fix: uniform oidc errors (#7237)

* fix: uniform oidc errors

Sanitize OIDC error reporting when errors cross the package boundary towards the oidc library, so that internal error details are not passed through unchanged.

* add should TriggerBulk in get audiences for auth request

* upgrade to oidc 3.10.1

* provisional oidc upgrade to error branch

* pin oidc 3.10.2
This commit is contained in:
Tim Möhlmann
2024-01-18 08:10:49 +02:00
committed by GitHub
parent cdfcdec101
commit af4e0484d0
17 changed files with 267 additions and 61 deletions


@@ -27,20 +27,22 @@ type accessToken struct {
isPAT bool
}
var ErrInvalidTokenFormat = errors.New("invalid token format")
func (s *Server) verifyAccessToken(ctx context.Context, tkn string) (*accessToken, error) {
var tokenID, subject string
if tokenIDSubject, err := s.Provider().Crypto().Decrypt(tkn); err == nil {
split := strings.Split(tokenIDSubject, ":")
if len(split) != 2 {
return nil, errors.New("invalid token format")
return nil, zerrors.ThrowPermissionDenied(ErrInvalidTokenFormat, "OIDC-rei1O", "token is not valid or has expired")
}
tokenID, subject = split[0], split[1]
} else {
verifier := op.NewAccessTokenVerifier(op.IssuerFromContext(ctx), s.keySet)
claims, err := op.VerifyAccessToken[*oidc.AccessTokenClaims](ctx, tkn, verifier)
if err != nil {
return nil, err
return nil, zerrors.ThrowPermissionDenied(err, "OIDC-Eib8e", "token is not valid or has expired")
}
tokenID, subject = claims.JWTID, claims.Subject
}