Draft: Fix OAuth2 authorization error handling

Prior to this change uffd always displayed an error page to the user when encountering an OAuth2 authorization error (access denied or other). This violates RFC 6749, which requires such errors to be reported back to the client.

I also did some testing on how CCCV services react to the error=access_denied parameter:

  • RocketChat: JS exception and displays login screen without error message
  • Gitlab: Displays login screen with alert: Could not authenticate you from CccvSingleSignOn because "Access denied".
  • HedgeDoc: Displays start page without error message
  • Grafana: Displays login page with alert: Login failed, login provider denied login request
  • uffd-nginxauth: Internal Server Error
  • dokuwiki-plugin-authuffd: Displays login screen without error message

Aside from our custom implementations (uffd-nginxauth and dokuwiki-plugin-authuffd), that's 2 out of 4. So this change would likely break existing configurations. I think we need a per-client config option.

Edited by Julian
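The RFC 6749 behaviour the description refers to is section 4.1.2.1: on an authorization error the server redirects back to the registered redirect_uri with an `error` parameter (plus `error_description` if wanted, and `state` echoed whenever the client sent one), except when the redirect_uri itself is invalid, in which case the server must not redirect and should show the error itself. The following is an added illustration written for this page, not uffd's own code. It assumes a client record shaped as a dict with a `redirect_uris` list and a hypothetical `report_errors_to_client` flag standing in for the per-client option proposed above; the client-side parser at the end shows why the `state` echo matters.

```python
"""RFC 6749 section 4.1.2.1 error responses for an authorization endpoint.

Added example for this discussion; not code from uffd. The client record
layout and the report_errors_to_client flag are assumptions made here.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Error codes the authorization endpoint may return (RFC 6749 section 4.1.2.1).
AUTHZ_ERROR_CODES = frozenset({
    "invalid_request", "unauthorized_client", "access_denied",
    "unsupported_response_type", "invalid_scope", "server_error",
    "temporarily_unavailable",
})


def validate_redirect_uri(registered_uris, redirect_uri):
    """Exact string comparison against the registered URIs (RFC 6749 section 3.1.2.2).

    Prefix or substring matching is a classic open-redirect mistake, so only
    a full match is accepted here.
    """
    return redirect_uri in registered_uris


def build_error_redirect(redirect_uri, error, state=None, error_description=None):
    """Append the error parameters to the redirect_uri query component.

    Existing query parameters on the registered URI are kept (section 3.1.2),
    a fragment is rejected (section 3.1.2 forbids one), and state is echoed
    back exactly when the client supplied it.
    """
    if error not in AUTHZ_ERROR_CODES:
        raise ValueError("not an RFC 6749 authorization error code: %r" % error)
    parts = urlsplit(redirect_uri)
    if parts.fragment:
        raise ValueError("redirect_uri must not contain a fragment component")
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("error", error))
    if error_description is not None:
        query.append(("error_description", error_description))
    if state is not None:
        query.append(("state", state))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def authorization_error_response(client, redirect_uri, error, state=None,
                                 error_description=None):
    """Decide whether to redirect the error to the client or render it locally.

    Returns ("redirect", location) or ("page", message). The redirect_uri is
    validated first: for an invalid one the server MUST NOT redirect
    (section 4.1.2.1), so the error is shown on the server's own page.
    report_errors_to_client is the assumed per-client option; when it is
    False the server keeps the old behaviour of showing its own error page.
    """
    if not validate_redirect_uri(client["redirect_uris"], redirect_uri):
        return ("page", "invalid redirect_uri")
    if not client.get("report_errors_to_client", True):
        return ("page", error)
    return ("redirect",
            build_error_redirect(redirect_uri, error, state, error_description))


def parse_error_callback(callback_url, expected_state):
    """Client side: read the error from the callback URL after checking state.

    A callback whose state does not match the one the client generated is
    not acted on at all (neither code nor error), which is what makes the
    echoed state parameter worth requiring in the first place.
    Returns (error, error_description) or None when no error is present.
    """
    params = dict(parse_qsl(urlsplit(callback_url).query, keep_blank_values=True))
    if params.get("state") != expected_state:
        raise ValueError("state mismatch; ignoring callback")
    if "error" not in params:
        return None
    return params["error"], params.get("error_description")


if __name__ == "__main__":
    # Constructed sample client and request, not real configuration.
    client = {"redirect_uris": ["https://app.example/oauth/callback?v=2"]}
    kind, location = authorization_error_response(
        client, "https://app.example/oauth/callback?v=2",
        "access_denied", state="n0nce", error_description="User declined")
    print(kind, location)
    print(parse_error_callback(location, "n0nce"))
```

The decision function keeps the redirect_uri check ahead of the per-client switch on purpose: whichever way the option is set, an unregistered redirect_uri never turns the error path into an open redirect.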

Activity

  • assigned to @julian

  • Julian changed the description

  • Author (Owner)
    I've noticed this while working on !155 (merged) and looking at the OIDC conformance profiles. In the "SSO for internal services" scenario I don't see much value in reporting auth errors back to clients. If the error is access_denied it does not matter much who displays the error to the user. All other cases are configuration errors, where it matters even less.

    So I think I'm mainly adding this for potentially passing OIDC conformance tests.

  • Author Owner

    I decided against merging this, at least for now. I don't think it has much practical value, especially given the mixed application support.

  • closed
