Add better error handling

2 files changed, 23 insertions, 8 deletions

diff --git a/src/main/java/org/traccar/api/security/OpenIDProvider.java b/src/main/java/org/traccar/api/security/OpenIDProvider.java
index 80d84dfbd..1e18fde43 100644
--- a/src/main/java/org/traccar/api/security/OpenIDProvider.java
+++ b/src/main/java/org/traccar/api/security/OpenIDProvider.java
@@ -32,6 +32,7 @@ import java.util.Date;
 import java.util.List;
 import java.io.IOException;
 import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Response;
 import com.google.inject.Inject;
 
@@ -43,6 +44,7 @@ import com.nimbusds.oauth2.sdk.AuthorizationGrant;
 import com.nimbusds.oauth2.sdk.TokenRequest;
 import com.nimbusds.oauth2.sdk.TokenResponse;
 import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
+import com.nimbusds.oauth2.sdk.AuthorizationErrorResponse;
 import com.nimbusds.oauth2.sdk.ParseException;
 import com.nimbusds.oauth2.sdk.AuthorizationResponse;
 import com.nimbusds.oauth2.sdk.auth.Secret;
@@ -134,7 +136,7 @@ public class OpenIDProvider {
         }
     }
 
-    private AuthorizationCode parseCallback(URI requri) {
+    private AuthorizationCode parseCallback(URI requri) throws WebApplicationException {
         AuthorizationResponse response;
 
         try {
@@ -144,7 +146,8 @@ public class OpenIDProvider {
         }
 
         if (!response.indicatesSuccess()) {
-            return null;
+            AuthorizationErrorResponse error = response.toErrorResponse();
+            throw new WebApplicationException(Response.status(403).entity(error.getErrorObject().getDescription()).build());
         }
 
         return response.toSuccessResponse().getAuthorizationCode();
@@ -196,19 +199,19 @@ public class OpenIDProvider {
         return user;
     }
 
-    public Response handleCallback(URI requri, HttpServletRequest request) throws StorageException {
+    public Response handleCallback(URI requri, HttpServletRequest request) throws StorageException, WebApplicationException {
         // Parse callback
         AuthorizationCode authCode = this.parseCallback(requri);
 
         if (authCode == null) {
-            return Response.ok().entity("Callback parse fail").build();
+            return Response.status(403).entity( "Invalid OpenID Connect callback.").build();
         }
 
         // Get token from IDP
         OIDCTokenResponse tokens = this.getToken(authCode);
 
         if (tokens == null) {
-            return Response.ok().entity("Token request failed").build();
+            return Response.status(403).entity("Unable to authenticate with the OpenID Connect provider. Please try again.").build();
         }
 
         BearerAccessToken bearerToken = tokens.getOIDCTokens().getBearerAccessToken();
@@ -217,7 +220,7 @@ public class OpenIDProvider {
         UserInfo idpUser = this.getUserInfo(bearerToken);
 
         if (idpUser == null) {
-            return Response.ok().entity("User info request failed").build();
+            return Response.status(500).entity("Failed to access OpenID Connect user info endpoint. Please contact your administrator.").build();
         }
 
         String email = idpUser.getEmailAddress();
diff --git a/swagger.json b/swagger.json
index 6a8bc91f6..8968db4eb 100644
--- a/swagger.json
+++ b/swagger.json
@@ -1027,6 +1027,10 @@
           "303": {
             "description": "Redirect to OpenID Connect identity provider",
             "content": { }
+          },
+          "404": {
+            "description": "OpenID Connect disabled",
+            "content": { }
           }
         }
       }
@@ -1043,11 +1047,19 @@
         ],
         "responses": {
           "303": {
-            "description": "Redirect to homepage",
+            "description": "Successful authentication, redirect to homepage",
+            "content": { }
+          },
+          "403": {
+            "description": "Invalid callback or negative response from identity provider",
             "content": { }
           },
           "404": {
-            "description": "Invalid callback",
+            "description": "OpenID Connect disabled",
+            "content": { }
+          },
+          "500": {
+            "description": "Other OpenID Connect error",
             "content": { }
           }
         }