tests: missing client_id on OIDC authorization page

yaal-coop · Sep 13, 2024 · 001d635 · 001d635
1 parent 5149b96
commit 001d635
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/canaille/oidc/endpoints/oauth.py b/canaille/oidc/endpoints/oauth.py
@@ -50,7 +50,9 @@ def authorize():
         request.form.to_dict(flat=False),
     )
 
-    client = Backend.instance.get(models.Client, client_id=request.args["client_id"])
+    client = Backend.instance.get(
+        models.Client, client_id=request.args.get("client_id")
+    )
     user = current_user()
 
     if response := authorize_guards(client):

diff --git a/tests/oidc/test_authorization_code_flow.py b/tests/oidc/test_authorization_code_flow.py
@@ -763,3 +763,20 @@ def test_locked_account(
     )
 
     assert "access_token" not in res.json
+
+
+def test_missing_client_id(
+    testclient, logged_user, client, keypair, trusted_client, backend
+):
+    """Missing client_id should raise a 400 error."""
+
+    res = testclient.get(
+        "/oauth/authorize",
+        params=dict(
+            response_type="code",
+            scope="openid profile email groups address phone",
+            nonce="somenonce",
+        ),
+        status=400,
+    )
+    res.mustcontain("client_id parameter is missing.")