Use 400 and 401 error codes as OAuth2 documents, accept 400 as webfinger error code (#597)

api/views/oauth.py

@@ -73,6 +73,7 @@ class AuthorizationView(LoginRequiredMixin, View):
                 request,
                 "api/oauth_error.html",
                 {"error": f"Invalid response type '{response_type}'"},
+                status=400,
             )
 
         application = Application.objects.filter(
@@ -81,7 +82,10 @@ class AuthorizationView(LoginRequiredMixin, View):
 
         if application is None:
             return render(
-                request, "api/oauth_error.html", {"error": "Invalid client_id"}
+                request,
+                "api/oauth_error.html",
+                {"error": "Invalid client_id"},
+                status=400,
             )
 
         if application.redirect_uris and redirect_uri not in application.redirect_uris:
@@ -89,6 +93,7 @@ class AuthorizationView(LoginRequiredMixin, View):
                 request,
                 "api/oauth_error.html",
                 {"error": "Invalid application redirect URI"},
+                status=401,
             )
 
         context = {

users/models/identity.py

@@ -697,7 +697,7 @@ class Identity(StatorModel):
                 if (
                     response
                     and response.status_code < 500
-                    and response.status_code not in [401, 403, 404, 406, 410]
+                    and response.status_code not in [400, 401, 403, 404, 406, 410]
                 ):
                     raise ValueError(
                         f"Client error fetching webfinger: {response.status_code}",