A.A

Reputation: 4081

OAuth Unsuccessful Response

According to https://www.oauth.com/oauth2-servers/access-tokens/access-token-response/

Error responses are returned with an HTTP 400 status code (unless specified otherwise), with error and error_description parameters. The error parameter will always be one of the values listed below.

  • invalid_request
  • invalid_client
  • invalid_grant
  • invalid_scope
  • unauthorized_client
  • unsupported_grant_type

Can I have a custom error like "invalid_captcha" or "captcha_required"?

I want that if someone sends wrong credentials 3 times, I send a "captcha_required" error, and the next time they must send a valid captcha code.

My question is:

  1. Is it allowed to define custom error codes in OAuth?
  2. Is there an alternative way to solve my problem?

Upvotes: 0

Views: 181

Answers (2)

Alex

Reputation: 18526

A possible way to do this would be to introduce a custom error code and use that in the error_description.

As an example, Azure Active Directory B2C has a password reset flow where upon the user clicking on "Forgot Password", B2C actually throws an error with the custom error description AADB2C90118 to the application, which can now execute custom code. As AAD is one of the major OAuth implementations, one could consider it a "credible source".

A sign-up or sign-in user flow with local accounts includes a Forgot password? link on the first page of the experience. Clicking this link doesn't automatically trigger a password reset user flow.

Instead, the error code AADB2C90118 is returned to your application. Your application needs to handle this error code by running a specific user flow that resets the password. To see an example, take a look at a simple ASP.NET sample that demonstrates the linking of user flows.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-policies#linking-user-flows


    // Inside the OpenID Connect middleware's notification handler for the failed sign-in:
    // the standard 'error' stays as-is, the custom marker is matched in error_description.
    if (notification.ProtocolMessage.ErrorDescription != null && notification.ProtocolMessage.ErrorDescription.Contains("AADB2C90118"))
    {
        // If the user clicked the reset password link, redirect to the reset password route
        notification.Response.Redirect("/Account/ResetPassword");
    }

Upvotes: 0

Lee Garcon

Reputation: 192

  1. I don't think so.
  2. You could always add the custom error in error_description. For example, captcha_required would be

        {
          "error": "invalid_request",
          "error_description": "invalid_captcha",
          "error_uri": "whatever you want here"
        }

     and you could access error_description and see if it matches.

Upvotes: 1
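A worked version of the approach in the answers above, added here as an example and not part of either post: a token endpoint that keeps `error` at a registered RFC 6749 value and carries the `captcha_required` marker in `error_description` once an account has failed three times, plus the client-side check that matches on the description. The credential store, captcha verification, threshold and `error_uri` are constructed stand-ins.

```python
from typing import Dict, Optional, Tuple

# Constructed values for the example; the threshold and URL are assumptions.
MAX_FAILURES_BEFORE_CAPTCHA = 3
CAPTCHA_MARKER = "captcha_required"  # custom machine-readable marker, kept out of 'error'
ERROR_URI = "https://auth.example.test/docs/errors#captcha"  # placeholder documentation URL

# Constructed demo credential store; a real server compares password hashes.
_USERS = {"alice": "correct horse battery staple"}
_failures: Dict[str, int] = {}


def oauth_error(error: str, description: str, uri: Optional[str] = None) -> Tuple[int, dict]:
    """Build an error body in the RFC 6749 section 5.2 shape: 'error' is always one of the
    registered values, and any custom signal lives in error_description."""
    body = {"error": error, "error_description": description}
    if uri:
        body["error_uri"] = uri
    return 400, body


def _captcha_valid(captcha: Optional[str]) -> bool:
    # Constructed stand-in for a real captcha verification call.
    return captcha == "correct-captcha"


def password_grant(username: str, password: str, captcha: Optional[str] = None) -> Tuple[int, dict]:
    """Token endpoint logic for the password grant with a captcha gate after repeated failures."""
    count = _failures.get(username, 0)
    if count >= MAX_FAILURES_BEFORE_CAPTCHA and not _captcha_valid(captcha):
        # The captcha parameter is missing or wrong: a standard invalid_request, with the
        # custom marker in error_description so aware clients can show a captcha.
        return oauth_error("invalid_request", CAPTCHA_MARKER, ERROR_URI)
    if _USERS.get(username) != password:
        _failures[username] = count + 1
        return oauth_error("invalid_grant", "invalid username or password")
    _failures.pop(username, None)  # a successful login resets the counter
    return 200, {"access_token": "demo-token", "token_type": "Bearer"}


def client_needs_captcha(status: int, body: dict) -> bool:
    """Client side: decide by matching error_description, as the answers suggest."""
    return status == 400 and body.get("error_description") == CAPTCHA_MARKER
```

Clients that know nothing about the marker still receive a valid OAuth error and fail cleanly; only clients that look at `error_description` switch into the captcha flow.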
