hydra: No way to handle 409 GetLoginRequestConflict.
Describe the bug
Sometimes we experience 409 GetLoginRequestConflict errors when calling Admin API GetLoginRequest. Logically, there is no error, as used login request cannot be used anymore. But the problem is that there is no way to handle it from the Identity Provider point of view:
- Identity Provider gets request e.g.
/login?login_challenge=abc123from the user. - Identity Provider gets response with 409 error with no helpful details from Hydra Admin API.
- Identity Provider does not know anything about OAuth Client, he can get this info only doing
GetLoginRequestto Admin API. - Identity Provider cannot redirect the user back to the beginning of the login process (OAuth Client), so the user can either re-authenticate or continue using the Resource Provider is authenticated.
- Identity Provider can only fail the user request, showing typical “Something went wrong, go back where you started” or something.
Note that while we should not get this error in “normal” flow, our users still getting them occasionally, maybe due to “double-click” phenomena or other client-side issues, which we cannot always control.
Reproducing the bug
This can be trivially reproduced by doing typical login/consent flow, and then trying to call GetLoginRequest again with the same login challenge.
Server logs
"error":"[GET /oauth2/auth/requests/login][409] getLoginRequestConflict &{Code:0 Debug:Login request has been used already Hint: Name:0xc00066e9f0}"
Expected behavior
One solution can be returning 200 response from Hydra even if the login challenge is used. The response can contain WasUsed field to indicate that this login challenge is not available for accepting, but at least we can extract client info and redirect the user back to restart the login process.
Note: I think that returning 200 response instead of 409 will be a breaking change.
Or, somehow include client info in the error response.
Or, maybe, the redirect field should be included into all 4xx responses so Identity Provider can at least redirect the user back to restart the login process on any similar errors.
Additional context
Code reference: https://github.com/ory/hydra/blob/master/consent/handler.go#L266
Am I missing something? If so, please point me how to handle this problem.
Or, if this should be fixed, please let me know if any help wanted, so I can provide a PR.
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Reactions: 8
- Comments: 22 (17 by maintainers)
Commits related to this issue
- fix: handled requests respond with 410 Gone and include redirect URL (#2473) Closes #1569 BREAKING CHANGE: This patch makes it so that already handled consent/login/logout requests respond with 41... — committed to ory/hydra by svrakitin 3 years ago
- fix: handled requests respond with 410 Gone and include redirect URL (#2473) Closes #1569 BREAKING CHANGE: This patch makes it so that already handled consent/login/logout requests respond with 41... — committed to mitar/hydra by svrakitin 3 years ago
It’s referenced and closed so yes 😃
Just adding my voice here as another user who is affected. The use case we are seeing is
In the context of this second request, we ideally would like to know where to send the user to continue on with the flow.
One thing we can do at this point is redirect back to the initial request URL which will generate a new login flow, however this isn’t a great experience for the user as they would then be back on the page they started with.
Note: I realise this can be solved via the browser, i.e. debouncing the login form so it doesn’t send twice, but other use cases exist which are outside of control, such as a failed network request etc. that leads the user to reload the page.