Skip to content

Return RFC 6750 compliant JSON error responses from auth middleware#4057

Merged
amirejaz merged 6 commits intomainfrom
fix-auth-401-rfc6750-json-response
Mar 9, 2026
Merged

Return RFC 6750 compliant JSON error responses from auth middleware#4057
amirejaz merged 6 commits intomainfrom
fix-auth-401-rfc6750-json-response

Conversation

@amirejaz
Copy link
Copy Markdown
Contributor

@amirejaz amirejaz commented Mar 9, 2026

Summary

The token validator middleware was returning plain text error bodies via http.Error() on 401 responses. RFC 6750-compliant OAuth clients (e.g. Claude Code) expect a JSON error body and fail to parse the plain text response with:

JSON Parse error: Unexpected identifier "authorization". Raw body: authorization header required

This PR adds a writeOAuthError helper that returns a proper RFC 6750 Section 3 JSON error response with Content-Type: application/json and a body of the form:

{
  "error": "invalid_request",
  "error_description": "authorization header required"
}

All three error paths in TokenValidator.Middleware are updated:

  • Missing/invalid Authorization header → invalid_request
  • Invalid token → invalid_token
  • Invalid claims → invalid_token

Fixes #4055

Type of change

  • Bug fix

Test plan

  • Added TestMiddleware_RFC6750JSONErrorResponse covering missing Authorization header, wrong scheme, and malformed bearer token — verifying Content-Type: application/json, valid JSON body, correct error code, and non-empty error_description
  • Full pkg/auth/... test suite passes

Generated with Claude Code

@github-actions github-actions bot added size/S Small PR: 100-299 lines changed and removed size/S Small PR: 100-299 lines changed labels Mar 9, 2026
@amirejaz amirejaz force-pushed the fix-auth-401-rfc6750-json-response branch from ae44c8f to f32a41f Compare March 9, 2026 17:23
@github-actions github-actions bot added size/S Small PR: 100-299 lines changed and removed size/S Small PR: 100-299 lines changed labels Mar 9, 2026
@github-actions github-actions bot added size/S Small PR: 100-299 lines changed and removed size/S Small PR: 100-299 lines changed labels Mar 9, 2026
jerm-dro
jerm-dro previously approved these changes Mar 9, 2026
View reviewed changes
aponcedeleonch
aponcedeleonch previously approved these changes Mar 9, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@aponcedeleonch aponcedeleonch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@amirejaz amirejaz dismissed stale reviews from aponcedeleonch and jerm-dro via 7ae531e March 9, 2026 17:40
@amirejaz amirejaz requested a review from jerm-dro March 9, 2026 17:41
@github-actions github-actions bot added size/S Small PR: 100-299 lines changed and removed size/S Small PR: 100-299 lines changed labels Mar 9, 2026
jerm-dro
jerm-dro previously approved these changes Mar 9, 2026
View reviewed changes
reyortiz3
reyortiz3 reviewed Mar 9, 2026
View reviewed changes
reyortiz3
reyortiz3 reviewed Mar 9, 2026
View reviewed changes
reyortiz3
reyortiz3 reviewed Mar 9, 2026
View reviewed changes
reyortiz3
reyortiz3 reviewed Mar 9, 2026
View reviewed changes
@codecov
Copy link
Copy Markdown

codecov bot commented Mar 9, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 75.00000% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.63%. Comparing base (f7cc727) to head (eed583e).
⚠️ Report is 3 commits behind head on main.

Files with missing lines Patch % Lines
pkg/auth/token.go 75.00% 4 Missing and 1 partial ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #4057   +/-   ##
=======================================
  Coverage   68.63%   68.63%           
=======================================
  Files         446      446           
  Lines       45424    45435   +11     
=======================================
+ Hits        31175    31183    +8     
  Misses      11840    11840           
- Partials     2409     2412    +3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@github-actions github-actions bot added size/S Small PR: 100-299 lines changed and removed size/S Small PR: 100-299 lines changed labels Mar 9, 2026
@amirejaz amirejaz requested a review from reyortiz3 March 9, 2026 19:27
@github-actions github-actions bot added size/S Small PR: 100-299 lines changed and removed size/S Small PR: 100-299 lines changed labels Mar 9, 2026
@amirejaz amirejaz merged commit c25562f into main Mar 9, 2026
37 checks passed
@amirejaz amirejaz deleted the fix-auth-401-rfc6750-json-response branch March 9, 2026 19:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@reyortiz3 reyortiz3 reyortiz3 approved these changes

@aponcedeleonch aponcedeleonch aponcedeleonch left review comments

@jerm-dro jerm-dro jerm-dro left review comments

@jhrozek jhrozek Awaiting requested review from jhrozek jhrozek is a code owner

@JAORMX JAORMX Awaiting requested review from JAORMX JAORMX is a code owner

@ChrisJBurns ChrisJBurns Awaiting requested review from ChrisJBurns ChrisJBurns is a code owner

@yrobla yrobla Awaiting requested review from yrobla yrobla is a code owner

@blkt blkt Awaiting requested review from blkt

@eleftherias eleftherias Awaiting requested review from eleftherias

@lujunsan lujunsan Awaiting requested review from lujunsan

@rdimitrov rdimitrov Awaiting requested review from rdimitrov

Assignees

No one assigned

Labels

size/S Small PR: 100-299 lines changed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Auth middleware returns plain text 401 instead of RFC 6750 compliant JSON error response

4 participants

@amirejaz @aponcedeleonch @jerm-dro @reyortiz3