console: surface OIDC sign-in failures on the login page #36193
leedqin wants to merge 1 commit into MaterializeInc:main from
Conversation
* Add `OidcCallback` route component so IdP callback errors render
instead of an indefinite loading spinner.
* Add `AuthError::OidcFailed` carrying the sanitized `OidcError::Display`
in the 401 body, so environmentd token rejections can be surfaced to
the user without leaking internal config.
* Wire the 401 interceptor to post a one-shot `{reason, detail}` message
to `sessionStorage`; the login page renders it as an `Alert`.
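The three bullets above describe one flow: a 401 on a bearer-authenticated request is turned into a one-shot `{reason, detail}` record, and the login page consumes it exactly once. The following is an added example of that flow written for this page; it is not the console's code and does not come from the PR. It assumes the storage key name `login_message`, that environmentd's 401 body is plain text, and that `sessionStorage` can be replaced by the tiny in-memory object built here (constructed for the example so it runs offline). It also goes slightly beyond the PR's `hasBearer`, which only inspects a `Request` object, by checking the `(url, init)` call form as well.

```javascript
// Added example: one-shot login failure message for a 401 interceptor.
// Not the console's code. Key name and plain-text 401 body are assumptions.
const LOGIN_MESSAGE_KEY = "login_message"; // assumed key
const MAX_DETAIL_LEN = 300;                // cap what we echo back to the user

// Constructed stand-in for window.sessionStorage so the example runs offline.
function makeMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Did this fetch call carry a bearer token? `input` is a URL string, a URL,
// or an object with a `headers` field (a Request in the browser); `init` is
// the optional fetch init. Header lookup via Headers is case-insensitive.
function hasBearer(input, init) {
  const headers =
    input && typeof input === "object" && "headers" in input
      ? new Headers(input.headers)
      : new Headers(init && init.headers);
  return (headers.get("authorization") || "").startsWith("Bearer ");
}

// Record a rejected bearer token as a one-shot login message. A 401 on a
// request without a bearer token is NOT recorded: we cannot tell session
// expiry apart from other 401s, so we claim nothing about it.
function storeLoginFailure(storage, status, bodyText, input, init) {
  if (status !== 401 || !hasBearer(input, init)) return null;
  // bodyText is the sanitized OidcError Display (assumed plain text).
  const detail = String(bodyText).replace(/\s+/g, " ").trim().slice(0, MAX_DETAIL_LEN);
  const msg = { reason: "auth_rejected", detail };
  storage.setItem(LOGIN_MESSAGE_KEY, JSON.stringify(msg));
  return msg;
}

// fetch wrapper: pass the response through untouched, but record OIDC 401s.
// The body is read from a clone so the caller can still consume the original.
function withLoginFailureInterceptor(fetchImpl, storage) {
  return async (input, init) => {
    const res = await fetchImpl(input, init);
    if (res.status === 401 && hasBearer(input, init)) {
      storeLoginFailure(storage, res.status, await res.clone().text(), input, init);
    }
    return res;
  };
}

// Login page: read and clear in one step so a reload does not re-show a
// stale alert. Anything that is not a well-formed auth_rejected record is
// dropped rather than rendered.
function takeLoginMessage(storage) {
  const raw = storage.getItem(LOGIN_MESSAGE_KEY);
  storage.removeItem(LOGIN_MESSAGE_KEY);
  if (raw === null) return null;
  try {
    const parsed = JSON.parse(raw);
    if (parsed && parsed.reason === "auth_rejected" && typeof parsed.detail === "string") {
      return { reason: parsed.reason, detail: parsed.detail.slice(0, MAX_DETAIL_LEN) };
    }
  } catch (_) {
    // corrupt or tampered value: ignore
  }
  return null;
}

// Text the Alert would show (the console renders a component; text here).
function loginAlertText(msg) {
  if (!msg) return "";
  const base = "Sign-in was rejected.";
  return msg.detail ? `${base} ${msg.detail}` : base;
}
```

The length cap and whitespace normalisation are defensive: the server already sanitizes the `Display` string, but the client should still treat it as untrusted text and never interpolate it as markup.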
| FailedToUpdateSession, | ||
| #[error("invalid credentials")] | ||
| InvalidCredentials, | ||
| /// Payload is `OidcError`'s sanitized `Display` (no expected-values leaks). |
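Review bot: the doc comment on the new variant promises a sanitized `OidcError::Display` with "no expected-values leaks", but nothing visible in this hunk enforces that; the guarantee lives in whatever `Display` impl produces the string. Add a test that issues a request with a bad token and asserts the 401 body contains the human-readable reason but not the configured issuer, audience or other expected values, so a later change to the `Display` impl cannot silently start leaking config.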
I think similar to the pgwire tests in src/environmentd/tests/auth.rs, we should have tests asserting the details for the http errors.
| const hasBearer = (input: Parameters<typeof fetch>[0]): boolean => | ||
| input instanceof Request && | ||
| (input.headers.get("Authorization")?.startsWith("Bearer ") ?? false); | ||
|
|
||
| /** Reads the sanitized `OidcError::Display` environmentd returns for OIDC 401s. */ |
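Review bot: `hasBearer` only returns true when `input instanceof Request`, so a call made as `fetch(url, { headers: { Authorization: "Bearer ..." } })` is classed as having no bearer token and its 401 is never surfaced. Since the signature is typed on `Parameters<typeof fetch>[0]` alone, consider also accepting the `init` argument and checking `new Headers(init?.headers).get("Authorization")` when `input` is not a `Request`.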
This feels like a hacky way to differentiate login errors from session expiration. Rather than use local storage, can we encode the error message into the URL (like a search param) then on the login page, just show the error there?
| export const OidcCallback = () => { | ||
| const auth = useAuth(); | ||
|
|
||
| if (!auth.error) return <LoadingScreen />; |
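Review bot: the early return `if (!auth.error) return <LoadingScreen />;` keeps the spinner up for as long as `auth.error` stays unset, and nothing in the hunk bounds that wait; if the callback exchange stalls without the auth library ever setting an error, the user is back to the indefinite spinner the PR sets out to remove. Suggest a timeout that falls through to the login page, or redirecting there with the error as proposed in the thread.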
I think we should unify the error behavior with errors from the Materialize side and just redirect to the login page with the error message.
| export const LOGIN_REASON_MESSAGES: Record<LoginReason, string> = { | ||
| auth_rejected: `Sign-in was rejected.${AUTH_REJECTED_SUFFIX}`, | ||
| session_expired: "Your previous session ended. Please sign in again.", |
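Review bot: `Record<LoginReason, string>` forces a non-empty message for every reason, so there is no way to record a `session_expired` 401 without also rendering an alert for it, even though a bare 401 is not positively known to be an expired session. Consider `Partial<Record<LoginReason, string>>` or `string | null` values so a reason can be logged without being shown.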
We could just not print an error for session expiration because we don't know definitively that a 401 with no detail is the session expiring.
Motivation
Addresses SSO feedback: show better error messages in the console when there are SSO failures, so the user experience is not confusing. Fixes CNS-53
Description
Verification
When the sign-in failed and the user is not part of the organization:

When OIDC might not be configured properly: