When a user needs to approve a request to authenticate using OAuth2, they are typically given "Approve" and "Cancel" buttons.
What should I send when a user clicks "Cancel"?
As a developer, what do I send to the OAuth server to make it deny the request when a user clicks "Cancel"?
I tried using a grant type of "deny", but that didn't work. I know what to send to get the approval, but can't seem to see what I should send to get the OAuth server to respond to the redirect_uri with an error for the case when a user cancels.
I've reviewed the spec and this nice OAuth2 Simplified article, but haven't been able to see it.
NOTE: I don't see this explicitly detailed anywhere. Is it assumed that my app is supposed to manage this itself? For example, instead of posting to the OAuth2 server in this case, my app just posts to its own redirect_uri instead?
{redirect-url}?error=access_denied&error_description=The+user+clicked+deny
If so, this seems a little strange, as all implementing clients would have to do this work to construct the URL with the error code and reason.
See https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2.1
If the resource owner denies the access request or if the request fails for reasons other than a missing or invalid redirection URI, the authorization server informs the client by adding the following parameters to the query component of the redirection URI using the "application/x-www-form-urlencoded" format.
Example:
HTTP/1.1 302 Found
Location: https://client.example.com/cb?error=access_denied&state=xyz
To redirect in PHP:
```php
<?php
// Requires the PECL http extension (v1.x), which provides http_redirect().
// The params array is form-urlencoded into the query component of the URL,
// the third argument controls whether the session id is appended, and
// HTTP_REDIRECT_FOUND sends the 302 Found status shown in the RFC example.
http_redirect(
    "https://client.example.com/cb",
    array(
        "error"             => "access_denied",
        "state"             => "xyz",
        "error_description" => "The user clicked deny",
    ),
    true,
    HTTP_REDIRECT_FOUND
);
?>
```
I don't think this is part of the standard from what I can see. I think it's left to each OAuth2 service implementor to determine how they want to do it.
For example, oauth2orize is a well-used OAuth2 library used by the super popular Passport node module, and does it like so:
NOTE: These links may point to old versions of the code. They're canonicalized links to ensure they point to the right place in the code:
https://github.com/jaredhanson/oauth2orize/blob/c59aefd14b0fb98f97e3419b8d611c0fb4255c69/lib/middleware/decision.js#L46
https://github.com/jaredhanson/oauth2orize/blob/c59aefd14b0fb98f97e3419b8d611c0fb4255c69/test/middleware/decision.test.js#L75-L83