
Copilot AI commented Feb 10, 2026

The /authorize endpoint returns server_error (HTTP 500) when the subject is not found, misclassifying a client error as a server error.

Changes

  • Modified subjectExists() to return oauth.OAuth2Error with InvalidRequest code instead of raw didsubject.ErrSubjectNotFound
  • Updated test expectations in TestWrapper_subjectExists to verify OAuth2 error structure

Impact

Requests to /oauth2/{unknown-subject}/authorize now return:

HTTP 400 Bad Request
{
  "error": "invalid_request",
  "error_description": "subject not found"
}

Fixes #3974

Previously returned HTTP 500 with generic server_error code.

This aligns with the error handling pattern already used in OpenIDConfiguration() for the same error condition.

Original prompt

This section details the original issue you should resolve

<issue_title>IAM: /authorize yields server error when subject is not known</issue_title>
<issue_description>```
time="2025-04-14T11:40:00+02:00" level=warning msg="HandleAuthorizeRequest failed" error="subject not found" module=Auth/iam operation=HandleAuthorizeRequest operationID=HandleAuthorizeRequest requestURI=/oauth2/local/authorize user=""
```


![Image](https://github.com/user-attachments/assets/f9b77a3e-4251-4d18-b648-e779fc026056)

I think we should be OK communicating the underlying error to the client.</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
</comments>


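The classification pattern the PR describes, as an added Go example that is not nuts-node's code: a domain "not found" sentinel is turned into an OAuth2Error with code invalid_request (HTTP 400) at the point where the subject is resolved, while anything that is not already an OAuth2Error falls back to server_error (HTTP 500) with a fixed message so internal detail is never echoed to the client. It covers both /authorize and /token, as the final PR title does, and toOAuth2Error(ErrSubjectNotFound) reproduces the pre-fix behaviour: a raw sentinel that bypasses the wrapping is misclassified as a server error. The names subjectExists, OAuth2Error and InvalidRequest are taken from the PR description; the struct layout, ErrSubjectNotFound, knownSubjects, toOAuth2Error, subjectFromPath, writeError, handler and request are assumptions made for this example and do not mirror the project's real types or routing.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrSubjectNotFound is a constructed stand-in for the subject store's "not found" sentinel.
var ErrSubjectNotFound = errors.New("subject not found")

const (
	InvalidRequest = "invalid_request" // client error, RFC 6749 section 5.2
	ServerError    = "server_error"    // unexpected failure on our side
)

// OAuth2Error is the RFC 6749 error body plus the HTTP status it must be sent with.
type OAuth2Error struct {
	Code        string `json:"error"`
	Description string `json:"error_description,omitempty"`
	Status      int    `json:"-"`
}

func (e OAuth2Error) Error() string { return e.Code + ": " + e.Description }

// knownSubjects is constructed sample data standing in for the DID subject store.
var knownSubjects = map[string]bool{"local": true}

// subjectExists classifies an unknown subject as a client error (400 invalid_request)
// instead of returning the raw store error, which the fallback below would turn into a 500.
func subjectExists(_ context.Context, subject string) error {
	if !knownSubjects[subject] {
		return OAuth2Error{Code: InvalidRequest, Description: ErrSubjectNotFound.Error(), Status: http.StatusBadRequest}
	}
	return nil
}

// toOAuth2Error passes already-classified errors through and maps everything else to a
// generic server_error, so database or wrapping context never reaches the client.
func toOAuth2Error(err error) OAuth2Error {
	var oauthErr OAuth2Error
	if errors.As(err, &oauthErr) {
		return oauthErr
	}
	return OAuth2Error{Code: ServerError, Description: "internal server error", Status: http.StatusInternalServerError}
}

// subjectFromPath extracts {subject} from /oauth2/{subject}/authorize or /oauth2/{subject}/token.
func subjectFromPath(path string) (subject string, ok bool) {
	parts := strings.Split(strings.Trim(path, "/"), "/")
	if len(parts) != 3 || parts[0] != "oauth2" || (parts[2] != "authorize" && parts[2] != "token") {
		return "", false
	}
	return parts[1], true
}

func writeError(w http.ResponseWriter, e OAuth2Error) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(e.Status)
	_ = json.NewEncoder(w).Encode(e)
}

// handler resolves the subject first; the real authorize/token flow would follow the check.
func handler(w http.ResponseWriter, r *http.Request) {
	subject, ok := subjectFromPath(r.URL.Path)
	if !ok {
		http.NotFound(w, r)
		return
	}
	if err := subjectExists(r.Context(), subject); err != nil {
		writeError(w, toOAuth2Error(err))
		return
	}
	w.WriteHeader(http.StatusNoContent)
}

// request drives one constructed request through the handler and decodes the error body.
func request(path string) (int, OAuth2Error) {
	rec := httptest.NewRecorder()
	handler(rec, httptest.NewRequest(http.MethodGet, path, nil))
	var body OAuth2Error
	_ = json.Unmarshal(rec.Body.Bytes(), &body)
	return rec.Code, body
}

func main() {
	for _, p := range []string{"/oauth2/local/authorize", "/oauth2/unknown/authorize", "/oauth2/unknown/token"} {
		status, body := request(p)
		fmt.Printf("%-26s -> %d %s %q\n", p, status, body.Code, body.Description)
	}
	fmt.Println("raw sentinel, unwrapped:", toOAuth2Error(ErrSubjectNotFound).Status)
}
```

Run with `go run .`: the unknown subject yields 400 with the invalid_request body on both endpoints, the known subject passes the check, and the unwrapped sentinel shows why the classification has to happen where the error originates rather than in a catch-all mapper.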

Copilot AI changed the title [WIP] Fix server error when subject is not known in IAM authorize Return invalid_request instead of server_error for unknown subjects in /authorize Feb 10, 2026
Copilot AI requested a review from reinkrul February 10, 2026 07:08

qltysh bot commented Feb 10, 2026

Qlty

Coverage Impact

⬆️ Merging this pull request will increase total coverage on master by 0.01%.

Modified Files with Diff Coverage (1)

Rating   File                   % Diff    Uncovered Line #s
B        auth/api/iam/api.go    100.0%    none
Total                           100.0%


…ead of ServerError

Co-authored-by: reinkrul <1481228+reinkrul@users.noreply.github.com>
@reinkrul reinkrul force-pushed the copilot/fix-iam-authorize-server-error branch from 2f2f5a4 to c527cf1 Compare February 10, 2026 08:23
@reinkrul reinkrul marked this pull request as ready for review February 10, 2026 08:23
@reinkrul reinkrul changed the title Return invalid_request instead of server_error for unknown subjects in /authorize Return invalid_request instead of server_error for unknown subjects in /authorize and /token Feb 10, 2026

qltysh bot commented Feb 10, 2026

0 new issues


Development

Successfully merging this pull request may close these issues.

IAM: Requesting access token for unknown subject (on remote server) yields error 500
IAM: /authorize yields server error when subject is not known

2 participants