Potential loss of information when failing to get a token

[paul-hicks-mahana]

I've come across a response from a request('tokenEndpoint') which includes a property in the response body that OAuth2Client is ignoring. I've checked the RFC, and there's no "MUST NOT" or similar forbidding extra properties. And at least for this OAuth server, the ignored property would have been very useful to see earlier!

{
  error: "invalid_request",
  error_description: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.",
  hint: "Authorization code has expired",
  message: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.",
}

I'd like to request that the responseBody be included in the thrown OAuth2Error at the end of request(), so that non-standard properties like hint can be found by developers.

[evert]

worth looking into. Got any information about what is producing this?

[paul-hicks-mahana]

In my case, it was the API at oauth.workflowmax2.com/oauth/.
A quick search has found that "hint" header elsewhere:

• https://github.com/supabase/auth-helpers/issues/388
• Add login error hint to OAuth authorisation failure ppy/osu-web#8177