Skip to content

fix: Prevent infinite redirects on oidc errors #6550

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Mar 10, 2023
Merged

fix: Prevent infinite redirects on oidc errors #6550

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d96c467
fix: Prevent infinite redirects on bad oidc scopes
Emyrk Mar 10, 2023
5fb866f
also add error_uri
Emyrk Mar 10, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions coderd/httpmw/oauth2.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,21 @@ func ExtractOAuth2(config OAuth2Config, client *http.Client) func(http.Handler)
return
}

// OIDC errors can be returned as query parameters. This can happen
// if for example we are providing and invalid scope.
// We should terminate the OIDC process if we encounter an error.
oidcError := r.URL.Query().Get("error")
errorDescription := r.URL.Query().Get("error_description")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per the OIDC spec only the error response parameter is required; the error_description field is optional so we should handle that being blank.

Also there is an error_uri parameter that might be present so we should check for that as well.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do handle an empty error_description. The Details part of the error is extra developer debug info. If it is empty, we provide no extra details, since we have no extra information.

I can add error_uri though 👍

if oidcError != "" {
oidcError = fmt.Sprintf("Encountered error in oidc process: %s", oidcError)
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
Message: oidcError,
// errorDescription is optional.
Detail: errorDescription,
})
return
}

code := r.URL.Query().Get("code")
state := r.URL.Query().Get("state")

Expand Down