conjur
authenticator prints useful error on 400 response
@ismarc As far as I know, the only authenticators that return 400 Bad Request are authn-oidc & authn-azure, and they return such a response in case the JWT is missing or empty in the request body.
In these cases the error will be written to the logs and will not be returned in the response body, as we do for all authentication requests, for security reasons.
Are you referring to these cases? I guess there's no security issue here, as this info can be found in the docs. Are you suggesting that in these cases the response body will include the error? We do that in the case of a Jwt::TokenExpired error, so it's possible.
@shaharglazner do you see any security concern in returning the error message in the response body in this case?
It can improve the UX so the user doesn't need to go to the logs
I believe this ticket is no longer applicable. At the time, if I remember correctly, there were some paths that incorrectly responded with 400 when other values were intended, as has since been corrected. I believe additional information about the failure reasons is now available in the UI and addresses this.
I still think there's value in this change. I would rephrase the issue to "authenticator returns useful error on 400 responses" to specify that the error is not only printed to the logs but also returned in the response body.
It's OK to do so for 400 response codes because in this case the request is wrong and we don't expose anything regarding the server behaviour. @shaharglazner wdyt?
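The policy the thread converges on, as an added illustration that is not Conjur's own code: every failure is logged in full with a request id, a 400 for a malformed request (missing or empty `jwt`) echoes its message, a `TokenExpired`-style error is also echoed, and any other verification failure gets a generic 401 body. The error classes, `handle_authn_request` and the `verify` callback are hypothetical stand-ins.

```ruby
require 'json'
require 'logger'

# Hypothetical error classes standing in for the failures discussed in the thread;
# this is an added example, not Conjur's own code.
module AuthnErrors
  class MissingRequestParam < StandardError; end # malformed request: 400
  class TokenExpired        < StandardError; end # stale but well-formed token: 401
  class InvalidSignature    < StandardError; end # verification detail: 401, log only
end

# Policy: every failure is logged in full with a request id; only errors that
# describe the client's own request (400) or that the client can act on
# (TokenExpired) echo their message. Anything else gets a generic body so the
# response does not reveal how the server verified the token.
class AuthnErrorResponder
  LOGGER  = Logger.new($stderr)
  GENERIC = 'authentication failed'.freeze

  EXPOSED = {
    AuthnErrors::MissingRequestParam => 400,
    AuthnErrors::TokenExpired        => 401
  }.freeze

  def self.respond(error, request_id:)
    LOGGER.error("request_id=#{request_id} #{error.class}: #{error.message}")
    status  = EXPOSED.fetch(error.class, 401)
    message = EXPOSED.key?(error.class) ? error.message : GENERIC
    [status, JSON.generate(error: { message: message, request_id: request_id })]
  end
end

# Simulates the authn request path. `verify` is a stand-in for the real token
# check and is expected to raise one of the AuthnErrors classes on failure.
# Returns [http_status, json_body].
def handle_authn_request(body_params, request_id:, verify:)
  jwt = body_params['jwt']
  if jwt.nil? || jwt.strip.empty?
    raise AuthnErrors::MissingRequestParam, "'jwt' is missing or empty in the request body"
  end
  verify.call(jwt)
  [200, JSON.generate(authenticated: true)]
rescue AuthnErrors::MissingRequestParam, AuthnErrors::TokenExpired,
       AuthnErrors::InvalidSignature => e
  AuthnErrorResponder.respond(e, request_id: request_id)
end
```

The request id in every body lets an operator correlate a generic 401 with the full reason in the logs without the client learning it.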