
OIDC login errors are not being displayed in the frontend

Open samczsun opened this issue 1 year ago • 2 comments

Description

When my OIDC provider returns an error, it is not displayed in the frontend, causing confusion for users. For example, I would like users to verify their email, so my provider requests https://opencti/auth/oic/callback?error=access_denied&error_description=Please+verify+your+email+before+logging+in. and I see the following in my logs:

{"category":"APP","error":{"error":"access_denied","error_description":"Please verify your email before logging in.","name":"OPError","state":"[redacted]"},"level":"info","message":"[OPENID] ERROR General openid passport error","source":"backend","timestamp":"2024-07-21T06:25:21.609Z","version":"6.2.6"}

However, the user only sees that their login was successful but they were taken back to the login page, with no error feedback

Environment

  1. OS (where OpenCTI server runs): Ubuntu
  2. OpenCTI version: 6.2.6
  3. OpenCTI client: Frontend
  4. Other environment details:

Reproducible Steps

  1. Login via OIDC, but cause the login to fail

Expected Output

OpenCTI should display the failure reason

Actual Output

OpenCTI just shows the login screen with no failure reason

Additional information

Screenshots (optional)

samczsun avatar Jul 21 '24 06:07 samczsun
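The redirect described in the issue is the standard OAuth 2.0 / OIDC authorization-response error (RFC 6749 §4.1.2.1): the provider sends the browser back to the callback with `error`, `error_description` and `state`. One point matters before surfacing any of it to the user: the callback URL is delivered by the user agent, so anyone can craft a link to `/auth/oic/callback?error=...&error_description=<arbitrary text>` and have that text rendered on the login page of a trusted host. The following is an added example (not OpenCTI code) of a callback classifier that logs the raw `error_description` server-side, verifies `state` against the value bound to the session, and derives the user-facing text only from an allow-list of standard error codes, falling back to a generic message otherwise. The host `opencti.example`, the function and constant names, and the sample URLs are constructed for this illustration.

```javascript
// Added example, not part of OpenCTI: classify an OIDC authorization-response
// error (RFC 6749 §4.1.2.1) received on the redirect-URI callback and decide
// what the browser may be shown. Only the error *code* selects the user-facing
// text; error_description is logged but never rendered, because every query
// parameter on the callback URL can be forged by whoever builds the link.

// Fixed, non-attacker-controlled texts keyed by standard error codes
// (RFC 6749 §4.1.2.1 and OpenID Connect Core §3.1.2.6).
const USER_MESSAGES = {
  access_denied: 'Access was denied by the identity provider.',
  login_required: 'You need to sign in at the identity provider first.',
  interaction_required: 'Additional interaction with the identity provider is required.',
  consent_required: 'Consent is required at the identity provider.',
  invalid_scope: 'The requested scope was rejected by the identity provider.',
  server_error: 'The identity provider reported an internal error.',
  temporarily_unavailable: 'The identity provider is temporarily unavailable.',
};

// Wording taken from the maintainer's comment in this thread.
const GENERIC = 'Invalid authentication, please ask your administrator';

/**
 * @param {string} callbackUrl    full redirect-URI as received by the server
 * @param {string} expectedState  state value bound to this browser session
 *                                before the user was sent to the provider
 * @returns {{ show: string, log: object|null, authError: boolean }}
 *   show      - text safe to render on the login page ('' when no error)
 *   log       - structured entry for the server log (raw description kept here)
 *   authError - true when the response is an error response
 */
function classifyOidcCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  const error = params.get('error');
  if (error === null) {
    // No error parameter: a normal code/id_token response, hand it to the
    // OIDC client library as usual.
    return { show: '', log: null, authError: false };
  }
  const state = params.get('state');
  const description = params.get('error_description');
  const log = {
    event: 'oidc_callback_error',
    error,
    error_description: description, // raw provider text stays server-side
    state_ok: state === expectedState,
  };
  if (state !== expectedState) {
    // An error response not bound to a request we issued cannot be told apart
    // from a crafted link; show nothing specific about it.
    return { show: GENERIC, log, authError: true };
  }
  // Own-property lookup so codes like "__proto__" or "constructor" cannot
  // pull text out of the prototype chain.
  const known = Object.prototype.hasOwnProperty.call(USER_MESSAGES, error);
  return { show: known ? USER_MESSAGES[error] : GENERIC, log, authError: true };
}

// Constructed sample mirroring the redirect quoted in the issue.
const sample = classifyOidcCallback(
  'https://opencti.example/auth/oic/callback?error=access_denied'
    + '&error_description=Please+verify+your+email+before+logging+in.&state=s1',
  's1',
);
console.log(JSON.stringify(sample, null, 2));
```

The `state` check is what makes even the allow-listed messages safe to show: without it, a third party could link a victim to the callback with a chosen `error` code and a misleading description, and the trusted login page would appear to confirm it. If the deployment wants to pass provider wording such as "verify your email" through, the provider and the application have to agree on a code for it out of band; echoing `error_description` is not the place to do that.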

Fix: If possible, when the login request fails, have a generic error message on the login screen (something went wrong, please contact your admin).

nino-filigran avatar Jul 29 '24 13:07 nino-filigran

Same issue when access to OpenCTI is based on the user belonging to a group on the OIDC provider side - users without a group are redirected to the login page without explanation.

petskratt avatar Aug 29 '24 11:08 petskratt

The fix proposed by @nino-filigran is already in place: when there is an error, or the group or organization cannot be found, the generic message "Invalid authentication, please ask your administrator" is displayed on the login page.

I'm closing, feel free to reopen if needed.

aHenryJard avatar Apr 14 '25 13:04 aHenryJard