Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feat: handle OAuth errors #2227

Merged
merged 17 commits into from
Jul 23, 2024
Merged

Feat: handle OAuth errors #2227

merged 17 commits into from
Jul 23, 2024

Conversation

thekaveman
Copy link
Member

@thekaveman thekaveman commented Jul 17, 2024
edited
Loading

Closes #2019

  • Implements a new error screen in the oauth app
  • Handles errors on creation/registration of the OAuth client
  • Handles errors for all OAuth client method calls
  • Sends a new analytics event oauth error in all cases
    • operation property indicates the specific client call: init, authorize_redirect, authorize_access_token, and load_server_metadata
    • message property describes the exception
  • Captures an exception in Sentry in all cases

How to test

  1. Checkout the branch locally
  2. Run bin/init.sh to get the PO file updates
  3. Launch the app with F5
  4. Select an agency or enter via their slug URL
  5. Manually enter the URL in the browser: /oauth/error: see the error page
  6. Attempt a Login.gov flow for the agency (without configuring the AuthProvider): see the error page
  7. Misconfigure an EligibilityVerifier to not specify an AuthProvider and without an Eligibility API base URL or form class and attempt to sign in with this verifier selected: see the error page

@thekaveman thekaveman self-assigned this Jul 17, 2024
@github-actions github-actions bot added back-end Django views, sessions, middleware, models, migrations etc. deployment-dev [auto] Changes that will trigger a deploy if merged to dev i18n Copy: Language files or Django i18n framework front-end HTML/CSS/JavaScript and Django templates tests Related to automated testing (unit, UI, integration, etc.) labels Jul 17, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Jul 17, 2024
edited
Loading

Coverage report

Click to see where and how coverage changed

FileStatementsMissingCoverageCoverage
(new stmts)		Lines missing
  benefits/core
  middleware.py
  benefits/oauth
  analytics.py
  middleware.py
  redirects.py
  views.py 179
Project Total  

This report was generated by python-coverage-comment-action

@thekaveman thekaveman force-pushed the feat/oauth-error branch 6 times, most recently from faa7598 to a675967 Compare July 17, 2024 20:58
@thekaveman thekaveman marked this pull request as ready for review July 17, 2024 21:08
@thekaveman thekaveman requested a review from a team as a code owner July 17, 2024 21:08
@thekaveman thekaveman force-pushed the feat/oauth-error branch 8 times, most recently from b2b6bf9 to 06aaca5 Compare July 18, 2024 21:11
angela-tran
angela-tran reviewed Jul 19, 2024
View reviewed changes
Copy link
Member

@angela-tran angela-tran left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These code changes look good to me!

I'm not sure if this is just me, but when I try to log out, the IdG doesn't redirect me back to Benefits. I end up at this screen:

image

When I try log out on https://dev-benefits.calitp.org, it redirects me back to Benefits.

Does this happen for anyone else?

@thekaveman
Copy link
Member Author

Hmm I'm seeing an error page now (both locally and for dev) just trying to sign in with IdG, so I wonder if they are working on some changes in dev on their side?

image

@thekaveman thekaveman marked this pull request as draft July 22, 2024 17:59
@lalver1
Copy link
Member

lalver1 commented Jul 22, 2024

The code looks good and I did see the new error screen when going through a flow that uses a misconfigured AuthProvider (for example using an invalid Authority) 👍
As I was testing I did notice these 2 use cases that maybe can show the new error screen too:

  • Not selecting an AuthProvider for a flow that requires one. The middleware seems to catch this case, DEBUG benefits.oauth.middleware:22 Session not configured with eligibility verifier that uses auth verification, so the user sees 200-user-error.html. Perhaps we can instead show the new error screen system_error.html in this case.

  • Wrong scope/claim configured. If a wrong scope/claim has been configured, attempting a Login.gov flow will return an error screen generated by the Authority, for example, Sorry, there was an error : Invalid scope. Perhaps we can instead show the new error screen system_error.html in this case.

@thekaveman
Copy link
Member Author

These code changes look good to me!

I'm not sure if this is just me, but when I try to log out, the IdG doesn't redirect me back to Benefits. I end up at this screen:

[image]

When I try log out on https://dev-benefits.calitp.org, it redirects me back to Benefits.

Does this happen for anyone else?

@angela-tran I'm seeing this behavior now locally, but not in dev -- I can't see how it would be due to any changes in this PR. I'll follow up in Slack.

@thekaveman thekaveman requested a review from lalver1 July 22, 2024 21:25
@thekaveman
Copy link
Member Author

thekaveman commented Jul 22, 2024
edited
Loading

These code changes look good to me!
I'm not sure if this is just me, but when I try to log out, the IdG doesn't redirect me back to Benefits. I end up at this screen:
[image]
When I try log out on https://dev-benefits.calitp.org, it redirects me back to Benefits.
Does this happen for anyone else?

@angela-tran I'm seeing this behavior now locally, but not in dev -- I can't see how it would be due to any changes in this PR. I'll follow up in Slack.

I found the issue, it was a change from this PR 😞 I'm going to revert it and rebase... stand by.

Fixed now, I dropped out the commit that changed the URL of our post_logout endpoint, which is registered with IdG 🤦

@angela-tran
Copy link
Member

Fixed now, I dropped out the commit that changed the URL of our post_logout endpoint, which is registered with IdG

Ah that makes sense

thekaveman added 16 commits July 22, 2024 15:30
@thekaveman
feat(oauth): error template and copy
c98549a
@thekaveman
feat(oauth): error url and view function
059fca7
@thekaveman
feat(oauth): view helper gets client or error redirect
b6ed94b 
logs exception to Sentry
@thekaveman
feat(oauth): handle client init errors in login
5917f12
@thekaveman
feat(oauth): handle client init errors in authorize
1f1a521
@thekaveman
feat(oauth): handle client init errors in logout
f4878bb
@thekaveman
feat(oauth): handle authorize_redirect errors
3a992da
@thekaveman
feat(oauth): handle authorize_access_token errors
4909958
@thekaveman
feat(oauth): handle load_server_metadata errors
effc92f
@thekaveman
feat(oauth): define analytics event for client error
f0c0600 
- operation references the specific call that failed
- message gives more information about the exception or response code
@thekaveman
feat(oauth): send analytics error event for client init
94658cb
@thekaveman
feat(oauth): send analytics event for login errors
9edea09 
operation: authorize_redirect
@thekaveman
feat(oauth): send analytics event for authorize errors
a0b5e6c 
operation: authorize_access_token
@thekaveman
feat(oauth): send analytics event for logout errors
c19ebfa 
operation: load_server_metadata
@thekaveman
refactor(tests/oauth): move app_request to first parameter
417d775 
align all test function signatures to have this parameter first
@thekaveman
refactor(oauth): centralize analytics, sentry, error redirect
651ff11
angela-tran
angela-tran previously approved these changes Jul 23, 2024
View reviewed changes
Copy link
Member

@angela-tran angela-tran left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

lalver1
lalver1 reviewed Jul 23, 2024
View reviewed changes
Copy link
Member

@lalver1 lalver1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The logic looks good @thekaveman for the misconfigured verifier case, but there may be a small typo related to checking for is None and == "" that prevents the new error page from displaying.

benefits/oauth/middleware.py Outdated Show resolved Hide resolved
@thekaveman
feat(oauth): handle misconfigured session verifier
5bce79d 
the case when the session verifier has neither Eligibility API nor IDP config
is a system error / configuration error
@thekaveman thekaveman requested a review from lalver1 July 23, 2024 20:18
lalver1
lalver1 approved these changes Jul 23, 2024
View reviewed changes
Copy link
Member

@lalver1 lalver1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! 👍

@thekaveman thekaveman merged commit 8979fd9 into main Jul 23, 2024
15 checks passed
@thekaveman thekaveman deleted the feat/oauth-error branch July 23, 2024 21:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lalver1 lalver1 lalver1 approved these changes

@angela-tran angela-tran angela-tran left review comments

Assignees

@thekaveman thekaveman

Labels
back-end Django views, sessions, middleware, models, migrations etc. deployment-dev [auto] Changes that will trigger a deploy if merged to dev front-end HTML/CSS/JavaScript and Django templates i18n Copy: Language files or Django i18n framework tests Related to automated testing (unit, UI, integration, etc.)
Projects
None yet
Milestone
Improved UX for application error states
Development

Successfully merging this pull request may close these issues.

Implement error handling during authentication with the IDG for good UX
3 participants
@thekaveman @lalver1 @angela-tran