Login screen is displayed for No Response_type query param for /Authorize endpoint

[learningvkpg]

Describe the bug
When an /oauth2/authorize endpoint is hit without any response_type parameter it is redirecting to login screen
According to spec error response of /authorize should redirect to redirect url and state the error message in query param
some thing like this
HTTP/1.1 302 Found
Location: **https://client.example.com/cb?error=access_denied&state=xyz

https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1

But this is redirect to login screen

To Reproduce
Steps to reproduce the behavior.
You can check with above code base

Expected behavior
Proper error message should be displayed along with redirect_uri

I have analyzed the code and figured out the problem
OAuth2AuthorizationCodeRequestAuthenticationConverter class which is responsible for validating the input request throws exception if there is response_type param
String responseType = request.getParameter(OAuth2ParameterNames.RESPONSE_TYPE); if (!StringUtils.hasText(responseType) || parameters.get(OAuth2ParameterNames.RESPONSE_TYPE).size() != 1) { throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.RESPONSE_TYPE); } else if (!responseType.equals(OAuth2AuthorizationResponseType.CODE.getValue())) { throwError(OAuth2ErrorCodes.UNSUPPORTED_RESPONSE_TYPE, OAuth2ParameterNames.RESPONSE_TYPE); }

and no authentication object is created due to error and this error is handed by sendErrorResponse method
this method has below condition which will be true for all validations done in converter regardless of invalid redirect uri
As per Spec if the client Id is missing or redirect uri is incorrect then we should not redirect to invalid redirect uri
below condition holds good for such case
`

	if (authorizationCodeRequestAuthentication == null ||
			!StringUtils.hasText(authorizationCodeRequestAuthentication.getRedirectUri())) {
		response.sendError(HttpStatus.BAD_REQUEST.value(), error.toString());
		return;
	}

This will redirect to /error
Since there is no authentication object created AnonymousAuthenticationFilter creates AnonymousAuthenticationToken

This /error is intercepted by AuthorizationFilter which makes the access decision since this anonymous this willl throw AccessDeniedException
This exception is handled by ExceptionTranslationFilter which calls LoginUrlAuthenticationEntryPoint.commence which will redirect to /login and Login screen after entering credentials we get 400 bad request with whitelabel error page

`

[jgrandja]

@learningvkpg

In Section 4.1.1. Authorization Request, it states:

If an authorization request is missing the response_type parameter, or if the response type is not understood, the authorization server MUST return an error response as described in Section 4.1.2.1.

In Section 4.1.2.1. Error Response, it states:

If the request fails due to a missing, invalid, or mismatching redirect URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user agent to the invalid redirect URI.

The AS MUST NOT redirect if the client_id or redirect_uri are invalid.

It then states:

If the resource owner denies the access request or if the request fails for reasons other than a missing or invalid redirect URI, the authorization server informs the client by adding the following parameters to the query component of the redirect URI using the application/x-www-form-urlencoded format

Otherwise, the redirect should be initiated to the redirect_uri. However, this implies that the request is an Authorization Request.

BUT if there is no response_type parameter, then it is NOT an Authorization Request because the response_type parameter (REQUIRED) is the primary parameter that determines the type of flow that is triggered. Therefore, the current implementation for validating the response_type parameter behaves the same way as client_id and redirect_uri and simply throws an exception without performing the redirect.

As an aside, no where in the spec does it specifically state that the redirect should be performed if there is no response_type parameter.

IMO, if the response_type parameter is not supplied in the request, then it's not an Authorization Request. It's a bug in the caller and should be fixed there.

I'm going to close this as the current behaviour works as designed.