mongodb-js · addaleax · Oct 6, 2025 · Oct 6, 2025 · Oct 6, 2025 · Oct 6, 2025
diff --git a/src/plugin.spec.ts b/src/plugin.spec.ts
@@ -1704,6 +1704,32 @@ describe('OIDC plugin (mock OIDC provider)', function () {
       expect(entry.error).to.include(selfSignedReason);
     });
 
+    it('logs helpful error messages for OIDC token parse failures', async function () {
+      getTokenPayload = () => ({
+        expires_in: tokenPayload.expires_in,
+        payload: { ...tokenPayload.payload, nonce: undefined },
+      });
+      const plugin = createMongoDBOIDCPlugin({
+        openBrowserTimeout: 60_000,
+        openBrowser: fetchBrowser,
+        allowedFlows: ['auth-code'],
+        redirectURI: 'http://localhost:0/callback',
+      });
+
+      try {
+        await requestToken(plugin, {
+          issuer: provider.issuer,
+          clientId: 'mockclientid',
+          requestScopes: [],
+        });
+        expect.fail('missed exception');
+      } catch (err: any) {
+        expect(err.message).to.equal(
+          'invalid response encountered (caused by: JWT "nonce" (nonce) claim missing)'
+        );
+      }
+    });
+
     it('handles JSON failure responses from the IDP', async function () {
       overrideRequestHandler = (url, req, res) => {
         if (new URL(url).pathname.endsWith('/token')) {

diff --git a/src/util.ts b/src/util.ts
@@ -254,20 +254,30 @@ function getCause(err: unknown): Record<string, unknown> | undefined {
   }
 }
 
+function wrapGenericError(err: unknown): MongoDBOIDCError {
+  if (MongoDBOIDCError.isMongoDBOIDCError(err)) return err;
+  return new MongoDBOIDCError(errorString(err), {
+    codeName: 'GenericError',
+    cause: err,
+  });
+}
+
 // [email protected] has reduced error messages for HTTP errors significantly, reducing e.g.
 // an HTTP error to just a simple 'unexpect HTTP response status code' message, without
 // further diagnostic information. So if the `cause` of an `err` object is a fetch `Response`
 // object, we try to throw a more helpful error.
 export async function improveHTTPResponseBasedError<T>(
   err: T
-): Promise<T | MongoDBOIDCError> {
+): Promise<MongoDBOIDCError> {
   // Note: `err.cause` can either be an `Error` object itself, or a `Response`, or a JSON HTTP response body
   const cause = getCause(err);
   if (cause) {
     try {
       const statusObject =
         'status' in cause ? cause : (err as Record<string, unknown>);
-      if (!statusObject.status) return err;
+      if (!statusObject.status) {
+        return wrapGenericError(err);
+      }
 
       let body = '';
       try {
@@ -306,10 +316,10 @@ export async function improveHTTPResponseBasedError<T>(
         { codeName: 'HTTPResponseError', cause: err }
       );
     } catch {
-      return err;
+      return wrapGenericError(err);
     }
   }
-  return err;
+  return wrapGenericError(err);
 }
 
 // Check whether converting a Node.js `Readable` stream to a web `ReadableStream`