From e30b20dc68566e1f7d5638831c3b8f8c8d241e2c Mon Sep 17 00:00:00 2001
From: KN4CK3R <admin@oldschoolhack.me>
Date: Fri, 7 Jan 2022 22:02:09 +0100
Subject: [PATCH] Show OAuth callback error message (#18185)
* Show callback error message.
* lint
* Use error code to display a message.
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
options/locale/locale_en-US.ini | 3 +++
routers/web/auth/oauth.go | 36 ++++++++++++++++++++++++++++++++-
2 files changed, 38 insertions(+), 1 deletion(-)
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index eacd74e1a0..b739a90775 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -317,6 +317,9 @@ oauth_signup_submit = Complete Account
oauth_signin_tab = Link to Existing Account
oauth_signin_title = Sign In to Authorize Linked Account
oauth_signin_submit = Link Account
+oauth.signin.error = There was an error processing the authorization request. If this error persists, please contact the site administrator.
+oauth.signin.error.access_denied = The authorization request was denied.
+oauth.signin.error.temporarily_unavailable = Authorization failed because the authentication server is temporarily unavailable. Please try again later.
openid_connect_submit = Connect
openid_connect_title = Connect to an existing account
openid_connect_desc = The chosen OpenID URI is unknown. Associate it with a new account here.
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
index 9b22773d2f..d20bf97f3c 100644
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -106,6 +106,16 @@ func (err AccessTokenError) Error() string {
return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription)
}
+// errCallback represents a oauth2 callback error
+type errCallback struct {
+ Code string
+ Description string
+}
+
+func (err errCallback) Error() string {
+ return err.Description
+}
+
// TokenType specifies the kind of token
type TokenType string
@@ -810,7 +820,6 @@ func SignInOAuthCallback(ctx *context.Context) {
}
u, gothUser, err := oAuth2UserLoginCallback(authSource, ctx.Req, ctx.Resp)
-
if err != nil {
if user_model.IsErrUserProhibitLogin(err) {
uplerr := err.(*user_model.ErrUserProhibitLogin)
@@ -819,6 +828,19 @@ func SignInOAuthCallback(ctx *context.Context) {
ctx.HTML(http.StatusOK, "user/auth/prohibit_login")
return
}
+ if callbackErr, ok := err.(errCallback); ok {
+ log.Info("Failed OAuth callback: (%v) %v", callbackErr.Code, callbackErr.Description)
+ switch callbackErr.Code {
+ case "access_denied":
+ ctx.Flash.Error(ctx.Tr("auth.oauth.signin.error.access_denied"))
+ case "temporarily_unavailable":
+ ctx.Flash.Error(ctx.Tr("auth.oauth.signin.error.temporarily_unavailable"))
+ default:
+ ctx.Flash.Error(ctx.Tr("auth.oauth.signin.error"))
+ }
+ ctx.Redirect(setting.AppSubURL + "/user/login")
+ return
+ }
ctx.ServerError("UserSignIn", err)
return
}
@@ -1065,6 +1087,18 @@ func oAuth2UserLoginCallback(authSource *auth.Source, request *http.Request, res
log.Error("OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider", authSource.Name, setting.OAuth2.MaxTokenLength)
err = fmt.Errorf("OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider", authSource.Name, setting.OAuth2.MaxTokenLength)
}
+ // goth does not provide the original error message
+ // https://github.com/markbates/goth/issues/348
+ if strings.Contains(err.Error(), "server response missing access_token") || strings.Contains(err.Error(), "could not find a matching session for this request") {
+ errorCode := request.FormValue("error")
+ errorDescription := request.FormValue("error_description")
+ if errorCode != "" || errorDescription != "" {
+ return nil, goth.User{}, errCallback{
+ Code: errorCode,
+ Description: errorDescription,
+ }
+ }
+ }
return nil, goth.User{}, err
}