OAuth/deck: handle callbacks with errors #10048

Closed
petr-muller opened this issue Nov 6, 2018 · 0 comments
Labels
area/prow Issues or PRs related to prow kind/bug Categorizes issue or PR as related to a bug.

Comments

@petr-muller

There are error cases where the registered OAuth callback is called back by GitHub without the user access token, but with error information passed as parameters.

The handler for the OAuth redirect does not detect this error condition and ultimately fails with 500 when trying to extract the token, showing the user a quite unfriendly error message and logging just the generic error message:

500 Internal server error Exchange code for token: oauth2: server response missing access_token

At minimum, we should log the errors passed by GitHub - the errors are quite rare, but logging properly makes debugging easier (we just hit this when investigating what turned out to be a configuration mistake).

/kind bug
/area prow
/cc @stevekuznetsov

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. area/prow Issues or PRs related to prow labels Nov 6, 2018
petr-muller added a commit to petr-muller/test-infra that referenced this issue Nov 9, 2018
Make Prow properly detect and log possible error information when passed
by GitHub and differentiate the messaging from the case where token
exchange fails for other reasons.

Certain error conditions [1] cause GitHub to call back the OAuth
redirect with error information present in parameters. Previously,
Prow's handler assumed the token to be always present, failing with a
generic error message when it was not.

[1] https://developer.github.com/apps/managing-oauth-apps/troubleshooting-authorization-request-errors/

Fixes: kubernetes#10048
ibzib pushed a commit to ibzib/test-infra that referenced this issue Nov 21, 2018
Make Prow properly detect and log possible error information when passed
by GitHub and differentiate the messaging from the case where token
exchange fails for other reasons.

Certain error conditions [1] cause GitHub to call back the OAuth
redirect with error information present in parameters. Previously,
Prow's handler assumed the token to be always present, failing with a
generic error message when it was not.

[1] https://developer.github.com/apps/managing-oauth-apps/troubleshooting-authorization-request-errors/

Fixes: kubernetes#10048
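
The check described in this issue, as an added example (not Prow's code and not the code from the referenced commits): inspect the redirect's query parameters before attempting the token exchange, and log provider errors with quoting because the values are request-controlled. `CheckCallback` and `CallbackError` are hypothetical names; the parameter names `error`, `error_description` and `error_uri` follow RFC 6749 section 4.1.2.1, and the query strings are constructed samples.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"log"
	"net/url"
)

// CallbackError carries the error parameters a provider may put on the
// redirect instead of a code (RFC 6749 section 4.1.2.1).
type CallbackError struct{ Code, Description, URI string }

// Error quotes each value with %q: the parameters come from the request,
// so control characters must not reach the log unescaped.
func (e *CallbackError) Error() string {
	return fmt.Sprintf("oauth provider error=%q description=%q uri=%q", e.Code, e.Description, e.URI)
}

// CheckCallback (hypothetical helper) returns the code to exchange, or an
// error explaining why no exchange should be attempted.
func CheckCallback(q url.Values, wantState string) (string, error) {
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(wantState)) != 1 {
		return "", errors.New("oauth callback: state mismatch")
	}
	if c := q.Get("error"); c != "" {
		return "", &CallbackError{c, q.Get("error_description"), q.Get("error_uri")}
	}
	if q.Get("code") == "" {
		return "", errors.New("oauth callback: neither code nor error present")
	}
	return q.Get("code"), nil
}

func main() {
	// Constructed sample query strings, not captured traffic.
	for _, raw := range []string{
		"code=abc123&state=s3cr3t",
		"error=redirect_uri_mismatch&error_description=bad%0Aline&state=s3cr3t",
	} {
		q, _ := url.ParseQuery(raw)
		code, err := CheckCallback(q, "s3cr3t")
		log.Printf("code=%q err=%v", code, err)
	}
}
```

A handler built on this would answer a `*CallbackError` with a client-error status and a fixed message, keeping the provider's description in the log only.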