2023-04-19 13:31:32 +02:00 · 2023-04-19 11:27:15 +02:00
2 changed files with 45 additions and 6 deletions
--- a/src/authentic2_auth_oidc/views.py
+++ b/src/authentic2_auth_oidc/views.py
@ -314,7 +314,9 @@ class LoginCallback(View):
        error = request.GET['error']
        error_dict = self.errors.get(error, {})
        level = error_dict.get('level', logging.WARNING)
-        error_description = request.GET.get('error_description', error_dict.get('error_description'))
+        remote_error_description = request.GET.get('error_description')
+        local_error_description = error_dict.get('error_description')
+        error_description = remote_error_description or local_error_description
        error_url = request.GET.get('error_url')

        log_msg = 'auth_oidc: error received '
@ -329,9 +331,16 @@ class LoginCallback(View):
        logger.log(level, log_msg)

        if 'none' not in prompt:
-            if error_description:
+            # messages displayed to end user
+            if local_error_description:
+                # user-friendly error message
+                messages.add_message(request, level, local_error_description)
+                if remote_error_description:
+                    # log a more tech error description for debugging purposes
+                    messages.debug(request, remote_error_description)
+            elif remote_error_description:
                message = _('%(error_description)s (%(error)s)') % {
-                    'error_description': error_description,
+                    'error_description': remote_error_description,
                    'error': error,
                }
                messages.add_message(request, level, message)
@ -343,11 +352,13 @@ class LoginCallback(View):
                }
                if provider:
                    message = _(
-                        'Login with %(provider_name)s failed, report %(request_id)s to an administrator (%(error)s)'
+                        'Login with %(provider_name)s failed, please try again later and/or report '
+                        '%(request_id)s to an administrator (%(error)s)'
                    )
                else:
                    message = _(
-                        'Login with OpenID Connect failed, report %s to an administrator. (%(error)s)'
+                        'Login with OpenID Connect failed, please try again later and/or report %s to an '
+                        'administrator. (%(error)s)'
                    )

                messages.warning(request, message % message_params)
--- a/tests/test_auth_oidc.py
+++ b/tests/test_auth_oidc.py
@ -25,9 +25,11 @@ from unittest import mock

 import pytest
 from django.contrib.auth import get_user_model
+from django.contrib.messages import constants as message_constants
 from django.core.exceptions import ValidationError
 from django.db import IntegrityError, transaction
 from django.http import QueryDict
+from django.test.utils import override_settings
 from django.urls import reverse
 from django.utils.encoding import force_str
 from django.utils.timezone import now, utc
@ -1178,7 +1180,33 @@ def test_error_access_denied(app, caplog, oidc_provider_jwkset):
    assert 'denied by you or the identity provider' in caplog.records[-1].message
    assert caplog.records[-1].levelname == 'INFO'
    assert 'denied by you or the identity provider' in response.pyquery('.info').text()
-    assert 'access_denied' in response
+    assert 'access_denied' not in response  # error code not logged in UI anymore
+
+    response = app.get(
+        login_callback_url(oidc_provider),
+        params={
+            'error': 'access_denied',
+            'error_description': 'some OP technical error message',
+            'state': state,
+        },
+    )
+    response = response.maybe_follow()
+    assert 'denied by you or the identity provider' not in caplog.records[-1].message
+    assert 'some OP technical error message' in caplog.records[-1].message
+
+    with override_settings(MESSAGE_LEVEL=message_constants.DEBUG):
+        response = app.get(
+            login_callback_url(oidc_provider),
+            params={
+                'error': 'access_denied',
+                'error_description': 'some OP technical error message',
+                'state': state,
+            },
+        )
+
+        response = response.maybe_follow()
+        assert 'denied by you or the identity provider' in response.pyquery('.info').text()
+        assert 'some OP technical error message' in response.pyquery('.debug').text()


 def test_error_other(app, caplog, oidc_provider_jwkset):