author | Christian Grothoff <christian@grothoff.org> | 2024-02-14 15:27:22 +0100 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2024-02-14 15:27:22 +0100 |
commit | 303606b7cebab524bd420859c985d4d3cc7ccd62 (patch) | |
tree | e8bafbd106892f38c42d8e4adbebee3da500a54b | |
parent | efcb6ef34bb343d77379ea8bf2b7ee97f7cdda3f (diff) |
add logic to handle redirection with authentication failure statusv0.9.5-dev.1
-rw-r--r-- | contrib/Makefile.am.in | 1 | ||||
-rw-r--r-- | contrib/oauth2-authentication-failure.en.must | 16 | ||||
-rw-r--r-- | src/kyclogic/plugin_kyclogic_oauth2.c | 74 |
3 files changed, 81 insertions, 10 deletions
diff --git a/contrib/Makefile.am.in b/contrib/Makefile.am.in
index 828e2913a..268e423b0 100644
--- a/contrib/Makefile.am.in
+++ b/contrib/Makefile.am.in
@@ -11,6 +11,7 @@ dist_tmplpkgdata_DATA = \
 kyc-proof-internal-error.en.must \
 kyc-proof-logic-failure.en.must \
 kyc-proof-target-unknown.en.must \
+ oauth2-authentication-failure.en.must \
 oauth2-authorization-failure.en.must \
 oauth2-authorization-failure-malformed.en.must \
 oauth2-bad-request.en.must \
diff --git a/contrib/oauth2-authentication-failure.en.must b/contrib/oauth2-authentication-failure.en.must
new file mode 100644
index 000000000..537423269
--- /dev/null
+++ b/contrib/oauth2-authentication-failure.en.must
@@ -0,0 +1,16 @@
+<html>
+<head>
+<title>403: Authentication by KYC server failed</title>
+</head>
+<body>
+ You failed the authentication check.
+ The transaction remains blocked.
+ Please obtain proper credentials and try again to proceed.
+<pre>
+<!-- as provided by OAuth2.0 server --> {{ error }}:
+<!-- optional, as provided by OAuth2.0 server --> {{ error_description }}
+
+<!-- optional link (render as link if present!), as provided by OAuth2.0 server --> {{ error_uri }}
+</pre>
+</body>
+</html>
diff --git a/src/kyclogic/plugin_kyclogic_oauth2.c b/src/kyclogic/plugin_kyclogic_oauth2.c
index 250875cd2..6ffa55d5f 100644
--- a/src/kyclogic/plugin_kyclogic_oauth2.c
+++ b/src/kyclogic/plugin_kyclogic_oauth2.c
@@ -1426,23 +1426,76 @@ oauth2_proof (void *cls, "code"); if (NULL == code) { + const char *err; + const char *desc; + const char *euri; json_t *body; - GNUNET_break_op (0); - ph->status = TALER_KYCLOGIC_STATUS_USER_PENDING; - ph->http_status = MHD_HTTP_BAD_REQUEST; + err = MHD_lookup_connection_value (connection, + MHD_GET_ARGUMENT_KIND, + "error"); + if (NULL == err) + { + GNUNET_break_op (0); + ph->status = TALER_KYCLOGIC_STATUS_USER_PENDING; + ph->http_status = MHD_HTTP_BAD_REQUEST; + body = GNUNET_JSON_PACK ( + GNUNET_JSON_pack_bool ("debug", + ph->pd->debug_mode), + GNUNET_JSON_pack_string ("message", + "'code' parameter malformed"), + TALER_JSON_pack_ec ( + TALER_EC_GENERIC_PARAMETER_MALFORMED)); + GNUNET_break ( + GNUNET_SYSERR != + TALER_TEMPLATING_build (ph->connection, + &ph->http_status, + "oauth2-bad-request", + NULL, + NULL, + body, + &ph->response)); + json_decref (body); + ph->task = GNUNET_SCHEDULER_add_now (&return_proof_response, + ph); + return ph; + } + desc = MHD_lookup_connection_value (connection, + MHD_GET_ARGUMENT_KIND, + "error_description"); + euri = MHD_lookup_connection_value (connection, + MHD_GET_ARGUMENT_KIND, + "error_uri"); + GNUNET_log (GNUNET_ERROR_TYPE_WARNING, + "OAuth2 process %llu failed with error `%s'\n", + (unsigned long long) process_row, + err); + if (0 == strcmp (err, + "server_error")) + ph->status = TALER_KYCLOGIC_STATUS_PROVIDER_FAILED; + else if (0 == strcmp (err, + "unauthorized_client")) + ph->status = TALER_KYCLOGIC_STATUS_FAILED; + else if (0 == strcmp (err, + "temporarily_unavailable")) + ph->status = TALER_KYCLOGIC_STATUS_PENDING; + else + ph->status = TALER_KYCLOGIC_STATUS_INTERNAL_ERROR; + ph->http_status = MHD_HTTP_FORBIDDEN; body = GNUNET_JSON_PACK ( - GNUNET_JSON_pack_bool ("debug", - ph->pd->debug_mode), - GNUNET_JSON_pack_string ("message", - "'code' parameter malformed"), - TALER_JSON_pack_ec ( - TALER_EC_GENERIC_PARAMETER_MALFORMED)); + GNUNET_JSON_pack_string ("error", + err), + 
GNUNET_JSON_pack_allow_null ( + GNUNET_JSON_pack_string ("error_details", + desc)), + GNUNET_JSON_pack_allow_null ( + GNUNET_JSON_pack_string ("error_uri", + euri))); GNUNET_break ( GNUNET_SYSERR != TALER_TEMPLATING_build (ph->connection, &ph->http_status, - "oauth2-bad-request", + "oauth2-authentication-failure", NULL, NULL, body, @@ -1451,6 +1504,7 @@ oauth2_proof (void *cls, ph->task = GNUNET_SCHEDULER_add_now (&return_proof_response, ph); return ph; + } ph->eh = curl_easy_init (); |
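Review bot: The error-to-status mapping in the new `if`/`else if` chain leaves out the RFC 6749 `access_denied` code, which is what the OAuth2 server sends when the user declines at the consent screen, so that ordinary user-side outcome falls into the final `else` and is recorded as TALER_KYCLOGIC_STATUS_INTERNAL_ERROR; adding `else if (0 == strcmp (err, "access_denied"))` followed by `ph->status = TALER_KYCLOGIC_STATUS_FAILED;` before the last `else` would keep it apart from genuine internal errors. The same fallback also turns the other codes the RFC defines (`invalid_request`, `invalid_scope`, `unsupported_response_type`) into an internal error reported as 403, which deserves a one-line comment saying that is intended, since those indicate a misconfigured client rather than a failed user. `err`, `desc` and `euri` are GET arguments of the redirect and so are chosen by whoever composes the redirect URL; they are written verbatim into the warning log and into the oauth2-authentication-failure template, whose `{{ error_uri }}` comment asks for rendering as a link, so a link should only be produced for http/https values and the other two rely on the template engine escaping them (not visible in this hunk). oauth2_proof begins and ends outside the hunk.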