
fix(server): handle OIDC token exchange errors gracefully & fix debug log modal #7673

Status: Open. adambenhassen wants to merge 8 commits into main from adam/console-1794.

Conversation

adambenhassen (Collaborator) commented Feb 10, 2026

Background

OIDC token exchange errors (e.g. an expired Azure AD client secret) cause unhandled 500 responses instead of actionable user-facing messages.

Description

Catches OIDC sign-in errors and returns a GENERAL_ERROR with a user-safe message, classified by OAuth 2.0 error code (RFC 6749 §5.2), network failure type, or userinfo endpoint error. Full errors are still logged server-side.

This PR also fixes the broken debug modal not displaying the log area.

Closes CONSOLE-1794

gemini-code-assist bot (Contributor) commented

Summary of Changes

Hello @adambenhassen, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the robustness and user experience of OIDC authentication by transforming cryptic server errors into clear, actionable messages. Instead of generic 500 errors, users will now receive specific guidance when OIDC token exchanges fail, such as due to expired client secrets or network issues. This change improves diagnosability for administrators while maintaining security by preventing sensitive information leakage.

Highlights

  • Improved OIDC Error Handling: Implemented graceful error handling for OIDC token exchange failures, preventing unhandled 500 responses and providing more informative feedback to users.
  • User-Safe Error Messages: Introduced a new utility function, describeOIDCSignInError, to classify OIDC sign-in errors and generate user-friendly messages, avoiding the exposure of sensitive technical details.
  • Enhanced Logging: Ensured that full, detailed OIDC sign-in errors are still logged server-side for debugging purposes, even as user-facing messages are generalized.
  • Comprehensive Testing: Added a dedicated test file with extensive unit tests for the describeOIDCSignInError function, covering various OIDC and network error scenarios to ensure robust error classification.
Changelog
  • packages/services/server/src/supertokens.ts
    • Imported the new describeOIDCSignInError utility function.
    • Wrapped the thirdPartySignInUpPOST call in a try-catch block to intercept OIDC-related errors.
    • Implemented logic to log OIDC sign-in failures and return a GENERAL_ERROR status with a user-safe message generated by describeOIDCSignInError.
  • packages/services/server/src/supertokens/oidc-provider.test.ts
    • Added a new test file to provide comprehensive unit tests for the describeOIDCSignInError function.
    • Included tests for various OIDC error types (e.g., invalid_client, invalid_grant, unauthorized_client), network errors, and user info endpoint issues.
    • Verified that sensitive information is not leaked in the generated error messages.
  • packages/services/server/src/supertokens/oidc-provider.ts
    • Introduced the describeOIDCSignInError function, which classifies OIDC sign-in errors based on their message content.
    • Provided specific, user-friendly error descriptions for common OIDC issues (e.g., invalid client credentials, expired authorization codes, network failures, user info endpoint problems).
    • Ensured that the generated error messages are user-safe and do not expose internal system details.

github-actions bot (Contributor) commented Feb 10, 2026

🚀 Snapshot Release (alpha)

The latest changes of this PR are available as alpha on npm (based on the declared changesets):

Package: hive
Version: 9.4.1-alpha-20260212153140-7d8be2208c89ae1549e7d43820c3562311bdde34 (npm, unpkg)

gemini-code-assist bot (Contributor) left a review comment

Code Review

This pull request effectively addresses the issue of unhandled OIDC token exchange errors by introducing a try-catch block to gracefully handle them. The new describeOIDCSignInError function provides clear, user-safe error messages, and it is well-covered by a comprehensive set of unit tests. I have one suggestion to improve the readability of the error description logic, aligning with our guidelines to prioritize readability.

github-actions bot (Contributor) commented Feb 10, 2026

🐋 This PR was built and pushed to the following Docker images:

Targets: build

Platforms: linux/amd64

Image Tag: 7d8be2208c89ae1549e7d43820c3562311bdde34

github-actions bot (Contributor) commented Feb 10, 2026

💻 Website Preview

The latest changes are available as preview in: https://pr-7673.hive-landing-page.pages.dev

jdolle (Collaborator) left a review

These error messages are great. This is a major improvement.

I'd feel better if we had more defined error codes rather than relying on the error messages. Otherwise 🅰️

Minor: Where appropriate, we might also want to mention the OIDC Logs we expose in the settings. These often help people resolve issues with their OIDC provider/config.

Review thread on packages/services/server/src/supertokens/oidc-provider.ts:

export function describeOIDCSignInError(error: unknown): string {
  const message = error instanceof Error ? error.message : String(error);

  if (message.includes('invalid_client')) {
jdolle (Collaborator):

Generally I try to avoid matching on message text. Are there any other fields we can match on that have more guarantees than the message?

adambenhassen (Author):

Valid concern in general, but I've investigated the supertokens source and exchangeAuthCodeForOAuthTokens throws plain Error objects with this format: {"error":"invalid_client","error_description":"..."}

There are no structured fields (error.code, typed subclasses, etc.); everything is embedded in the message string. The OAuth2 error codes (invalid_client, invalid_grant, etc.) only exist inside the stringified response body within the message.

  }

  if (message.includes('Could not find OIDC integration')) {
    return 'The OIDC integration could not be found. It may have been removed or misconfigured. Please contact your organization administrator.';
jdolle (Collaborator):

Why contact the org admin instead of "review your OIDC integration settings here"?

n1ru4l (Contributor) commented Feb 12, 2026:

On a side note, we should also consider that this is end-user facing; people seeing this might not even have access to the OIDC settings. So I think it might be okay to say something like "please contact your organization admin about the OIDC configuration"?
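The classification the PR description sketches (OAuth 2.0 error code, network failure type, userinfo endpoint error) and the supertokens error format adambenhassen describes in the review thread, written out as an added example. This is not Hive's or supertokens' code. It assumes, as quoted in the thread, that the thrown Error's message embeds the token endpoint's JSON body; it further assumes that transport failures surface a Node-style `code` on the error or on its `cause`, and that the "Could not find OIDC integration" and userinfo failures are recognisable only by message text. It answers jdolle's concern by parsing the embedded JSON body and reading its `error` field instead of substring-matching, and returns a stable error code alongside the user-safe message. The sample errors in the lead-in's test are constructed.

```typescript
// Added example (not Hive's or supertokens' code). Classifies an OIDC sign-in
// failure into a stable error code plus a user-safe message, reading structured
// fields where they exist instead of substring-matching the message text.
//
// Assumption from the PR thread: supertokens' exchangeAuthCodeForOAuthTokens
// throws a plain Error whose message embeds the token endpoint's JSON body,
// e.g. '... {"error":"invalid_client","error_description":"..."}'. The `error`
// field of that body is the RFC 6749 section 5.2 code, so we parse it out.

export type OIDCSignInErrorCode =
  | 'OAUTH_INVALID_CLIENT' | 'OAUTH_INVALID_GRANT' | 'OAUTH_UNAUTHORIZED_CLIENT'
  | 'OAUTH_OTHER' | 'NETWORK' | 'USERINFO' | 'INTEGRATION_NOT_FOUND' | 'UNKNOWN';

export interface OIDCSignInErrorDescription {
  code: OIDCSignInErrorCode;
  message: string; // always one of MESSAGES below, never provider-supplied text
}

const ADMIN_HINT = ' Please contact your organization administrator about the OIDC configuration.';

const MESSAGES: Record<OIDCSignInErrorCode, string> = {
  OAUTH_INVALID_CLIENT:
    'The identity provider rejected the OIDC client credentials; the client ID or client secret may be wrong or expired.' + ADMIN_HINT,
  OAUTH_INVALID_GRANT:
    'The authorization code was rejected, most likely because it expired or was already used. Please try signing in again.',
  OAUTH_UNAUTHORIZED_CLIENT: 'The OIDC client is not authorized to use this sign-in flow.' + ADMIN_HINT,
  OAUTH_OTHER: 'The identity provider returned an error during the token exchange.' + ADMIN_HINT,
  NETWORK: 'The identity provider could not be reached. Please try again later.' + ADMIN_HINT,
  USERINFO: 'Signed in with the identity provider, but the user profile could not be retrieved.' + ADMIN_HINT,
  INTEGRATION_NOT_FOUND: 'The OIDC integration could not be found. It may have been removed or misconfigured.' + ADMIN_HINT,
  UNKNOWN: 'Sign-in with the identity provider failed.' + ADMIN_HINT,
};

// RFC 6749 section 5.2 token endpoint error codes.
const OAUTH_ERROR_CODES = new Set([
  'invalid_request', 'invalid_client', 'invalid_grant',
  'unauthorized_client', 'unsupported_grant_type', 'invalid_scope',
]);

// Node.js / undici system error codes meaning the provider was unreachable (assumed set).
const NETWORK_ERROR_CODES = new Set([
  'ECONNREFUSED', 'ECONNRESET', 'ENOTFOUND', 'ETIMEDOUT', 'EAI_AGAIN', 'UND_ERR_CONNECT_TIMEOUT',
]);

interface OAuthErrorBody { error: string; error_description?: string }

// Return the JSON object embedded in `message` if it carries an OAuth `error`
// field, otherwise null. Tolerates prefix text such as "Received response ... body".
export function extractOAuthErrorBody(message: string): OAuthErrorBody | null {
  const start = message.indexOf('{');
  const end = message.lastIndexOf('}');
  if (start === -1 || end <= start) return null;
  try {
    const body: unknown = JSON.parse(message.slice(start, end + 1));
    if (body !== null && typeof body === 'object' && typeof (body as OAuthErrorBody).error === 'string') {
      return body as OAuthErrorBody;
    }
  } catch {
    // not a JSON body
  }
  return null;
}

// Structured transport error code: `err.code`, or `err.cause.code` for Node's fetch.
function systemErrorCode(err: Error): string | undefined {
  const own = (err as { code?: unknown }).code;
  if (typeof own === 'string') return own;
  const cause = (err as { cause?: { code?: unknown } | null }).cause;
  const fromCause = cause == null ? undefined : cause.code;
  return typeof fromCause === 'string' ? fromCause : undefined;
}

export function describeOIDCSignInError(error: unknown): OIDCSignInErrorDescription {
  const err = error instanceof Error ? error : new Error(String(error));
  const describe = (code: OIDCSignInErrorCode): OIDCSignInErrorDescription =>
    ({ code, message: MESSAGES[code] });

  // 1. Transport failures carry a structured `code`; no text matching needed.
  const sysCode = systemErrorCode(err);
  if (sysCode !== undefined && NETWORK_ERROR_CODES.has(sysCode)) return describe('NETWORK');

  // 2. Token endpoint errors: use the `error` field of the embedded JSON body.
  const body = extractOAuthErrorBody(err.message);
  if (body !== null && OAUTH_ERROR_CODES.has(body.error)) {
    if (body.error === 'invalid_client') return describe('OAUTH_INVALID_CLIENT');
    if (body.error === 'invalid_grant') return describe('OAUTH_INVALID_GRANT');
    if (body.error === 'unauthorized_client') return describe('OAUTH_UNAUTHORIZED_CLIENT');
    return describe('OAUTH_OTHER');
  }

  // 3. Fallbacks that still match text, because these errors carry no structured
  //    field. Assumptions: the integration lookup throws the message quoted in the
  //    PR review; the userinfo fetch mentions 'userinfo' in its message.
  if (/could not find oidc integration/i.test(err.message)) return describe('INTEGRATION_NOT_FOUND');
  if (/userinfo/i.test(err.message)) return describe('USERINFO');

  return describe('UNKNOWN');
}
```

In the catch block around thirdPartySignInUpPOST that the PR adds, the full error is logged server-side and only `describeOIDCSignInError(e).message` goes into the GENERAL_ERROR response. Because every message is a constant from MESSAGES, the provider's `error_description` (which can carry application IDs, tenant names or hostnames) is never echoed to the browser, and the stable `code` gives the debug log and any client-side handling something more reliable than message text to key on.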

adambenhassen (Author) commented

Also fix the debug modal.

[Two screenshots of the debug modal, 2026-02-12 16:14]

adambenhassen force-pushed the adam/console-1794 branch 2 times, most recently from b506780 to c7f88cb (February 12, 2026 15:21)
adambenhassen changed the title from "fix(server): handle OIDC token exchange errors gracefully instead of returning 500" to "fix(server): handle OIDC token exchange errors gracefully & fix debug log modal" (Feb 12, 2026)
adambenhassen enabled auto-merge (squash) (February 12, 2026 15:23)
3 participants