Return access_denied error when an OAuth2 request is denied (#30974)

According to [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1), when the resource owner or authorization server denied an request, an `access_denied` error should be returned. But currently in this case Gitea does not return any error. For example, if the user clicks "Cancel" here, an `access_denied` error should be returned. <img width="360px" src="https://github.com/go-gitea/gitea/assets/15528715/be31c09b-4c0a-4701-b7a4-f54b8fe3a6c5" />
2025-07-12 13:37:20 +00:00 · 2024-05-20 15:17:00 +08:00
parent de9bcd1d23
commit f1d9f18d96
3 changed files with 13 additions and 2 deletions
--- a/services/forms/user_form.go
+++ b/services/forms/user_form.go
@ -161,6 +161,7 @@ func (f *AuthorizationForm) Validate(req *http.Request, errs binding.Errors) bin
 // GrantApplicationForm form for authorizing oauth2 clients
 type GrantApplicationForm struct {
 	ClientID    string `binding:"Required"`
+	Granted     bool
 	RedirectURI string
 	State       string
 	Scope       string