fix: Display error when a user connected with OIDC token from another account

shepilov · shepilov · commit 220eb43a724b · 2026-02-04T12:31:04.000+01:00
diff --git a/assets/locales/en.po b/assets/locales/en.po
@@ -482,6 +482,9 @@ msgstr "The authentication has failed"
 msgid "the FranceConnect authentication has failed"
 msgstr "The FranceConnect authentication has failed"
 
+msgid "OIDC Domain Mismatch %s %s"
+msgstr "To connect to %s, please disconnect first from %s"
+
 msgid "Instance Blocked Login"
 msgstr "The Twake was blocked because of too many login attempts"
 
diff --git a/assets/locales/fr.po b/assets/locales/fr.po
@@ -550,6 +550,9 @@ msgstr "L'authentification n'a pu aboutir"
 msgid "the FranceConnect authentication has failed"
 msgstr "Le compte FranceConnect utilisé ne correspond pas à votre compte Twake."
 
+msgid "OIDC Domain Mismatch %s %s"
+msgstr "Pour vous connecter à %s, veuillez d'abord vous déconnecter de %s"
+
 msgid "Instance Blocked Login"
 msgstr "Le Twake a été bloqué à cause de trop nombreux essais de connexion"
 
diff --git a/assets/locales/ru.po b/assets/locales/ru.po
@@ -533,6 +533,9 @@ msgstr "Аутентификация не удалась"
 msgid "the FranceConnect authentication has failed"
 msgstr "Используемый аккаунт FranceConnect не соответствует вашему аккаунту Twake."
 
+msgid "OIDC Domain Mismatch %s %s"
+msgstr "Чтобы подключиться к %s, сначала отключитесь от %s"
+
 msgid "Instance Blocked Login"
 msgstr "Twake был заблокирован из-за слишком многих попыток входа"
 
diff --git a/assets/locales/vi.po b/assets/locales/vi.po
@@ -484,6 +484,9 @@ msgstr "Xác thực không thành công"
 msgid "the FranceConnect authentication has failed"
 msgstr "Xác thực bằng FranceConnect không thành công"
 
+msgid "OIDC Domain Mismatch %s %s"
+msgstr "Để kết nối với %s, vui lòng đăng xuất khỏi %s trước"
+
 msgid "Instance Blocked Login"
 msgstr "Twake đã bị khóa do có quá nhiều lần đăng nhập không thành công"
 
diff --git a/web/oidc/oidc.go b/web/oidc/oidc.go
@@ -43,6 +43,17 @@ var (
 	ErrIdentityProvider     = errors.New("error from the identity provider")
 )
 
+// DomainMismatchError is returned when the user tries to connect to an
+// instance but has an active OIDC session for a different instance.
+type DomainMismatchError struct {
+	ExpectedDomain string // The instance the user is trying to access
+	ActualDomain   string // The instance from the OIDC token
+}
+
+func (e *DomainMismatchError) Error() string {
+	return fmt.Sprintf("OIDC Domain Mismatch %s %s", e.ExpectedDomain, e.ActualDomain)
+}
+
 // extractSessionID extracts the session ID (sid) from an id_token.
 func extractSessionID(idToken string) string {
 	if idToken == "" {
@@ -1054,7 +1065,7 @@ func checkDomainFromUserInfo(conf *Config, inst *instance.Instance, token string
 	}
 	if domain != inst.Domain {
 		logger.WithNamespace("oidc").Errorf("Invalid domains: %s != %s", domain, inst.Domain)
-		return ErrAuthenticationFailed
+		return &DomainMismatchError{ExpectedDomain: inst.Domain, ActualDomain: domain}
 	}
 	return nil
 }
