ForestAdmin · matthv · Feb 27, 2025 · Feb 27, 2025 · Feb 27, 2025
diff --git a/Gemfile b/Gemfile
@@ -5,9 +5,9 @@ gemspec
 group :development, :tests do
   gem "overcommit", "~> 0.60"
   gem "rspec", "~> 3.0"
-  gem "rubocop"
-  gem "rubocop-performance"
-  gem "rubocop-rspec"
+  gem "rubocop", "1.72.2"
+  gem "rubocop-performance", "1.24.0"
+  gem "rubocop-rspec", "3.5.0"
   gem 'simplecov', "~> 0.22", require: false
   gem 'simplecov_json_formatter', "~> 0.1.4"
 end
diff --git a/packages/forest_admin_agent/lib/forest_admin_agent/auth/oauth2/forest_provider.rb b/packages/forest_admin_agent/lib/forest_admin_agent/auth/oauth2/forest_provider.rb
@@ -47,6 +47,9 @@ def check_response
             raise OpenIDConnect::BadRequest.new('API Access Failed', response)
           when 401
             raise OpenIDConnect::Unauthorized.new(Utils::ErrorMessages::AUTHORIZATION_FAILED, response)
+          when 403
+            error = response.body['errors'].first
+            raise OpenIDConnect::Forbidden.new(error['name'], error['detail'])
           when 404
             raise OpenIDConnect::HttpError.new(response.status, Utils::ErrorMessages::SECRET_NOT_FOUND, response)
           when 422

diff --git a/...orest_admin_agent/lib/forest_admin_agent/http/Exceptions/authentication_open_id_client.rb b/...orest_admin_agent/lib/forest_admin_agent/http/Exceptions/authentication_open_id_client.rb
@@ -2,13 +2,10 @@ module ForestAdminAgent
   module Http
     module Exceptions
       class AuthenticationOpenIdClient < HttpException
-        attr_reader :error, :message, :state
-
-        def initialize(error, error_description, state)
-          super(error, 401, error_description)
-          @error = error
-          @message = error_description
-          @state = state
+        def initialize(status = 401,
+                       message = 'Authentication failed with OpenID Client',
+                       name = 'AuthenticationOpenIdClient')
+          super
         end
       end
     end

diff --git a/packages/forest_admin_agent/lib/forest_admin_agent/routes/security/authentication.rb b/packages/forest_admin_agent/lib/forest_admin_agent/routes/security/authentication.rb
@@ -42,8 +42,9 @@ def handle_authentication(args = {})
 
         def handle_authentication_callback(args = {})
           if args[:params].key?(:error)
-            raise AuthenticationOpenIdClient.new(args[:params][:error], args[:params][:error_description],
-                                                 args[:params][:state])
+            raise AuthenticationOpenIdClient.new(args[:params][:state],
+                                                 args[:params][:error],
+                                                 args[:params][:error_description])
           end
 
           if args.dig(:headers, 'action_dispatch.remote_ip')

diff --git a/packages/forest_admin_rails/app/controllers/forest_admin_rails/forest_controller.rb b/packages/forest_admin_rails/app/controllers/forest_admin_rails/forest_controller.rb
@@ -38,11 +38,12 @@ def forest_response(data = {})
     end
 
     def exception_handler(exception)
-      if exception.is_a? ForestAdminAgent::Http::Exceptions::AuthenticationOpenIdClient
+      if exception.is_a?(ForestAdminAgent::Http::Exceptions::AuthenticationOpenIdClient) ||
+         exception.is_a?(OpenIDConnect::Exception)
         data = {
-          error: exception.error,
-          error_description: exception.error_description,
-          state: exception.state
+          error: exception.message,
+          error_description: exception.response,
+          state: exception.status
         }
       else
         data = {