From 9e41be4bfbd5f3ff8dffff20d7ab27c4674e6809 Mon Sep 17 00:00:00 2001
From: "LocalAI [bot]" <139863280+localai-bot@users.noreply.github.com>
Date: Sat, 4 Jul 2026 19:33:53 +0200
Subject: [PATCH] fix(auth): log the real cause of OIDC/OAuth user-info failures (#10679)

The OAuth callback discarded the error returned by user-info resolution before sending the generic 500, so real failures were completely opaque in the logs: ID-token verification errors (e.g. issuer/audience mismatch behind a reverse proxy), a missing id_token, claim-parse errors, or a rejecting GitHub userinfo endpoint all collapsed into "failed to fetch user info" with nothing logged.

Log the wrapped cause with xlog.Error (provider + error), matching the code-exchange step just above it. The client-facing message is unchanged, so no internal detail leaks to the browser.

Refs #10677

Assisted-by: Claude:claude-opus-4-8 [Claude Code]
Signed-off-by: Ettore Di Giacinto
Co-authored-by: Ettore Di Giacinto
---
 core/http/auth/oauth.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/core/http/auth/oauth.go b/core/http/auth/oauth.go
index a4e53b561..457419301 100644
--- a/core/http/auth/oauth.go
+++ b/core/http/auth/oauth.go
@@ -202,6 +202,11 @@ func (m *OAuthManager) CallbackHandler(providerName string, db *gorm.DB, adminEm
 		userInfo, err = fetchGitHubUserInfoAsOAuth(ctx, token.AccessToken)
 	}
 	if err != nil {
+		// Surface the real cause server-side: ID-token verify failures (issuer/
+		// audience mismatch behind a reverse proxy), a missing id_token, claim
+		// parse errors, or the GitHub userinfo HTTP status/body. The client still
+		// gets the generic message below; details go to logs only. See #10677.
+		xlog.Error("OAuth callback: failed to resolve user info", "provider", providerName, "error", err)
 		return c.JSON(http.StatusInternalServerError, map[string]string{"error": "failed to fetch user info"})
 	}
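Review bot: The added comment states that the wrapped error may carry the GitHub userinfo HTTP status and body, and the new `xlog.Error(..., "error", err)` line writes that error verbatim to the log, so a userinfo response body (which can hold account details) or an unexpectedly large upstream payload now lands in server logs unbounded. The producer of that error (`fetchGitHubUserInfoAsOAuth`, outside this hunk) should truncate and avoid embedding sensitive fields of the body before wrapping, or the comment here should say what it relies on; I would add to the comment `// NOTE: err may embed the upstream response body; keep it bounded/redacted at the producer.` so the next maintainer does not widen what gets wrapped. Logging `providerName` alongside the error is consistent with the code-exchange step the description cites, which is good for correlating failures per provider. CallbackHandler starts before and continues after this hunk, so I cannot confirm from the diff that `xlog` is already imported in this file; the description implies it is used just above.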