From 6d0d520ffdef1fb2760a410efdad3d274bc3a499 Mon Sep 17 00:00:00 2001
From: Knut Ahlers
Date: Mon, 13 Jan 2020 21:39:55 +0000
Subject: [PATCH] [#50] Handle all 4xx errors as "user not found" (#52)

* [#50] Handle all 4xx errors as "user not found" to ensure broad acceptance of OIDC providers

Signed-off-by: Knut Ahlers

* Fix: Error is reported earlier with Go default error

Signed-off-by: Knut Ahlers
---
 plugins/auth/oidc/auth.go | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/plugins/auth/oidc/auth.go b/plugins/auth/oidc/auth.go
index 8c64302..484a0fd 100644
--- a/plugins/auth/oidc/auth.go
+++ b/plugins/auth/oidc/auth.go
@@ -5,6 +5,7 @@ import (
 	"encoding/gob"
 	"fmt"
 	"net/http"
+	"regexp"
 	"strings"
 
 	"golang.org/x/oauth2"
@@ -23,6 +24,8 @@ const (
 	userIDMethodSubject = "subject"
 )
 
+var http4xxErrorResponse = regexp.MustCompile(`^(4[0-9]{2}) (.*)`)
+
 type AuthOIDC struct {
 	ClientID     string `yaml:"client_id"`
 	ClientSecret string `yaml:"client_secret"`
@@ -224,10 +227,20 @@ func (a *AuthOIDC) getOAuthConfig() *oauth2.Config {
 func (a *AuthOIDC) getUserFromToken(ctx context.Context, token *oauth2.Token) (string, error) {
 	ui, err := a.provider.UserInfo(ctx, oauth2.StaticTokenSource(token))
 	if err != nil {
-		if strings.Contains(err.Error(), "401 Unauthorized") {
-			// Handle Unauthorized as no user found instead of generic error
+		if http4xxErrorResponse.MatchString(err.Error()) {
+			/*
+			 * Server answered with any 4xx error
+			 *
+			 * Google OIDC: 401 Unauthorized => Token expired
+			 * Wordpress OIDC plugin: 400 Bad Request => Token expired
+			 *
+			 * As long as they can't agree on ONE status for that we need to
+			 * handle all 4xx as "token expired" and therefore "no valid user"
+			 */
 			return "", plugins.ErrNoValidUserFound
 		}
+
+		// Other error: Report the error
 		return "", errors.Wrap(err, "Unable to fetch user info")
 	}
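Review bot: The two capture groups in the new `http4xxErrorResponse` pattern are never read — its only caller in the getUserFromToken hunk uses `MatchString` — so the pattern can be reduced to `^4[0-9]{2} ` (parentheses and the trailing `(.*)` dropped), and the variable has no doc comment saying why every 4xx is collapsed into one outcome. The `^` anchor also makes this stricter than the `strings.Contains` check it replaces: it relies on `provider.UserInfo` returning an error whose text begins with the HTTP status line, so any prefix added by a wrapping layer upstream would silently send a 4xx down the generic error path instead. Suggested comment above the declaration: `// http4xxErrorResponse matches the "<status> <reason>" prefix of the error provider.UserInfo returns for a 4xx response; getUserFromToken treats any such response as plugins.ErrNoValidUserFound.` Since 403 and 429 now also map to ErrNoValidUserFound and the original `err` is discarded at that return, it is worth recording it (e.g. at debug level, if the package has a logger) before returning, so rate limiting or a misconfigured client stays visible to operators; that function's hunk ends outside this chunk.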