# HG changeset patch
# User Kim Alvefur
# Date 1683037337 -7200
# Node ID fbf3ede7541b113aa694f6c04b1918b577e4e768
# Parent c8d04ac200fc4b04a5b04585fe2e43855927bf5c
mod_http_oauth2: More appropriate error conditions in client validation Specified in RFC7591 for these kinds of issues.
diff -r c8d04ac200fc -r fbf3ede7541b mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Tue May 02 16:20:55 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Tue May 02 16:22:17 2023 +0200
@@ -755,12 +755,12 @@
 local client_uri = url.parse(client_metadata.client_uri);
 if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then
- return nil, oauth_error("invalid_request", "Missing, invalid or insecure client_uri");
+ return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri");
 end
 for _, redirect_uri in ipairs(client_metadata.redirect_uris) do
 if not redirect_uri_allowed(redirect_uri, client_uri, client_metadata.application_type) then
- return nil, oauth_error("invalid_request", "Invalid, insecure or inappropriate redirect URI.");
+ return nil, oauth_error("invalid_redirect_uri", "Invalid, insecure or inappropriate redirect URI.");
 end
 end
@@ -768,10 +768,10 @@
 if field ~= "client_uri" and prop_schema.format == "uri" and client_metadata[field] then
 local components = url.parse(client_metadata[field]);
 if components.scheme ~= "https" then
- return nil, oauth_error("invalid_request", "Insecure URI forbidden");
+ return nil, oauth_error("invalid_client_metadata", "Insecure URI forbidden");
 end
 if components.authority ~= client_uri.authority then
- return nil, oauth_error("invalid_request", "Informative URIs must have the same hostname");
+ return nil, oauth_error("invalid_client_metadata", "Informative URIs must have the same hostname");
 end
 end
 end
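Review bot: `ipairs(client_metadata.redirect_uris)` raises a Lua error if `redirect_uris` is absent or not a table, which would surface as a server-side failure rather than the `invalid_redirect_uri` response this hunk introduces; unless validation earlier in the function (not visible here) already guarantees the field, a guard before the loop such as `if type(client_metadata.redirect_uris) ~= "table" then return nil, oauth_error("invalid_redirect_uri", "redirect_uris is required"); end` keeps the failure in-band for the registering client. The new condition names match the registration error codes in RFC 7591 §3.2.2, which is the right direction. The enclosing function starts before this hunk.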
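Review bot: `components.scheme` is read without checking that `url.parse` returned a table, while the sibling checks on `client_uri` in the previous hunk and on `uri` in the next hunk both guard with `if not …`; an unparsable `*_uri` value (an empty string, for instance) would therefore raise instead of producing the `invalid_client_metadata` error being introduced here. Changing the first condition to `if not components or components.scheme ~= "https" then` brings it in line with the other two sites. Also note this hunk compares `authority` (which can carry userinfo and a port) while the next hunk compares `host`, yet both descriptions speak of the hostname; pick one comparison and use it at both sites so the error text matches what is actually checked. The enclosing loop and function start before this hunk.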
@@ -781,9 +781,9 @@
 if k:find"_uri#" then
 local uri = url.parse(v);
 if not uri or uri.scheme ~= "https" then
- return nil, oauth_error("invalid_request", "Missing, invalid or insecure "..k);
+ return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure "..k);
 elseif uri.host ~= client_uri.host then
- return nil, oauth_error("invalid_request", "All URIs must use the same hostname as client_uri");
+ return nil, oauth_error("invalid_client_metadata", "All URIs must use the same hostname as client_uri");
 end
 end
 end
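Review bot: `url.parse(v)` is called on whatever value sits under a `*_uri#…` key, and if `v` can be something other than a string (JSON permits a number or object there, and these localized keys may fall outside the schema — cannot tell from here) the parser may raise rather than return nil, again turning a client mistake into a server-side error. `local uri = type(v) == "string" and url.parse(v);` lets the existing `if not uri` branch return the new `invalid_client_metadata` error for that case. The enclosing loop and function start before this hunk.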