Description
Describe the bug
When hitting the Pushed Authorization Request (PAR) endpoint without the response_type parameter, the server returns:
```json
{
  "status": 500,
  "error": "Internal Server Error"
}
```
instead of returning a 400 Bad Request with an OAuth error response.
Observations from the code on this issue:
1. When a PAR request arrives without response_type, authenticationConverter.convert(request) returns null. Involved class: OAuth2AuthorizationCodeRequestAuthenticationConverter.convert(). Code excerpt:
   ```java
   if (!this.requestMatcher.matches(request)) {
       return null;
   }
   ```
   The converter returns null instead of throwing an exception.
2. As a result, authenticationManager.authenticate(null) is invoked.
3. This propagates into ObservationAuthenticationManager.authenticate(null), which calls observationContext.setAuthenticationRequest(null).
4. Inside AuthenticationObservationContext.setAuthenticationRequest(null), the following assertion triggers:
   ```java
   Assert.notNull(null, "authenticationRequest cannot be null");
   ```
5. This results in an IllegalArgumentException ("authenticationRequest cannot be null").
Since IllegalArgumentException is not an AuthenticationException, it bypasses the OAuth2 error handling mechanism. As a result, the servlet container interprets it as an unhandled exception and returns 500 Internal Server Error instead of a structured OAuth2 error response.
To Reproduce
Send a PAR request without response_type:
```shell
curl --location '{{host}}/v1/oauth/par' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Authorization: {{}}' \
  --data-urlencode 'client_id={{}}' \
  --data-urlencode 'redirect_uri={{}}' \
  --data-urlencode 'scope={{}}' \
  --data-urlencode 'state={{}}' \
  --data-urlencode 'code_challenge={{}}' \
  --data-urlencode 'code_challenge_method={{}}'
```
Expected behavior
The response should be 400 Bad Request:
```json
{
  "error_description": "OAuth 2.0 Parameter:response_type",
  "error": "invalid_request"
}
```
Sample
This is reproducible on any PAR API request without the response_type parameter.
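As an added example, not code from this issue or from Spring Authorization Server, the following wrapper illustrates the defensive check the report points at: it decorates the PAR endpoint's AuthenticationConverter so that a null result from the delegate never reaches AuthenticationManager.authenticate(null). Instead it throws an OAuth2AuthenticationException carrying an invalid_request error, which is an AuthenticationException and is therefore rendered by the endpoint filter's failure handler as a 400 OAuth2 error response rather than surfacing as an IllegalArgumentException and a 500. The class name NullGuardingAuthenticationConverter, the list of parameters it checks and the firstMissingParameter helper are assumptions made for this illustration; the Spring Security types it uses (AuthenticationConverter, OAuth2AuthenticationException, OAuth2Error, OAuth2ErrorCodes, OAuth2ParameterNames, StringUtils) exist in Spring Security 6. Wiring it into the endpoint is left to whatever customizer the project exposes for the PAR endpoint.

```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.util.StringUtils;

/**
 * Hypothetical wrapper (not part of Spring Authorization Server): guarantees that a
 * request reaching the PAR endpoint never yields a null Authentication. A null would
 * otherwise travel into AuthenticationManager.authenticate(null) and surface as an
 * IllegalArgumentException, i.e. an HTTP 500, as described in the report above.
 */
public final class NullGuardingAuthenticationConverter implements AuthenticationConverter {

    // Error URI pointing at the authorization error response section of RFC 6749.
    private static final String ERROR_URI =
            "https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1";

    private final AuthenticationConverter delegate;

    public NullGuardingAuthenticationConverter(AuthenticationConverter delegate) {
        this.delegate = delegate;
    }

    @Override
    public Authentication convert(HttpServletRequest request) {
        Authentication authentication = this.delegate.convert(request);
        if (authentication != null) {
            return authentication;
        }
        // The delegate declined the request (e.g. response_type is absent). Report the
        // first missing required parameter as an OAuth2 invalid_request error.
        // OAuth2AuthenticationException extends AuthenticationException, so the
        // endpoint filter's failure handler writes a 400 with
        // {"error":"invalid_request","error_description":"OAuth 2.0 Parameter: ..."}.
        String missing = firstMissingParameter(request);
        throw new OAuth2AuthenticationException(new OAuth2Error(
                OAuth2ErrorCodes.INVALID_REQUEST,
                "OAuth 2.0 Parameter: " + missing,
                ERROR_URI));
    }

    /**
     * Returns the first required authorization-code parameter that is absent or blank.
     * The parameter list is an assumption for this example; response_type is checked
     * first because that is the case reported above.
     */
    static String firstMissingParameter(HttpServletRequest request) {
        String[] required = {
                OAuth2ParameterNames.RESPONSE_TYPE,
                OAuth2ParameterNames.CLIENT_ID,
        };
        for (String name : required) {
            if (!StringUtils.hasText(request.getParameter(name))) {
                return name;
            }
        }
        // Nothing obvious is missing; the delegate rejected the request for another reason.
        return "unknown";
    }
}
```

With this wrapper in front of OAuth2AuthorizationCodeRequestAuthenticationConverter, the curl request above (no response_type) produces the 400 invalid_request body shown under "Expected behavior" instead of the 500, because the exception now travels through the OAuth2 error handling path rather than the servlet container's default handler.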