search

ory / hydra

The most scalable and customizable OpenID Certified™ OpenID Connect and OAuth Provider on the market. Become an OpenID Connect and OAuth2 Provider over night. Broad support for related RFCs. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=hydra
Apache License 2.0
15.5k stars 1.49k forks source link

Expired Login/Consent Challenge Should be Resolvable for Consent App #3772

Open terev opened 4 months ago

terev commented 4 months ago

Preflight checklist

Ory Network Project

No response

Describe your problem

When a login or consent challenge expires Hydra returns a HTTP 401 with an error indicating the expiry. However this makes it hard for the consent app to resolve the error state. This issue will mostly arise when the user has requested a login form which embeds the login challenge, and they leave the form open until the challenge has expired. This is hard for the consent app to resolve as it can no longer view the login request at this point.

Describe your ideal solution

Ideally Hydra would return a HTTP 410 and include where the consent app should redirect to in order to resolve this error state. Like how hydra responds for handled challenges. https://github.com/ory/hydra/issues/2057#issuecomment-1432929642

Workarounds or alternatives

Was able to somewhat work around this by extracting the request url and return it as a hidden field in the login form. Then on login form submission I match the expired challenge errors, and redirect to the request url to restart the flow.

Version

2.2.0

Additional Context

No response