feat(auth): surface OIDC callback errors with distinct codes + log cause #100
Reference: james/carol#100
## Problem

The OAuth callback handler's catch block (added in #85) collapses every error other than `NoVerifiedEmailError` into a generic 400 with the message "Failed to fetch profile" and no log line.

For OIDC, `extractProfile()` can throw `IdTokenSignatureError`, `IdTokenClaimError` (covering iss/aud/exp/nbf/email/missing id_token), or `NonceMismatchError`; each indicates a different root cause that needs a different fix. The current code makes them indistinguishable from the browser AND swallows the underlying error so it doesn't reach container logs either.

Hit while deploying #85 against Authentik on carol.int.wynning.tech: the only signal was "Failed to fetch profile," with no way to tell whether the signature, a claim, the nonce, or something else failed.

## Scope

- `app/api/auth/oauth/callback/[provider]/route.ts` catch block: log the underlying error to `console.error` with the provider id so the cause shows up in container logs.
- `?error=code` on the `/login` redirect:
  - `IdTokenSignatureError` → `oidc_signature`
  - `IdTokenClaimError` → `oidc_claim` (iss / aud / exp / email / missing id_token)
  - `NonceMismatchError` → `oidc_nonce_mismatch`
  - `NoVerifiedEmailError` → `no_verified_email` (unchanged)
  - everything else → `oauth_profile`

## Out of scope

- `/login` page copy for the new error codes. Lands separately.

## Acceptance

A self-hoster who hits a misconfigured Authentik / Keycloak / etc. gets a redirect URL ending in `?error=oidc_signature` (or `_claim` / `_nonce_mismatch`) AND a `[oauth callback <name>]` line in container logs naming the underlying error class. Either signal alone is enough to diagnose.
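The following is an added example of the catch-block mapping described under Scope and the two signals required under Acceptance; it is not code from the project's `route.ts`. The error class constructors, `errorCodeFor()`, `handleOidcCallbackError()`, `LOGIN_PATH` and the sample origin are assumptions for illustration; only the class names and the error codes come from the issue text. The design point worth noting: the browser only ever sees one of a closed set of codes, while the error class and message (which for a claim failure may quote the unexpected `iss` or `aud` value, and for an unknown failure may contain anything) go to the server log only, so diagnostic detail never leaks into a user-facing redirect URL.

```typescript
// Added example (not the project's code). Assumed shapes for the error classes
// named in the issue; the real ones may carry different fields.
class NoVerifiedEmailError extends Error {
  constructor(message = "no verified email in profile") { super(message); this.name = "NoVerifiedEmailError"; }
}
class IdTokenSignatureError extends Error {
  constructor(message = "id_token signature verification failed") { super(message); this.name = "IdTokenSignatureError"; }
}
class IdTokenClaimError extends Error {
  // `claim` is an assumed field: which claim failed (iss / aud / exp / email / missing id_token).
  constructor(public readonly claim: string, message?: string) {
    super(message ?? `invalid ${claim} claim`);
    this.name = "IdTokenClaimError";
  }
}
class NonceMismatchError extends Error {
  constructor(message = "nonce in id_token does not match session nonce") { super(message); this.name = "NonceMismatchError"; }
}

// Closed set of codes that may appear in ?error= on the /login redirect.
type CallbackErrorCode =
  | "oidc_signature"
  | "oidc_claim"
  | "oidc_nonce_mismatch"
  | "no_verified_email"
  | "oauth_profile";

const LOGIN_PATH = "/login"; // assumed

// Map a thrown value to its user-facing code. Anything not recognised falls
// back to the generic oauth_profile code rather than leaking its message.
function errorCodeFor(err: unknown): CallbackErrorCode {
  // The four classes are siblings here; if the real ones inherit from one
  // another, order the more specific instanceof checks first.
  if (err instanceof IdTokenSignatureError) return "oidc_signature";
  if (err instanceof IdTokenClaimError) return "oidc_claim";
  if (err instanceof NonceMismatchError) return "oidc_nonce_mismatch";
  if (err instanceof NoVerifiedEmailError) return "no_verified_email";
  return "oauth_profile";
}

// Server-side description: error class plus message. Handles non-Error throws
// (strings, undefined) so the log line is never empty.
function describeError(err: unknown): string {
  if (err instanceof Error) return `${err.name}: ${err.message}`;
  return `non-Error thrown: ${String(err)}`;
}

interface CallbackFailure {
  redirectTo: string; // absolute URL the handler should 302 to
  logLine: string;    // exactly what was written to the log sink
}

// What the catch block in the callback route would do: emit the
// "[oauth callback <provider>]" log line naming the underlying error, then
// redirect to /login with only the mapped code in the query string.
function handleOidcCallbackError(
  err: unknown,
  provider: string,
  origin: string,
  log: (line: string) => void = console.error,
): CallbackFailure {
  const code = errorCodeFor(err);
  const url = new URL(LOGIN_PATH, origin);
  url.searchParams.set("error", code); // URL API encodes; code is an enum anyway
  const logLine = `[oauth callback ${provider}] ${describeError(err)}`;
  log(logLine);
  return { redirectTo: url.toString(), logLine };
}

// Stand-alone demonstration against a constructed failure (not a captured one).
const demo = handleOidcCallbackError(
  new IdTokenClaimError("aud", "aud claim was \"wrong-client\""),
  "authentik",
  "https://app.example.test",
);
// Browser sees: https://app.example.test/login?error=oidc_claim
// Log sees:     [oauth callback authentik] IdTokenClaimError: aud claim was "wrong-client"
void demo;
```

The rejected `aud` value appears only in the log line, never in the redirect, which is the property a reviewer should check on the real change as well.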