Merge pull request #254 from buzzfeed/jusshersmith-fix-500-bad-request-bug

Jusshersmith · web-flow · commit 917f88031854 · 2019-10-07T10:56:47.000+01:00
sso_*: fix 500 error caused by expired Okta refresh token
diff --git a/internal/auth/authenticator.go b/internal/auth/authenticator.go
@@ -259,6 +259,9 @@ func (p *Authenticator) SignIn(rw http.ResponseWriter, req *http.Request) {
 		p.ProxyOAuthRedirect(rw, req, session, tags)
 	case http.ErrNoCookie:
 		p.SignInPage(rw, req, http.StatusOK)
+	case providers.ErrTokenRevoked:
+		p.sessionStore.ClearSession(rw, req)
+		p.SignInPage(rw, req, http.StatusOK)
 	case sessions.ErrLifetimeExpired, sessions.ErrInvalidSession:
 		p.sessionStore.ClearSession(rw, req)
 		p.SignInPage(rw, req, http.StatusOK)
diff --git a/internal/auth/providers/okta.go b/internal/auth/providers/okta.go
@@ -9,6 +9,7 @@ import (
 	"io/ioutil"
 	"net/http"
 	"net/url"
+	"strings"
 	"time"
 
 	"github.com/buzzfeed/sso/internal/auth/circuit"
@@ -206,7 +207,7 @@ func (p *OktaProvider) oktaRequest(method, endpoint string, params url.Values, t
 				ErrorDescription string `json:"error_description"`
 			}
 			e := json.Unmarshal(respBody, &response)
-			if e == nil && response.ErrorDescription == "Token expired or revoked" {
+			if e == nil && strings.Contains(strings.ToLower(response.ErrorDescription), "token is invalid or expired") {
 				p.StatsdClient.Incr("provider.token_revoked", tags, 1.0)
 				return ErrTokenRevoked
 			}
@@ -373,7 +374,6 @@ func (p *OktaProvider) RefreshSessionIfNeeded(s *sessions.SessionState) (bool, e
 	if s == nil || !s.RefreshPeriodExpired() || s.RefreshToken == "" {
 		return false, nil
 	}
-
 	newToken, duration, err := p.RefreshAccessToken(s.RefreshToken)
 	if err != nil {
 		return false, err
diff --git a/internal/proxy/oauthproxy.go b/internal/proxy/oauthproxy.go
@@ -679,6 +679,9 @@ func (p *OAuthProxy) Proxy(rw http.ResponseWriter, req *http.Request) {
 			// We know the user is not authorized for the request, we show them a forbidden page
 			p.ErrorPage(rw, req, http.StatusForbidden, "Forbidden", "You're not authorized to view this page")
 			return
+		case providers.ErrTokenRevoked:
+			p.ErrorPage(rw, req, http.StatusUnauthorized, "Unauthorized", "Token Expired or Revoked")
+			return
 		default:
 			logger.Error(err, "unknown error authenticating user")
 			tags = append(tags, "error:internal_error")
diff --git a/internal/proxy/providers/sso.go b/internal/proxy/providers/sso.go
@@ -31,6 +31,7 @@ var (
 var (
 	ErrMissingRefreshToken     = errors.New("missing refresh token")
 	ErrAuthProviderUnavailable = errors.New("auth provider unavailable")
+	ErrTokenRevoked            = errors.New("token revoked or expired")
 )
 
 var userAgentString string
@@ -321,6 +322,8 @@ func (p *SSOProvider) redeemRefreshToken(refreshToken string) (token string, exp
 	if resp.StatusCode != http.StatusCreated {
 		if isProviderUnavailable(resp.StatusCode) {
 			err = ErrAuthProviderUnavailable
+		} else if resp.StatusCode == http.StatusUnauthorized {
+			err = ErrTokenRevoked
 		} else {
 			err = fmt.Errorf("got %d from %q %s", resp.StatusCode, p.RefreshURL.String(), body)
 		}
