fix: uniform oidc errors (#7237)

* fix: uniform oidc errors sanitize oidc error reporting when passing package boundary towards oidc. * add should TriggerBulk in get audiences for auth request * upgrade to oidc 3.10.1 * provisional oidc upgrade to error branch * pin oidc 3.10.2
2025-08-11 21:17:32 +00:00 · 2024-01-18 08:10:49 +02:00
parent cdfcdec101
commit af4e0484d0
17 changed files with 267 additions and 61 deletions
--- a/internal/api/oidc/key.go
+++ b/internal/api/oidc/key.go
@@ -111,7 +111,10 @@ func (k *keySetCache) getKey(ctx context.Context, keyID string) (_ *jose.JSONWeb
 // VerifySignature implements the oidc.KeySet interface.
 func (k *keySetCache) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) (_ []byte, err error) {
 	ctx, span := tracing.NewSpan(ctx)
-	defer func() { span.EndWithError(err) }()
+	defer func() {
+		err = oidcError(err)
+		span.EndWithError(err)
+	}()

 	if len(jws.Signatures) != 1 {
 		return nil, zerrors.ThrowInvalidArgument(nil, "OIDC-Gid9s", "Errors.Token.Invalid")