Fix redirection URLs when implicit grant is denied

ajgarlag · ajgarlag · commit 05b52cb69475 · 2025-10-31T11:18:55.000+01:00
It was generating URLs mixing fragment and query string.
diff --git a/src/Controller/AuthorizationController.php b/src/Controller/AuthorizationController.php
@@ -111,7 +111,7 @@ public function indexAction(Request $request): Response
 
             $response = $this->server->completeAuthorizationRequest($authRequest, $serverResponse);
         } catch (OAuthServerException $e) {
-            $response = $e->generateHttpResponse($serverResponse);
+            $response = $e->generateHttpResponse($serverResponse, str_contains($e->getRedirectUri() ?? '', '#'));
         }
 
         return $this->httpFoundationFactory->createResponse($response);
diff --git a/tests/Acceptance/AuthorizationEndpointTest.php b/tests/Acceptance/AuthorizationEndpointTest.php
@@ -474,4 +474,33 @@ public function testFailedAuthorizeRequest(): void
         $this->assertSame('The authorization grant type is not supported by the authorization server.', $jsonResponse['error_description']);
         $this->assertSame('Check that all required parameters have been provided', $jsonResponse['hint']);
     }
+
+    public function testUnathorizedImplicitRequest(): void
+    {
+        $this->loginUser();
+
+        $this->client->request(
+            'GET',
+            '/authorize',
+            [
+                'client_id' => FixtureFactory::FIXTURE_CLIENT_FIRST,
+                'response_type' => 'token',
+                'state' => 'foobar',
+            ]
+        );
+
+        $response = $this->client->getResponse();
+
+        $this->assertSame(302, $response->getStatusCode());
+        $redirectUri = $response->headers->get('Location');
+
+        $this->assertStringStartsWith(FixtureFactory::FIXTURE_CLIENT_FIRST_REDIRECT_URI, $redirectUri);
+        $fragment = [];
+        parse_str(parse_url($redirectUri, \PHP_URL_FRAGMENT), $fragment);
+        $this->assertArrayHasKey('error', $fragment);
+        $this->assertArrayHasKey('error_description', $fragment);
+        $this->assertArrayHasKey('state', $fragment);
+        $this->assertEquals('access_denied', $fragment['error']);
+        $this->assertEquals('foobar', $fragment['state']);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,7 @@ public function indexAction(Request $request): Response`
`111`	`111`
`112`	`112`	`$response = $this->server->completeAuthorizationRequest($authRequest, $serverResponse);`
`113`	`113`	`} catch (OAuthServerException $e) {`
`114`		`- $response = $e->generateHttpResponse($serverResponse);`
	`114`	`+ $response = $e->generateHttpResponse($serverResponse, str_contains($e->getRedirectUri() ?? '', '#'));`
`115`	`115`	`}`
`116`	`116`
`117`	`117`	`return $this->httpFoundationFactory->createResponse($response);`