Skip to content

Fix up how OIDC errors flow #4520

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jan 16, 2019
Merged

Fix up how OIDC errors flow #4520

merged 3 commits into from
Jan 16, 2019

Conversation

Tratcher
Copy link
Member

@Tratcher Tratcher commented Dec 7, 2018

#4384 @PinpointTownes
This tweaks the new AccessDenied feature (aspnet/Security#1887) to avoid changing the error and losing fidelity for the OIDC scenario.

@Tratcher Tratcher added this to the 3.0.0-preview2 milestone Dec 7, 2018
@Tratcher Tratcher requested a review from HaoK December 7, 2018 23:20
HaoK
HaoK requested changes Dec 7, 2018
View reviewed changes
Copy link
Member

@HaoK HaoK left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add some basic tests, this already regressed once.

@Tratcher
Copy link
Member Author

Tratcher commented Dec 7, 2018

We don't even have the infrastructure set up yet... https://github.com/aspnet/Security/issues/772

I'd like to test it with the template test that caught the regression but I think we'd have to check in for that to run.

@kevinchalet
Copy link
Contributor

#4384 @PinpointTownes
This tweaks the new AccessDenied feature (aspnet/Security#1887) to avoid changing the error and losing fidelity for the OIDC scenario.

Interesting case (that I had obviously not taken into account 😄)

I guess what you have now is fine, but I'm tempted to think it would be a good idea to also fix the B2C code to use the new event (instead of determining whether the exception message of OpenIdConnectProtocolException contains a magical code, which really looks weird).

@Tratcher
Copy link
Member Author

Tratcher commented Dec 7, 2018

Yes B2C could use the new AccessDenied event, but it would still end up checking for a specific error code associated with password resets.

@HaoK
Copy link
Member

HaoK commented Dec 8, 2018

I think this should drive adding the infrastructure to at least add a test for this regression

@Tratcher Tratcher self-assigned this Dec 14, 2018
@Tratcher
Copy link
Member Author

@HaoK let's merge this to unblock preview2.

@HaoK
Copy link
Member

HaoK commented Jan 15, 2019

Well constantly punting on test coverage in OIDC is what got us to this place, can't you just add something basic at least for the regression flow?

@HaoK
Copy link
Member

HaoK commented Jan 15, 2019

How can we even be sure this fixes the issue for example with no tests?

@Tratcher
Copy link
Member Author

I did find some tests for this scenario here: https://github.com/aspnet/AspNetCore/blob/c7d63649005c4c2863b34794994eef57595e7bb7/src/AADIntegration/test/Microsoft.AspNetCore.Authentication.AzureADB2C.UI.Test/AzureAdB2COpenIDConnectEventHandlersTests.cs#L99-L113

They hadn't failed because they were mocking the RemoteFailureContext. Since B2C is relying on specific types and strings I would only expect a behavior change like this to be caught by a functional test in B2C. I'll try writing one there.

@HaoK
Copy link
Member

HaoK commented Jan 15, 2019

Sounds good to me, yeah just one regression test in the b2c stuff as part of this PR to show that we fixed something and will catch at least this regression in the future works

@Tratcher
Copy link
Member Author

Updated

@Tratcher Tratcher merged commit d838165 into master Jan 16, 2019
@Tratcher Tratcher deleted the tratcher/denied branch January 16, 2019 04:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@HaoK HaoK HaoK approved these changes

Assignees

@Tratcher Tratcher

Labels
None yet
Projects
None yet
Milestone
3.0.0-preview2
Development

Successfully merging this pull request may close these issues.
3 participants
@Tratcher @kevinchalet @HaoK