
[Bug]: Cannot handle oauth login error properly #400

Open
jonas-martinez opened this issue Aug 7, 2023 · 2 comments
Labels
bug Something isn't working

Comments

@jonas-martinez
Collaborator

What happened?

When trying to log in via OAuth and an error occurs (in my case a scope is not allowed to be used, as you can see in the log output), I cannot handle the error properly on the client side because I receive a 404 error from the server after the redirection to the non-existing OAuth error page.

We must add an error page for the oauth.

What browsers are you seeing the problem on?

No response

Version

alpha

Relevant log output

time=2023-08-07T09:32:20Z level=error msg=An error occurred audience=application error=map[debug: message:invalid_scope reason:The OAuth 2.0 Client is not allowed to request scope 'profile'. status:Bad Request status_code:400] http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 accept-encoding:gzip, deflate, br accept-language:fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7 connection:keep-alive referer:http://localhost:10000/ sec-ch-ua:"Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile:?0 sec-ch-ua-platform:"Linux" sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:same-site sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36] host:localhost:4444 method:GET path:/oauth2/auth query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote:172.24.0.1:49458 scheme:http] service_name=Ory Hydra service_version=v2.0.3
time=2023-08-07T09:32:20Z level=info msg=completed handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 accept-encoding:gzip, deflate, br accept-language:fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7 connection:keep-alive referer:http://localhost:10000/ sec-ch-ua:"Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile:?0 sec-ch-ua-platform:"Linux" sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:same-site sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36] host:localhost:4444 method:GET path:/oauth2/auth query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote:172.24.0.1:49458 scheme:http] http_response=map[headers:map[cache-control:no-store location:http://localhost:10000/redirect.html?error=invalid_scope&error_description=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed.+The+OAuth+2.0+Client+is+not+allowed+to+request+scope+%27profile%27.&state=489581V716394094113806594 pragma:no-cache] size:0 status:303 text_status:See Other took:1.13447ms]
@jonas-martinez jonas-martinez added the bug Something isn't working label Aug 7, 2023
@Nesqwik Nesqwik removed their assignment Aug 8, 2023
@taorepoara taorepoara removed their assignment Aug 14, 2023
@jonas-martinez
Collaborator Author

This is only useful for external clients. The Lenra client will not return any error with our current setup and will only return an error when the OAuth server is down, which is impossible to handle in the popup anyway.

We should be able to show error pages for external clients when they use a bad clientId or the wrong scopes.

@jonas-martinez
Collaborator Author

After some research, we found a configuration for errors which can be done in the hydra.yml file by adding an error: element under urls:. Some information on how to do it can be found here: https://www.ory.sh/docs/hydra/reference/configuration.

For example, we could add this line under urls:
error: http://localhost:4010/error

And then create a new template on the identity_web library to properly show the error to the user.
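The following is an added example of what such an error page could look like; it is not code from the Lenra project, from the identity_web library, or from Ory Hydra. It takes the redirect from the issue's log output (re-pointed at the proposed http://localhost:4010/error URL, so the sample URL is constructed) and renders a page from the `error`, `error_description`, `error_hint` and `error_debug` query parameters; that Hydra sends all four is an assumption based on its documentation, since only the first two appear in this issue's log. The point a practitioner should care about is that `error_description` echoes client-supplied input (here the requested scope name `profile`), so every value is HTML-escaped and length-capped before it reaches the page, and `error_debug` is hidden unless explicitly enabled.

```python
"""Added example: a minimal OAuth2 error page for Hydra's `urls.error` setting.
Not Lenra or Hydra code. The hydra.yml fragment this issue proposes is:

    urls:
      error: http://localhost:4010/error
"""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Query parameters assumed to be appended by Hydra when it redirects to
# urls.error (assumption from Hydra's docs; only the first two appear in the
# log output of this issue).
ERROR_FIELDS = ("error", "error_description", "error_hint", "error_debug")

# Constructed sample: the Location header from the issue's log, re-pointed at
# the proposed error page URL.
SAMPLE_ERROR_URL = (
    "http://localhost:4010/error?error=invalid_scope"
    "&error_description=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed."
    "+The+OAuth+2.0+Client+is+not+allowed+to+request+scope+%27profile%27."
)

# Fixed wording keyed by RFC 6749 error codes, so the headline never depends on
# the free-text description that the client can influence.
FRIENDLY = {
    "invalid_scope": "The application asked for a permission it is not allowed to use.",
    "invalid_client": "The application could not be identified.",
    "unauthorized_client": "The application is not permitted to use this flow.",
    "access_denied": "The login request was denied.",
}

MAX_LEN = 512  # cap reflected text so a crafted URL cannot fill the page


def parse_oauth_error(url: str) -> dict:
    """Extract Hydra's error fields from the redirect URL; missing ones are ''."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: qs.get(k, [""])[0][:MAX_LEN] for k in ERROR_FIELDS}


def render_error_page(params: dict, show_debug: bool = False) -> str:
    """Build the HTML body. Every value is escaped because error_description and
    error_hint echo client-supplied input (e.g. the requested scope name)."""
    code = params.get("error") or "unknown_error"
    headline = FRIENDLY.get(code, "The login could not be completed.")
    parts = [
        "<h1>Login failed</h1>",
        f"<p>{escape(headline)}</p>",
        f"<p><code>{escape(code)}</code></p>",
    ]
    if params.get("error_description"):
        parts.append(f"<p>{escape(params['error_description'])}</p>")
    if params.get("error_hint"):
        parts.append(f"<p>{escape(params['error_hint'])}</p>")
    # error_debug may carry server internals: show it only when explicitly enabled
    if show_debug and params.get("error_debug"):
        parts.append(f"<pre>{escape(params['error_debug'])}</pre>")
    return "\n".join(parts)


if __name__ == "__main__":
    print(render_error_page(parse_oauth_error(SAMPLE_ERROR_URL)))
```

Run it directly to see the page produced for the `invalid_scope` redirect from the log; a real template in identity_web would wrap the same escaped fields in the site layout, and should keep `show_debug` off outside development.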

Projects
Status: 🟡 Backlog
Development

No branches or pull requests

3 participants