authorChristian Grothoff <christian@grothoff.org>2024-02-14 15:27:22 +0100
committerChristian Grothoff <christian@grothoff.org>2024-02-14 15:27:22 +0100
commit303606b7cebab524bd420859c985d4d3cc7ccd62 (patch)
treee8bafbd106892f38c42d8e4adbebee3da500a54b
parentefcb6ef34bb343d77379ea8bf2b7ee97f7cdda3f (diff)
add logic to handle redirection with authentication failure statusv0.9.5-dev.1
-rw-r--r--contrib/Makefile.am.in1
-rw-r--r--contrib/oauth2-authentication-failure.en.must16
-rw-r--r--src/kyclogic/plugin_kyclogic_oauth2.c74
3 files changed, 81 insertions, 10 deletions
diff --git a/contrib/Makefile.am.in b/contrib/Makefile.am.in
index 828e2913a..268e423b0 100644
--- a/contrib/Makefile.am.in
+++ b/contrib/Makefile.am.in
@@ -11,6 +11,7 @@ dist_tmplpkgdata_DATA = \
kyc-proof-internal-error.en.must \
kyc-proof-logic-failure.en.must \
kyc-proof-target-unknown.en.must \
+ oauth2-authentication-failure.en.must \
oauth2-authorization-failure.en.must \
oauth2-authorization-failure-malformed.en.must \
oauth2-bad-request.en.must \
diff --git a/contrib/oauth2-authentication-failure.en.must b/contrib/oauth2-authentication-failure.en.must
new file mode 100644
index 000000000..537423269
--- /dev/null
+++ b/contrib/oauth2-authentication-failure.en.must
@@ -0,0 +1,16 @@
+<html>
+<head>
+<title>403: Authentication by KYC server failed</title>
+</head>
+<body>
+ You failed the authentication check.
+ The transaction remains blocked.
+ Please obtain proper credentials and try again to proceed.
+<pre>
+<!-- as provided by OAuth2.0 server --> {{ error }}:
+<!-- optional, as provided by OAuth2.0 server --> {{ error_description }}
+
+<!-- optional link (render as link if present!), as provided by OAuth2.0 server --> {{ error_uri }}
+</pre>
+</body>
+</html>
diff --git a/src/kyclogic/plugin_kyclogic_oauth2.c b/src/kyclogic/plugin_kyclogic_oauth2.c
index 250875cd2..6ffa55d5f 100644
--- a/src/kyclogic/plugin_kyclogic_oauth2.c
+++ b/src/kyclogic/plugin_kyclogic_oauth2.c
@@ -1426,23 +1426,76 @@ oauth2_proof (void *cls,
"code");
if (NULL == code)
{
+ const char *err;
+ const char *desc;
+ const char *euri;
json_t *body;
- GNUNET_break_op (0);
- ph->status = TALER_KYCLOGIC_STATUS_USER_PENDING;
- ph->http_status = MHD_HTTP_BAD_REQUEST;
+ err = MHD_lookup_connection_value (connection,
+ MHD_GET_ARGUMENT_KIND,
+ "error");
+ if (NULL == err)
+ {
+ GNUNET_break_op (0);
+ ph->status = TALER_KYCLOGIC_STATUS_USER_PENDING;
+ ph->http_status = MHD_HTTP_BAD_REQUEST;
+ body = GNUNET_JSON_PACK (
+ GNUNET_JSON_pack_bool ("debug",
+ ph->pd->debug_mode),
+ GNUNET_JSON_pack_string ("message",
+ "'code' parameter malformed"),
+ TALER_JSON_pack_ec (
+ TALER_EC_GENERIC_PARAMETER_MALFORMED));
+ GNUNET_break (
+ GNUNET_SYSERR !=
+ TALER_TEMPLATING_build (ph->connection,
+ &ph->http_status,
+ "oauth2-bad-request",
+ NULL,
+ NULL,
+ body,
+ &ph->response));
+ json_decref (body);
+ ph->task = GNUNET_SCHEDULER_add_now (&return_proof_response,
+ ph);
+ return ph;
+ }
+ desc = MHD_lookup_connection_value (connection,
+ MHD_GET_ARGUMENT_KIND,
+ "error_description");
+ euri = MHD_lookup_connection_value (connection,
+ MHD_GET_ARGUMENT_KIND,
+ "error_uri");
+ GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+ "OAuth2 process %llu failed with error `%s'\n",
+ (unsigned long long) process_row,
+ err);
+ if (0 == strcmp (err,
+ "server_error"))
+ ph->status = TALER_KYCLOGIC_STATUS_PROVIDER_FAILED;
+ else if (0 == strcmp (err,
+ "unauthorized_client"))
+ ph->status = TALER_KYCLOGIC_STATUS_FAILED;
+ else if (0 == strcmp (err,
+ "temporarily_unavailable"))
+ ph->status = TALER_KYCLOGIC_STATUS_PENDING;
+ else
+ ph->status = TALER_KYCLOGIC_STATUS_INTERNAL_ERROR;
+ ph->http_status = MHD_HTTP_FORBIDDEN;
body = GNUNET_JSON_PACK (
- GNUNET_JSON_pack_bool ("debug",
- ph->pd->debug_mode),
- GNUNET_JSON_pack_string ("message",
- "'code' parameter malformed"),
- TALER_JSON_pack_ec (
- TALER_EC_GENERIC_PARAMETER_MALFORMED));
+ GNUNET_JSON_pack_string ("error",
+ err),
+ GNUNET_JSON_pack_allow_null (
+ GNUNET_JSON_pack_string ("error_details",
+ desc)),
+ GNUNET_JSON_pack_allow_null (
+ GNUNET_JSON_pack_string ("error_uri",
+ euri)));
GNUNET_break (
GNUNET_SYSERR !=
TALER_TEMPLATING_build (ph->connection,
&ph->http_status,
- "oauth2-bad-request",
+ "oauth2-authentication-failure",
NULL,
NULL,
body,
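Review bot: The JSON key packed at `GNUNET_JSON_pack_string ("error_details", desc)` does not match the `{{ error_description }}` placeholder in the new contrib/oauth2-authentication-failure.en.must template, so the provider's description will never appear in the rendered page; change it to `GNUNET_JSON_pack_string ("error_description", desc)` (or rename the placeholder to match). The strcmp chain also maps only three of the RFC 6749 error codes, so `access_denied` — the code a provider returns when the user refuses consent — falls through to TALER_KYCLOGIC_STATUS_INTERNAL_ERROR with a 403, where TALER_KYCLOGIC_STATUS_FAILED (or USER_PENDING) seems the more accurate status; `invalid_scope` and `invalid_request` likely deserve an explicit mapping too rather than being reported as an internal error. Note that `err`, `desc` and `euri` come straight from the redirect's query string, which the browser controls: the mustache `{{ }}` rendering presumably HTML-escapes them, but if `error_uri` is later rendered as a link as the template comment suggests, its scheme should be restricted to http(s) first, and the unfiltered `err` value written via `%s` in the GNUNET_log call may contain newlines. oauth2_proof begins and ends outside this hunk.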
@@ -1451,6 +1504,7 @@ oauth2_proof (void *cls,
ph->task = GNUNET_SCHEDULER_add_now (&return_proof_response,
ph);
return ph;
+
}
ph->eh = curl_easy_init ();