
Error response contains error_message instead of error_description (Incompatibility) #65

@seb-men

Description


Code Version

pyop version 3.4.2

Current Behavior

If the redirect_uri is valid and an error occurs (for example missing openid scope), the InvalidAuthenticationRequest exception returns an error_url that contains the parameters "error", "error_message" and optional "state". "error" and "state" are correct, but the parameter "error_message" is neither mentioned in the OAuth RFC 6759 Section 4.1.2.1 nor in the OIDC spec Section 3.1.2.6.

Expected Behavior

Instead, the parameter should be named "error_description" according to the specs. The OIDC spec also states that "Other parameters SHOULD NOT be returned."

The current behavior is not a strict violation against the spec, because "error_description" is OPTIONAL and other parameters "SHOULD NOT" be returned. Still, it will cause incompatibilities with most clients that adhere to the specs.

Possible Solution

Return "error_description" instead of "error_message", or in addition to "error_message" for backwards compatibility with clients that were written for pyop / SATOSA specifically. Backwards compatibility could even be controlled by a flag in the configuration.

The fix would be:

diff --git a/src/pyop/exceptions.py b/src/pyop/exceptions.py
index 9017f10..9378ea6 100644
--- a/src/pyop/exceptions.py
+++ b/src/pyop/exceptions.py
@@ -52,7 +52,7 @@ class InvalidAuthenticationRequest(InvalidRequestError):
         redirect_uri = self.request.get('redirect_uri')
         response_type = self.request.get('response_type')
         if redirect_uri and response_type and self.oauth_error:
-            error_resp = AuthorizationErrorResponse(error=self.oauth_error, error_message=str(self),
+            error_resp = AuthorizationErrorResponse(error=self.oauth_error, error_description=str(self),
                                                     state=self.request.get('state'))
             return error_resp.request(redirect_uri, should_fragment_encode(self.request))
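Review bot: the hunk drops error_message outright, so a client written against pyop's existing error_url that reads error_message stops receiving the description, while the Possible Solution above proposes keeping it for backwards compatibility; either pass both keyword arguments (`error_description=str(self), error_message=str(self)`, optionally behind a config flag) or state the removal as a breaking change in the release notes. Separately, str(self) is placed into the redirect unchanged, and RFC 6749 section 4.1.2.1 restricts error_description to %x20-21 / %x23-5B / %x5D-7E (no double quote or backslash), so the exception messages pyop produces should be checked against that character set.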

Steps to Reproduce

  1. Set up Satosa with an OIDC frontend or another provider using pyop
  2. Issue an authorization request without openid scope, for example: https://satosa_host:satosa_port/oidc/authorization?response_type=code&client_id=demo&scope=unknown&redirect_uri=https://localhost/redirect
  3. Your browser will redirect you to https://localhost/redirect?error=invalid_request&error_message=openid+not+in+scope, whereas it SHOULD be error_description=openid+not+in+scope
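As an added example (not pyop's or SATOSA's code), the following stand-alone Python shows both sides of the exchange described in this report: an OP-side builder that emits the spec-named error_description, picks query versus fragment encoding from response_type, and offers a hypothetical legacy_error_message switch matching the backwards-compatibility idea in Possible Solution; and a client-side parser that accepts either spelling, checks state, and reports any non-standard parameters. The redirect URIs and messages are constructed for the example, and should_fragment_encode is re-implemented here rather than imported from pyop.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Error codes permitted in an authorization error response by RFC 6749
# section 4.1.2.1 and OpenID Connect Core section 3.1.2.6.
RFC6749_ERRORS = {
    "invalid_request", "unauthorized_client", "access_denied",
    "unsupported_response_type", "invalid_scope", "server_error",
    "temporarily_unavailable",
}
OIDC_ERRORS = {
    "interaction_required", "login_required", "account_selection_required",
    "consent_required", "invalid_request_uri", "invalid_request_object",
    "request_not_supported", "request_uri_not_supported",
    "registration_not_supported",
}
# The only parameters the specs define for the error redirect.
STANDARD_PARAMS = {"error", "error_description", "error_uri", "state"}


def should_fragment_encode(response_type):
    """True when the response belongs in the URI fragment, not the query.

    Only the plain authorization code flow (response_type=code) returns its
    parameters in the query component; implicit and hybrid flows use the
    fragment. Same name as pyop's helper, re-implemented for this example.
    """
    return sorted(response_type.split()) != ["code"]


def _check_description(text):
    # RFC 6749 4.1.2.1: error_description is limited to %x20-21 / %x23-5B /
    # %x5D-7E, i.e. printable ASCII without double quote or backslash.
    for ch in text:
        if not (0x20 <= ord(ch) <= 0x7E) or ch in '"\\':
            raise ValueError("character not allowed in error_description: %r" % ch)


def build_error_redirect(redirect_uri, error, description=None, state=None,
                         response_type="code", legacy_error_message=False):
    """OP side: build the redirect for a failed authorization request.

    legacy_error_message additionally emits pyop's historical error_message
    parameter for clients written against it (a hypothetical compatibility
    switch for this example, not a pyop configuration option).
    """
    if error not in RFC6749_ERRORS | OIDC_ERRORS:
        raise ValueError("unknown error code: %s" % error)
    params = {"error": error}
    if description is not None:
        _check_description(description)
        params["error_description"] = description
        if legacy_error_message:
            params["error_message"] = description
    if state is not None:
        # Echo the client's state verbatim; it is REQUIRED when the client sent one.
        params["state"] = state
    encoded = urlencode(params)
    parts = urlsplit(redirect_uri)
    if should_fragment_encode(response_type):
        return urlunsplit(parts._replace(fragment=encoded))
    # RFC 6749 3.1.2: a registered redirect_uri may already carry a query
    # string, so append to it instead of replacing it.
    query = "%s&%s" % (parts.query, encoded) if parts.query else encoded
    return urlunsplit(parts._replace(query=query))


def parse_error_redirect(url, expected_state=None):
    """Client side: read an error redirect, accepting both parameter names.

    Returns None when the URL carries no error parameter (a success response).
    Raises ValueError on a state mismatch, which the client must treat as a
    forged or replayed response and not act on.
    """
    parts = urlsplit(url)
    raw = parts.fragment or parts.query
    params = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    if "error" not in params:
        return None
    if expected_state is not None and params.get("state") != expected_state:
        raise ValueError("state mismatch on error redirect")
    # Prefer the spec name; fall back to pyop's error_message.
    description = params.get("error_description", params.get("error_message"))
    return {
        "error": params["error"],
        "error_description": description,
        "state": params.get("state"),
        "nonstandard_params": sorted(set(params) - STANDARD_PARAMS),
    }
```

Running build_error_redirect("https://localhost/redirect", "invalid_request", "openid not in scope") yields the URL the reporter expects in step 3, and parse_error_redirect applied to the URL pyop currently produces still recovers the description while listing error_message under nonstandard_params, which is the client-side tolerance a relying party needs until the fix lands.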
