Handle error responses from the OAuth 2.0 provider better

sandhose · sandhose · commit cd3b54c7fa27 · 2024-10-25T16:31:27.000+02:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/axum-utils/src/client_authorization.rs b/crates/axum-utils/src/client_authorization.rs
@@ -190,6 +190,7 @@ async fn fetch_jwks(
         .get(uri.as_str())
         .send_traced()
         .await?
+        .error_for_status()?
         .json()
         .await?;
 
diff --git a/crates/oidc-client/Cargo.toml b/crates/oidc-client/Cargo.toml
@@ -12,6 +12,7 @@ repository.workspace = true
 workspace = true
 
 [dependencies]
+async-trait.workspace = true
 base64ct = { version = "1.6.0", features = ["std"] }
 chrono.workspace = true
 form_urlencoded = "1.2.1"
diff --git a/crates/oidc-client/src/error.rs b/crates/oidc-client/src/error.rs
@@ -6,12 +6,14 @@
 
 //! The error types used in this crate.
 
+use async_trait::async_trait;
 use mas_jose::{
     claims::ClaimError,
     jwa::InvalidAlgorithm,
     jwt::{JwtDecodeError, JwtSignatureError, NoKeyWorked},
 };
 use oauth2_types::{oidc::ProviderMetadataVerificationError, pkce::CodeChallengeError};
+use serde::Deserialize;
 use thiserror::Error;
 
 /// All possible errors when using this crate.
@@ -42,17 +44,15 @@ pub enum Error {
 
 /// All possible errors when fetching provider metadata.
 #[derive(Debug, Error)]
+#[error("Fetching provider metadata failed")]
 pub enum DiscoveryError {
     /// An error occurred building the request's URL.
-    #[error(transparent)]
     IntoUrl(#[from] url::ParseError),
 
     /// The server returned an HTTP error status code.
-    #[error(transparent)]
     Http(#[from] reqwest::Error),
 
     /// An error occurred validating the metadata.
-    #[error(transparent)]
     Validation(#[from] ProviderMetadataVerificationError),
 
     /// Discovery is disabled for this provider.
@@ -62,25 +62,26 @@ pub enum DiscoveryError {
 
 /// All possible errors when authorizing the client.
 #[derive(Debug, Error)]
+#[error("Building the authorization URL failed")]
 pub enum AuthorizationError {
     /// An error occurred constructing the PKCE code challenge.
-    #[error(transparent)]
     Pkce(#[from] CodeChallengeError),
 
     /// An error occurred serializing the request.
-    #[error(transparent)]
     UrlEncoded(#[from] serde_urlencoded::ser::Error),
 }
 
 /// All possible errors when requesting an access token.
 #[derive(Debug, Error)]
+#[error("Request to the token endpoint failed")]
 pub enum TokenRequestError {
     /// The HTTP client returned an error.
-    #[error(transparent)]
     Http(#[from] reqwest::Error),
 
+    /// The server returned an error
+    OAuth2(#[from] OAuth2Error),
+
     /// Error while injecting the client credentials into the request.
-    #[error(transparent)]
     Credentials(#[from] CredentialsError),
 }
 
@@ -92,7 +93,7 @@ pub enum TokenAuthorizationCodeError {
     Token(#[from] TokenRequestError),
 
     /// An error occurred validating the ID Token.
-    #[error(transparent)]
+    #[error("Verifying the 'id_token' returned by the provider failed")]
     IdToken(#[from] IdTokenError),
 }
 
@@ -104,7 +105,7 @@ pub enum TokenRefreshError {
     Token(#[from] TokenRequestError),
 
     /// An error occurred validating the ID Token.
-    #[error(transparent)]
+    #[error("Verifying the 'id_token' returned by the provider failed")]
     IdToken(#[from] IdTokenError),
 }
 
@@ -129,12 +130,16 @@ pub enum UserInfoError {
     },
 
     /// An error occurred verifying the Id Token.
-    #[error(transparent)]
+    #[error("Verifying the 'id_token' returned by the provider failed")]
     IdToken(#[from] IdTokenError),
 
     /// An error occurred sending the request.
     #[error(transparent)]
     Http(#[from] reqwest::Error),
+
+    /// The server returned an error
+    #[error(transparent)]
+    OAuth2(#[from] OAuth2Error),
 }
 
 /// All possible errors when requesting a JWKS.
@@ -178,12 +183,12 @@ pub enum IdTokenError {
     #[error("Authorization ID token is missing")]
     MissingAuthIdToken,
 
-    /// An error occurred validating the ID Token's signature and basic claims.
     #[error(transparent)]
+    /// An error occurred validating the ID Token's signature and basic claims.
     Jwt(#[from] JwtVerificationError),
 
-    /// An error occurred extracting a claim.
     #[error(transparent)]
+    /// An error occurred extracting a claim.
     Claim(#[from] ClaimError),
 
     /// The subject identifier returned by the issuer is not the same as the one
@@ -225,3 +230,78 @@ pub enum CredentialsError {
     #[error(transparent)]
     JwtSignature(#[from] JwtSignatureError),
 }
+
+#[derive(Debug, Deserialize)]
+struct OAuth2ErrorResponse {
+    error: String,
+    error_description: Option<String>,
+    error_uri: Option<String>,
+}
+
+impl std::fmt::Display for OAuth2ErrorResponse {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "{:?}", self.error)?;
+
+        if let Some(error_uri) = &self.error_uri {
+            write!(f, " (See {error_uri})")?;
+        }
+
+        if let Some(error_description) = &self.error_description {
+            write!(f, ": {error_description}")?;
+        }
+
+        Ok(())
+    }
+}
+
+/// An error returned by the OAuth 2.0 provider
+#[derive(Debug, Error)]
+pub struct OAuth2Error {
+    error: Option<OAuth2ErrorResponse>,
+
+    #[source]
+    inner: reqwest::Error,
+}
+
+impl std::fmt::Display for OAuth2Error {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        if let Some(error) = &self.error {
+            write!(
+                f,
+                "Request to the provider failed with the following error: {error}"
+            )
+        } else {
+            write!(f, "Request to the provider failed")
+        }
+    }
+}
+
+impl From<reqwest::Error> for OAuth2Error {
+    fn from(inner: reqwest::Error) -> Self {
+        Self { error: None, inner }
+    }
+}
+
+/// An extension trait to deal with error responses from the OAuth 2.0 provider
+#[async_trait]
+pub(crate) trait ResponseExt {
+    async fn error_from_oauth2_error_response(self) -> Result<Self, OAuth2Error>
+    where
+        Self: Sized;
+}
+
+#[async_trait]
+impl ResponseExt for reqwest::Response {
+    async fn error_from_oauth2_error_response(self) -> Result<Self, OAuth2Error> {
+        let Err(inner) = self.error_for_status_ref() else {
+            return Ok(self);
+        };
+
+        let error: OAuth2ErrorResponse = self.json().await?;
+
+        Err(OAuth2Error {
+            error: Some(error),
+            inner,
+        })
+    }
+}
diff --git a/crates/oidc-client/src/requests/token.rs b/crates/oidc-client/src/requests/token.rs
@@ -12,7 +12,10 @@ use oauth2_types::requests::{AccessTokenRequest, AccessTokenResponse};
 use rand::Rng;
 use url::Url;
 
-use crate::{error::TokenRequestError, types::client_credentials::ClientCredentials};
+use crate::{
+    error::{ResponseExt, TokenRequestError},
+    types::client_credentials::ClientCredentials,
+};
 
 /// Request an access token.
 ///
@@ -51,7 +54,8 @@ pub async fn request_access_token(
         .authenticated_form(token_request, &request, now, rng)?
         .send_traced()
         .await?
-        .error_for_status()?
+        .error_from_oauth2_error_response()
+        .await?
         .json()
         .await?;
 
diff --git a/crates/oidc-client/src/requests/userinfo.rs b/crates/oidc-client/src/requests/userinfo.rs
@@ -20,7 +20,7 @@ use url::Url;
 
 use super::jose::JwtVerificationData;
 use crate::{
-    error::{IdTokenError, UserInfoError},
+    error::{IdTokenError, ResponseExt, UserInfoError},
     requests::jose::verify_signed_jwt,
     types::IdToken,
 };
@@ -74,7 +74,11 @@ pub async fn fetch_userinfo(
         .bearer_auth(access_token)
         .header(ACCEPT, HeaderValue::from_static(expected_content_type));
 
-    let userinfo_response = userinfo_request.send_traced().await?.error_for_status()?;
+    let userinfo_response = userinfo_request
+        .send_traced()
+        .await?
+        .error_from_oauth2_error_response()
+        .await?;
 
     let content_type: Mime = userinfo_response
         .headers()
