Skip to content

fix(server): respond with forbidden if failed to authenticate#4200

Merged
nabokihms merged 3 commits intodexidp:masterfrom
aljoshare:fix/unauthorized-if-failed-to-authenticate
Feb 22, 2026
Merged

fix(server): respond with forbidden if failed to authenticate#4200
nabokihms merged 3 commits intodexidp:masterfrom
aljoshare:fix/unauthorized-if-failed-to-authenticate

Conversation

@aljoshare
Copy link
Contributor

@aljoshare aljoshare commented Jul 1, 2025
edited
Loading

Overview

It changes the response from 500 - Internal Server Error to 403 - Forbidden if the Dex is not able to authenticate a user, e.g. because the user is not in any of the required groups.

What this PR does / why we need it

This PR is necessary because 403 - Forbidden is imho a better response than 500 - Internal Server Error in this case. For example, this part of the code gets executed if a user is not in any of the required groups or if a refresh token is not valid, which is in my opinion a case where the user expects a 403 instead of a 500.

Special notes for your reviewer

If this part is also executed in other cases I missed and where we need the 500, I could also try to change the code so that it differentiates between those cases.

I added a new generic custom error, that indicates that the user is authenticated but not in one of the required groups. It can be reused by other connectors if needed.

@aljoshare aljoshare force-pushed the fix/unauthorized-if-failed-to-authenticate branch from 3c6a1c8 to eafe47e Compare July 1, 2025 05:53
@aljoshare aljoshare marked this pull request as ready for review July 1, 2025 05:59
@nabokihms nabokihms added the release-note/bug-fix Release note: Bug Fixes label Jul 18, 2025
@cardoe
Copy link
Contributor

cardoe commented Aug 3, 2025

Could this path affect any of the RFC response paths? Is there an expectation of a 500 somewhere?

@nabokihms
Copy link
Member

nabokihms commented Aug 6, 2025

Reasonable question, but I think there is no RFC because the callback endpoint is part of the relying party, and the RP can act as it wishes.

My question is: can we distinguish these two errors from other possible errors?

  • user is not in any of the required groups
  • refresh token is not valid

@aljoshare
Copy link
Contributor Author

aljoshare commented Aug 22, 2025

Sorry, I was on vacation. I'll check ✌️

@aljoshare aljoshare marked this pull request as draft February 21, 2026 09:22
@aljoshare aljoshare force-pushed the fix/unauthorized-if-failed-to-authenticate branch 2 times, most recently from b7f671f to 61abe5e Compare February 21, 2026 09:32
@nabokihms nabokihms self-requested a review February 21, 2026 11:22
@nabokihms
Copy link
Member

nabokihms commented Feb 21, 2026

@aljoshare looked through the changes, and the PR seems good. Feel free to undraft it.

@aljoshare aljoshare force-pushed the fix/unauthorized-if-failed-to-authenticate branch from 61abe5e to c4fb0a3 Compare February 22, 2026 10:09
@aljoshare aljoshare changed the title fix(server): respond with unauthorized if failed to authenticate fix(server): respond with forbidden if failed to authenticate Feb 22, 2026
@aljoshare
Copy link
Contributor Author

aljoshare commented Feb 22, 2026

@aljoshare looked through the changes, and the PR seems good. Feel free to undraft it.

Thanks for the quick response! I updated the PR again and changed it to 403, because I think that 403 is more accurate. The user is authenticated but not authorized.

If authentication credentials were provided in the request, the
server considers them insufficient to grant access.
https://datatracker.ietf.org/doc/html/rfc7231#page-59

What do you think?

@aljoshare
feat: introduce and handle error if a user is not in any of the requi…
3329120 
…red groups

Signed-off-by: Aljoscha Bollmann <aljoscha.bollmann@proton.me>
@aljoshare
feat(microsoft): return the correct error if user is not in any of th…
6ae53b7 
…e required groups

Signed-off-by: Aljoscha Bollmann <aljoscha.bollmann@proton.me>
@aljoshare
test(microsoft): test if the correct error is returned if the user is…
1ec99e6 
… not in any of the required groups

Signed-off-by: Aljoscha Bollmann <aljoscha.bollmann@proton.me>
@aljoshare aljoshare force-pushed the fix/unauthorized-if-failed-to-authenticate branch from c4fb0a3 to 1ec99e6 Compare February 22, 2026 10:21
@nabokihms
Copy link
Member

nabokihms commented Feb 22, 2026

Yeah that's even better, thanks.

@aljoshare aljoshare marked this pull request as ready for review February 22, 2026 11:25
@nabokihms nabokihms merged commit 83697b0 into dexidp:master Feb 22, 2026
9 checks passed
@BrewTestBot BrewTestBot mentioned this pull request Feb 23, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nabokihms nabokihms nabokihms approved these changes

Assignees

No one assigned

Labels

release-note/bug-fix Release note: Bug Fixes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@aljoshare @cardoe @nabokihms