Skip to content

fix(auth): log the real cause of OIDC/OAuth user-info failures#10679

Merged
mudler merged 1 commit into
masterfrom
fix/oidc-callback-error-logging
Jul 4, 2026
Merged

fix(auth): log the real cause of OIDC/OAuth user-info failures#10679
mudler merged 1 commit into
masterfrom
fix/oidc-callback-error-logging

Conversation

@localai-bot

Copy link
Copy Markdown
Collaborator

What

The OAuth callback discarded the error returned by user-info resolution before sending the generic 500 {"error":"failed to fetch user info"}, so real failures were completely opaque in the logs. This adds an xlog.Error at the swallow site (matching the code-exchange step just above it), surfacing the wrapped cause: ID-token verification errors (e.g. issuer/audience mismatch behind a reverse proxy), a missing id_token, claim-parse errors, or a rejecting GitHub /user response.

The client-facing message is unchanged, so no internal detail leaks to the browser; details go to server logs only.

Why

Refs #10677. An Authentik user hit HTTP 500 {"error":"failed to fetch user info"} at /api/auth/oidc/callback with nothing logged explaining the cause. This is the observability half of that report: it makes the failure self-diagnosable.

The suspected root cause (the OIDC path reads claims only from the ID token and never calls /userinfo, which Authentik commonly relies on) is intentionally not addressed here. It touches the security-sensitive verification path, so it's held until an affected user confirms, from these new logs, that ID-token-only extraction is the actual failure - rather than an issuer/proxy misconfiguration.

Testing

  • make lint (new-from-merge-base): 0 issues
  • make test-coverage-check: all pkg/... and core/... suites pass, including the core/http e2e suite

Assisted-by: Claude:claude-opus-4-8 [Claude Code]

The OAuth callback discarded the error returned by user-info resolution
before sending the generic 500, so real failures were completely opaque
in the logs: ID-token verification errors (e.g. issuer/audience mismatch
behind a reverse proxy), a missing id_token, claim-parse errors, or a
rejecting GitHub userinfo endpoint all collapsed into
"failed to fetch user info" with nothing logged.

Log the wrapped cause with xlog.Error (provider + error), matching the
code-exchange step just above it. The client-facing message is unchanged,
so no internal detail leaks to the browser.

Refs #10677

Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
Assisted-by: Claude:claude-opus-4-8 [Claude Code]
@mudler
mudler merged commit 9e41be4 into master Jul 4, 2026
58 of 60 checks passed
@mudler
mudler deleted the fix/oidc-callback-error-logging branch July 4, 2026 17:33
mudler added a commit that referenced this pull request Jul 8, 2026
…10736)

The OIDC verifier was built with a bare oidc.Config{ClientID: ...}, so
go-oidc applied its default of accepting RS256-signed ID tokens only. An
identity provider configured with an EC signing key (e.g. Authentik) issues
ES256-signed tokens, and the callback failed verification with:

  failed to verify ID token: oidc: malformed jwt: unexpected signature
  algorithm "HS256"; expected ["RS256"]

surfacing to the user as HTTP 500 "failed to fetch user info" (#10677; the
underlying cause became visible after the logging fix in #10679).

Set SupportedSigningAlgs to the standard asymmetric algorithms
(RS256/384/512, ES256/384/512, PS256/384/512, EdDSA). All are verified
against the provider's published JWKS. HS256 is intentionally excluded: it
is symmetric and would validate against the client secret, a different and
security-sensitive trust model.

Tested with a functional spec that signs an ES256 ID token and confirms it
verifies with the configured algorithms and is rejected under go-oidc's
RS256-only default (using oidc.StaticKeySet, no network).

Closes #10677


Assisted-by: Claude:claude-opus-4-8 [Claude Code]

Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
Co-authored-by: Ettore Di Giacinto <mudler@localai.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants