1
0
Fork 0
mirror of https://github.com/Luzifer/nginx-sso.git synced 2024-12-20 12:51:17 +00:00

[#50] Handle all 4xx errors as "user not found" (#52)

* [#50] Handle all 4xx errors as "user not found"

to ensure broad acceptance of OIDC providers

Signed-off-by: Knut Ahlers <knut@ahlers.me>

* Fix: Error is reported earlier with Go default error

Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
Knut Ahlers 2020-01-13 21:39:55 +00:00 committed by GitHub
parent 3e9a00944f
commit 6d0d520ffd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -5,6 +5,7 @@ import (
"encoding/gob"
"fmt"
"net/http"
"regexp"
"strings"
"golang.org/x/oauth2"
@ -23,6 +24,8 @@ const (
userIDMethodSubject = "subject"
)
var http4xxErrorResponse = regexp.MustCompile(`^(4[0-9]{2}) (.*)`)
type AuthOIDC struct {
ClientID string `yaml:"client_id"`
ClientSecret string `yaml:"client_secret"`
@ -224,10 +227,20 @@ func (a *AuthOIDC) getOAuthConfig() *oauth2.Config {
func (a *AuthOIDC) getUserFromToken(ctx context.Context, token *oauth2.Token) (string, error) {
ui, err := a.provider.UserInfo(ctx, oauth2.StaticTokenSource(token))
if err != nil {
if strings.Contains(err.Error(), "401 Unauthorized") {
// Handle Unauthorized as no user found instead of generic error
if http4xxErrorResponse.MatchString(err.Error()) {
/*
* Server answered with any 4xx error
*
* Google OIDC: 401 Unauthorized => Token expired
* Wordpress OIDC plugin: 400 Bad Request => Token expired
*
* As long as they can't agree on ONE status for that we need to
* handle all 4xx as "token expired" and therefore "no valid user"
*/
return "", plugins.ErrNoValidUserFound
}
// Other error: Report the error
return "", errors.Wrap(err, "Unable to fetch user info")
}