[
https://issues.apache.org/jira/browse/CXF-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13416023#comment-13416023
]
Jordi Torrente commented on CXF-4427:
-------------------------------------
Daniel, I agree with you that a lot of details could become a security risk,
but on the other hand a "server_error" code for all situations is quite useless
in order to manage error conditions, isn't it?
We're trying to implement a set of abstract, "high-level" OAuth 2 services,
based on CXF, and with the current version we're unable to create more
user-centric error messages. I accept this functionality has to be considered
completely optional: in some "special" cases it could be desirable, while in
the majority of cases it will be not wanted :)
> Error details are discarded and never sent to the client
> --------------------------------------------------------
>
> Key: CXF-4427
> URL: https://issues.apache.org/jira/browse/CXF-4427
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 2.7.0
> Reporter: Jordi Torrente
> Labels: oauth2
>
> Current AccessTokenService implementation catches all OAuthServiceExceptions
> and returns a generic error response discarding all the exception details:
> ServerAccessToken serverToken = null;
> try {
> serverToken = handler.createAccessToken(client, params);
> } catch (OAuthServiceException ex) {
> // the error response is to be returned next
> }
> if (serverToken == null) {
> return createErrorResponse(params, OAuthConstants.INVALID_GRANT);
> }
> I think it would be more useful to create the OAuthError object to return
> using the exception's message, in order to receive the error code/details at
> the client layer
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
