Users with unauthorized sessions receive cryptic error when retrieving keys #111
Description

A user who attempts to retrieve session keys using keyconjurer get may receive the error:

Reproduction steps

1. keyconjurer accounts
2. keyconjurer get [account name of new application]

Okta may reject a request to exchange tokens using the token exchange flow. If it does, the error is silently dropped and the code continues, ultimately submitting an empty OAuth2 token to the SAML assertion endpoint, which results in the above error.

Resolution

Return an ErrUnauthorized error to the end user if this occurs at the token exchange endpoint. It's not clear if the response code from Okta is HTTP 500, HTTP 403 or simply a non-200 HTTP response code; standards indicate that the response code should be HTTP 400. We will simply treat any non-200 status code as an unauthorized error.
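The following Go example is added here to illustrate the failure mode and the fix described in this issue; it is not KeyConjurer's own code. Only the ErrUnauthorized name comes from the issue. The function names, the request form fields, the JSON response shape and the in-process fake Okta token endpoint are all assumptions constructed for the example. The "broken" variant reproduces the described behaviour (a rejected exchange yields an empty token and a nil error, so the caller carries on to the SAML assertion endpoint); the corrected variant treats any non-200 status as ErrUnauthorized, as the resolution proposes, and additionally refuses to hand back an empty access token on a 200, which goes one step beyond the issue text.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ErrUnauthorized is the error surfaced to the user when Okta refuses the
// token exchange. The name is taken from the issue; everything else in this
// file is illustrative and not KeyConjurer's code.
var ErrUnauthorized = errors.New("unauthorized: Okta rejected the token exchange; please log in again")

// exchangeForm builds an RFC 8693 style token-exchange request body.
// The field values are assumptions for the example.
func exchangeForm(subjectToken string) url.Values {
	return url.Values{
		"grant_type":         {"urn:ietf:params:oauth:grant-type:token-exchange"},
		"subject_token_type": {"urn:ietf:params:oauth:token-type:id_token"},
		"subject_token":      {subjectToken},
	}
}

// exchangeTokenBroken mirrors the behaviour described in the issue: the HTTP
// status is never inspected, so a rejection (HTTP 400/403/500, ...) decodes to
// an empty access token that is returned together with a nil error.
func exchangeTokenBroken(ctx context.Context, client *http.Client, tokenURL, subjectToken string) (string, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenURL, strings.NewReader(exchangeForm(subjectToken).Encode()))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var body struct {
		AccessToken string `json:"access_token"`
	}
	_ = json.NewDecoder(resp.Body).Decode(&body) // decode error ignored: the bug
	return body.AccessToken, nil                  // may be "" with a nil error
}

// exchangeToken is the corrected form: any non-200 status becomes
// ErrUnauthorized (wrapped, so errors.Is still matches and the status and a
// short body excerpt remain visible for debugging), and an empty token is
// never returned alongside a nil error.
func exchangeToken(ctx context.Context, client *http.Client, tokenURL, subjectToken string) (string, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenURL, strings.NewReader(exchangeForm(subjectToken).Encode()))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		return "", fmt.Errorf("token exchange request failed: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		excerpt, _ := io.ReadAll(io.LimitReader(resp.Body, 512))
		return "", fmt.Errorf("%w (HTTP %d: %s)", ErrUnauthorized, resp.StatusCode, strings.TrimSpace(string(excerpt)))
	}
	var body struct {
		AccessToken string `json:"access_token"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return "", fmt.Errorf("decoding token exchange response: %w", err)
	}
	if body.AccessToken == "" {
		return "", fmt.Errorf("%w (token exchange returned no access_token)", ErrUnauthorized)
	}
	return body.AccessToken, nil
}

// newFakeOkta starts an in-process stand-in for the token endpoint that
// answers every request with the given status and body (constructed input).
func newFakeOkta(status int, body string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(status)
		_, _ = io.WriteString(w, body)
	}))
}

func main() {
	rejected := newFakeOkta(http.StatusBadRequest, `{"error":"invalid_grant"}`)
	defer rejected.Close()
	ctx := context.Background()
	tok, err := exchangeTokenBroken(ctx, rejected.Client(), rejected.URL, "expired-session")
	fmt.Printf("broken: token=%q err=%v\n", tok, err)
	tok, err = exchangeToken(ctx, rejected.Client(), rejected.URL, "expired-session")
	fmt.Printf("fixed:  token=%q err=%v\n", tok, err)
}
```

Running main shows the contrast: the broken variant reports an empty token with no error, which is exactly the state that later produces the cryptic SAML assertion failure, while the corrected variant stops at the exchange with an error the caller can match with errors.Is(err, ErrUnauthorized) and turn into a clear "log in again" message.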