
Draft: Fix OAuth2 authorization error handling

Julian requested to merge oauth-fixes into master

Prior to this change, uffd always displayed an error page to the user when encountering an OAuth2 authorization error (access denied or other). This violates RFC 6749, which requires such errors to be reported back to the client.

I also did some testing on how CCCV services react to the error=access_denied parameter:

  • RocketChat: JS exception and displays login screen without error message
  • Gitlab: Displays login screen with alert: Could not authenticate you from CccvSingleSignOn because "Access denied".
  • HedgeDoc: Displays start page without error message
  • Grafana: Displays login page with alert: Login failed, login provider denied login request
  • uffd-nginxauth: Internal Server Error
  • dokuwiki-plugin-authuffd: Displays login screen without error message

Aside from our custom implementations (uffd-nginxauth and dokuwiki-plugin-authuffd), that's 2 out of 4. So this change would likely break existing configurations. I think we need a per-client config option.

Edited by Julian
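The behaviour the description asks for (reporting the authorization error back to the client instead of rendering a server-side error page) is the RFC 6749 section 4.1.2.1 error response: a redirect to the client's registered `redirect_uri` carrying `error`, optionally `error_description`, and the echoed `state`. The following is an added illustration, not code from this merge request or from uffd. The `client` dict, its `redirect_errors` flag (standing in for the per-client option proposed above) and the example URIs are assumptions of this example; the list of error codes is the one RFC 6749 defines for the authorization endpoint.

```python
# Added example (not uffd's code): building the RFC 6749 section 4.1.2.1
# authorization error response, with a hypothetical per-client switch.
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Error codes RFC 6749 section 4.1.2.1 allows in an authorization error response.
RFC6749_AUTHZ_ERRORS = {
    "invalid_request", "unauthorized_client", "access_denied",
    "unsupported_response_type", "invalid_scope", "server_error",
    "temporarily_unavailable",
}


def build_error_redirect(redirect_uri, error, state=None, error_description=None):
    """Return the URI the authorization server redirects the user-agent to.

    redirect_uri must be the client's pre-registered value, validated by the
    caller; redirecting to a URI taken from the request would make the error
    path an open redirect. The existing query string is preserved, the error
    parameters are appended, and state is echoed back unchanged when present.
    """
    if error not in RFC6749_AUTHZ_ERRORS:
        raise ValueError(f"not an RFC 6749 authorization error code: {error}")
    parts = urlsplit(redirect_uri)
    if parts.fragment:
        # RFC 6749 section 3.1.2: the redirection endpoint URI has no fragment.
        raise ValueError("redirect_uri must not contain a fragment")
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("error", error))
    if error_description is not None:
        query.append(("error_description", error_description))
    if state is not None:
        query.append(("state", state))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def authorization_error_response(client, error, state=None, error_description=None):
    """Decide how an authorization error is reported for one client.

    `client` is a hypothetical dict holding the registered `redirect_uri` and a
    per-client flag `redirect_errors` (an assumption of this example). When the
    flag is False the server keeps the pre-change behaviour and renders its own
    error page, which is what the clients listed above that mishandle
    error=access_denied would need.
    """
    if client.get("redirect_errors", False):
        location = build_error_redirect(
            client["redirect_uri"], error, state, error_description)
        return ("redirect", location)
    return ("error_page", error)


if __name__ == "__main__":
    # Constructed sample clients, one per behaviour.
    strict = {"redirect_uri": "https://app.example/cb", "redirect_errors": True}
    legacy = {"redirect_uri": "https://legacy.example/cb?p=1", "redirect_errors": False}
    print(authorization_error_response(strict, "access_denied", state="xyz"))
    print(authorization_error_response(legacy, "access_denied", state="xyz"))
```

The flag defaults to the error-page behaviour, so enabling the RFC-conformant redirect is an explicit, per-client decision taken only after the client has been checked against a list like the one above.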
