Oidc: Improve error handling #782

assets/templates/callback.tmpl

@@ -35,7 +35,7 @@
 </head>
 <body class="{{ .config.Flags }}">
 {{ if and .status (eq .status "ok") }}
-<p class="browserupgrade">Login successful. Window can be closed.</p>
+<p class="browserupgrade">Login successful. You can safely close this tab.</p>
 {{ else if and .status (eq .status "error") }}
 <p class="browserupgrade">Login Error: {{ .errors }}</p>
 {{ else }}
@@ -47,10 +47,10 @@
     window.localStorage.setItem("session_id", {{ .id }})
     window.localStorage.setItem("data", JSON.stringify({{ .data }}));
     window.localStorage.setItem("config", JSON.stringify({{ .config }}));
-    window.location.href = '/login'
+    window.location.href = '/login';
     {{ else if and .status (eq .status "error") }}
     window.localStorage.setItem("auth_error", {{ .errors }});
-    window.location.href = '/login?preventAutoLogin=true'
+    window.location.href = '/login?preventAutoLogin=true';
     {{ end }}
 </script>
 </body>

frontend/src/pages/login.vue

@@ -91,8 +91,13 @@ export default {
   created() {
     const c = window.__CONFIG__;
     const preventAutoLogin = sessionStorage.getItem("preventAutoLogin");
+    const err = window.localStorage.getItem('auth_error');
     sessionStorage.removeItem("preventAutoLogin");
     if (!c.oidc || this.$route.query.preventAutoLogin || preventAutoLogin) {
+      if (err) {
+        Notify.error(err);
+        window.localStorage.removeItem('auth_error');
+      }
       return;
     }
     const cleanup = () => {
@@ -100,6 +105,7 @@ export default {
       window.localStorage.removeItem('auth_error');
     };
     const redirect = () => {
+      if (err) return;
       // check if oidc provider is available
       axios.get(c.oidc,{ timeout: 1000}).then(response => {
         // redirect to oidc provider
@@ -127,6 +133,7 @@ export default {
     },
     loginExternal() {
       let popup = window.open('api/v1/auth/external', "external-login");
+      window.localStorage.removeItem('auth_error');
       const onstorage = window.onstorage;
       const cleanup = () => {
         window.localStorage.removeItem('config');
@@ -145,9 +152,8 @@ export default {
         const error = window.localStorage.getItem('auth_error');
 
         if (error !== null) {
-          console.log(error);
-          cleanup();
           Notify.error(`${error}`);
+          cleanup();
           return;
         }
         if (sid === null || data === null || config === null) {
@@ -157,7 +163,6 @@ export default {
         this.$session.setId(sid);
         this.$session.setData(JSON.parse(data));
         this.$session.setConfig(JSON.parse(config));
-        //this.$session.sendClientInfo();
         this.$router.push(this.nextUrl);
         cleanup();
       };

internal/oidc/client.go

@@ -2,6 +2,7 @@ package oidc
 
 import (
 	"errors"
+	"fmt"
 	"net/http"
 	"net/url"
 	"path"
@@ -61,6 +62,11 @@ func NewClient(iss *url.URL, clientId, clientSecret, siteUrl string, debug bool)
 		rp.WithVerifierOpts(
 			rp.WithIssuedAtOffset(5 * time.Second),
 		),
+		rp.WithErrorHandler(func(w http.ResponseWriter, r *http.Request, errorType string, errorDesc string, state string) {
+			log.Errorf("oidc: %s: %s (state: %s)", errorType, errorDesc, state)
+			w.WriteHeader(http.StatusInternalServerError)
+			w.Header().Add("oidc_error", fmt.Sprintf("oidc: %s", errorDesc))
+		}),
 	}
 
 	discover, err := client.Discover(iss.String(), httpClient)
@@ -127,7 +133,11 @@ func (c *Client) CodeExchangeUserInfo(ctx *gin.Context) (oidc.UserInfo, error) {
 
 	log.Debugf("oidc: current request state: %v", ctx.Writer.Status())
 	if sc := ctx.Writer.Status(); sc != 0 && sc != http.StatusOK {
-		return nil, errors.New("oidc: couldn't exchange auth code and thus not retrieve external user info")
+		err := ctx.Writer.Header().Get("oidc_error")
+		if err == "" {
+			return nil, errors.New("oidc: couldn't exchange auth code and thus not retrieve external user info (unknown error)")
+		}
+		return nil, errors.New(ctx.Writer.Header().Get("oidc_error"))
 	}
 
 	return userinfo, nil