Bugfix: handle missing client_id

cristiprg · cristiprg · commit f32c57dd336d · 2025-08-13T17:58:10.000+01:00
This commit fixes a bug where the application crashes if the client_id
parameter is not sent in the body, by checking the status returned by
the oauthlib function before any further processing.

Test for this usecase is added.
diff --git a/oauth2_provider/views/device.py b/oauth2_provider/views/device.py
@@ -29,11 +29,10 @@ class DeviceAuthorizationView(OAuthLibMixin, View):
     def post(self, request, *args, **kwargs):
         headers, response, status = self.create_device_authorization_response(request)
 
-        device_request = DeviceRequest(client_id=request.POST["client_id"], scope=request.POST.get("scope"))
-
         if status != 200:
             return http.JsonResponse(data=json.loads(response), status=status, headers=headers)
 
+        device_request = DeviceRequest(client_id=request.POST["client_id"], scope=request.POST.get("scope"))
         device_response = DeviceCodeResponse(**response)
         create_device_grant(device_request, device_response)
 
diff --git a/tests/test_device.py b/tests/test_device.py
@@ -497,6 +497,28 @@ def test_incorrect_client_id_sent(self):
             "error_description": "Invalid client_id parameter value.",
         }
 
+    def test_missing_client_id(self):
+        """
+        Ensure the correct error is returned when the client id is missing.
+        """
+        request_data: dict[str, str] = {
+            "not_client_id": "client_id_that_does_not_exist",
+        }
+        request_as_x_www_form_urlencoded: str = urlencode(request_data)
+
+        response: django.http.response.JsonResponse = self.client.post(
+            reverse("oauth2_provider:device-authorization"),
+            data=request_as_x_www_form_urlencoded,
+            content_type="application/x-www-form-urlencoded",
+        )
+
+        assert response.status_code == 400
+
+        assert response.json() == {
+            "error": "invalid_request",
+            "error_description": "Missing client_id parameter.",
+        }
+
     def test_device_confirm_and_user_code_views_require_login(self):
         URLs = [
             reverse("oauth2_provider:device-confirm", kwargs={"user_code": None, "client_id": "abc"}),
