Include AuthenticationCompletionException messages in HTTP response in devmode

[sberyozkin]

Fixes #41890.

It really fixes a bug rather than a planned enhancement.

Sometimes, when the user is redirected to the OIDC provider and something goes wrong at the OIDC provider's side, an error code and optional error description is returned.

Awhile back, @FroMage asked about an option to customize such error responses so now users can register error handlers and refer to them with quarkus.oidc.authentication.error-path property.

But if they haven't registered it, they will get a rather obscure warning and 401 in the browser without any further clues.

@maxandersen was concerned about it the other day, but also @Sanne and indeed @FroMage have also been concerned.

So first of all, this PR improves a log message reported when the user is redirected back to Quarkus with the error code.
And it goes over all/most of AuthenticationCompletionException cases, initializes AuthenticationCompletionException with the error message, and allows this error message be reported back to the user, but in devmode only, to avoid accidentally leaking too many details.

[quarkus-bot]

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit 74ee216.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

[michalvavrik]

Hey,

first of all, I think returning error message in DEV mode is right step and it will help debugging. As far as AuthenticationCompletionException changes are concerned LGTM.

As you are changing logging level to error and some error messages are verbose, I'd like to check all the logged messages are actionable (provides information on which normally admin will act, but does not describe regular situation). I'll comment on individual changes.

[sberyozkin]

I'll ask for more reviews tomorrow, thanks @michalvavrik

[FroMage]

Looks like a great improvement, thanks!

[maxandersen]

looks good - would be great if you showed a before and after example :)

p.s. I don't have a easy setup atm to try it out atm but let me know if need to and i can try redo it.

[sberyozkin]

Hi @maxandersen, before, in your particular setup, I believe it was an empty screen, due to 401, and you could also see a not clear enough message in the logs that no error handler was registered, without any hints how to register it.

401 itself was caused due to the fact that after Quarkus redirected your to the OIDC provider, something failed at the provider's side, either immediately or due to you choosing some unsupported authentication method at their challenge screen, etc. The consequence of that was that, instead the provider redirecting you back to Quarkus with the code query parameter, which Quarkus would've exchanged for the tokens, the provider redirected you back with the error code and description.

But this error code and description were just lost for the purpose of the logs and all you got was an empty screen.
So, now, you will get a much clearer log message which will show the actual error code and description, and also hint how to register an error handler (to give user a nice HTML page with details or do some local post processing).

And in addition, as you proposed, we'll show the info in the browser in devmode, so it will be much clearer what to do next.

As far as error code and descriptions are concerned, they are standardized, so, in case of errors, users would see something from:

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10#section-4.1.2.1

This is a newer OAuth 2.1 spec, but AFAIK, the same codes would be available in the core OAuth 2.0.

[sberyozkin]

There is also an optional error_uri there, but I'd rather avoid suggesting users go to another website to get even a more clearer description than what error_description can provide; using local error handlers to return nice HTML pages if it is what is required would be safer

[sberyozkin]

Let me merge it now