Short error when Accept header given and doesn't allow text/html?

[cben]

I don't understand OAuth protocol enough, don't know if this idea is feasible.

Motivation

When oauth-proxy sits in front of services that have JSON or other machine-readable APIs, and they are accessed by clients that are not a browser and won't do interactive login, those clients are normally configured out of band to provide a valid token/cookie. When that auth is misconfigured/expired, oauth-proxy returns 403 and the full HTML Login page. This is suboptimal because:

• Wasted traffic, e.g. the page I get is 84KB.
• Logging. Client code may not be expect HTML from oauth-proxy at all, but JSON or something like that from the API it's trying to reach. It's sometimes lazy and doesn't check HTTP codes (I'm guilty of this too, as our API normally returns errors as e.g. parsable JSON). So you get non-helpful errors like "Unexpected <", and your next step is log the body that failed to parse. Logging a 80K body is impractical :boom:, and most of it is useless noise! The only useful signals are: (1) Secured with <a href="https://github.com/openshift/oauth-proxy#oauth2_proxy">OpenShift oauth-proxy</a> version 2.3.0 which is in last 500 bytes of the HTML (2) you sent auth but it was bad, which you can guess but it's not explicit.

Proposal

When oauth-proxy is certain that HTML is not expected, returns a short text, e.g.:

Unauthorized. Received bearer token but it's expired. For interactive login page, accept text/html or visit /oauth/sign_in. https://github.com/openshift/oauth-proxy version 2.3.0.

When can we be "certain" this is not breaking? Not sure because I don't understand OAuth and how non-browser login flows may work... But I guess when oauth-proxy receives a header like Accept: application/json, text/javascript which doesn't allow text/html nor a */* fallback, this would be OK?

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[openshift-bot]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten /remove-lifecycle stale

[openshift-bot]

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

[openshift-ci-robot]

@openshift-bot: Closing this issue.

In response to [this](https://github.com/openshift/oauth-proxy/issues/171#issuecomment-740006908): >Rotten issues close after 30d of inactivity. > >Reopen the issue by commenting `/reopen`. >Mark the issue as fresh by commenting `/remove-lifecycle rotten`. >Exclude this issue from closing again by commenting `/lifecycle frozen`. > >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.