Return state with authorization denied error

whytheplatypus · jleclanche · commit cbf8dcfa3afe · 2018-05-12T06:51:05.000+03:00
Conforms to RFC6749 section 4.1.2.1: https://tools.ietf.org/html/rfc6749#section-4.1.2.1 REQUIRED if a "state" parameter was present in the client authorization request. The exact value received from the client. (cherry picked from commit be659ca)
diff --git a/oauth2_provider/oauth2_backends.py b/oauth2_provider/oauth2_backends.py
@@ -110,7 +110,8 @@ def create_authorization_response(self, request, scopes, credentials, allow):
         """
         try:
             if not allow:
-                raise oauth2.AccessDeniedError()
+                raise oauth2.AccessDeniedError(
+                    state=credentials.get("state", None))
 
             # add current user to credentials. this will be used by OAUTH2_VALIDATOR_CLASS
             credentials["user"] = request.user
diff --git a/tests/test_authorization_code.py b/tests/test_authorization_code.py
@@ -335,6 +335,26 @@ def test_code_post_auth_deny(self):
         response = self.client.post(reverse("oauth2_provider:authorize"), data=form_data)
         self.assertEqual(response.status_code, 302)
         self.assertIn("error=access_denied", response["Location"])
+        self.assertIn("state=random_state_string", response["Location"])
+
+    def test_code_post_auth_deny_no_state(self):
+        """
+        Test optional state when resource owner deny access
+        """
+        self.client.login(username="test_user", password="123456")
+
+        form_data = {
+            "client_id": self.application.client_id,
+            "scope": "read write",
+            "redirect_uri": "http://example.org",
+            "response_type": "code",
+            "allow": False,
+        }
+
+        response = self.client.post(reverse("oauth2_provider:authorize"), data=form_data)
+        self.assertEqual(response.status_code, 302)
+        self.assertIn("error=access_denied", response["Location"])
+        self.assertNotIn("state", response["Location"])
 
     def test_code_post_auth_bad_responsetype(self):
         """
@@ -433,6 +453,7 @@ def test_code_post_auth_deny_custom_redirect_uri_scheme(self):
         self.assertEqual(response.status_code, 302)
         self.assertIn("custom-scheme://example.com?", response["Location"])
         self.assertIn("error=access_denied", response["Location"])
+        self.assertIn("state=random_state_string", response["Location"])
 
     def test_code_post_auth_redirection_uri_with_querystring(self):
         """
@@ -455,6 +476,7 @@ def test_code_post_auth_redirection_uri_with_querystring(self):
         self.assertEqual(response.status_code, 302)
         self.assertIn("http://example.com?foo=bar", response["Location"])
         self.assertIn("code=", response["Location"])
+        self.assertIn("state=random_state_string", response["Location"])
 
     def test_code_post_auth_failing_redirection_uri_with_querystring(self):
         """
@@ -475,7 +497,10 @@ def test_code_post_auth_failing_redirection_uri_with_querystring(self):
 
         response = self.client.post(reverse("oauth2_provider:authorize"), data=form_data)
         self.assertEqual(response.status_code, 302)
-        self.assertEqual("http://example.com?foo=bar&error=access_denied", response["Location"])
+        self.assertIn("http://example.com?", response["Location"])
+        self.assertIn("error=access_denied", response["Location"])
+        self.assertIn("state=random_state_string", response["Location"])
+        self.assertIn("foo=bar", response["Location"])
 
     def test_code_post_auth_fails_when_redirect_uri_path_is_invalid(self):
         """
