
OIDC callback server doesn't display errors query params #19667

Open
tgross opened this issue Jan 8, 2024 · 2 comments

Comments

@tgross
Member

tgross commented Jan 8, 2024

While working on testing #19318, I discovered that at least one OIDC provider (MSFT ADFS) returns errors in an error query parameter of the callback URL. This results in a URL like the following:

http://localhost:4649/oidc/callback?error=invalid_resource&error_description=MSIS9602%3a+The+received+%27resource%27+parameter+is+invalid.+The+authorization+server+can+not+find+a+registered+resource+with+the+specified+identifier.&state=st_h3QSSe5YSaai7JZydqqk&client-request-id=6497f86e-a844-4304-4300-0080030000f0

The embedded page doesn't display this to the user in any obvious way, so we end up getting a "success" login page and then the subsequent request to complete the workflow gets an error like:

2024-01-08T14:45:00.649-0500 [DEBUG] http: request failed: method=PUT path=/v1/acl/oidc/complete-auth

error=
| RPC Error:: 400,invalid OIDC complete-auth request: 1 error occurred:
| \t* missing code
|
code=400

@jrasell
Member

jrasell commented Jan 10, 2024

I took a quick look at this and it looks like we need to check for an error query parameter in the ServeHTTP function and then optionally see if error_description is included. If this is present, we could write an error response and display an error page with the detail found.

okta OIDC response object docs: https://developer.okta.com/docs/reference/api/oidc/#response-properties

@tgross
Member Author

tgross commented Jan 10, 2024

Yeah I think we'll probably need to send on the ErrorChannel as well so the CLI picks that up as an error rather than success.
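A sketch of the check jrasell and tgross describe above (error before code, an error page for the browser, and a send on an error channel so the CLI does not report success), added here as an example and not code from Nomad; the callbackHandler type, its channel names and the handleCallback helper are assumed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// callbackHandler is a hypothetical stand-in for the CLI's OIDC callback server.
type callbackHandler struct {
	codeCh chan string // authorization code, on success
	errCh  chan error  // provider or callback error, so the CLI fails loudly
}

// ServeHTTP checks for a provider error before looking for code.
func (h *callbackHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	if errCode := q.Get("error"); errCode != "" {
		msg := errCode
		if desc := q.Get("error_description"); desc != "" {
			msg += ": " + desc
		}
		// http.Error writes text/plain, so provider-supplied text is never rendered as HTML.
		http.Error(w, "Login failed: "+msg, http.StatusBadRequest)
		h.errCh <- fmt.Errorf("oidc provider returned error: %s", msg)
		return
	}
	code := q.Get("code")
	if code == "" {
		http.Error(w, "missing code", http.StatusBadRequest)
		h.errCh <- fmt.Errorf("oidc callback missing code")
		return
	}
	fmt.Fprint(w, "<h1>Login successful</h1>")
	h.codeCh <- code
}

// handleCallback drives the handler with one callback URL and returns status, code and error.
func handleCallback(rawURL string) (int, string, error) {
	h := &callbackHandler{codeCh: make(chan string, 1), errCh: make(chan error, 1)}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, rawURL, nil))
	select {
	case code := <-h.codeCh:
		return rec.Code, code, nil
	case err := <-h.errCh:
		return rec.Code, "", err
	}
}
```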

@arodd arodd added the hcc/jira label Feb 9, 2025