DuendeSoftware / Support

Support for Duende Software products

Token endpoint should redirect to own error page when getting internalservererror #1242

Closed delunaj23 closed 2 months ago

delunaj23 commented 3 months ago

Which version of Duende IdentityServer are you using? 6
Which version of .NET are you using? 8

Describe the bug

A clear and concise description of what you expected to happen.

Failures caused by transient dependency faults in the token endpoint are handled by IdentityServer and not overridden with my own error handling. The response should therefore honour the OIDC error spec.

Additional context

Add any other context about the problem here.

I'm currently trying out IdentityServer in my personal project. I'm asking for some guidance: when a 500 error occurs and a valid request is made to the POST /auth/connect/token endpoint, the response should be a JSON response compliant with the OIDC error spec and also a redirect to the error page.

```csharp
using System;
using System.Threading.Tasks;
using Duende.IdentityServer.Services;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class ErrorController : Controller
{
    public const string Route = "identity/error";

    private readonly IIdentityServerInteractionService _identityServerInteractionService;
    // IIdentityServerEvent and ExternalPaths are the poster's own types; they are not shown in the issue.
    private readonly IIdentityServerEvent _identityServerEvent;

    public ErrorController(IIdentityServerInteractionService identityServerInteractionService, IIdentityServerEvent identityServerEvent)
    {
        _identityServerInteractionService = identityServerInteractionService;
        _identityServerEvent = identityServerEvent;
    }

    [AllowAnonymous]
    [Route(Route)]
    public async Task<IActionResult> Index([FromQuery] string errorId)
    {
        // Resolve the error context IdentityServer stored for this errorId (null if unknown or expired).
        var errorCtxt = await _identityServerInteractionService.GetErrorContextAsync(errorId)
            ?? throw new Exception($"Invalid error ID: {errorId}");

        _identityServerEvent.IdentityInteractionError(new IdentityServerInteractionError(errorCtxt));

        // RedirectUri is set when the error can be returned to the client's registered redirect URI.
        if (errorCtxt.RedirectUri != null)
        {
            return Redirect(errorCtxt.RedirectUri);
        }

        return Redirect(ExternalPaths.StaticErrorPageRedirect);
    }
}
```

```csharp
using Duende.IdentityServer.Models;

// Class header reconstructed from the constructor name; the issue only shows the class body.
public class IdentityServerInteractionError
{
    public IdentityServerInteractionError(ErrorMessage error)
    {
        ErrorCode = error.Error;
        Description = error.ErrorDescription;
        ClientId = error.ClientId;
        RequestId = error.RequestId;
    }

    public string ErrorCode { get; }
    public string? Description { get; }
    public string? ClientId { get; }
    public string? RequestId { get; }
}
```

```csharp
[Test]
//[Ignore("Under investigation AB#917551")]
public void Given_AuthCodeStoreIsUnavailable_When_TokenEndpointIsRequestedInAuthCodeFlow_Then_RespondWithOIDCError()
{
    // Given/When/Then are the poster's own test harness; the generic type arguments of
    // Arg.Any<...>() did not survive extraction of the page and are not restored here.
    Given.AuthorizationCodesStore.Mock
        .ReadAsync(Arg.Any(), Arg.Any())
        .ThrowsAsync(new Exception("Code store unavailable"));

    When.Post("auth/connect/token")
        .IsRequested(new FormUrlEncodedContent(new List<KeyValuePair<string, string>>
        {
            KeyValuePair.Create("client_id", ClientDefaults.DefaultClientId),
            KeyValuePair.Create("grant_type", "authorization_code"),
            KeyValuePair.Create("redirect_uri", ClientDefaults.DefaultRedirectUri),
            KeyValuePair.Create("code_verifier", "codeverifier"),
            KeyValuePair.Create("code", "code"),
        }));

    Then.Response.IsServerError()
        .And.Response.BodyIs<OidcError>();
}
```
delunaj23 commented 3 months ago

Hi @RolandGuijt, any updates on this by any chance?

RolandGuijt commented 3 months ago

There is typically no direct user involvement during interaction with the token endpoint. With the authorization code flow, e.g., it is used to exchange the code for an actual token with a backchannel request. So the response in case of an error should not be an error page, as opposed to interaction with the authorization endpoint, where we do show an error page for user-related errors.

Does this help? If not could you please provide some more details on the use case?
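To make the backchannel distinction concrete, the following is an added example, not code from IdentityServer or from the poster: an ASP.NET Core middleware that wraps only the token endpoint and turns an unhandled exception (such as a transient store fault) into a JSON error body with a 5xx status, while leaving the authorization endpoint's user-facing error page untouched. The middleware and extension names, the `/connect/token` path (the poster's host uses an `/auth` prefix) and the choice of `server_error` as the error code are assumptions.

```csharp
using System;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

// Hypothetical middleware (not part of IdentityServer). It only wraps requests to the
// token endpoint; errors on the authorization endpoint keep going to the error page.
public sealed class TokenEndpointErrorMiddleware
{
    // Assumption: IdentityServer is mounted at the app root. Adjust for a path base such as /auth.
    private static readonly PathString TokenEndpoint = new PathString("/connect/token");

    private readonly RequestDelegate _next;
    private readonly ILogger<TokenEndpointErrorMiddleware> _logger;

    public TokenEndpointErrorMiddleware(RequestDelegate next, ILogger<TokenEndpointErrorMiddleware> logger)
    {
        _next = next;
        _logger = logger;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        if (!context.Request.Path.StartsWithSegments(TokenEndpoint))
        {
            // Not a backchannel token request: leave the host's normal error handling in place.
            await _next(context);
            return;
        }

        try
        {
            await _next(context);
        }
        catch (Exception ex) when (!context.Response.HasStarted)
        {
            // Keep the details server-side; the caller is a client application, not a browser user.
            _logger.LogError(ex, "Unhandled exception while serving the token endpoint");

            context.Response.Clear();
            context.Response.StatusCode = StatusCodes.Status500InternalServerError;
            context.Response.ContentType = "application/json";
            // RFC 6749 section 5.1 requires Cache-Control: no-store on token responses;
            // applying it on the error path as well costs nothing.
            context.Response.Headers["Cache-Control"] = "no-store";
            context.Response.Headers["Pragma"] = "no-cache";

            // RFC 6749 section 5.2 lists only client-fault codes for the token endpoint;
            // "server_error" is borrowed from the authorization endpoint codes in section 4.1.2.1.
            // Do not copy ex.Message into error_description: it would leak internals to the client.
            var body = JsonSerializer.Serialize(new
            {
                error = "server_error",
                error_description = "The authorization server encountered an unexpected condition."
            });
            await context.Response.WriteAsync(body);
        }
    }
}

public static class TokenEndpointErrorMiddlewareExtensions
{
    // Register this before app.UseIdentityServer() so the middleware wraps the endpoint.
    public static IApplicationBuilder UseTokenEndpointErrorHandling(this IApplicationBuilder app)
        => app.UseMiddleware<TokenEndpointErrorMiddleware>();
}
```

In Program.cs the order is `app.UseTokenEndpointErrorHandling(); app.UseIdentityServer();`. If the response has already started streaming, the `when` filter lets the exception propagate rather than writing a half-JSON body. A 5xx with a JSON `error` member is something a client library can inspect and retry; a 302 to an HTML error page would be followed silently by most HTTP clients and then fail as a JSON parse error, which is the practical reason the token endpoint should never redirect.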

RolandGuijt commented 2 months ago

@delunaj23 Did my comment clarify things for you? If so I'd like to close this issue.

RolandGuijt commented 2 months ago

Closing for now. Feel free to reopen if needed.