fix: handle invalid grant error from Idp

shelmangroup · Aug 29, 2024 · 76b99ef · 76b99ef
1 parent 8c756ce
commit 76b99ef
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/authz/authz.go b/authz/authz.go
@@ -20,6 +20,7 @@ import (
 	"connectrpc.com/otelconnect"
 	cache_store "github.com/eko/gocache/lib/v4/store"
 	"github.com/gogo/googleapis/google/rpc"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/codes"
@@ -232,7 +233,15 @@ func (s *Service) authProcess(ctx context.Context, req *auth.AttributeContext_Ht
 		if err != nil {
 			span.RecordError(err, trace.WithStackTrace(true))
 			span.SetStatus(codes.Error, err.Error())
-			return nil, err
+			// FIXME: might be a better way to handle this error case?
+			// This will redirect the client back to the first requested URL
+			// and request against the idp will be retried, which means less
+			// confusing for the user.
+			if err == oidc.ErrInvalidGrant() {
+				slog.Error("Invalid grant", slog.String("url", requestedURL), slog.String("err", err.Error()))
+			} else {
+				return nil, err
+			}
 		}
 		// set downstream headers and redirect client to requested URL from session cookie
 		slog.Debug("redirecting client to first requested URL", slog.String("url", sessionData.GetRequestedUrl()))