Compare commits


1 Commits

Author: LocalAI [bot]
SHA1: 9e41be4bfb
Message: fix(auth): log the real cause of OIDC/OAuth user-info failures (#10679)
The OAuth callback discarded the error returned by user-info resolution
before sending the generic 500, so real failures were completely opaque
in the logs: ID-token verification errors (e.g. issuer/audience mismatch
behind a reverse proxy), a missing id_token, claim-parse errors, or a
rejecting GitHub userinfo endpoint all collapsed into
"failed to fetch user info" with nothing logged.

Log the wrapped cause with xlog.Error (provider + error), matching the
code-exchange step just above it. The client-facing message is unchanged,
so no internal detail leaks to the browser.

Refs #10677

Assisted-by: Claude:claude-opus-4-8 [Claude Code]

Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
Co-authored-by: Ettore Di Giacinto <mudler@localai.io>
Date: 2026-07-04 19:33:53 +02:00


@@ -202,6 +202,11 @@ func (m *OAuthManager) CallbackHandler(providerName string, db *gorm.DB, adminEm
userInfo, err = fetchGitHubUserInfoAsOAuth(ctx, token.AccessToken)
}
if err != nil {
// Surface the real cause server-side: ID-token verify failures (issuer/
// audience mismatch behind a reverse proxy), a missing id_token, claim
// parse errors, or the GitHub userinfo HTTP status/body. The client still
// gets the generic message below; details go to logs only. See #10677.
xlog.Error("OAuth callback: failed to resolve user info", "provider", providerName, "error", err)
return c.JSON(http.StatusInternalServerError, map[string]string{"error": "failed to fetch user info"})
}
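Review bot: the new comment states that the wrapped error may carry the GitHub userinfo HTTP status and body, and `xlog.Error("OAuth callback: failed to resolve user info", "provider", providerName, "error", err)` then writes that error verbatim at Error level on every failed login; before merging, confirm that the wrapping done in `fetchGitHubUserInfoAsOAuth` bounds the body length and cannot echo the access token or profile fields (e-mail, name) into persistent logs. If the body is already truncated there, say so in the comment ("body truncated to N bytes"); if not, logging only the status code plus a bounded prefix of the body keeps the diagnostic value without turning the auth log into a PII sink.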