Not passing required parameters results in a 500

[isabellechalhoub]

The Doorkeeper::AuthorizationsController checks to see whether or not required parameters are present by running pre_auth.authorizable? in the new action.

This gem modifies the behavior of the :authenticate_resource_owner! before filter that runs prior to the new action. One of the modifications is to inspect the pre_auth object (an instance of OAuth::PreAuthorization) and look at its scopes.

The OAuth::PreAuthorization#scopes method in turn fires the build_scopes private method, which calls client.application.scopes. This method assumes that client is present. However, if you do not initialize the object with @client, it obviously blows up. This has not been an issue in Doorkeeper itself, because usually the OAuth::PreAuthorization object is assumed to be valid. However, this OpenID Connect gem inspects the object before it has been validated.

We have a PR to add a validation check before trying to inspect the scopes.

[toupeira]

Thanks again, you can give this a try with the new version 1.6.2.