OIDC callback returns 401 to browser when identity state is inactive
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, or discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [X] I have joined the Ory Community Slack.
- [X] I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
When there is an error, the callback should redirect to the configured Error UI URL with a flow parameter set. This enables our UI to render the error message as desired.
I don't want to leave the customer on the Ory Network Project with a JSON error in the body, even if the identity is inactive.
Reproducing the bug
- Configure Ory Project to use Custom UI, including the Error UI URL.
- Register identity using OIDC provider.
- Set identity status to inactive.
- Attempt to log in again, using the browser-based OIDC code flow.
Relevant log output
No response
Relevant configuration
No response
Version
Ory Network
On which operating system are you observing this issue?
Ory Network
In which environment are you deploying?
Ory Network
Additional Context
The redirect from Google back to Ory Network:

```text
https://ory-network-project/self-service/methods/oidc/callback/google?state=redacted&code=redacted&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+openid&authuser=0&hd=redacted&prompt=none
```

The response from Ory Network:

```json
{
  "error": {
    "code": 401,
    "status": "Unauthorized",
    "request": "6d05d366-57ba-9f83-8c08-065582fa0953",
    "reason": "This account was disabled.",
    "details": { "identity_id": "redacted" },
    "message": "identity is disabled"
  }
}
```
Additional context:
Use API flows to implement the above. See the JSON error returned on the OIDC callback (this should be a redirect to the error UI instead, even for API flows).
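Added example, not Ory's code: a minimal Go handler showing the behaviour this report asks for, where a browser flow hitting a disabled identity is redirected to the Error UI with an opaque id (so the full error, including the identity id, stays server-side) while an API client still receives the JSON body. The Error UI URL, the `id` query parameter name, the in-memory error store and Accept-header detection are assumptions.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Assumed Error UI URL (constructed for this example).
const errorUIURL = "https://app.example.com/error"

// errorStore keeps the full error server-side; only the opaque id reaches the browser.
var errorStore = map[string]map[string]any{}

// isBrowserFlow: browser flows accept HTML, API flows ask for JSON (assumed detection rule).
func isBrowserFlow(r *http.Request) bool {
	return strings.Contains(r.Header.Get("Accept"), "text/html")
}

// handleCallbackError is what the OIDC callback would call for an inactive identity:
// browser flows get a 303 to the Error UI with an id, API flows get the JSON body.
func handleCallbackError(w http.ResponseWriter, r *http.Request, id string, status int, reason string) {
	errorStore[id] = map[string]any{"code": status, "reason": reason}
	if isBrowserFlow(r) {
		u, _ := url.Parse(errorUIURL)
		q := u.Query()
		q.Set("id", id) // assumed parameter name
		u.RawQuery = q.Encode()
		http.Redirect(w, r, u.String(), http.StatusSeeOther)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(map[string]any{
		"error": map[string]any{"code": status, "reason": reason, "id": id},
	})
}

// simulateCallback drives the handler with a given Accept header and returns
// the status code and Location header so both flow types can be compared.
func simulateCallback(accept string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/self-service/methods/oidc/callback/google?state=x&code=y", nil)
	req.Header.Set("Accept", accept)
	rec := httptest.NewRecorder()
	handleCallbackError(rec, req, "err-1234", http.StatusUnauthorized, "This account was disabled.")
	return rec.Code, rec.Header().Get("Location") // browser: 303, .../error?id=err-1234; API: 401, ""
}
```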