ory / hydra

The most scalable and customizable OpenID Certified™ OpenID Connect and OAuth Provider on the market. Become an OpenID Connect and OAuth2 Provider over night. Broad support for related RFCs. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=hydra
Apache License 2.0

consent: Error on login/consent cancel #1791

Closed sawadashota closed 4 years ago

sawadashota commented 4 years ago

Describe the bug

When login/consent is cancelled, the public server (/oauth2/auth?client_id=...) returns an error after #1758

Reproducing the bug (Login)

Steps to reproduce the behavior:

  1. Start Authorization Code Flow
  2. Cancel Login
  3. Redirect to RP with an unexpected error message (expected a cancellation error message)
https://127.0.0.1:3030/callback?error=server_error&error_debug=The+login+request+was+previously+remembered+and+can+only+be+forgotten+using+the+reject+feature.&error_description=The+authorization+server+encountered+an+unexpected+condition+that+prevented+it+from+fulfilling+the+request&state=RdQSwXfR%2F6B3uNk%2B15RxcA%3D%3D
{"debug":"The login request was previously remembered and can only be forgotten using the reject feature.","description":"The authorization server encountered an unexpected condition that prevented it from fulfilling the request","error":"server_error","level":"error","msg":"An error occurred","time":"2020-04-09T05:47:14Z"}
{"level":"debug","msg":"Stack trace: \ngithub.com/ory/hydra/consent.(*DefaultStrategy).verifyAuthentication\n\t/go/src/github.com/ory/hydra/consent/strategy_default.go:357\ngithub.com/ory/hydra/consent.(*DefaultStrategy).HandleOAuth2AuthorizationRequest\n\t/go/src/github.com/ory/hydra/consent/strategy_default.go:970\ngithub.com/ory/hydra/oauth2.(*Handler).AuthHandler\n\t/go/src/github.com/ory/hydra/oauth2/handler.go:624\ngithub.com/julienschmidt/httprouter.(*Router).ServeHTTP\n\t/go/pkg/mod/github.com/julienschmidt/httprouter@v1.2.0/router.go:334\ngithub.com/urfave/negroni.Wrap.func1\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:46\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2012\ngithub.com/ory/hydra/x.RejectInsecureRequests.func1\n\t/go/src/github.com/ory/hydra/x/tls_termination.go:83\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/x/metricsx.(*Service).ServeHTTP\n\t/go/pkg/mod/github.com/ory/x@v0.0.111/metricsx/middleware.go:261\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/hydra/metrics/prometheus.(*MetricsManager).ServeHTTP\n\t/go/src/github.com/ory/hydra/metrics/prometheus/middleware.go:26\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/x/reqlog.(*Middleware).ServeHTTP\n\t/go/pkg/mod/github.com/ory/x@v0.0.111/reqlog/middleware.go:140\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/urfave/negroni.(*Negroni).ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:96\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2807\nnet/http.(*conn).serve\n\t/usr/local/go/src/net/http/server.go:1895\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1373","time":"2020-04-09T05:47:14Z"}

Reproducing the bug (Consent)

  1. Start Authorization Code Flow
  2. Login
  3. Cancel Consent
  4. Redirect to RP with no error message (expected a cancellation error message)

Server configuration

log:
  level: "debug"
  format: json

serve:
  public:
    port: 4444
  admin:
    port: 4445
  tls:
    allow_termination_from:
      - "192.168.0.0/24"
      - "127.0.0.1/32"

dsn: "mysql://[REDUCTED]:[REDUCTED]@tcp(mysql:3306)/hydra?parseTime=true&collation=utf8mb4_bin"

webfinger:
  oidc_discovery:
    userinfo_url: "http://localhost:3000/api/oidc/v1/userinfo"

urls:
  self:
    issuer: "https://127.0.0.1:8080"
  login: "http://localhost:3000/oidc/login"
  consent: "http://localhost:3000/oidc/consent"

ttl:
  login_consent_request: 1h
  access_token: 1h
  refresh_token: 672h
  id_token: 1h
  auth_code: 10m

oauth2:
  expose_internal_errors: "true"

secrets:
  system:
    - SystemSecret12345
    - SystemSecret1234
  cookie:
    - CookieSecret12345
    - CookieSecret1234

Environment
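As an added example (not code from this issue or from Hydra itself), a relying-party-side check that parses the callback Hydra redirects to, binds it to the flow via the state parameter, and separates a user cancellation (access_denied, the code a login/consent app typically passes on reject) from a provider failure (server_error, which is what the callback URL in this report carries). The callback URL and its state value are taken from the report above; the function and type names are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
)

// Outcome is what an RP should conclude from the query string Hydra appends on redirect.
type Outcome struct {
	Kind        string // "success", "cancelled", "idp_error" or "invalid_state"
	Error       string // RFC 6749 error code, empty on success
	Description string // error_description, the text the login/consent app passed
	Debug       string // error_debug, only sent with oauth2.expose_internal_errors on
}

// ClassifyCallback parses the callback URL, binds it to the flow the RP started by
// comparing state, and maps the error code: access_denied is what a rejected login or
// consent should surface, server_error means the provider itself failed (this issue).
func ClassifyCallback(raw, expectedState string) (Outcome, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return Outcome{}, err
	}
	q := u.Query() // percent-decodes, so %2F and %3D in state come back as / and =
	out := Outcome{Error: q.Get("error"), Description: q.Get("error_description"), Debug: q.Get("error_debug")}
	// A state mismatch means this callback was not produced by our redirect; act on nothing in it.
	if expectedState == "" || q.Get("state") != expectedState {
		out.Kind = "invalid_state"
		return out, nil
	}
	switch out.Error {
	case "":
		if q.Get("code") == "" {
			return out, fmt.Errorf("callback carries neither code nor error")
		}
		out.Kind = "success"
	case "access_denied":
		out.Kind = "cancelled" // user-facing "you cancelled" page, nothing to alert on
	default:
		out.Kind = "idp_error" // log Error and Debug for the operator, show a generic page
	}
	return out, nil
}

func main() {
	// Callback URL from the issue report; the expected state is that URL's decoded state value.
	raw := "https://127.0.0.1:3030/callback?error=server_error&error_debug=The+login+request+was+previously+remembered+and+can+only+be+forgotten+using+the+reject+feature.&error_description=The+authorization+server+encountered+an+unexpected+condition+that+prevented+it+from+fulfilling+the+request&state=RdQSwXfR%2F6B3uNk%2B15RxcA%3D%3D"
	out, _ := ClassifyCallback(raw, "RdQSwXfR/6B3uNk+15RxcA==")
	fmt.Printf("%s: %s (%s)\n", out.Kind, out.Error, out.Debug)
}
```

Run against the report's URL this yields idp_error rather than cancelled, which is the regression the report describes; an RP integration test that asserts on Kind after rejecting a login request would catch it.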

doubliez commented 4 years ago

I'm seeing the same error and stack trace after upgrading to v1.4.2. As a result, after rejecting a login request, the following error is returned to the client (as the error description):

"The authorization server encountered an unexpected condition that prevented it from fulfilling the request"

instead of the actual error description that was passed from the login-consent app.

aeneasr commented 4 years ago

Ok so the issue is that the actual error message is not being set but instead an internal server error message, right?

aeneasr commented 4 years ago

Was able to reproduce it, working on a fix!

sawadashota commented 4 years ago

Thanks!