closed-social
/
gitea
3
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7401 Commits
2 Branches
178 MiB
Tree: b33f7f792b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b33f7f792b'
${ noResults }
gitea/routers/user/oauth.go

479 lines
16 KiB
Raw Normal View History

Integrate OAuth2 Provider (#5378)
5 years ago
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
5 years ago
Integrate OAuth2 Provider (#5378)
5 years ago
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
5 years ago
Integrate OAuth2 Provider (#5378)
5 years ago
Add option to disable refresh token invalidation (#6584) * Add option to disable refresh token invalidation Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add integration tests and remove wrong todos Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix typo Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix tests and add documentation Signed-off-by: Jonas Franz <info@jonasfranz.software>
5 years ago
Integrate OAuth2 Provider (#5378)
5 years ago
Add option to disable refresh token invalidation (#6584) * Add option to disable refresh token invalidation Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add integration tests and remove wrong todos Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix typo Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix tests and add documentation Signed-off-by: Jonas Franz <info@jonasfranz.software>
5 years ago
Integrate OAuth2 Provider (#5378)
5 years ago
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
5 years ago
Integrate OAuth2 Provider (#5378)
5 years ago
Add option to disable refresh token invalidation (#6584) * Add option to disable refresh token invalidation Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add integration tests and remove wrong todos Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix typo Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix tests and add documentation Signed-off-by: Jonas Franz <info@jonasfranz.software>
5 years ago
Integrate OAuth2 Provider (#5378)
5 years ago
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
5 years ago
Integrate OAuth2 Provider (#5378)
5 years ago
 
  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package user
  6. 

  7. import (
  8. 	"encoding/base64"
  9. 	"fmt"
  10. 	"net/url"
  11. 	"strings"
  12. 

  13. 	"github.com/dgrijalva/jwt-go"
  14. 	"github.com/go-macaron/binding"
  15. 

  16. 	"code.gitea.io/gitea/models"
  17. 	"code.gitea.io/gitea/modules/auth"
  18. 	"code.gitea.io/gitea/modules/base"
  19. 	"code.gitea.io/gitea/modules/context"
  20. 	"code.gitea.io/gitea/modules/log"
  21. 	"code.gitea.io/gitea/modules/setting"
  22. 	"code.gitea.io/gitea/modules/util"
  23. )
  24. 

  25. const (
  26. 	tplGrantAccess base.TplName = "user/auth/grant"
  27. 	tplGrantError  base.TplName = "user/auth/grant_error"
  28. )
  29. 

  30. // TODO move error and responses to SDK or models

  31. 

  32. // AuthorizeErrorCode represents an error code specified in RFC 6749

  33. type AuthorizeErrorCode string
  34. 

  35. const (
  36. 	// ErrorCodeInvalidRequest represents the according error in RFC 6749

  37. 	ErrorCodeInvalidRequest AuthorizeErrorCode = "invalid_request"
  38. 	// ErrorCodeUnauthorizedClient represents the according error in RFC 6749

  39. 	ErrorCodeUnauthorizedClient AuthorizeErrorCode = "unauthorized_client"
  40. 	// ErrorCodeAccessDenied represents the according error in RFC 6749

  41. 	ErrorCodeAccessDenied AuthorizeErrorCode = "access_denied"
  42. 	// ErrorCodeUnsupportedResponseType represents the according error in RFC 6749

  43. 	ErrorCodeUnsupportedResponseType AuthorizeErrorCode = "unsupported_response_type"
  44. 	// ErrorCodeInvalidScope represents the according error in RFC 6749

  45. 	ErrorCodeInvalidScope AuthorizeErrorCode = "invalid_scope"
  46. 	// ErrorCodeServerError represents the according error in RFC 6749

  47. 	ErrorCodeServerError AuthorizeErrorCode = "server_error"
  48. 	// ErrorCodeTemporaryUnavailable represents the according error in RFC 6749

  49. 	ErrorCodeTemporaryUnavailable AuthorizeErrorCode = "temporarily_unavailable"
  50. )
  51. 

  52. // AuthorizeError represents an error type specified in RFC 6749

  53. type AuthorizeError struct {
  54. 	ErrorCode        AuthorizeErrorCode `json:"error" form:"error"`
  55. 	ErrorDescription string
  56. 	State            string
  57. }
  58. 

  59. // Error returns the error message

  60. func (err AuthorizeError) Error() string {
  61. 	return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription)
  62. }
  63. 

  64. // AccessTokenErrorCode represents an error code specified in RFC 6749

  65. type AccessTokenErrorCode string
  66. 

  67. const (
  68. 	// AccessTokenErrorCodeInvalidRequest represents an error code specified in RFC 6749

  69. 	AccessTokenErrorCodeInvalidRequest AccessTokenErrorCode = "invalid_request"
  70. 	// AccessTokenErrorCodeInvalidClient represents an error code specified in RFC 6749

  71. 	AccessTokenErrorCodeInvalidClient = "invalid_client"
  72. 	// AccessTokenErrorCodeInvalidGrant represents an error code specified in RFC 6749

  73. 	AccessTokenErrorCodeInvalidGrant = "invalid_grant"
  74. 	// AccessTokenErrorCodeUnauthorizedClient represents an error code specified in RFC 6749

  75. 	AccessTokenErrorCodeUnauthorizedClient = "unauthorized_client"
  76. 	// AccessTokenErrorCodeUnsupportedGrantType represents an error code specified in RFC 6749

  77. 	AccessTokenErrorCodeUnsupportedGrantType = "unsupported_grant_type"
  78. 	// AccessTokenErrorCodeInvalidScope represents an error code specified in RFC 6749

  79. 	AccessTokenErrorCodeInvalidScope = "invalid_scope"
  80. )
  81. 

  82. // AccessTokenError represents an error response specified in RFC 6749

  83. type AccessTokenError struct {
  84. 	ErrorCode        AccessTokenErrorCode `json:"error" form:"error"`
  85. 	ErrorDescription string               `json:"error_description"`
  86. }
  87. 

  88. // Error returns the error message

  89. func (err AccessTokenError) Error() string {
  90. 	return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription)
  91. }
  92. 

  93. // TokenType specifies the kind of token

  94. type TokenType string
  95. 

  96. const (
  97. 	// TokenTypeBearer represents a token type specified in RFC 6749

  98. 	TokenTypeBearer TokenType = "bearer"
  99. 	// TokenTypeMAC represents a token type specified in RFC 6749

  100. 	TokenTypeMAC = "mac"
  101. )
  102. 

  103. // AccessTokenResponse represents a successful access token response

  104. type AccessTokenResponse struct {
  105. 	AccessToken  string    `json:"access_token"`
  106. 	TokenType    TokenType `json:"token_type"`
  107. 	ExpiresIn    int64     `json:"expires_in"`
  108. 	RefreshToken string    `json:"refresh_token"`
  109. }
  110. 

  111. func newAccessTokenResponse(grant *models.OAuth2Grant) (*AccessTokenResponse, *AccessTokenError) {
  112. 	if setting.OAuth2.InvalidateRefreshTokens {
  113. 		if err := grant.IncreaseCounter(); err != nil {
  114. 			return nil, &AccessTokenError{
  115. 				ErrorCode:        AccessTokenErrorCodeInvalidGrant,
  116. 				ErrorDescription: "cannot increase the grant counter",
  117. 			}
  118. 		}
  119. 	}
  120. 	// generate access token to access the API

  121. 	expirationDate := util.TimeStampNow().Add(setting.OAuth2.AccessTokenExpirationTime)
  122. 	accessToken := &models.OAuth2Token{
  123. 		GrantID: grant.ID,
  124. 		Type:    models.TypeAccessToken,
  125. 		StandardClaims: jwt.StandardClaims{
  126. 			ExpiresAt: expirationDate.AsTime().Unix(),
  127. 		},
  128. 	}
  129. 	signedAccessToken, err := accessToken.SignToken()
  130. 	if err != nil {
  131. 		return nil, &AccessTokenError{
  132. 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,
  133. 			ErrorDescription: "cannot sign token",
  134. 		}
  135. 	}
  136. 

  137. 	// generate refresh token to request an access token after it expired later

  138. 	refreshExpirationDate := util.TimeStampNow().Add(setting.OAuth2.RefreshTokenExpirationTime * 60 * 60).AsTime().Unix()
  139. 	refreshToken := &models.OAuth2Token{
  140. 		GrantID: grant.ID,
  141. 		Counter: grant.Counter,
  142. 		Type:    models.TypeRefreshToken,
  143. 		StandardClaims: jwt.StandardClaims{
  144. 			ExpiresAt: refreshExpirationDate,
  145. 		},
  146. 	}
  147. 	signedRefreshToken, err := refreshToken.SignToken()
  148. 	if err != nil {
  149. 		return nil, &AccessTokenError{
  150. 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,
  151. 			ErrorDescription: "cannot sign token",
  152. 		}
  153. 	}
  154. 

  155. 	return &AccessTokenResponse{
  156. 		AccessToken:  signedAccessToken,
  157. 		TokenType:    TokenTypeBearer,
  158. 		ExpiresIn:    setting.OAuth2.AccessTokenExpirationTime,
  159. 		RefreshToken: signedRefreshToken,
  160. 	}, nil
  161. }
  162. 

  163. // AuthorizeOAuth manages authorize requests

  164. func AuthorizeOAuth(ctx *context.Context, form auth.AuthorizationForm) {
  165. 	errs := binding.Errors{}
  166. 	errs = form.Validate(ctx.Context, errs)
  167. 

  168. 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)
  169. 	if err != nil {
  170. 		if models.IsErrOauthClientIDInvalid(err) {
  171. 			handleAuthorizeError(ctx, AuthorizeError{
  172. 				ErrorCode:        ErrorCodeUnauthorizedClient,
  173. 				ErrorDescription: "Client ID not registered",
  174. 				State:            form.State,
  175. 			}, "")
  176. 			return
  177. 		}
  178. 		ctx.ServerError("GetOAuth2ApplicationByClientID", err)
  179. 		return
  180. 	}
  181. 	if err := app.LoadUser(); err != nil {
  182. 		ctx.ServerError("LoadUser", err)
  183. 		return
  184. 	}
  185. 

  186. 	if !app.ContainsRedirectURI(form.RedirectURI) {
  187. 		handleAuthorizeError(ctx, AuthorizeError{
  188. 			ErrorCode:        ErrorCodeInvalidRequest,
  189. 			ErrorDescription: "Unregistered Redirect URI",
  190. 			State:            form.State,
  191. 		}, "")
  192. 		return
  193. 	}
  194. 

  195. 	if form.ResponseType != "code" {
  196. 		handleAuthorizeError(ctx, AuthorizeError{
  197. 			ErrorCode:        ErrorCodeUnsupportedResponseType,
  198. 			ErrorDescription: "Only code response type is supported.",
  199. 			State:            form.State,
  200. 		}, form.RedirectURI)
  201. 		return
  202. 	}
  203. 

  204. 	// pkce support

  205. 	switch form.CodeChallengeMethod {
  206. 	case "S256":
  207. 	case "plain":
  208. 		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallengeMethod); err != nil {
  209. 			handleAuthorizeError(ctx, AuthorizeError{
  210. 				ErrorCode:        ErrorCodeServerError,
  211. 				ErrorDescription: "cannot set code challenge method",
  212. 				State:            form.State,
  213. 			}, form.RedirectURI)
  214. 			return
  215. 		}
  216. 		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallenge); err != nil {
  217. 			handleAuthorizeError(ctx, AuthorizeError{
  218. 				ErrorCode:        ErrorCodeServerError,
  219. 				ErrorDescription: "cannot set code challenge",
  220. 				State:            form.State,
  221. 			}, form.RedirectURI)
  222. 			return
  223. 		}
  224. 		break
  225. 	case "":
  226. 		break
  227. 	default:
  228. 		handleAuthorizeError(ctx, AuthorizeError{
  229. 			ErrorCode:        ErrorCodeInvalidRequest,
  230. 			ErrorDescription: "unsupported code challenge method",
  231. 			State:            form.State,
  232. 		}, form.RedirectURI)
  233. 		return
  234. 	}
  235. 

  236. 	grant, err := app.GetGrantByUserID(ctx.User.ID)
  237. 	if err != nil {
  238. 		handleServerError(ctx, form.State, form.RedirectURI)
  239. 		return
  240. 	}
  241. 

  242. 	// Redirect if user already granted access

  243. 	if grant != nil {
  244. 		code, err := grant.GenerateNewAuthorizationCode(form.RedirectURI, form.CodeChallenge, form.CodeChallengeMethod)
  245. 		if err != nil {
  246. 			handleServerError(ctx, form.State, form.RedirectURI)
  247. 			return
  248. 		}
  249. 		redirect, err := code.GenerateRedirectURI(form.State)
  250. 		if err != nil {
  251. 			handleServerError(ctx, form.State, form.RedirectURI)
  252. 			return
  253. 		}
  254. 		ctx.Redirect(redirect.String(), 302)
  255. 		return
  256. 	}
  257. 

  258. 	// show authorize page to grant access

  259. 	ctx.Data["Application"] = app
  260. 	ctx.Data["RedirectURI"] = form.RedirectURI
  261. 	ctx.Data["State"] = form.State
  262. 	ctx.Data["ApplicationUserLink"] = "<a href=\"" + setting.LocalURL + app.User.LowerName + "\">@" + app.User.Name + "</a>"
  263. 	ctx.Data["ApplicationRedirectDomainHTML"] = "<strong>" + form.RedirectURI + "</strong>"
  264. 	// TODO document SESSION <=> FORM

  265. 	ctx.Session.Set("client_id", app.ClientID)
  266. 	ctx.Session.Set("redirect_uri", form.RedirectURI)
  267. 	ctx.Session.Set("state", form.State)
  268. 	ctx.HTML(200, tplGrantAccess)
  269. }
  270. 

  271. // GrantApplicationOAuth manages the post request submitted when a user grants access to an application

  272. func GrantApplicationOAuth(ctx *context.Context, form auth.GrantApplicationForm) {
  273. 	if ctx.Session.Get("client_id") != form.ClientID || ctx.Session.Get("state") != form.State ||
  274. 		ctx.Session.Get("redirect_uri") != form.RedirectURI {
  275. 		ctx.Error(400)
  276. 		return
  277. 	}
  278. 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)
  279. 	if err != nil {
  280. 		ctx.ServerError("GetOAuth2ApplicationByClientID", err)
  281. 		return
  282. 	}
  283. 	grant, err := app.CreateGrant(ctx.User.ID)
  284. 	if err != nil {
  285. 		handleAuthorizeError(ctx, AuthorizeError{
  286. 			State:            form.State,
  287. 			ErrorDescription: "cannot create grant for user",
  288. 			ErrorCode:        ErrorCodeServerError,
  289. 		}, form.RedirectURI)
  290. 		return
  291. 	}
  292. 

  293. 	var codeChallenge, codeChallengeMethod string
  294. 	codeChallenge, _ = ctx.Session.Get("CodeChallenge").(string)
  295. 	codeChallengeMethod, _ = ctx.Session.Get("CodeChallengeMethod").(string)
  296. 

  297. 	code, err := grant.GenerateNewAuthorizationCode(form.RedirectURI, codeChallenge, codeChallengeMethod)
  298. 	if err != nil {
  299. 		handleServerError(ctx, form.State, form.RedirectURI)
  300. 		return
  301. 	}
  302. 	redirect, err := code.GenerateRedirectURI(form.State)
  303. 	if err != nil {
  304. 		handleServerError(ctx, form.State, form.RedirectURI)
  305. 	}
  306. 	ctx.Redirect(redirect.String(), 302)
  307. }
  308. 

  309. // AccessTokenOAuth manages all access token requests by the client

  310. func AccessTokenOAuth(ctx *context.Context, form auth.AccessTokenForm) {
  311. 	if form.ClientID == "" {
  312. 		authHeader := ctx.Req.Header.Get("Authorization")
  313. 		authContent := strings.SplitN(authHeader, " ", 2)
  314. 		if len(authContent) == 2 && authContent[0] == "Basic" {
  315. 			payload, err := base64.StdEncoding.DecodeString(authContent[1])
  316. 			if err != nil {
  317. 				handleAccessTokenError(ctx, AccessTokenError{
  318. 					ErrorCode:        AccessTokenErrorCodeInvalidRequest,
  319. 					ErrorDescription: "cannot parse basic auth header",
  320. 				})
  321. 				return
  322. 			}
  323. 			pair := strings.SplitN(string(payload), ":", 2)
  324. 			if len(pair) != 2 {
  325. 				handleAccessTokenError(ctx, AccessTokenError{
  326. 					ErrorCode:        AccessTokenErrorCodeInvalidRequest,
  327. 					ErrorDescription: "cannot parse basic auth header",
  328. 				})
  329. 				return
  330. 			}
  331. 			form.ClientID = pair[0]
  332. 			form.ClientSecret = pair[1]
  333. 		}
  334. 	}
  335. 	switch form.GrantType {
  336. 	case "refresh_token":
  337. 		handleRefreshToken(ctx, form)
  338. 		return
  339. 	case "authorization_code":
  340. 		handleAuthorizationCode(ctx, form)
  341. 		return
  342. 	default:
  343. 		handleAccessTokenError(ctx, AccessTokenError{
  344. 			ErrorCode:        AccessTokenErrorCodeUnsupportedGrantType,
  345. 			ErrorDescription: "Only refresh_token or authorization_code grant type is supported",
  346. 		})
  347. 	}
  348. }
  349. 

  350. func handleRefreshToken(ctx *context.Context, form auth.AccessTokenForm) {
  351. 	token, err := models.ParseOAuth2Token(form.RefreshToken)
  352. 	if err != nil {
  353. 		handleAccessTokenError(ctx, AccessTokenError{
  354. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
  355. 			ErrorDescription: "client is not authorized",
  356. 		})
  357. 		return
  358. 	}
  359. 	// get grant before increasing counter

  360. 	grant, err := models.GetOAuth2GrantByID(token.GrantID)
  361. 	if err != nil || grant == nil {
  362. 		handleAccessTokenError(ctx, AccessTokenError{
  363. 			ErrorCode:        AccessTokenErrorCodeInvalidGrant,
  364. 			ErrorDescription: "grant does not exist",
  365. 		})
  366. 		return
  367. 	}
  368. 

  369. 	// check if token got already used

  370. 	if setting.OAuth2.InvalidateRefreshTokens && (grant.Counter != token.Counter || token.Counter == 0) {
  371. 		handleAccessTokenError(ctx, AccessTokenError{
  372. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
  373. 			ErrorDescription: "token was already used",
  374. 		})
  375. 		log.Warn("A client tried to use a refresh token for grant_id = %d was used twice!", grant.ID)
  376. 		return
  377. 	}
  378. 	accessToken, tokenErr := newAccessTokenResponse(grant)
  379. 	if tokenErr != nil {
  380. 		handleAccessTokenError(ctx, *tokenErr)
  381. 		return
  382. 	}
  383. 	ctx.JSON(200, accessToken)
  384. }
  385. 

  386. func handleAuthorizationCode(ctx *context.Context, form auth.AccessTokenForm) {
  387. 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)
  388. 	if err != nil {
  389. 		handleAccessTokenError(ctx, AccessTokenError{
  390. 			ErrorCode:        AccessTokenErrorCodeInvalidClient,
  391. 			ErrorDescription: fmt.Sprintf("cannot load client with client id: '%s'", form.ClientID),
  392. 		})
  393. 		return
  394. 	}
  395. 	if !app.ValidateClientSecret([]byte(form.ClientSecret)) {
  396. 		handleAccessTokenError(ctx, AccessTokenError{
  397. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
  398. 			ErrorDescription: "client is not authorized",
  399. 		})
  400. 		return
  401. 	}
  402. 	if form.RedirectURI != "" && !app.ContainsRedirectURI(form.RedirectURI) {
  403. 		handleAccessTokenError(ctx, AccessTokenError{
  404. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
  405. 			ErrorDescription: "client is not authorized",
  406. 		})
  407. 		return
  408. 	}
  409. 	authorizationCode, err := models.GetOAuth2AuthorizationByCode(form.Code)
  410. 	if err != nil || authorizationCode == nil {
  411. 		handleAccessTokenError(ctx, AccessTokenError{
  412. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
  413. 			ErrorDescription: "client is not authorized",
  414. 		})
  415. 		return
  416. 	}
  417. 	// check if code verifier authorizes the client, PKCE support

  418. 	if !authorizationCode.ValidateCodeChallenge(form.CodeVerifier) {
  419. 		handleAccessTokenError(ctx, AccessTokenError{
  420. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
  421. 			ErrorDescription: "client is not authorized",
  422. 		})
  423. 		return
  424. 	}
  425. 	// check if granted for this application

  426. 	if authorizationCode.Grant.ApplicationID != app.ID {
  427. 		handleAccessTokenError(ctx, AccessTokenError{
  428. 			ErrorCode:        AccessTokenErrorCodeInvalidGrant,
  429. 			ErrorDescription: "invalid grant",
  430. 		})
  431. 		return
  432. 	}
  433. 	// remove token from database to deny duplicate usage

  434. 	if err := authorizationCode.Invalidate(); err != nil {
  435. 		handleAccessTokenError(ctx, AccessTokenError{
  436. 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,
  437. 			ErrorDescription: "cannot proceed your request",
  438. 		})
  439. 	}
  440. 	resp, tokenErr := newAccessTokenResponse(authorizationCode.Grant)
  441. 	if tokenErr != nil {
  442. 		handleAccessTokenError(ctx, *tokenErr)
  443. 		return
  444. 	}
  445. 	// send successful response

  446. 	ctx.JSON(200, resp)
  447. }
  448. 

  449. func handleAccessTokenError(ctx *context.Context, acErr AccessTokenError) {
  450. 	ctx.JSON(400, acErr)
  451. }
  452. 

  453. func handleServerError(ctx *context.Context, state string, redirectURI string) {
  454. 	handleAuthorizeError(ctx, AuthorizeError{
  455. 		ErrorCode:        ErrorCodeServerError,
  456. 		ErrorDescription: "A server error occurred",
  457. 		State:            state,
  458. 	}, redirectURI)
  459. }
  460. 

  461. func handleAuthorizeError(ctx *context.Context, authErr AuthorizeError, redirectURI string) {
  462. 	if redirectURI == "" {
  463. 		log.Warn("Authorization failed: %v", authErr.ErrorDescription)
  464. 		ctx.Data["Error"] = authErr
  465. 		ctx.HTML(400, tplGrantError)
  466. 		return
  467. 	}
  468. 	redirect, err := url.Parse(redirectURI)
  469. 	if err != nil {
  470. 		ctx.ServerError("url.Parse", err)
  471. 		return
  472. 	}
  473. 	q := redirect.Query()
  474. 	q.Set("error", string(authErr.ErrorCode))
  475. 	q.Set("error_description", authErr.ErrorDescription)
  476. 	q.Set("state", authErr.State)
  477. 	redirect.RawQuery = q.Encode()
  478. 	ctx.Redirect(redirect.String(), 302)
  479. }