32 changes: 32 additions & 0 deletions docs/specs/biometric.md
Expand Up @@ -73,3 +73,35 @@ identity:
biometric:
list_enabled: false
```

## Errors

Contributor
Given that the OAuth error shape is quite limited, I am thinking whether we want to introduce a way to include our API error into an OAuth response.

https://datatracker.ietf.org/doc/html/rfc6749#section-8.5 specifies how to add additional error codes.

We can add a new error code `authgear_error`. When `error=authgear_error`, the response will have an extra field `authgear_error`, where the value is an Authgear API error JSON object.

Then the new SDKs can be taught to decode `error=authgear_error` and throw an instance of `ServerError` to handle this.

Contributor Author

As an OAuth error could appear in the URL, I am not sure if it is appropriate to add a field to store the API error JSON object, which could be long.


### Invalid Account Status

If a user with one of the following status:

- Disabled
- Deactivated
- Scheduled deletion by admin
- Scheduled deletion by end-user
- Scheduled anonymization by admin

is trying to use Biometric login, the login attempt will be rejected, and an error will be returned by the token endpoint.

The error format follows [rfc6749 section 5.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-5.2), with `error=invalid_account_status`. The following is an example of error when a disbled user is trying to use biometric login:

```
error=invalid_account_status
error_description=user is disabled
```

The SDK should simply throw an `OAuthError` containing the same information as the error returned from the token endpoint, and stop the login process. The biometric key should be kept.

The error object thrown by the SDK should looks like:

```swift
OAuthError(
error="invalid_account_status",
error_description="user is disabled"
)
```
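Review bot: the only worked example under "Invalid Account Status" is `error_description=user is disabled`, yet the section lists five statuses; since RFC 6749 section 5.2 defines `error_description` as human-readable text rather than a value for programmatic use, the spec should either list the description the token endpoint returns for each of the five statuses or state explicitly that SDKs branch only on `error=invalid_account_status` and treat the description as opaque when building the `OAuthError`. Related: the text says the biometric key should be kept, so it would help SDK authors to say whether a later attempt after a scheduled deletion or anonymization completes still yields this error or a different one. Small fixes in the same hunk: "disbled" should read "disabled", "should looks like" should read "should look like", and the first fence (the `error=...` block) should carry a language tag like the `swift` block below it so both render consistently.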