Merge pull request #4861 from penpot/niwinz-auth-oidc-reject-bugfix

🐛 Fix unexpected error when user explictly reject oidc auth

backend/src/app/auth/oidc.clj

@@ -420,12 +420,6 @@
 
 (defn- get-info
   [{:keys [::provider ::setup/props] :as cfg} {:keys [params] :as request}]
-  (when-let [error (get params :error)]
-    (ex/raise :type :internal
-              :code :error-on-retrieving-code
-              :error-id error
-              :error-desc (get params :error_description)))
-
   (let [state  (get params :state)
         code   (get params :code)
         state  (tokens/verify props {:token state :iss :oauth})
@@ -609,9 +603,11 @@
 (defn- callback-handler
   [cfg request]
   (try
+    (if-let [error (dm/get-in request [:params :error])]
+      (redirect-with-error "unable-to-auth" error)
       (let [info    (get-info cfg request)
             profile (get-profile cfg info)]
-      (process-callback cfg request info profile))
+        (process-callback cfg request info profile)))
     (catch Throwable cause
       (l/err :hint "error on oauth process" :cause cause)
       (redirect-with-error "unable-to-auth" (ex-message cause)))))

frontend/src/app/main/data/users.cljs

@@ -696,7 +696,7 @@
   (ptk/reify ::show-redirect-error
     ptk/WatchEvent
     (watch [_ _ _]
-      (let [hint (case error
+      (when-let [hint (case error
                         "registration-disabled"
                         (tr "errors.registration-disabled")
                         "profile-blocked"
@@ -705,6 +705,11 @@
                         (tr "errors.auth-provider-not-allowed")
                         "email-domain-not-allowed"
                         (tr "errors.email-domain-not-allowed")
-                   :else
+
+                        ;; We explicitly do not show any error here, it a explicit user operation.
+                        "unable-to-auth"
+                        nil
+
                         (tr "errors.generic"))]
+
         (rx/of (msg/warn hint))))))