Kudos on Doorkeeper!
The error message "The redirect uri included is not valid." is ambiguous for developers consuming an API.
I realize that this is thrown from a catch / rescue statement as a last resort, however, it'd be helpful if it said that it failed validation rather than it being invalid.
To me the latter sounds as if the URL was not passed correctly or is in an invalid format (rather than it failing to match a domain/url expected by the API).
Regards,
Jeff
What exactly is the change that you would like to see?
The wording for each of these serve to demonstrate the added clarity as we ramp up verbosity and specifically target both API providers and consumers.
Good:
"The well-formed redirect URI ($value) included in your request failed custom validation logic."
Better:
"The well-formed redirect URI ($value) included in your request failed custom validation logic implemented by the API provider. Please contact the API provider for more information on why validation failed."
Best:
"The well-formed redirect URI ($value) included in your request failed custom validation logic implemented by the API provider. API consumers should contact the API provider. API providers should return a helpful error message to consumers when custom validation fails (see:
@tute: My request may seem ridiculous on the surface, however, the amount of effort to improve this error message, which will snowball into better error messages all around will save hundreds if not thousands of man hours over time due to the sheer number of Doorkeeper deployments.
I also think better error messages is something we should care about.
I don't see custom logic for URL validation though. All I see is potential for splitting "uri not present" and "uri included is not valid" messages. I would accept a PR with that change, and if there is room for more please let me know.
Thank you for your clear explanation.
Hi @jmealo . Do you still interested in this issue?
I read the conversation, but can't guess why you always mentioned _"custom validation logic implemented by the API provider"_ ?
I agree with something like "_Requested well-formed redirect URI ($value) doesn't match client redirect URI_", what do you think?
@jmealo moreover, https://tools.ietf.org/html/rfc6749#section-5.2 says nothing about correctness of redirect URI. invalid_request also doesn't fit this requirement (redirect URI is not mentioned at all in this section).
The most relevant is (and Doorkeeper works in that way):
invalid_grant
The provided authorization grant (e.g., authorization
code, resource owner credentials) or refresh token is
invalid, expired, revoked, does not match the redirection
URI used in the authorization request, or was issued to
another client.
it was already discussed in https://github.com/doorkeeper-gem/doorkeeper/issues/444~~
What we can do is just to add provided request URI to the response in order to help developers to find mistakes (typos) in the request params.
UPD: Doorkeeper makes Pre-authorization, where it checks redirect URI to be correct. The above is valid for "post"-authorization.
I've changed description message to be more informative (this error occurs when URI is malformed or does n't match client redirect URI).
If anybody found it not informative - PRs are very welcome!
Thanks.
I was interacting with an API that was based on doorkeeper. These catch all errors can obscure API logic errors. It's not always an internal developer in your organization who has access to the API code. Making these errors more descriptive is very important for figuring out cross organizationally where the issue is. It should be obvious to an API consumer whether they are sending an invalid request or there's a bug in the API. This can end up being weeks or months of back-and-forth depending on the responsiveness of the API provider.
"API provider" being anyone who provides an API to be consumed by users external to their organization.
I realize this is a lot to take on in a single ticket but I wanted to make sure I was clear and why I think this is important to handle upstream.
Thank you for taking my concerns seriously and working to improve error messages. They are the UI/UX for APIs :-)
(( If you consider this a people problem and not a technical problem: I don't disagree with that. However, we can use technology to make it better for everyone. ))
Most helpful comment
The wording for each of these serve to demonstrate the added clarity as we ramp up verbosity and specifically target both API providers and consumers.
Good:
"The well-formed redirect URI ($value) included in your request failed custom validation logic."
Better:
"The well-formed redirect URI ($value) included in your request failed custom validation logic implemented by the API provider. Please contact the API provider for more information on why validation failed."
Best:).
"The well-formed redirect URI ($value) included in your request failed custom validation logic implemented by the API provider. API consumers should contact the API provider. API providers should return a helpful error message to consumers when custom validation fails (see:
@tute: My request may seem ridiculous on the surface, however, the amount of effort to improve this error message, which will snowball into better error messages all around will save hundreds if not thousands of man hours over time due to the sheer number of Doorkeeper deployments.