feat(auth): surface OIDC callback errors with distinct codes + log cause (#100) #101
james/carol!101
Summary
The OAuth callback's catch block (added in #85) collapsed every error other than NoVerifiedEmailError into a generic 400 with "Failed to fetch profile" and no log line. For OIDC, that swallowed three distinct failure classes (IdTokenSignatureError, IdTokenClaimError, NonceMismatchError) and left a self-hoster with nothing to grep for. Hit while deploying #85 against Authentik on carol.int.wynning.tech — the only signal was "Failed to fetch profile."

Now the catch:
- console.error with the provider id, so the cause shows up in container logs.
- Redirects to /login with a distinct ?error=<code> per failure class:
  - IdTokenSignatureError → oidc_signature
  - IdTokenClaimError → oidc_claim (iss / aud / exp / email / missing id_token)
  - NonceMismatchError → oidc_nonce_mismatch
  - NoVerifiedEmailError → no_verified_email (unchanged)
  - any other error → oauth_profile

Either signal alone is enough to diagnose a misconfigured IdP.
Decision: 302 + log (not 400 + log)
The pre-existing NoVerifiedEmailError path already redirected to /login?error=…, so this lands all "we got a token, validation failed" cases on the same shape. Protocol-level failures (cookies missing, state mismatch, provider mismatch, RFC 9207 iss mismatch) stay 400 — those indicate browser or attack-shaped problems where landing on /login would be misleading.

Reviewer note: see the "Out of scope" section of #100 — I'm open to flipping these back to 400 if a reviewer prefers the cleaner security-review story.
Test plan
- npm run typecheck — clean.
- npm run lint — clean.
- npm test — 214 / 38 skipped.
- ?error= code per failure: bad signature (oidc_signature), email_verified: false (oidc_claim), nonce mismatch (oidc_nonce_mismatch).
- carol.int.wynning.tech — confirm container logs show the specific error class.

Closes #100.
🤖 Generated with Claude Code
f8ed6588e26fd6509547
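The split the PR describes (token obtained but validation failed → 302 to /login with a distinct ?error= code plus a log line; protocol-level failure → 400) is easy to get subtly wrong when every branch lives in one catch block. The following is an added example written for this page, not code from the PR or the project: the error classes are stand-ins with assumed constructors, the ProtocolError base, the log-line format and the `handleCallbackError` name are all illustrative, and the sample errors at the bottom are constructed rather than taken from a real Authentik run.

```typescript
// Added example (not the project's code). Error classes are stand-ins for
// the ones the PR names; their real constructors are assumed.
class NoVerifiedEmailError extends Error {}
class IdTokenSignatureError extends Error {}
class IdTokenClaimError extends Error {
  readonly claim: string; // which claim failed: iss / aud / exp / email / ...
  constructor(claim: string) {
    super(`id_token claim rejected: ${claim}`);
    this.claim = claim;
  }
}
class NonceMismatchError extends Error {}

// Protocol-level failures happen before any token has been validated.
// Hypothetical base class: the PR keeps these on 400, not a /login redirect.
class ProtocolError extends Error {}
class StateMismatchError extends ProtocolError {}
class IssuerMismatchError extends ProtocolError {} // RFC 9207 iss check

type CallbackOutcome =
  | { status: 302; location: string }
  | { status: 400; body: string };

type ErrorClass = new (...args: never[]) => Error;

// Most specific class first if any class ever extends another, since
// instanceof matches subclasses too.
const TOKEN_VALIDATION_CODES: ReadonlyArray<readonly [ErrorClass, string]> = [
  [IdTokenSignatureError, 'oidc_signature'],
  [IdTokenClaimError, 'oidc_claim'],
  [NonceMismatchError, 'oidc_nonce_mismatch'],
  [NoVerifiedEmailError, 'no_verified_email'],
];

// One greppable description per error: class name plus the failing claim
// for claim errors, class name plus message otherwise.
function describeError(err: unknown): string {
  if (err instanceof IdTokenClaimError) {
    return `${err.constructor.name} (${err.claim})`;
  }
  if (err instanceof Error) {
    return `${err.constructor.name}: ${err.message}`;
  }
  return String(err);
}

// Logs every failure with the provider id, then decides the response shape.
// `log` is injectable so the log line can be asserted on; it defaults to
// console.error so the line lands in container logs.
function handleCallbackError(
  err: unknown,
  providerId: string,
  log: (line: string) => void = (line) => console.error(line),
): CallbackOutcome {
  log(`[oauth:${providerId}] callback failed: ${describeError(err)}`);

  // Browser- or attack-shaped problem: no token was ever validated, so a
  // /login redirect would be misleading. Stay on 400.
  if (err instanceof ProtocolError) {
    return { status: 400, body: 'OAuth callback rejected' };
  }

  // Token obtained, validation failed: distinct code per class, with
  // oauth_profile as the fallback for anything not listed.
  const match = TOKEN_VALIDATION_CODES.find(([cls]) => err instanceof cls);
  const code = match ? match[1] : 'oauth_profile';
  return { status: 302, location: `/login?error=${encodeURIComponent(code)}` };
}

// Constructed sample run; no real IdP is involved.
for (const sample of [
  new IdTokenClaimError('aud'),
  new NonceMismatchError('nonce in id_token does not match cookie'),
  new StateMismatchError('state cookie missing'),
  new Error('profile fetch failed'),
]) {
  console.log(handleCallbackError(sample, 'authentik'));
}
```

The table-driven mapping keeps the "which code for which class" decision in one place, and routing on a shared ProtocolError base means a newly added protocol check cannot accidentally fall through to the /login redirect just because nobody added it to a list.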