Is there a way to make OpenIddict redirect back to client application with error status of invalid_scope for an invalid scope error?
Today it interrupts the flow by displaying this at the authorize endpoint:
error:invalid_scope
error_description:The specified 'scope' is invalid.
error_uri:https://documentation.openiddict.com/errors/ID2052
But the specification says:
If the resource owner denies the access request or if the request fails for reasons other than a missing or invalid redirection URI, the authorization server informs the client by adding the following parameters to the query component of the redirection URI...
Is there some configuration option I missed, or a way to hook an event to override this behavior?
EDIT: there is an event hook but it apparently happens before the validation of the redirect URI, so it would be dangerous to take this approach.
    using System.Web; // for HttpUtility.UrlEncode

    options.AddEventHandler<ApplyAuthorizationResponseContext>(builder =>
    {
        builder.UseInlineHandler(responseContext =>
        {
            if (responseContext.Error != null
                && responseContext.Error == "invalid_request"
                && (responseContext.Response.Error == "invalid_scope"
                    || (responseContext?.Response?.ErrorDescription?.Contains("scope is not allowed") ?? false)))
            {
                // Force a query-string redirect instead of rendering the error at the authorize endpoint.
                responseContext.ResponseMode = "query";
                var issuer = responseContext?.BaseUri?.AbsoluteUri ?? string.Empty;
                var state = responseContext?.Request?.State ?? string.Empty;
                // DON'T DO THIS. REDIRECT URI MIGHT BE INVALID
                // (at this point the request's redirect_uri has not been checked against the client registration)
                responseContext!.RedirectUri = $"{responseContext?.Request?.RedirectUri}?state={HttpUtility.UrlEncode(state)}&iss={HttpUtility.UrlEncode(issuer)}";
            }
            return default;
        });
    });
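As an added example (not code from the original post or from the OpenIddict project), the same hook written so that it only redirects when the requested redirect_uri is actually registered for the requesting client, which is the check the snippet above is missing. The manager methods and the ordering relative to `OpenIddictServerAspNetCoreHandlers.Authentication.ProcessQueryResponse` are assumptions based on the OpenIddict 3.x/4.x API.

```csharp
using System.Threading.Tasks;
using OpenIddict.Abstractions;
using OpenIddict.Server;
using OpenIddict.Server.AspNetCore;
using static OpenIddict.Abstractions.OpenIddictConstants;
using static OpenIddict.Server.OpenIddictServerEvents;

// Redirects an authorization *error* (e.g. invalid_scope) back to the client only after
// confirming that redirect_uri is registered for the client. A missing or unregistered
// redirect_uri keeps OpenIddict's default behaviour (error rendered at the authorize endpoint),
// which is what RFC 6749 section 4.1.2.1 requires.
public sealed class RedirectValidatedErrorsHandler : IOpenIddictServerHandler<ApplyAuthorizationResponseContext>
{
    private readonly IOpenIddictApplicationManager _applications;

    public RedirectValidatedErrorsHandler(IOpenIddictApplicationManager applications)
        => _applications = applications;

    // Assumed ordering: run just before the built-in query-response processor so the
    // RedirectUri set here is picked up when the response is written.
    public static OpenIddictServerHandlerDescriptor Descriptor { get; }
        = OpenIddictServerHandlerDescriptor.CreateBuilder<ApplyAuthorizationResponseContext>()
            .UseScopedHandler<RedirectValidatedErrorsHandler>()
            .SetOrder(OpenIddictServerAspNetCoreHandlers.Authentication.ProcessQueryResponse.Descriptor.Order - 1)
            .SetType(OpenIddictServerHandlerType.Custom)
            .Build();

    public async ValueTask HandleAsync(ApplyAuthorizationResponseContext context)
    {
        // Only act on error responses that OpenIddict is about to render locally.
        if (string.IsNullOrEmpty(context.Response.Error) || !string.IsNullOrEmpty(context.RedirectUri))
            return;

        var request = context.Request;
        if (request is null || string.IsNullOrEmpty(request.ClientId) || string.IsNullOrEmpty(request.RedirectUri))
            return; // no client or no redirect_uri: nothing we are allowed to redirect to

        // Never redirect to a URI that is not registered for this client (open-redirect protection).
        var application = await _applications.FindByClientIdAsync(request.ClientId);
        if (application is null || !await _applications.ValidateRedirectUriAsync(application, request.RedirectUri))
            return;

        context.RedirectUri = request.RedirectUri;
        context.ResponseMode = request.ResponseMode ?? ResponseModes.Query;
        context.Response.State ??= request.State; // echo state back as RFC 6749 requires
    }
}

// Registration inside AddServer(options => ...):
// options.AddEventHandler(RedirectValidatedErrorsHandler.Descriptor);
```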