When the resource owner denies authorization (clicks "Cancel" on the authorize form), he is redirected to the frontpage of the oauth2 server.
According to the spec, he should be redirected back to the client (the client's redirect_url) with error=access_denied.

Comments

bojanz’s picture

bojanz commented
Status: Active » Fixed

Fixed: http://drupalcode.org/project/oauth2_server.git/commitdiff/cb56890?hp=e9...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.