fix: OAuth2/OIDC standards compliance for HTTP handlers #499
Merged
lakhansamani merged 2 commits into main, Mar 20, 2026
Audit and fix HTTP handlers against RFC 6749 (OAuth 2.0), RFC 7636 (PKCE), RFC 7009 (Token Revocation), RFC 6750 (Bearer Token), and OpenID Connect Core/Discovery specs.

Critical bugs fixed:
- Missing return after error in token.go, oauth_callback.go (3 locations)
- Index out of bounds panic in oauth_callback.go state parsing

Token endpoint (RFC 6749):
- Add required token_type:"Bearer" to response
- Fix error codes to standard values (unsupported_grant_type, invalid_client, etc)
- Return 401 with WWW-Authenticate for Basic Auth client failures
- Make authorization code deletion synchronous to prevent reuse race condition

Revocation endpoint (RFC 7009):
- Return HTTP 200 for invalid tokens (prevents token scanning)
- Accept application/x-www-form-urlencoded (standard) and JSON (backward compat)
- Support standard "token" field name and token_type_hint

UserInfo endpoint (RFC 6750):
- Add WWW-Authenticate: Bearer header on 401 responses
- Use standard error codes (invalid_token, invalid_request)

Discovery endpoint (OIDC Discovery 1.0):
- Ensure RS256 always in id_token_signing_alg_values_supported
- Add grant_types_supported, token_endpoint_auth_methods_supported, code_challenge_methods_supported, revocation_endpoint, end_session_endpoint

Authorize endpoint (RFC 7636):
- Add code_challenge_method parameter support (S256 only)
- Remove non-standard nonce from authorization code response
The error code is correctly "invalid_request" per RFC 7636. The "S256" text is in error_description, not the error code field.
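The comment above rests on the RFC 7636 rule that an unsupported code_challenge_method is reported with the registered error code invalid_request, and that the method name belongs only in error_description. The Go snippet below is an added example, not code from this PR or its project: it implements that authorize-endpoint check for an S256-only server, the S256 challenge derivation from RFC 7636 §4.2, and the token-endpoint verification from §4.6. The OAuthError type, the function names and the S256-only policy are assumptions modelled on the PR description; the only fixed values are the RFC 7636 Appendix B test vector.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// OAuthError mirrors the RFC 6749 §5.2 error response: a registered error code
// plus a free-text description. The type name is an assumption for this example.
type OAuthError struct {
	Code        string `json:"error"`
	Description string `json:"error_description,omitempty"`
}

func (e *OAuthError) Error() string { return e.Code + ": " + e.Description }

// ValidateChallengeMethod applies an S256-only policy at the authorize endpoint.
// An absent method means "plain" (RFC 7636 §4.3), which is rejected as well.
// Per RFC 7636 §4.4.1 the error code is the registered "invalid_request"; the
// unsupported method name only appears in error_description.
func ValidateChallengeMethod(method string) error {
	if method == "" {
		method = "plain"
	}
	if method != "S256" {
		return &OAuthError{
			Code:        "invalid_request",
			Description: fmt.Sprintf("transform algorithm %q not supported, only S256", method),
		}
	}
	return nil
}

// S256Challenge computes BASE64URL(SHA256(ASCII(code_verifier))) without
// padding, exactly as RFC 7636 §4.2 defines the S256 transform.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyS256 is the token-endpoint side (RFC 7636 §4.6): recompute the challenge
// from the presented verifier and compare in constant time. The verifier length
// bounds come from §4.1; any failure is reported as "invalid_grant".
func VerifyS256(storedChallenge, verifier string) error {
	if len(verifier) < 43 || len(verifier) > 128 {
		return &OAuthError{Code: "invalid_grant", Description: "code_verifier length out of range"}
	}
	if subtle.ConstantTimeCompare([]byte(S256Challenge(verifier)), []byte(storedChallenge)) != 1 {
		return &OAuthError{Code: "invalid_grant", Description: "code_verifier does not match code_challenge"}
	}
	return nil
}

func main() {
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk" // RFC 7636 Appendix B vector
	challenge := S256Challenge(verifier)
	fmt.Println("code_challenge:", challenge)
	fmt.Println("method plain    ->", ValidateChallengeMethod("plain"))
	fmt.Println("verify ok       ->", VerifyS256(challenge, verifier))
	fmt.Println("verify tampered ->", VerifyS256(challenge, verifier+"x"))
}
```

The constant-time comparison is deliberate: the stored challenge is a secret-derived value, and the endpoint should not leak how many leading bytes of a guessed verifier were correct.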
Summary
Comprehensive audit and fix of all HTTP handlers against OAuth2 and OpenID Connect standards (RFC 6749, RFC 7636, RFC 7009, RFC 6750, OIDC Core/Discovery).
Critical Bugs Fixed
- Missing return after error responses in token.go (line 64), oauth_callback.go (lines 263, 270) — code continued execution after sending error JSON, causing nil pointer dereferences and undefined behavior
- Index out of bounds panic in oauth_callback.go — accessed sessionSplit[3] with only a len < 3 bounds check

RFC 6749 (OAuth 2.0) — Token Endpoint
- Added token_type: "Bearer" to token response (§5.1)
- Fixed error codes to standard values: unsupported_grant_type, invalid_request, invalid_client, invalid_grant (§5.2)
- Return 401 with WWW-Authenticate header for Basic Auth client failures (§5.2)

RFC 7009 (Token Revocation) — Revoke Endpoint
- Return HTTP 200 for invalid tokens (prevents token scanning)
- Accept application/x-www-form-urlencoded (standard) alongside JSON (backward compat)
- Support standard token field name and token_type_hint parameter

RFC 6750 (Bearer Token) — UserInfo Endpoint
- WWW-Authenticate: Bearer header on all 401 responses (§3)
- Standard error codes: invalid_token, invalid_request

OIDC Discovery 1.0 — Discovery Endpoint
- id_token_signing_alg_values_supported now always includes RS256 (MUST per spec)
- Added grant_types_supported, token_endpoint_auth_methods_supported, code_challenge_methods_supported, revocation_endpoint, end_session_endpoint

RFC 7636 (PKCE) — Authorize Endpoint
- Added code_challenge_method parameter support (S256 only)
- Removed non-standard nonce from authorization code response (§4.1.2: only code + state)

Tests & Docs
- Added oauth_standards_compliance_test.go with 20+ test cases covering all standards
- Added docs/oauth2-oidc-endpoints.md — complete endpoint reference with examples

Test plan
- go build ./... — verify clean build
- go vet ./internal/http_handlers/... — no warnings
- go test -v -run "TestOpenIDDiscovery|TestTokenEndpoint|TestRevocation|TestUserInfo|TestAuthorize|TestJWKS" ./internal/integration_tests/ (requires Postgres)
- /.well-known/openid-configuration includes all required OIDC fields
- /oauth/token error responses match RFC 6749 §5.2 error codes
- /oauth/revoke returns 200 for invalid tokens per RFC 7009
- /userinfo returns WWW-Authenticate header on 401
- code_challenge_method=S256