bugfix: redirect browser instead of returning error when requested sc…

…ope is unknown (3104) (#3113)
nuts-foundation · May 14, 2024 · e293378 · e293378
1 parent f16e92c
commit e293378
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/auth/api/iam/openid4vp.go b/auth/api/iam/openid4vp.go
@@ -128,7 +128,7 @@ func (r Wrapper) handleAuthorizeRequestFromHolder(ctx context.Context, verifier
 	// TODO: Support multiple scopes?
 	presentationDefinitions, err := r.presentationDefinitionForScope(ctx, verifier, params.get(oauth.ScopeParam))
 	if err != nil {
-		return nil, err
+		return nil, withCallbackURI(err, redirectURL)
 	}
 
 	session := OAuthSession{

diff --git a/auth/api/iam/openid4vp_test.go b/auth/api/iam/openid4vp_test.go
@@ -21,6 +21,7 @@ package iam
 import (
 	"context"
 	"encoding/json"
+	"github.com/nuts-foundation/nuts-node/policy"
 	"net/http"
 	"net/url"
 	"strings"
@@ -117,6 +118,20 @@ func TestWrapper_handleAuthorizeRequestFromHolder(t *testing.T) {
 		requireOAuthError(t, err, oauth.InvalidRequest, "missing code_challenge parameter")
 
 	})
+	t.Run("unknown scope", func(t *testing.T) {
+		ctx := newTestClient(t)
+		ctx.iamClient.EXPECT().AuthorizationServerMetadata(gomock.Any(), holderDID).Return(&oauth.AuthorizationServerMetadata{
+			AuthorizationEndpoint:    "http://example.com",
+			ClientIdSchemesSupported: []string{"did"},
+		}, nil)
+		ctx.policy.EXPECT().PresentationDefinitions(gomock.Any(), gomock.Any(), gomock.Any()).Return(pe.WalletOwnerMapping{}, policy.ErrNotFound)
+		params := defaultParams()
+		params[oauth.ScopeParam] = "unknown"
+
+		_, err := ctx.client.handleAuthorizeRequestFromHolder(context.Background(), verifierDID, params)
+
+		requireOAuthError(t, err, oauth.InvalidScope, "unsupported scope (unknown) for presentation exchange: not found")
+	})
 	t.Run("missing code_challenge_method", func(t *testing.T) {
 		ctx := newTestClient(t)
 		params := defaultParams()