequestError('Invalid "code_challenge"')
+            raise InvalidRequestError("Invalid 'code_challenge'")
 
         if method and method not in self.SUPPORTED_CODE_CHALLENGE_METHOD:
-            raise InvalidRequestError('Unsupported "code_challenge_method"')
+            raise InvalidRequestError("Unsupported 'code_challenge_method'")
 
         if len(request.datalist.get("code_challenge_method", [])) > 1:
-            raise InvalidRequestError('Multiple "code_challenge_method" in request.')
+            raise InvalidRequestError("Multiple 'code_challenge_method' in request.")
 
     def validate_code_verifier(self, grant):
         request: OAuth2Request = grant.request
         verifier = request.form.get("code_verifier")
 
         # public client MUST verify code challenge
         if self.required and request.auth_method == "none" and not verifier:
-            raise InvalidRequestError('Missing "code_verifier"')
+            raise InvalidRequestError("Missing 'code_verifier'")
 
         authorization_code = request.authorization_code
         challenge = self.get_authorization_code_challenge(authorization_code)
@@ -105,10 +105,10 @@ def validate_code_verifier(self, grant):
 
         # challenge exists, code_verifier is required
         if not verifier:
-            raise InvalidRequestError('Missing "code_verifier"')
+            raise InvalidRequestError("Missing 'code_verifier'")
 
         if not CODE_VERIFIER_PATTERN.match(verifier):
-            raise InvalidRequestError('Invalid "code_verifier"')
+            raise InvalidRequestError("Invalid 'code_verifier'")
 
         # 4.6. Server Verifies code_verifier before Returning the Tokens
         method = self.get_authorization_code_challenge_method(authorization_code)
@@ -117,7 +117,7 @@ def validate_code_verifier(self, grant):
 
         func = self.CODE_CHALLENGE_METHODS.get(method)
         if not func:
-            raise RuntimeError(f'No verify method for "{method}"')
+            raise RuntimeError(f"No verify method for '{method}'")
 
         # If the values are not equal, an error response indicating
         # "invalid_grant" MUST be returned.

authlib/oauth2/rfc8628/device_code.py

@@ -91,17 +91,17 @@ def validate_token_request(self):
         """
         device_code = self.request.data.get("device_code")
         if not device_code:
-            raise InvalidRequestError('Missing "device_code" in payload')
+            raise InvalidRequestError("Missing 'device_code' in payload")
 
         client = self.authenticate_token_endpoint_client()
         if not client.check_grant_type(self.GRANT_TYPE):
             raise UnauthorizedClientError(
-                f'The client is not authorized to use "response_type={self.GRANT_TYPE}"',
+                f"The client is not authorized to use 'response_type={self.GRANT_TYPE}'",
             )
 
         credential = self.query_device_credential(device_code)
         if not credential:
-            raise InvalidRequestError('Invalid "device_code" in payload')
+            raise InvalidRequestError("Invalid 'device_code' in payload")
 
         if credential.get_client_id() != client.get_client_id():
             raise UnauthorizedClientError()

authlib/oidc/core/grants/hybrid.py

@@ -51,7 +51,7 @@ def save_authorization_code(self, code, request):
     def validate_authorization_request(self):
         if not is_openid_scope(self.request.scope):
             raise InvalidScopeError(
-                'Missing "openid" scope',
+                "Missing 'openid' scope",
                 redirect_uri=self.request.redirect_uri,
                 redirect_fragment=True,
             )