[#50] Handle all 4xx errors as "user not found" (#52)

* [#50] Handle all 4xx errors as "user not found"

to ensure broad acceptance of OIDC providers

Signed-off-by: Knut Ahlers <knut@ahlers.me>

* Fix: Error is reported earlier with Go default error

Signed-off-by: Knut Ahlers <knut@ahlers.me>

plugins/auth/oidc/auth.go

@@ -5,6 +5,7 @@ import (
 	"encoding/gob"
 	"fmt"
 	"net/http"
+	"regexp"
 	"strings"
 
 	"golang.org/x/oauth2"
@@ -23,6 +24,8 @@ const (
 	userIDMethodSubject   = "subject"
 )
 
+var http4xxErrorResponse = regexp.MustCompile(`^(4[0-9]{2}) (.*)`)
+
 type AuthOIDC struct {
 	ClientID     string `yaml:"client_id"`
 	ClientSecret string `yaml:"client_secret"`
@@ -224,10 +227,20 @@ func (a *AuthOIDC) getOAuthConfig() *oauth2.Config {
 func (a *AuthOIDC) getUserFromToken(ctx context.Context, token *oauth2.Token) (string, error) {
 	ui, err := a.provider.UserInfo(ctx, oauth2.StaticTokenSource(token))
 	if err != nil {
-		if strings.Contains(err.Error(), "401 Unauthorized") {
+		if http4xxErrorResponse.MatchString(err.Error()) {
-			// Handle Unauthorized as no user found instead of generic error
+			/*
+			 * Server answered with any 4xx error
+			 *
+			 * Google OIDC: 401 Unauthorized => Token expired
+			 * Wordpress OIDC plugin: 400 Bad Request => Token expired
+			 *
+			 * As long as they can't agree on ONE status for that we need to
+			 * handle all 4xx as "token expired" and therefore "no valid user"
+			 */
 			return "", plugins.ErrNoValidUserFound
 		}
+
+		// Other error: Report the error
 		return "", errors.Wrap(err, "Unable to fetch user info")
 	}