Improve errors for token exchange functions

welteki · alexellis · commit f28717cc8215 · 2024-06-14T09:09:19.000+01:00
Signed-off-by: Han Verstraete (OpenFaaS Ltd) &lt;han@openfaas.com&gt;
diff --git a/client_credentials_auth.go b/client_credentials_auth.go
@@ -111,7 +111,7 @@ func obtainClientCredentialsToken(clientID, clientSecret, tokenURL, scope, grant
 	}
 
 	if code := res.StatusCode; code < 200 || code > 299 {
-		return nil, fmt.Errorf("cannot fetch token: %v\nResponse: %s", res.Status, body)
+		return nil, fmt.Errorf("unexpected status code: %v\nResponse: %s", res.Status, body)
 	}
 
 	tj := &tokenJSON{}
diff --git a/exchange.go b/exchange.go
@@ -55,8 +55,15 @@ func ExchangeIDToken(tokenURL, rawIDToken string, options ...ExchangeOption) (*T
 		return nil, fmt.Errorf("cannot fetch token: %v", err)
 	}
 
+	if res.StatusCode == http.StatusBadRequest {
+		authErr := &OAuthError{}
+		if err := json.Unmarshal(body, authErr); err == nil {
+			return nil, authErr
+		}
+	}
+
 	if code := res.StatusCode; code < 200 || code > 299 {
-		return nil, fmt.Errorf("cannot fetch token: %v\nResponse: %s", res.Status, body)
+		return nil, fmt.Errorf("unexpected status code: %v\nResponse: %s", res.Status, body)
 	}
 
 	tj := &tokenJSON{}
diff --git a/iam_auth.go b/iam_auth.go
@@ -1,6 +1,7 @@
 package sdk
 
 import (
+	"errors"
 	"fmt"
 	"net/http"
 	"os"
@@ -56,9 +57,15 @@ func (a *TokenAuth) getToken() (string, error) {
 		}
 
 		token, err := ExchangeIDToken(a.TokenURL, idToken)
+
+		var authError *OAuthError
+		if errors.As(err, &authError) {
+			return "", fmt.Errorf("failed to exchange token for an OpenFaaS token: %s", authError.Description)
+		}
 		if err != nil {
-			return "", err
+			return "", fmt.Errorf("failed to exchange token for an OpenFaaS token: %s", err)
 		}
+
 		a.token = token
 	}
 
diff --git a/token.go b/token.go
@@ -1,6 +1,7 @@
 package sdk
 
 import (
+	"fmt"
 	"strings"
 	"time"
 )
@@ -58,3 +59,16 @@ func (t *tokenJSON) scope() []string {
 
 	return []string{}
 }
+
+// OAuthError represents an OAuth error response.
+type OAuthError struct {
+	Err         string `json:"error"`
+	Description string `json:"error_description,omitempty"`
+}
+
+func (e *OAuthError) Error() string {
+	if len(e.Description) > 0 {
+		return fmt.Sprintf("%s: %s", e.Err, e.Description)
+	}
+	return e.Err
+}

Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,7 @@ func obtainClientCredentialsToken(clientID, clientSecret, tokenURL, scope, grant`
`111`	`111`	`}`
`112`	`112`
`113`	`113`	`if code := res.StatusCode; code < 200 \|\| code > 299 {`
`114`		`- return nil, fmt.Errorf("cannot fetch token: %v\nResponse: %s", res.Status, body)`
	`114`	`+ return nil, fmt.Errorf("unexpected status code: %v\nResponse: %s", res.Status, body)`
`115`	`115`	`}`
`116`	`116`
`117`	`117`	`tj := &tokenJSON{}`