From d96c467b106805017f0ef6247dba20329cd0a690 Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Thu, 9 Mar 2023 23:19:49 -0600
Subject: [PATCH 1/2] fix: Prevent infinite redirects on bad oidc scopes

---
 coderd/httpmw/oauth2.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/coderd/httpmw/oauth2.go b/coderd/httpmw/oauth2.go
index 820523b6befcb..6412a6a075c90 100644
--- a/coderd/httpmw/oauth2.go
+++ b/coderd/httpmw/oauth2.go
@@ -56,6 +56,21 @@ func ExtractOAuth2(config OAuth2Config, client *http.Client) func(http.Handler)
 return
 }
 
+ // OIDC errors can be returned as query parameters. This can happen
+ // if for example we are providing and invalid scope.
+ // We should terminate the OIDC process if we encounter an error.
+ oidcError := r.URL.Query().Get("error")
+ errorDescription := r.URL.Query().Get("error_description")
+ if oidcError != "" {
+ oidcError = fmt.Sprintf("Encountered error in oidc process: %s", oidcError)
+ httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+ Message: oidcError,
+ // errorDescription is optional.
+ Detail: errorDescription,
+ })
+ return
+ }
+
 code := r.URL.Query().Get("code")
 state := r.URL.Query().Get("state")
 

From 5fb866f004754aca52bd564261c1c534a1ed07ac Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Fri, 10 Mar 2023 09:48:04 -0600
Subject: [PATCH 2/2] also add error_uri

---
 coderd/httpmw/oauth2.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/coderd/httpmw/oauth2.go b/coderd/httpmw/oauth2.go
index 6412a6a075c90..26c4ff63d71ea 100644
--- a/coderd/httpmw/oauth2.go
+++ b/coderd/httpmw/oauth2.go
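Review bot: The `error` and `error_description` values that the new branch copies into `Message` and `Detail` come straight from the callback's query string, and the branch runs before `code` or `state` are even read, so any request to the callback URL — not only a genuine redirect from the provider — gets its text echoed back in the response unvalidated. RFC 6749 §4.1.2.1 limits `error` to a fixed set of ASCII codes and `error_description` to printable ASCII, so a length cap and character check before echoing (or mapping `error` onto a fixed message and keeping the raw value in a server-side log, which would also make repeated `invalid_scope` responses visible) would be the safer choice; at minimum quote the value so empties and control characters are visible: `oidcError = fmt.Sprintf("Encountered error in oidc process: %q", oidcError)`. The query is parsed on every `r.URL.Query()` call — three times in the added lines and twice more for `code` and `state` — so a single `q := r.URL.Query()` at the top of the branch would read better. The same reflection concern applies to `error_uri` in the second hunk, which builds on this one; the enclosing handler closure starts and ends outside the hunk.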
@@ -61,11 +61,18 @@ func ExtractOAuth2(config OAuth2Config, client *http.Client) func(http.Handler)
 // We should terminate the OIDC process if we encounter an error.
 oidcError := r.URL.Query().Get("error")
 errorDescription := r.URL.Query().Get("error_description")
+ errorURI := r.URL.Query().Get("error_uri")
 if oidcError != "" {
+ // Combine the errors into a single string if either is provided.
+ if errorDescription == "" && errorURI != "" {
+ errorDescription = fmt.Sprintf("error_uri: %s", errorURI)
+ } else if errorDescription != "" && errorURI != "" {
+ errorDescription = fmt.Sprintf("%s, error_uri: %s", errorDescription, errorURI)
+ }
 oidcError = fmt.Sprintf("Encountered error in oidc process: %s", oidcError)
 httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 Message: oidcError,
- // errorDescription is optional.
+ // This message might be blank. This is ok.
 Detail: errorDescription,
 })
 return
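Review bot: `error_uri` is read from the callback request as-is and concatenated into `Detail`, so whoever composes the request controls a URL that lands in the response; the body is JSON, which is fine on its own, but if a client ever renders `Detail` as a link this becomes a ready-made phishing vector, so it is worth parsing the value and dropping anything that is not an absolute http(s) URL before using it: `if u, err := url.Parse(errorURI); err != nil || (u.Scheme != "http" && u.Scheme != "https") { errorURI = "" }` (needs `net/url` if the file does not already import it). The two `if`/`else if` arms both test `errorURI != ""`; a single `if errorURI != "" {` that appends `", "` only when `errorDescription` is already non-empty, then `"error_uri: " + errorURI`, covers the same cases and reads more plainly. The enclosing handler closure starts and ends outside the hunk.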