From f018117f1195424feaafb55060532763eeaae008 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Tue, 12 Jul 2022 14:30:41 +0200
Subject: [PATCH] idp_oidc: use invalid_grant error in token endpoint (#66544)
---
 src/authentic2_idp_oidc/views.py | 13 ++++++++++---
 tests/idp_oidc/test_misc.py | 6 ++----
 2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/src/authentic2_idp_oidc/views.py b/src/authentic2_idp_oidc/views.py
index 4a8fa1a9..81e058ea 100644
--- a/src/authentic2_idp_oidc/views.py
+++ b/src/authentic2_idp_oidc/views.py
@@ -74,6 +74,7 @@ class OIDCException(Exception):
 content['error_description'] = self.error_description
 if self.client:
+ content['client_id'] = self.client.client_id
 msg = 'idp_oidc: error "%s" in %s endpoint "%s" for client %s'
 if self.extra_info:
 msg += ' (%s)' % self.extra_info
@@ -181,6 +182,10 @@ class InvalidClient(OIDCException):
 error_code = 'invalid_client'
 
 
+class InvalidGrant(OIDCException):
+ error_code = 'invalid_grant'
+
+
 class WrongClientSecret(InvalidClient):
 error_description = _('Wrong client secret')
 
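Review bot: `InvalidGrant` is added in the `@@ -181` hunk without a docstring, although the error code it carries has a precise meaning that the token endpoint now depends on to distinguish grant problems from malformed requests. I would add `"""RFC 6749 §5.2 invalid_grant: the presented grant (here an authorization code) is unknown, expired, bound to another redirect_uri or issued to another client."""` directly under the class line, so future callers reach for it instead of `InvalidRequest` when the code itself is the problem. The base class `OIDCException` and its `__init__` are outside this hunk.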
@@ -730,12 +735,14 @@ def tokens_from_authz_code(request):
 try:
 oidc_code = models.OIDCCode.objects.select_related().get(uuid=code)
 except models.OIDCCode.DoesNotExist:
- raise InvalidRequest(_('Parameter "code" is invalid'), client=client)
+ raise InvalidGrant(_('Code is unknown.'), client=client)
 if not oidc_code.is_valid():
- raise InvalidRequest(_('Parameter "code" has expired or user is disconnected'), client=client)
+ raise InvalidGrant(_('Code has expired, user is disconnected or session was lost.'), client=client)
 redirect_uri = request.POST.get('redirect_uri')
 if oidc_code.redirect_uri != redirect_uri:
- raise InvalidRequest(_('Parameter "redirect_uri" does not match the code.'), client=client)
+ raise InvalidGrant(_('Redirect_uri does not match the code.'), client=client)
+ if oidc_code.client != client:
+ raise InvalidGrant(_('Code was issued to a different client.'), client=client)
 if client.access_token_duration is None:
 expires_in = datetime.timedelta(seconds=oidc_code.session.get_expiry_age())
 expired = None
diff --git a/tests/idp_oidc/test_misc.py b/tests/idp_oidc/test_misc.py
index 8e36b1a8..68a0b550 100644
--- a/tests/idp_oidc/test_misc.py
+++ b/tests/idp_oidc/test_misc.py
@@ -892,8 +892,7 @@ def test_invalid_request(oidc_client, caplog, oidc_settings, simple_user, app):
 token_url, params=params, headers=client_authentication_headers(oidc_client), status=400
 )
 assert 'error' in response.json
- assert response.json['error'] == 'invalid_request'
- assert response.json['error_description'] == 'Parameter "code" has expired or user is disconnected'
+ assert response.json['error'] == 'invalid_grant'
 
 # invalid logout
 logout_url = make_url(
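Review bot: The new `oidc_code.client != client` check is placed after the expiry and redirect_uri checks, so an authenticated client presenting a code that was issued to a different client still receives the distinct descriptions "Code has expired…" or "Redirect_uri does not match the code." before ownership is ever verified. RFC 6749 §4.1.3 requires the server to ensure the code was issued to the authenticated client, and that check should be the first thing done with a found code: move `if oidc_code.client != client:` / `raise InvalidGrant(_('Code was issued to a different client.'), client=client)` to immediately after the `except models.OIDCCode.DoesNotExist:` block, above `if not oidc_code.is_valid():`. With that order a code belonging to another client reveals nothing about its validity or its redirect_uri binding. tokens_from_authz_code continues outside the hunk, so whether the code is consumed after a successful exchange (one-time use) cannot be confirmed here.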
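Review bot: Relaxing the assertions to the error code only leaves the new cross-client branch in views.py (`Code was issued to a different client.`) without any test, here and in the `@@ -926` hunk of the same file. I would add a case that obtains a code for `oidc_client` and posts it to `token_url` with `client_authentication_headers(...)` of a different client (the `simple_oidc_client` fixture used further down may fit, if it is a distinct registered client), asserting `status=400` and `response.json['error'] == 'invalid_grant'`. Dropping the `error_description` assertions also means the reworded messages are no longer verified; keeping `assert response.json['error_description'] == 'Code has expired, user is disconnected or session was lost.'` would pin them. test_invalid_request starts outside the hunk.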
@@ -926,8 +925,7 @@ def test_invalid_request(oidc_client, caplog, oidc_settings, simple_user, app):
 status=400,
 )
 assert 'error' in response.json
- assert response.json['error'] == 'invalid_request'
- assert response.json['error_description'] == 'Parameter "code" has expired or user is disconnected'
+ assert response.json['error'] == 'invalid_grant'
 
 
 def test_client_secret_post_authentication(oidc_settings, app, simple_oidc_client, simple_user):
-- 
2.35.1