* [#50] Handle all 4xx errors as "user not found" to ensure broad acceptance of OIDC providers Signed-off-by: Knut Ahlers <knut@ahlers.me> * Fix: Error is reported earlier with Go default error Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
parent
3e9a00944f
commit
6d0d520ffd
1 changed files with 15 additions and 2 deletions
|
@ -5,6 +5,7 @@ import (
|
||||||
"encoding/gob"
|
"encoding/gob"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"regexp"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"golang.org/x/oauth2"
|
"golang.org/x/oauth2"
|
||||||
|
@ -23,6 +24,8 @@ const (
|
||||||
userIDMethodSubject = "subject"
|
userIDMethodSubject = "subject"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
var http4xxErrorResponse = regexp.MustCompile(`^(4[0-9]{2}) (.*)`)
|
||||||
|
|
||||||
type AuthOIDC struct {
|
type AuthOIDC struct {
|
||||||
ClientID string `yaml:"client_id"`
|
ClientID string `yaml:"client_id"`
|
||||||
ClientSecret string `yaml:"client_secret"`
|
ClientSecret string `yaml:"client_secret"`
|
||||||
|
@ -224,10 +227,20 @@ func (a *AuthOIDC) getOAuthConfig() *oauth2.Config {
|
||||||
func (a *AuthOIDC) getUserFromToken(ctx context.Context, token *oauth2.Token) (string, error) {
|
func (a *AuthOIDC) getUserFromToken(ctx context.Context, token *oauth2.Token) (string, error) {
|
||||||
ui, err := a.provider.UserInfo(ctx, oauth2.StaticTokenSource(token))
|
ui, err := a.provider.UserInfo(ctx, oauth2.StaticTokenSource(token))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if strings.Contains(err.Error(), "401 Unauthorized") {
|
if http4xxErrorResponse.MatchString(err.Error()) {
|
||||||
// Handle Unauthorized as no user found instead of generic error
|
/*
|
||||||
|
* Server answered with any 4xx error
|
||||||
|
*
|
||||||
|
* Google OIDC: 401 Unauthorized => Token expired
|
||||||
|
* Wordpress OIDC plugin: 400 Bad Request => Token expired
|
||||||
|
*
|
||||||
|
* As long as they can't agree on ONE status for that we need to
|
||||||
|
* handle all 4xx as "token expired" and therefore "no valid user"
|
||||||
|
*/
|
||||||
return "", plugins.ErrNoValidUserFound
|
return "", plugins.ErrNoValidUserFound
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Other error: Report the error
|
||||||
return "", errors.Wrap(err, "Unable to fetch user info")
|
return "", errors.Wrap(err, "Unable to fetch user info")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
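Review bot: The new branch at `if http4xxErrorResponse.MatchString(err.Error())` now maps every 4xx from the userinfo endpoint — including 403, 404 (wrong userinfo URL) and 429 (rate limiting) — to ErrNoValidUserFound without recording the upstream status, so a misconfigured or throttling provider becomes indistinguishable from an expired token and surfaces only as a re-login loop. This is fail-closed (no user is returned), so it is not an authentication bypass, but the operator loses the only signal separating those cases; I would log `err` at debug level right before `return "", plugins.ErrNoValidUserFound` with whatever logger this file already uses, and extend the block comment to say the status code is dropped deliberately. The decision also rests on error text: as far as the pattern shows, it assumes the provider library formats the error as `<code> <reason>: <body>`, which is not a stable contract, so a line such as `// relies on UserInfo returning "<code> <text>: <body>" as its error string` would warn the next maintainer. The two capture groups in `^(4[0-9]{2}) (.*)` are unused; `^4[0-9]{2} ` behaves identically for MatchString.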