From e293378f1a5fc9e955120c86099051a4d01dde4e Mon Sep 17 00:00:00 2001
From: reinkrul
Date: Tue, 14 May 2024 14:45:34 +0200
Subject: [PATCH] bugfix: redirect browser instead of returning error when requested scope is unknown (3104) (#3113)

---
 auth/api/iam/openid4vp.go      |  2 +-
 auth/api/iam/openid4vp_test.go | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/auth/api/iam/openid4vp.go b/auth/api/iam/openid4vp.go
index 73c95f2dbb..9380f3f3bc 100644
--- a/auth/api/iam/openid4vp.go
+++ b/auth/api/iam/openid4vp.go
@@ -128,7 +128,7 @@ func (r Wrapper) handleAuthorizeRequestFromHolder(ctx context.Context, verifier
 	// TODO: Support multiple scopes?
 	presentationDefinitions, err := r.presentationDefinitionForScope(ctx, verifier, params.get(oauth.ScopeParam))
 	if err != nil {
-		return nil, err
+		return nil, withCallbackURI(err, redirectURL)
 	}
 
 	session := OAuthSession{
diff --git a/auth/api/iam/openid4vp_test.go b/auth/api/iam/openid4vp_test.go
index 34c4bb3825..49def05dc9 100644
--- a/auth/api/iam/openid4vp_test.go
+++ b/auth/api/iam/openid4vp_test.go
@@ -21,6 +21,7 @@ package iam
 import (
 	"context"
 	"encoding/json"
+	"github.com/nuts-foundation/nuts-node/policy"
 	"net/http"
 	"net/url"
 	"strings"
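Review bot: Wrapping the scope error in `withCallbackURI(err, redirectURL)` delivers the error to whatever `redirectURL` holds, so this line is only safe if `redirectURL` has already been validated as belonging to the holder; where it comes from is outside this hunk, and if it is taken straight from the request's `redirect_uri` parameter without being checked against the holder's advertised metadata, the verifier becomes an open redirector that any unauthenticated caller can trigger by supplying an arbitrary `redirect_uri` plus an unknown `scope`. The error description also reflects the client-supplied scope value (the new test expects `unsupported scope (unknown) for presentation exchange: not found`), so `withCallbackURI` needs to percent-encode `error_description`, and the echoed scope should be limited to the RFC 6749 §4.1.2.1 character set before it is placed in a redirect. I would add above the return: `// redirectURL must already be validated as the holder's; from here on errors are delivered by redirect, not as a direct response.` handleAuthorizeRequestFromHolder starts before and ends after this hunk.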
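Review bot: The added `github.com/nuts-foundation/nuts-node/policy` import is placed between standard-library entries, which `goimports` would move into the module-import group below the stdlib block; that group is outside the hunk, but the file's other non-stdlib imports (`oauth`, `pe`, `gomock` are referenced by the tests) presumably live there. Moving it keeps the file `goimports`-clean and avoids the next formatting pass reshuffling this hunk.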
@@ -117,6 +118,20 @@ func TestWrapper_handleAuthorizeRequestFromHolder(t *testing.T) {
 		requireOAuthError(t, err, oauth.InvalidRequest, "missing code_challenge parameter")
 	})
+	t.Run("unknown scope", func(t *testing.T) {
+		ctx := newTestClient(t)
+		ctx.iamClient.EXPECT().AuthorizationServerMetadata(gomock.Any(), holderDID).Return(&oauth.AuthorizationServerMetadata{
+			AuthorizationEndpoint:    "http://example.com",
+			ClientIdSchemesSupported: []string{"did"},
+		}, nil)
+		ctx.policy.EXPECT().PresentationDefinitions(gomock.Any(), gomock.Any(), gomock.Any()).Return(pe.WalletOwnerMapping{}, policy.ErrNotFound)
+		params := defaultParams()
+		params[oauth.ScopeParam] = "unknown"
+
+		_, err := ctx.client.handleAuthorizeRequestFromHolder(context.Background(), verifierDID, params)
+
+		requireOAuthError(t, err, oauth.InvalidScope, "unsupported scope (unknown) for presentation exchange: not found")
+	})
 	t.Run("missing code_challenge_method", func(t *testing.T) {
 		ctx := newTestClient(t)
 		params := defaultParams()
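Review bot: The new `unknown scope` case only checks the error code and description through `requireOAuthError`, so it does not exercise what the fix actually adds — that the error now carries the callback URI — and, assuming `requireOAuthError` compares just code and description, it would pass equally with the old `return nil, err`. Add an assertion on the redirect target after the existing one, along the lines of `require.Equal(t, params[oauth.RedirectURIParam], <redirect field of the OAuth2 error>)`, using whichever field `withCallbackURI` populates (not visible here). The expected description also shows the client-supplied scope being echoed verbatim; a second case with a scope containing URL-reserved characters (for example `a b&c`) would confirm the redirected `error_description` is encoded rather than concatenated. TestWrapper_handleAuthorizeRequestFromHolder starts before and ends after this hunk.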