Catch OIDC Errors When Logging In

We use Auth0 via OIDC as our IDP for our project. We require email verification, and when you attempt to login without a verified email, auth0 rejects the login.

When logging in, I see I get redirected to <gateway>/data/federate/callback/oidc?error=access_denied&error_description=Please%20verify%20your%20email%20before%20logging%20in.&state=asdf
which then immediately redirects me back to the login screen. However, no message or anything is displayed here or anywhere during the process.

I see it gets logged as

Caused by: com.inductiveautomation.ignition.gateway.auth.web.strategy.WebAuthStrategyException: Unable to parse the web auth response from the HTTP request URI: com.inductiveautomation.ignition.gateway.auth.oidc.error.OIDCError@44c478ef[error=access_denied,error_description=Please verify your email before logging in.,error_uri=<null>,state=asdf]

Can I capture, or otherwise display for user feedback, info about login failures?

You might be able to, but you should not. It gives attackers insight into your systems that you do not want them to have.

What if we parse the response to only show info we want to display, and only if it's something that should be displayed?
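One way to do what the previous post proposes, as an added example that is not code from the original poster, from Ignition, or from Auth0: parse the OIDC error callback, check `state` against the value stored when the login was started, map only allowlisted `error` codes to fixed generic messages, and log the raw `error_description` server-side for IT instead of echoing it to the browser. The host `gateway.example`, the function and constant names, and the sample callback URIs are assumptions constructed for this example; the error codes come from RFC 6749 section 4.1.2.1 and OIDC Core section 3.1.2.6.

```python
import hmac
import logging
from urllib.parse import parse_qs, urlsplit

log = logging.getLogger("oidc.callback")

# Allowlist: OIDC/OAuth error codes we recognise, each mapped to a fixed,
# generic message. The IdP's error_description is never shown to the user;
# it only goes to the server log, where IT can read it.
USER_MESSAGES = {
    "access_denied": "Sign-in was not completed. Contact IT support if you need help.",
    "login_required": "Please sign in again.",
    "interaction_required": "Please sign in again.",
}
FALLBACK_MESSAGE = "Sign-in failed. Contact IT support."


def handle_oidc_callback(callback_uri, expected_state):
    """Process the redirect URI the IdP sent the browser back to.

    expected_state is the state value this server stored in the user's session
    when it started the login. Returns a dict describing what the login flow
    should do next; the 'message' field is the only text safe to display.
    """
    query = parse_qs(urlsplit(callback_uri).query)
    state = query.get("state", [None])[0]

    # State check first. A missing or mismatched state means this callback
    # was not started by this session (forged, replayed, or stale), so we
    # reveal nothing about it, not even which error code it carried.
    if state is None or expected_state is None or not hmac.compare_digest(
        state.encode(), expected_state.encode()
    ):
        log.warning("OIDC callback with bad state: got=%r expected=%r", state, expected_state)
        return {"ok": False, "message": FALLBACK_MESSAGE}

    if "error" in query:
        error = query["error"][0]
        description = query.get("error_description", [""])[0]
        # Full detail for the log only (this is what IT looks at).
        log.warning("OIDC login failure: state=%s error=%s error_description=%r",
                    state, error, description)
        return {
            "ok": False,
            "error": error,
            "message": USER_MESSAGES.get(error, FALLBACK_MESSAGE),
        }

    code = query.get("code", [None])[0]
    if code is None:
        log.warning("OIDC callback with neither code nor error: state=%s", state)
        return {"ok": False, "message": FALLBACK_MESSAGE}
    # Success path: the caller exchanges the code for tokens at the IdP.
    return {"ok": True, "code": code}


# Constructed sample callbacks (host and values are made up for this example).
SAMPLE_ERROR_CALLBACK = (
    "https://gateway.example/data/federate/callback/oidc"
    "?error=access_denied"
    "&error_description=Please%20verify%20your%20email%20before%20logging%20in."
    "&state=asdf"
)
SAMPLE_SUCCESS_CALLBACK = (
    "https://gateway.example/data/federate/callback/oidc?code=abc123&state=asdf"
)

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(handle_oidc_callback(SAMPLE_ERROR_CALLBACK, "asdf"))
    print(handle_oidc_callback(SAMPLE_ERROR_CALLBACK, "not-my-state"))
    print(handle_oidc_callback(SAMPLE_SUCCESS_CALLBACK, "asdf"))
```

The point of the allowlist is that the browser only ever sees one of a handful of fixed strings chosen by you, while the exact reason (here, the unverified email) stays in the server log for the IT group to read; an unknown error code, a forged `state`, or a callback with neither `code` nor `error` all collapse to the same fallback text.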

There is nothing that should be displayed on authentication failure.

What would be the best course of action then if I need to notify users that they can't log in because, for example, their email isn't validated?

For a user, they just keep getting sent back to the login screen with no indication why. That doesn't really seem like a good login flow.

That is precisely what is required when dealing with attackers. Users should be able to contact an IT group who has access (and training) to check the Ignition log.
