From 09dbb7c0b6f363dcdabb989d2cc692be171bde91 Mon Sep 17 00:00:00 2001
From: Sebastian Mennicke
Date: Fri, 30 Jan 2026 11:58:38 +0100
Subject: [PATCH] Security fix: Introduced new exception for 'unknown client_id' that does not set the error_url to prevent open redirect attacks
---
 src/pyop/exceptions.py | 5 +++++
 src/pyop/request_validator.py | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/pyop/exceptions.py b/src/pyop/exceptions.py
index 9017f10..4b39a9e 100644
--- a/src/pyop/exceptions.py
+++ b/src/pyop/exceptions.py
@@ -59,6 +59,11 @@ def to_error_url(self):
 return None
+class UnknownClientId(InvalidAuthenticationRequest):
+ def to_error_url(self):
+ return None
+
+
 class InvalidRedirectURI(InvalidAuthenticationRequest):
 def to_error_url(self):
 return None
diff --git a/src/pyop/request_validator.py b/src/pyop/request_validator.py
index c5419f8..0ec66b3 100644
--- a/src/pyop/request_validator.py
+++ b/src/pyop/request_validator.py
@@ -5,6 +5,7 @@
 from .exceptions import InvalidClientRegistrationRequest
 from .exceptions import InvalidAuthenticationRequest
+from .exceptions import UnknownClientId
 from .exceptions import InvalidRedirectURI
 from .util import is_allowed_response_type, find_common_values
@@ -32,7 +33,7 @@ def client_id_is_known(provider, authentication_request):
 """
 if authentication_request['client_id'] not in provider.clients:
 logger.error('Unknown client_id \'{}\''.format(authentication_request['client_id']))
- raise InvalidAuthenticationRequest('Unknown client_id',
+ raise UnknownClientId('Unknown client_id',
 authentication_request,
 oauth_error='unauthorized_client')
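Review bot: The new `UnknownClientId` class in the exceptions.py hunk has no docstring explaining why `to_error_url` returns `None`, and that reason is the entire security fix; without it a later cleanup could collapse the class back into the base behaviour and reintroduce the redirect. Suggest `"""Raised when the request's client_id is not a registered client. Deliberately yields no error URL: with an unknown client the redirect_uri cannot be checked against a registered value, so redirecting to it would be an open redirect."""`. `InvalidRedirectURI` directly below has a byte-identical body, so a shared intermediate base (say, a non-redirecting `InvalidAuthenticationRequest` subclass that both inherit from) would keep the two from drifting apart. The class whose `to_error_url` appears as leading context starts outside the hunk.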
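Review bot: In the `client_id_is_known` hunk the `logger.error` line above the changed `raise` still interpolates the unvalidated `client_id` verbatim with `str.format`, so a value containing newlines or control characters lands unescaped in the log; `logger.error('Unknown client_id %r', authentication_request['client_id'])` both neutralises that and defers formatting to the logging layer. The new exception keeps `oauth_error='unauthorized_client'` while no longer producing an error URL, so it would help to document at the raise site that this error is meant to be shown to the end user rather than delivered to the client, since I cannot see from this hunk how callers render a non-redirecting exception. It is also worth confirming that no other validator raises a redirecting `InvalidAuthenticationRequest` before the redirect_uri check has passed, as the same reasoning applies there. The function's `def` line lies outside the hunk.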