connector/ldap: display login error by bonifaido · Pull Request #1530 · dexidp/dex · GitHub

connector/ldap: display login error #1530

Merged
merged 1 commit into from
Aug 23, 2019

bonifaido
Member

CallbackConnectors display the error message to the user, which is quite nice for debugging purposes; however, PasswordConnectors haven't returned it. This fixes that.

@bonifaido bonifaido self-assigned this Aug 22, 2019
@bonifaido bonifaido requested a review from srenatus August 22, 2019 13:57
@@ -373,7 +373,7 @@ func (s *Server) handleConnectorLogin(w http.ResponseWriter, r *http.Request) {
identity, ok, err := passwordConnector.Login(r.Context(), scopes, username, password)
if err != nil {
s.logger.Errorf("Failed to login user: %v", err)
s.renderError(w, http.StatusInternalServerError, "Login error.")
s.renderError(w, http.StatusInternalServerError, fmt.Sprintf("Login error: %v", err))
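
Review bot: the added renderError line formats the raw err from passwordConnector.Login with %v into the response body, so whatever text a connector puts in that error is shown to anyone who submits the login form, before they have authenticated. The same err is already recorded by s.logger.Errorf two lines above, so the detail is available for debugging without being rendered. Consider keeping the fixed "Login error." string in the response, or rendering only errors that a connector explicitly marks as safe to show, and documenting that contract on the Login method. Note also that every error on this path still returns http.StatusInternalServerError, whatever its cause.
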
Contributor

Which errors could this be? Is there anything potentially sensible about them? I.e. we don't want to let someone guess usernames this way... 💭

Member Author

I'm not sure. After checking the two backends, LDAP and Keystone, from the Dex code point of view (all the PasswordConnectors), there is no error message which would reveal something like that. Of course, if the upstream provider/lib would return something like that (we wrap those errors), that could be dangerous, but in that case, there is a security concern in that software already.

Currently, Dex returns "Internal Server Error - Login error." even in the case where the user mistyped the password or the LDAP/Keystone server is inaccessible.

Contributor
@srenatus srenatus left a comment

Thanks for looking into the potential errors, too. :)

@srenatus srenatus merged commit 133c256 into master Aug 23, 2019
@bonifaido bonifaido deleted the ldap-error branch August 23, 2019 10:34
@bonifaido
Member Author

Welcome :)

mmrath pushed a commit to mmrath/dex that referenced this pull request Sep 2, 2019
connector/ldap: display login error