From 303606b7cebab524bd420859c985d4d3cc7ccd62 Mon Sep 17 00:00:00 2001
From: Christian Grothoff
Date: Wed, 14 Feb 2024 15:27:22 +0100
Subject: add logic to handle redirection with authentication failure status

---
 contrib/Makefile.am.in | 1 +
 contrib/oauth2-authentication-failure.en.must | 16 ++++++
 src/kyclogic/plugin_kyclogic_oauth2.c | 74 +++++++++++++++++++++++----
 3 files changed, 81 insertions(+), 10 deletions(-)
 create mode 100644 contrib/oauth2-authentication-failure.en.must

diff --git a/contrib/Makefile.am.in b/contrib/Makefile.am.in
index 828e2913a..268e423b0 100644
--- a/contrib/Makefile.am.in
+++ b/contrib/Makefile.am.in
@@ -11,6 +11,7 @@ dist_tmplpkgdata_DATA = \
 kyc-proof-internal-error.en.must \
 kyc-proof-logic-failure.en.must \
 kyc-proof-target-unknown.en.must \
+ oauth2-authentication-failure.en.must \
 oauth2-authorization-failure.en.must \
 oauth2-authorization-failure-malformed.en.must \
 oauth2-bad-request.en.must \
diff --git a/contrib/oauth2-authentication-failure.en.must b/contrib/oauth2-authentication-failure.en.must
new file mode 100644
index 000000000..537423269
--- /dev/null
+++ b/contrib/oauth2-authentication-failure.en.must
@@ -0,0 +1,16 @@
+ + +403: Authentication by KYC server failed + + + You failed the authentication check. + The transaction remains blocked. + Please obtain proper credentials and try again to proceed. +
+ {{ error }}:
+ {{ error_description }}
+
+ {{ error_uri }}
+
+ +
diff --git a/src/kyclogic/plugin_kyclogic_oauth2.c b/src/kyclogic/plugin_kyclogic_oauth2.c
index 250875cd2..6ffa55d5f 100644
--- a/src/kyclogic/plugin_kyclogic_oauth2.c
+++ b/src/kyclogic/plugin_kyclogic_oauth2.c
@@ -1426,23 +1426,76 @@ oauth2_proof (void *cls,
 "code");
 if (NULL == code)
 {
+ const char *err;
+ const char *desc;
+ const char *euri;
 json_t *body;
- GNUNET_break_op (0);
- ph->status = TALER_KYCLOGIC_STATUS_USER_PENDING;
- ph->http_status = MHD_HTTP_BAD_REQUEST;
+ err = MHD_lookup_connection_value (connection,
+ MHD_GET_ARGUMENT_KIND,
+ "error");
+ if (NULL == err)
+ {
+ GNUNET_break_op (0);
+ ph->status = TALER_KYCLOGIC_STATUS_USER_PENDING;
+ ph->http_status = MHD_HTTP_BAD_REQUEST;
+ body = GNUNET_JSON_PACK (
+ GNUNET_JSON_pack_bool ("debug",
+ ph->pd->debug_mode),
+ GNUNET_JSON_pack_string ("message",
+ "'code' parameter malformed"),
+ TALER_JSON_pack_ec (
+ TALER_EC_GENERIC_PARAMETER_MALFORMED));
+ GNUNET_break (
+ GNUNET_SYSERR !=
+ TALER_TEMPLATING_build (ph->connection,
+ &ph->http_status,
+ "oauth2-bad-request",
+ NULL,
+ NULL,
+ body,
+ &ph->response));
+ json_decref (body);
+ ph->task = GNUNET_SCHEDULER_add_now (&return_proof_response,
+ ph);
+ return ph;
+ }
+ desc = MHD_lookup_connection_value (connection,
+ MHD_GET_ARGUMENT_KIND,
+ "error_description");
+ euri = MHD_lookup_connection_value (connection,
+ MHD_GET_ARGUMENT_KIND,
+ "error_uri");
+ GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+ "OAuth2 process %llu failed with error `%s'\n",
+ (unsigned long long) process_row,
+ err);
+ if (0 == strcmp (err,
+ "server_error"))
+ ph->status = TALER_KYCLOGIC_STATUS_PROVIDER_FAILED;
+ else if (0 == strcmp (err,
+ "unauthorized_client"))
+ ph->status = TALER_KYCLOGIC_STATUS_FAILED;
+ else if (0 == strcmp (err,
+ "temporarily_unavailable"))
+ ph->status = TALER_KYCLOGIC_STATUS_PENDING;
+ else
+ ph->status = TALER_KYCLOGIC_STATUS_INTERNAL_ERROR;
+ ph->http_status = MHD_HTTP_FORBIDDEN;
 body = GNUNET_JSON_PACK (
- GNUNET_JSON_pack_bool ("debug",
- ph->pd->debug_mode),
- GNUNET_JSON_pack_string ("message",
- "'code' parameter malformed"),
- TALER_JSON_pack_ec (
- TALER_EC_GENERIC_PARAMETER_MALFORMED));
+ GNUNET_JSON_pack_string ("error",
+ err),
+ GNUNET_JSON_pack_allow_null (
+ GNUNET_JSON_pack_string ("error_details",
+ desc)),
+ GNUNET_JSON_pack_allow_null (
+ GNUNET_JSON_pack_string ("error_uri",
+ euri)));
 GNUNET_break (
 GNUNET_SYSERR !=
 TALER_TEMPLATING_build (ph->connection,
 &ph->http_status,
- "oauth2-bad-request",
+ "oauth2-authentication-failure",
 NULL,
 NULL,
 body,
@@ -1451,6 +1504,7 @@ oauth2_proof (void *cls,
 ph->task = GNUNET_SCHEDULER_add_now (&return_proof_response,
 ph);
 return ph;
+ }
 ph->eh = curl_easy_init ();
-- 
cgit v1.2.3
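Review bot: The body handed to the template packs the description under the key `error_details`, but the new oauth2-authentication-failure.en.must template reads `{{ error_description }}`, so the provider's description is never rendered; one of the two names has to change, e.g. `GNUNET_JSON_pack_string ("error_description", desc)`. The status mapping also has no case for `access_denied`, the RFC 6749 code an authorization server sends when the user declines, so that outcome lands in the `else` branch as INTERNAL_ERROR, and the page is always served as 403 "Authentication by KYC server failed" even for `server_error` and `temporarily_unavailable`, where the user is not at fault and a 5xx-style status would describe the cause better. `err`, `desc` and `euri` are untrusted values from the redirect's query string and are reflected into both the warning log line and the HTML response; that is acceptable only if TALER_TEMPLATING_build HTML-escapes `{{ }}` substitutions, which is not visible here and worth confirming, and `error_uri` in particular should stay plain text rather than become a link without such a check. oauth2_proof starts and ends outside the hunk.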