bug: openid-connect throws 500 error with no session state found when the client_secret is incorrect #10685
Comments
@kayx23 can this be a good first issue from your POV?
I think so. You could have one look into it and assess if it's possible to catch the case where client_id is invalid. I am a bit doubtful but didn't look too deep.
#6803 here is a relevant but slightly different issue. It also aims at improving the error msg when
@luoluoyuyu please take a look
Hi @kayx23, I don't think this is a bug, as login and logout processing need to rely on the
Hi @luoluoyuyu - I've seen that block, which is why I said "have one look into it and assess if it's possible to catch the case where client_id is invalid. I am a bit doubtful". I will leave this issue to you to decide how to proceed. Whether it is a bug from an engineering perspective is up for debate. From a user perspective, users only know APISIX errored out with In reality, there are a number of scenarios one could end up with this error, and an incorrect client ID is only one of them. @moonming - if this error is left unhandled, or the specific causes that crash the program cannot be handled case by case (because the error takes place in lua-resty-oidc), we should still keep the troubleshooting section in the doc listing all the reasons for
We should add this section to the documentation, @kayx23 @shreemaan-abhishek @moonming please let me try to resolve this issue.
@kayx23 Different openid providers return different logs for the same error. This will be a problem that needs to be faced to improve the documentation.
Hm, ok, I'll check again.
@luoluoyuyu interestingly I misread your message and thought you got that error for Keycloak, and I didn't want to manually test again, so I modified the client secret in It produces an error that matches what you experienced for auth0: I went back to the APISIX logs of my local instance (same one I tested with) to search for this error but couldn't find it (strange).
Please see my last comment.
I was debating if I should document "using the incorrect client secret" as one of the reasons one could run into the 500 error.
@kayx23 I think it should be stated. But the reason why there are two different logs needs to be analyzed, so that it can be explained to the user in the documentation why
I added this as a cause to the new doc. Since this issue cannot be addressed programmatically from our side (per @luoluoyuyu's evaluation above), could this issue be closed?
@kayx23 you could close this issue I think.
Current Behavior

When using openid-connect for the auth code grant, if you configure an invalid client_secret, APISIX throws a 500 error with no session state found, which isn't an intuitive error msg.

My understanding: no session state found was thrown because the authentication wasn't successful, so no token was returned and stored in the session.

To reproduce, you could follow the Keycloak doc or Azure AD doc and just key in a random string for client_secret while keeping other details correct (in reality you should be able to repro regardless of the OP you use).

Expected Behavior

Not throwing a 500 internal server error and printing a more meaningful error msg.

Error Logs

Environment

APISIX version (apisix version): 3.7.0
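As an added example (not APISIX or lua-resty-openidc code), here is a Python sketch of the authorization-code callback step that checks the token-endpoint response before touching session state, so a wrong client_secret surfaces as a credential error instead of a bare 500 "no session state found". The provider responses and the `CREDENTIAL_ERRORS` set are constructed assumptions for illustration; real providers word this failure differently, as the thread notes.

```python
"""Callback handling that separates a failed token exchange from a genuinely
missing session. Constructed sample data; not APISIX or lua-resty-openidc code."""
import json
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class CallbackResult:
    status: int                      # HTTP status the relying party returns
    reason: str                      # short explanation for logs/users
    session: Optional[dict] = None   # populated only on success

# Error codes that point at the relying party's own credentials. invalid_client and
# unauthorized_client come from RFC 6749 section 5.2; access_denied is included because
# some providers use it for a bad secret (assumption, adjust per provider).
CREDENTIAL_ERRORS = {"invalid_client", "unauthorized_client", "access_denied"}

def classify_token_response(http_status: int, body: str) -> Tuple[str, str]:
    """Return (category, detail) for a token-endpoint response."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return "malformed", f"non-JSON token response (HTTP {http_status})"
    if http_status == 200 and "id_token" in payload and "access_token" in payload:
        return "ok", ""
    err = payload.get("error", "unknown_error")
    detail = f"{err}: {payload.get('error_description', '')}".rstrip(": ")
    if err in CREDENTIAL_ERRORS or http_status == 401:
        return "client_credentials", detail
    return "exchange_failed", detail

def handle_callback(http_status: int, body: str) -> CallbackResult:
    """Store tokens only after a successful exchange; otherwise say why it failed."""
    category, detail = classify_token_response(http_status, body)
    if category == "ok":
        tokens = json.loads(body)
        session = {"id_token": tokens["id_token"], "access_token": tokens["access_token"]}
        return CallbackResult(200, "authenticated", session)
    if category == "client_credentials":
        # The provider rejected the RP itself: a configuration problem, not a user one.
        return CallbackResult(502, f"OIDC token exchange rejected, check client_id/client_secret ({detail})")
    return CallbackResult(502, f"OIDC token exchange failed ({detail})")

# Constructed sample responses (status, body); shapes vary by provider.
KEYCLOAK_BAD_SECRET = (401, '{"error":"unauthorized_client","error_description":"Invalid client credentials"}')
AUTH0_BAD_SECRET = (403, '{"error":"access_denied","error_description":"Unauthorized"}')
GOOD_EXCHANGE = (200, '{"access_token":"at.sample","id_token":"idt.sample","token_type":"Bearer"}')
```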