From 771d1ac1fc7e27682f680b14b5f582d73413be41 Mon Sep 17 00:00:00 2001
From: Matthew Buckett
Date: Fri, 21 Nov 2025 16:08:51 +0000
Subject: [PATCH] AB#107916 Correctly handle incorrect client secret

Rather than complaining that we got an unsupported error code we handle the invalid_client code and display a more helpful message.
---
 .../java/uk/ac/ox/ctl/canvasproxy/OAuth2ErrorController.java | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/main/java/uk/ac/ox/ctl/canvasproxy/OAuth2ErrorController.java b/src/main/java/uk/ac/ox/ctl/canvasproxy/OAuth2ErrorController.java
index 5e97bb5..7842d80 100644
--- a/src/main/java/uk/ac/ox/ctl/canvasproxy/OAuth2ErrorController.java
+++ b/src/main/java/uk/ac/ox/ctl/canvasproxy/OAuth2ErrorController.java
@@ -45,6 +45,9 @@ public void handleError(
 "Developer keys are mis-configured, check configuration.");
 } else if ("unauthorized_client".equals(errorCode)) {
 throw new OAuth2FlowException("This tool isn't enabled for your account.");
+ } else if ("invalid_client".equals(errorCode)) {
+ // If the client secret is wrong Canvas can return this error when attempting to retrieve the token.
+ throw new OAuth2FlowException("Check client ID and secret are correct.");
 } else if (errorCode == null) {
 // We have no errorCode at all and this is probably because the filter didn't run. This can happen if the
 // user ends up re-visiting the URL returned from granting the access.
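Review bot: The new `invalid_client` branch reports a deployment-side credential failure with wording aimed at an operator, `"Check client ID and secret are correct."`, but if OAuth2FlowException messages are rendered to the person in the browser (not visible in this hunk) that person can neither check nor fix the secret. Consider matching the tone of the neighbouring branch, e.g. `throw new OAuth2FlowException("This tool's developer key is mis-configured, please contact support.");`, and recording the event for operators with something like `log.warn("Canvas rejected client authentication (invalid_client)");`, assuming the class has a logger and never logging the secret itself. A rejected client secret can also mean the key was rotated or revoked, so it should show up in monitoring rather than only on an error page. handleError begins and ends outside the hunk, so logging elsewhere in the method may already cover this.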