fix: uniform oidc errors (#7237)

* fix: uniform oidc errors sanitize oidc error reporting when passing package boundary towards oidc. * add should TriggerBulk in get audiences for auth request * upgrade to oidc 3.10.1 * provisional oidc upgrade to error branch * pin oidc 3.10.2
2025-08-11 21:07:31 +00:00 · 2024-01-18 08:10:49 +02:00
parent cdfcdec101
commit af4e0484d0
17 changed files with 267 additions and 61 deletions
--- a/internal/api/oidc/error.go
+++ b/internal/api/oidc/error.go
@@ -0,0 +1,49 @@
+package oidc
+
+import (
+	"errors"
+
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"
+
+	http_util "github.com/zitadel/zitadel/internal/api/http"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+// oidcError ensures [*oidc.Error] and [op.StatusError] types for err.
+// It must be used when an error passes the package boundary towards oidc.
+// When err is already of the correct type is passed as-is.
+// If the err is a Zitadel error, it is transformed with a proper HTTP status code.
+// Unknown errors are treated as internal server errors.
+func oidcError(err error) error {
+	if err == nil {
+		return nil
+	}
+
+	var (
+		sError op.StatusError
+		oError *oidc.Error
+		zError *zerrors.ZitadelError
+	)
+	if errors.As(err, &sError) || errors.As(err, &oError) {
+		return err
+	}
+
+	// here we are encountering an error type that is completely unknown to us.
+	if !errors.As(err, &zError) {
+		err = zerrors.ThrowInternal(err, "OIDC-AhX2u", "Errors.Internal")
+		errors.As(err, &zError)
+	}
+
+	statusCode, _ := http_util.ZitadelErrorToHTTPStatusCode(err)
+	newOidcErr := oidc.ErrServerError
+	if statusCode < 500 {
+		newOidcErr = oidc.ErrInvalidRequest
+	}
+	return op.NewStatusError(
+		newOidcErr().
+			WithParent(err).
+			WithDescription(zError.GetMessage()),
+		statusCode,
+	)
+}