appsmithorg / appsmith

Platform to build admin panels, internal tools, and dashboards. Integrates with 25+ databases and any API.
https://www.appsmith.com
Apache License 2.0
33.78k stars 3.63k forks

[Feature]: Graceful error messages for invalid scopes with spaces #30728

Open LagunaElectric opened 7 months ago

LagunaElectric commented 7 months ago

Is there an existing issue for this?

Description

A user's instance went down after adding the offline_access scope to their Okta SSO setup with the following error:

org.springframework.beans.factory.UnsatisfiedDependencyException:
Error creating bean with name 'securityConfig':
Unsatisfied dependency expressed through field 'reactiveClientRegistrationRepository':
Error creating bean with name 'clientRegistrationRepository' defined in class path resource [org/springframework/boot/autoconfigure/security/oauth2/client/reactive/ReactiveOAuth2ClientConfigurations$ReactiveClientRegistrationRepositoryConfiguration.class]:
Failed to instantiate [org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository]:
Factory method 'clientRegistrationRepository' threw exception with message: scope "offline_access" contains invalid characters

When we checked the docker.env file we found there was a space in the scope like so: offline _access.

We expect that the platform would still start and give a UI warning or other indication about the invalid configuration instead of not starting at all.

Steps To Reproduce

  1. Have an instance with SSO.
  2. Provide a valid scope but with a space in the middle somewhere.
  3. Restart the instance.
  4. Observe that the instance doesn't start.
  5. Observe the above error in the backend logs.

Public Sample App

No response

Environment

Production

Issue video log

No response

Version

Self-Hosted EE 1.9.43

Nikhil-Nandagopal commented 6 months ago

Scopes are meant to not have spaces. Do we know which provider had spaces? I am closing this till we know more.

LagunaElectric commented 6 months ago

I agree, but we should still gracefully handle the case that it happens. It could be as simple as user input error, but instance startup shouldn't fail because of a scope typo. Even more confusing is that the error message identified the scope with the space in it, but didn't show the space in the error message. We had to go look at the docker.env file to see that the invalid character was a space.

Can you elaborate on what you mean when you ask what provider has spaces? Afaik none of them support it, but the premise of the issue stands. In this case the IdP is Okta.

Nikhil-Nandagopal commented 6 months ago

Yeah, fair point. So I'll turn this into an enhancement to improve the error message then.
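An added example (not Appsmith's code and not written by any commenter in this thread): a pre-flight check that can be run over docker.env before a restart. It validates each scope against the RFC 6749 scope-token character set and names every offending character by code point, so a stray space is visible in the message. The key name `EXAMPLE_OIDC_SCOPE` and the comma-separated list format are assumptions.

```python
import unicodedata

# Hypothetical key name; substitute the scope setting your docker.env actually uses.
SCOPE_KEY = "EXAMPLE_OIDC_SCOPE"

def is_nqchar(ch):
    """RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E )."""
    cp = ord(ch)
    return cp == 0x21 or 0x23 <= cp <= 0x5B or 0x5D <= cp <= 0x7E

def describe(ch):
    """Render a character so that whitespace and control bytes are visible."""
    return "U+%04X %s" % (ord(ch), unicodedata.name(ch, "UNNAMED"))

def check_scopes(value, sep=","):
    """Return (valid_scopes, problems) instead of raising on the first bad scope."""
    valid, problems = [], []
    for raw in value.split(sep):  # assumption: scopes are a comma-separated list
        if raw == "":
            problems.append("empty scope entry")
            continue
        bad = [(i, c) for i, c in enumerate(raw) if not is_nqchar(c)]
        if bad:
            where = ", ".join("%s at index %d" % (describe(c), i) for i, c in bad)
            problems.append("scope %r: %s" % (raw, where))
        else:
            valid.append(raw)
    return valid, problems

def check_env_text(text, key=SCOPE_KEY):
    """Find `key=value` in env-file text and validate its scope list."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip() == key:
            return check_scopes(value.strip().strip('"'))
    return [], ["%s not set" % key]

# Constructed sample mirroring the typo described in this report.
SAMPLE_ENV = "EXAMPLE_OIDC_SCOPE=openid,profile,offline _access\n"

if __name__ == "__main__":
    ok, problems = check_env_text(SAMPLE_ENV)
    print("usable scopes:", ok)
    for p in problems:
        print("WARNING:", p)
```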