Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

golang/oauth2/stsexchange: error handling enhancement proposal #740

Open
olefirenque opened this issue Sep 6, 2024 · 3 comments
Open

golang/oauth2/stsexchange: error handling enhancement proposal #740

olefirenque opened this issue Sep 6, 2024 · 3 comments

Comments

@olefirenque
Copy link

olefirenque commented Sep 6, 2024

Hello!

The standard implementation of client_credentials grant_type uses a RetrieveError, which is really useful because it provides the raw response body and error code.

oauth2/token.go

Lines 184 to 198 in 3e64809

// RetrieveError is the error returned when the token endpoint returns a
// non-2XX HTTP status code or populates RFC 6749's 'error' parameter.
// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
type RetrieveError struct {
Response *http.Response
// Body is the body that was consumed by reading Response.Body.
// It may be truncated.
Body []byte
// ErrorCode is RFC 6749's 'error' parameter.
ErrorCode string
// ErrorDescription is RFC 6749's 'error_description' parameter.
ErrorDescription string
// ErrorURI is RFC 6749's 'error_uri' parameter.
ErrorURI string
}

As I noticed, the stsexchange implementation wraps the raw error message, which makes it difficult to properly handle custom errors from different OIDC providers.

if c := resp.StatusCode; c < 200 || c > 299 {
return nil, fmt.Errorf("oauth2/google: status code %d: %s", c, body)
}

It would be great if stsexchange wrapped errors the same way client_credentials do.

@olefirenque olefirenque changed the title golang/oauth2: error handling enhancement proposal golang/oauth2/stsexchange: error handling enhancement proposal Sep 6, 2024
@codyoss
Copy link
Member

codyoss commented Sep 13, 2024

Would you mind raising an issue on https://github.com/googleapis/google-cloud-go instead. This package google package is slowly being phased out in favor of https://pkg.go.dev/cloud.google.com/go/auth/credentials

@olefirenque
Copy link
Author

olefirenque commented Sep 13, 2024

Sure, I can bring this up, but I would like to point out that in my case I use both client_credentials and token-exchange from oauth2 (I don't actually use any Google cloud infrastructure). It would be more convenient to use this enhancement here, since it allows to handle token issuance errors in a more general way (in particular, they will have a common type for the error).

Can the attached MR still be considered?

@codyoss
Copy link
Member

codyoss commented Sep 13, 2024

(I don't actually use any Google cloud infrastructure)

Your PR and issue mention the google sub-directory that is used for Google clients. This package will soon be deprecated in favor of the one I liked above. We don't plan on adding any more features to this google package at this time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants