You've already forked oauth2-proxy
mirror of
https://github.com/oauth2-proxy/oauth2-proxy.git
synced 2025-11-29 22:48:19 +02:00
Allow users to choose detailed error messages on error pages
This commit is contained in:
Joel Speed
@@ -128,6 +128,7 @@ func NewOAuthProxy(opts *options.Options, validator func(string) bool) (*OAuthPr
|
||||
ProxyPrefix: opts.ProxyPrefix,
|
||||
Footer: opts.Templates.Footer,
|
||||
Version: VERSION,
|
||||
Debug: opts.Templates.Debug,
|
||||
}
|
||||
|
||||
upstreamProxy, err := upstream.NewProxy(opts.UpstreamServers, opts.GetSignatureData(), errorPage.ProxyErrorHandler)
|
||||
@@ -523,7 +524,7 @@ func (p *OAuthProxy) RobotsTxt(rw http.ResponseWriter, req *http.Request) {
|
||||
}
|
||||
|
||||
// ErrorPage writes an error response
|
||||
func (p *OAuthProxy) ErrorPage(rw http.ResponseWriter, req *http.Request, code int, appError string) {
|
||||
func (p *OAuthProxy) ErrorPage(rw http.ResponseWriter, req *http.Request, code int, appError string, messages ...interface{}) {
|
||||
redirectURL, err := p.getAppRedirect(req)
|
||||
if err != nil {
|
||||
logger.Errorf("Error obtaining redirect: %v", err)
|
||||
@@ -532,7 +533,7 @@ func (p *OAuthProxy) ErrorPage(rw http.ResponseWriter, req *http.Request, code i
|
||||
redirectURL = "/"
|
||||
}
|
||||
|
||||
p.errorPage.Render(rw, code, redirectURL, appError)
|
||||
p.errorPage.Render(rw, code, redirectURL, appError, messages...)
|
||||
}
|
||||
|
||||
// IsAllowedRequest is used to check if auth should be skipped for this request
|
||||
@@ -751,28 +752,30 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
|
||||
errorString := req.Form.Get("error")
|
||||
if errorString != "" {
|
||||
logger.Errorf("Error while parsing OAuth2 callback: %s", errorString)
|
||||
p.ErrorPage(rw, req, http.StatusForbidden, errorString)
|
||||
message := fmt.Sprintf("Login Failed: The upstream identity provider returned an error: %s", errorString)
|
||||
// Set the debug message and override the non debug message to be the same for this case
|
||||
p.ErrorPage(rw, req, http.StatusForbidden, message, message)
|
||||
return
|
||||
}
|
||||
|
||||
session, err := p.redeemCode(req)
|
||||
if err != nil {
|
||||
logger.Errorf("Error redeeming code during OAuth2 callback: %v", err)
|
||||
p.ErrorPage(rw, req, http.StatusInternalServerError, "Internal Error")
|
||||
p.ErrorPage(rw, req, http.StatusInternalServerError, err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
err = p.enrichSessionState(req.Context(), session)
|
||||
if err != nil {
|
||||
logger.Errorf("Error creating session during OAuth2 callback: %v", err)
|
||||
p.ErrorPage(rw, req, http.StatusInternalServerError, "Internal Error")
|
||||
p.ErrorPage(rw, req, http.StatusInternalServerError, err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
state := strings.SplitN(req.Form.Get("state"), ":", 2)
|
||||
if len(state) != 2 {
|
||||
logger.Error("Error while parsing OAuth2 state: invalid length")
|
||||
p.ErrorPage(rw, req, http.StatusInternalServerError, "Invalid State")
|
||||
p.ErrorPage(rw, req, http.StatusInternalServerError, "State paremeter did not have expected length", "Login Failed: Invalid State after login.")
|
||||
return
|
||||
}
|
||||
nonce := state[0]
|
||||
@@ -780,13 +783,13 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
|
||||
c, err := req.Cookie(p.CSRFCookieName)
|
||||
if err != nil {
|
||||
logger.PrintAuthf(session.Email, req, logger.AuthFailure, "Invalid authentication via OAuth2: unable to obtain CSRF cookie")
|
||||
p.ErrorPage(rw, req, http.StatusForbidden, err.Error())
|
||||
p.ErrorPage(rw, req, http.StatusForbidden, err.Error(), "Login Failed: Unable to find a valid CSRF token. Please try again.")
|
||||
return
|
||||
}
|
||||
p.ClearCSRFCookie(rw, req)
|
||||
if c.Value != nonce {
|
||||
logger.PrintAuthf(session.Email, req, logger.AuthFailure, "Invalid authentication via OAuth2: CSRF token mismatch, potential attack")
|
||||
p.ErrorPage(rw, req, http.StatusForbidden, "CSRF Failed")
|
||||
p.ErrorPage(rw, req, http.StatusForbidden, "CSRF token mismatch, potential attack", "Login Failed: Unable to find a valid CSRF token. Please try again.")
|
||||
return
|
||||
}
|
||||
|
||||
@@ -810,7 +813,7 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
|
||||
http.Redirect(rw, req, redirect, http.StatusFound)
|
||||
} else {
|
||||
logger.PrintAuthf(session.Email, req, logger.AuthFailure, "Invalid authentication via OAuth2: unauthorized")
|
||||
p.ErrorPage(rw, req, http.StatusForbidden, "Invalid Account")
|
||||
p.ErrorPage(rw, req, http.StatusForbidden, "Invalid session: unauthorized")
|
||||
}
|
||||
}
|
||||
|
||||
@@ -892,12 +895,12 @@ func (p *OAuthProxy) Proxy(rw http.ResponseWriter, req *http.Request) {
|
||||
}
|
||||
|
||||
case ErrAccessDenied:
|
||||
p.ErrorPage(rw, req, http.StatusUnauthorized, "Unauthorized")
|
||||
p.ErrorPage(rw, req, http.StatusForbidden, "The session failed authorization checks")
|
||||
|
||||
default:
|
||||
// unknown error
|
||||
logger.Errorf("Unexpected internal error: %v", err)
|
||||
p.ErrorPage(rw, req, http.StatusInternalServerError, "Internal Error")
|
||||
p.ErrorPage(rw, req, http.StatusInternalServerError, err.Error())
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user