fix: redirect to login page on OIDC expiry instead of showing raw JSON#18271

Open

blink-so wants to merge 3 commits into main from fix/oidc-expiry-redirect

Conversation

blink-so[bot] (Contributor) commented Jun 6, 2025

Fixes #18201

Problem

When OIDC sessions expire or authentication fails, users see ugly raw JSON error responses instead of being redirected to a user-friendly login page with clear error messages.

Before:

{"message":"Failed exchanging Oauth code.","detail":"oauth2:\"invalid_grant\"\"AADSTS54005: OAuth2 Authorization code was already redeemed...\""}

After:
Users are redirected to /login?message=Authentication+failed%3A+Session+expired%2C+please+sign+in+again

Solution

Modified the OAuth2 middleware (coderd/httpmw/oauth2.go) to redirect to the login page instead of returning JSON errors for OIDC authentication failures.

Changes Made

  • OIDC Provider Errors: Redirect with user-friendly "Authentication failed" messages
  • Session Expiry: Redirect with "Session expired, please sign in again" for missing/mismatched cookies
  • State Issues: Redirect with appropriate error messages for invalid authentication state
  • OAuth Exchange Failures: Redirect with detailed error information (except device flow)
  • Preserved Device Flow: Still returns JSON for authorization_pending as expected by OAuth device flow clients

Error Message Examples

  • Authentication failed: Session expired, please sign in again (for expired sessions)
  • Authentication failed: invalid_request - The request is missing a required parameter (for OIDC provider errors)
  • Authentication failed: Invalid authentication state (for missing state)

Testing

  • ✅ All existing tests updated and passing
  • ✅ Added comprehensive test coverage for redirect functionality:
    • OIDCErrorRedirectsToLogin: Tests OIDC provider error parameters
    • NoStateRedirectsToLogin: Tests missing state parameter
    • NoStateCookieRedirectsToLogin: Tests missing session cookie
    • MismatchedStateRedirectsToLogin: Tests state mismatch scenarios
  • ✅ Verified existing authentication flows remain unchanged
  • ✅ Confirmed device flow still works correctly

Impact

This significantly improves the user experience when OIDC authentication fails, especially for session expiry scenarios. Users now get a proper login page with clear instructions instead of confusing JSON errors.

Fixes #18201

When OIDC sessions expire or authentication fails, users now get redirected to the login page with a user-friendly error message instead of seeing raw JSON error responses.

Changes:
- Modified OAuth2 middleware to redirect to /login?message=<error> for OIDC failures
- Added user-friendly error messages for different failure scenarios:
  - Session expired errors for missing/mismatched cookies
  - Authentication failed messages for OIDC provider errors
  - Proper URL encoding of error messages
- Preserved device flow behavior (still returns JSON as expected)
- Updated tests to verify redirect behavior
- Added comprehensive test coverage for new redirect functionality

This significantly improves the user experience when OIDC authentication fails, especially for session expiry scenarios.
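The response policy the PR describes (redirect browser flows to /login?message=<error> with the message query-escaped, but keep the JSON body for a device-flow client polling with authorization_pending) can be shown in a small self-contained Go handler. This is an added example, not code from the PR or from coderd/httpmw/oauth2.go: the oidcFailure type, the classifyCallback/writeFailure/callbackHandler names, the "oauth_state" cookie name and the JSON body shape are all assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
)

// authorizationPending is the OAuth 2.0 device-flow error code that a polling
// client expects to receive as JSON; it must never be turned into a redirect.
const authorizationPending = "authorization_pending"

// oidcFailure is a classified callback or token-exchange failure.
// Hypothetical type for this example, not the project's own.
type oidcFailure struct {
	Code    string // OAuth2 error code, e.g. "invalid_request"
	Message string // human-readable text shown on the login page
}

// loginRedirectURL builds /login?message=<error>. url.Values.Encode applies
// query escaping, so provider-supplied text cannot add extra query parameters
// or break the URL.
func loginRedirectURL(msg string) string {
	q := url.Values{}
	q.Set("message", "Authentication failed: "+msg)
	return "/login?" + q.Encode()
}

// classifyCallback inspects the OIDC callback request and returns nil when it
// is well-formed. The cases mirror the PR description: provider error
// parameters, a missing state parameter, and a missing or mismatched state
// cookie. The cookie name "oauth_state" is an assumption for this example.
func classifyCallback(r *http.Request) *oidcFailure {
	q := r.URL.Query()
	if code := q.Get("error"); code != "" {
		desc := q.Get("error_description")
		if desc == "" {
			desc = "identity provider returned an error"
		}
		return &oidcFailure{Code: code, Message: fmt.Sprintf("%s - %s", code, desc)}
	}
	state := q.Get("state")
	if state == "" {
		return &oidcFailure{Code: "invalid_state", Message: "Invalid authentication state"}
	}
	c, err := r.Cookie("oauth_state")
	if err != nil || c.Value != state {
		return &oidcFailure{Code: "session_expired", Message: "Session expired, please sign in again"}
	}
	return nil
}

// writeFailure applies the response policy: browser flows are redirected to
// the login page, while a device-flow client still receives the JSON it
// expects. The JSON shape here is constructed for the example.
func writeFailure(w http.ResponseWriter, r *http.Request, f *oidcFailure) {
	if f.Code == authorizationPending {
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(http.StatusBadRequest)
		_ = json.NewEncoder(w).Encode(map[string]string{
			"message": "Failed exchanging Oauth code.",
			"detail":  f.Code,
		})
		return
	}
	http.Redirect(w, r, loginRedirectURL(f.Message), http.StatusTemporaryRedirect)
}

// callbackHandler is a stand-in for the middleware's callback step: classify
// the request, then either fail with the policy above or continue.
func callbackHandler(w http.ResponseWriter, r *http.Request) {
	if f := classifyCallback(r); f != nil {
		writeFailure(w, r, f)
		return
	}
	w.WriteHeader(http.StatusOK)
}

func main() {
	// Prints the same URL the PR shows for an expired session.
	fmt.Println(loginRedirectURL("Session expired, please sign in again"))
}
```

The Location header produced for the missing-cookie case is exactly the "After" URL in the description; the test exercises the three callback failure cases plus the device-flow branch, which must stay JSON even though it is an error.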
github-actions (GitHub Actions) commented

Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.


I have read the CLA Document and I hereby sign the CLA


Coder Assistant seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

Development
Successfully merging this pull request may close these issues.

bug: redirect to login page on OIDC expiry