author | Dan <djr2468@gmail.com> | 2023-04-02 13:51:46 +0100 |
committer | Dan <djr2468@gmail.com> | 2023-04-02 13:51:46 +0100 |
commit | 2cc1cb3c7530fdabb750a9e0b5cc26e3e2286185 (patch) | |
tree | 0633990256880e76cec878cd371938476fa7bd8a | |
parent | 040fa7c83b67b0c6541348c4ecd3979c7a80ebc5 (diff) | |
Add better error handling
-rw-r--r-- | src/main/java/org/traccar/api/security/OpenIDProvider.java | 15 | ||||
-rw-r--r-- | swagger.json | 16 |
2 files changed, 23 insertions, 8 deletions
diff --git a/src/main/java/org/traccar/api/security/OpenIDProvider.java b/src/main/java/org/traccar/api/security/OpenIDProvider.java
index 80d84dfbd..1e18fde43 100644
--- a/src/main/java/org/traccar/api/security/OpenIDProvider.java
+++ b/src/main/java/org/traccar/api/security/OpenIDProvider.java
@@ -32,6 +32,7 @@ import java.util.Date;
 import java.util.List;
 import java.io.IOException;
 import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Response;
 
 import com.google.inject.Inject;
@@ -43,6 +44,7 @@ import com.nimbusds.oauth2.sdk.AuthorizationGrant;
 import com.nimbusds.oauth2.sdk.TokenRequest;
 import com.nimbusds.oauth2.sdk.TokenResponse;
 import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
+import com.nimbusds.oauth2.sdk.AuthorizationErrorResponse;
 import com.nimbusds.oauth2.sdk.ParseException;
 import com.nimbusds.oauth2.sdk.AuthorizationResponse;
 import com.nimbusds.oauth2.sdk.auth.Secret;
@@ -134,7 +136,7 @@ public class OpenIDProvider {
         }
     }
 
-    private AuthorizationCode parseCallback(URI requri) {
+    private AuthorizationCode parseCallback(URI requri) throws WebApplicationException {
         AuthorizationResponse response;
 
         try {
@@ -144,7 +146,8 @@ public class OpenIDProvider {
         }
 
         if (!response.indicatesSuccess()) {
-            return null;
+            AuthorizationErrorResponse error = response.toErrorResponse();
+            throw new WebApplicationException(Response.status(403).entity(error.getErrorObject().getDescription()).build());
         }
 
         return response.toSuccessResponse().getAuthorizationCode();
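Review bot: In the `@@ -144,7 +146,8 @@` hunk the new 403 body is `error.getErrorObject().getDescription()`, which is the error description carried in the authorization response that reached this endpoint via the callback URI, so it is data chosen by whoever produced that redirect rather than by this server, and it is returned to the browser without an explicit media type. Either send it with a fixed content type so it is never rendered, `throw new WebApplicationException(Response.status(403).type(MediaType.TEXT_PLAIN_TYPE).entity(error.getErrorObject().getDescription()).build());` (adds an import of `javax.ws.rs.core.MediaType`), or log the description server-side and return a generic message like the other branches in handleCallback. The Nimbus error object's description is optional, so `getDescription()` may be null here; guard it before building the entity. The try/catch at the top of parseCallback continues outside the hunk, so it is not visible whether the catch path still returns null.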
@@ -196,19 +199,19 @@ public class OpenIDProvider {
         return user;
     }
 
-    public Response handleCallback(URI requri, HttpServletRequest request) throws StorageException {
+    public Response handleCallback(URI requri, HttpServletRequest request) throws StorageException, WebApplicationException {
         // Parse callback
         AuthorizationCode authCode = this.parseCallback(requri);
 
         if (authCode == null) {
-            return Response.ok().entity("Callback parse fail").build();
+            return Response.status(403).entity( "Invalid OpenID Connect callback.").build();
         }
 
         // Get token from IDP
         OIDCTokenResponse tokens = this.getToken(authCode);
 
         if (tokens == null) {
-            return Response.ok().entity("Token request failed").build();
+            return Response.status(403).entity("Unable to authenticate with the OpenID Connect provider. Please try again.").build();
         }
 
         BearerAccessToken bearerToken = tokens.getOIDCTokens().getBearerAccessToken();
@@ -217,7 +220,7 @@ public class OpenIDProvider {
         UserInfo idpUser = this.getUserInfo(bearerToken);
 
         if (idpUser == null) {
-            return Response.ok().entity("User info request failed").build();
+            return Response.status(500).entity("Failed to access OpenID Connect user info endpoint. Please contact your administrator.").build();
         }
 
         String email = idpUser.getEmailAddress();
diff --git a/swagger.json b/swagger.json
index 6a8bc91f6..8968db4eb 100644
--- a/swagger.json
+++ b/swagger.json
@@ -1027,6 +1027,10 @@
           "303": {
             "description": "Redirect to OpenID Connect identity provider",
             "content": { }
+          },
+          "404": {
+            "description": "OpenID Connect disabled",
+            "content": { }
           }
         }
       }
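Review bot: The `tokens == null` branch in the `@@ -196,19 +199,19 @@` hunk now answers 403 for a failed token request, but getToken (outside the hunk) is the server-to-provider back-channel call, and a null there is at least as likely to be a network or configuration failure as a rejected grant, which the 403 plus "Please try again" text hides from operators; consider returning 500 here, matching the user-info branch, or documenting in a comment why a token failure is treated as the caller's fault. The `authCode == null` check is kept even though parseCallback now throws on a negative response, so a one-line comment such as `// null only when the callback could not be parsed; negative responses are thrown by parseCallback` would stop the next reader from treating it as dead code. The stray space in `entity( "Invalid OpenID Connect callback.")` should be dropped for consistency with the other calls. handleCallback continues past the end of the hunk.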
@@ -1043,11 +1047,19 @@
         ],
         "responses": {
           "303": {
-            "description": "Redirect to homepage",
+            "description": "Successful authentication, redirect to homepage",
+            "content": { }
+          },
+          "403": {
+            "description": "Invalid callback or negative response from identity provider",
             "content": { }
           },
           "404": {
-            "description": "Invalid callback",
+            "description": "OpenID Connect disabled",
+            "content": { }
+          },
+          "500": {
+            "description": "Other OpenID Connect error",
             "content": { }
           }
         }