user sees error msg when GitHub login is denied due to allowed orgs

Also renamed an interface function from GetName to GetResourceName. Co-authored-by: Ryan Richard <richardry@vmware.com>
2026-01-07 14:05:50 +00:00 · 2024-05-31 16:24:11 -05:00
parent e3d8c71f97
commit 58b4ecc0aa
22 changed files with 200 additions and 89 deletions
--- a/internal/federationdomain/endpoints/callback/callback_handler.go
+++ b/internal/federationdomain/endpoints/callback/callback_handler.go
@@ -48,6 +48,9 @@ func NewHandler(
 		authorizeRequester, err := oauthHelper.NewAuthorizeRequest(r.Context(), reconstitutedAuthRequest)
 		if err != nil {
 			plog.Error("error using state downstream auth params", err,
+				"identityProviderDisplayName", idp.GetDisplayName(),
+				"identityProviderResourceName", idp.GetProvider().GetResourceName(),
+				"supervisorCallbackURL", redirectURI,
 				"fositeErr", oidc.FositeErrorForLog(err))
 			return httperr.New(http.StatusBadRequest, "error using state downstream auth params")
 		}
@@ -59,6 +62,10 @@ func NewHandler(

 		identity, loginExtras, err := idp.LoginFromCallback(r.Context(), authcode(r), state.PKCECode, state.Nonce, redirectURI)
 		if err != nil {
+			plog.InfoErr("unable to complete login from callback", err,
+				"identityProviderDisplayName", idp.GetDisplayName(),
+				"identityProviderResourceName", idp.GetProvider().GetResourceName(),
+				"supervisorCallbackURL", redirectURI)
 			return err
 		}

@@ -69,13 +76,20 @@ func NewHandler(
 			GrantedScopes:       authorizeRequester.GetGrantedScopes(),
 		})
 		if err != nil {
+			plog.InfoErr("unable to create a Pinniped session", err,
+				"identityProviderDisplayName", idp.GetDisplayName(),
+				"identityProviderResourceName", idp.GetProvider().GetResourceName(),
+				"supervisorCallbackURL", redirectURI)
 			return httperr.Wrap(http.StatusUnprocessableEntity, err.Error(), err)
 		}

 		authorizeResponder, err := oauthHelper.NewAuthorizeResponse(r.Context(), authorizeRequester, session)
 		if err != nil {
 			plog.WarningErr("error while generating and saving authcode", err,
-				"identityProviderDisplayName", idp.GetDisplayName(), "fositeErr", oidc.FositeErrorForLog(err))
+				"identityProviderDisplayName", idp.GetDisplayName(),
+				"identityProviderResourceName", idp.GetProvider().GetResourceName(),
+				"supervisorCallbackURL", redirectURI,
+				"fositeErr", oidc.FositeErrorForLog(err))
 			return httperr.Wrap(http.StatusInternalServerError, "error while generating and saving authcode", err)
 		}

--- a/internal/federationdomain/endpoints/token/token_handler.go
+++ b/internal/federationdomain/endpoints/token/token_handler.go
@@ -233,7 +233,7 @@ func findProviderByNameAndType(
 	idpLister federationdomainproviders.FederationDomainIdentityProvidersListerI,
 ) (resolvedprovider.FederationDomainResolvedIdentityProvider, error) {
 	for _, p := range idpLister.GetIdentityProviders() {
-		if p.GetSessionProviderType() == providerType && p.GetProvider().GetName() == providerResourceName {
+		if p.GetSessionProviderType() == providerType && p.GetProvider().GetResourceName() == providerResourceName {
 			if p.GetProvider().GetResourceUID() != mustHaveResourceUID {
 				return nil, errorsx.WithStack(errUpstreamRefreshError().WithHint(
 					"Provider from upstream session data has changed its resource UID since authentication."))