Mock OAuth Server v0.0.5 Test Results
Date: October 26, 2025
Mock OAuth Server Version: 0.0.5 (commit: 335c556, build: 2025-10-26T21:53:23Z)
Image Digest: sha256:4ff5a7b52afd673d771a4cf90d75bc28633ce7c449857c5dea4f65a0301eae4b
Summary
Retested all previously skipped OAuth error scenario tests with the updated mock OAuth server v0.0.5. Unfortunately, all error scenario tests still fail with the same issue: the mock server continues to auto-approve authentication requests even when error scenarios are configured.
Test Results
✅ Tests Passing (7 tests)
Basic OAuth Flow:
- ✅ should complete OAuth flow with mock server
- ✅ should receive session cookie after authentication
- ✅ should show user information on dashboard
- ✅ should be able to logout
- ✅ should redirect to dashboard after login
- ✅ Basic Page Navigation: should load home page
- ✅ Basic Page Navigation: should have navigation links on home page
⏭️ Tests Still Skipped (10 tests - ALL STILL FAILING)
OAuth Error Scenarios (10 tests):
| Test | Status | Issue |
|---|---|---|
| should redirect to login when accessing dashboard without authentication | ❌ FAILS | Auto-approves despite error scenario |
| should handle OAuth access denied error | ❌ FAILS | Auth succeeds instead of returning error |
| should handle unauthorized client error | ❌ FAILS | Auth succeeds instead of returning error |
| should handle invalid scope error | ❌ FAILS | Auth succeeds instead of returning error |
| should handle server error from OAuth provider | ❌ FAILS | Auth succeeds instead of returning error |
| should handle temporarily unavailable error | ❌ FAILS | Auth succeeds instead of returning error |
| should handle invalid request error | ❌ FAILS | Auth succeeds instead of returning error |
| should handle unsupported response type error | ❌ FAILS | Auth succeeds instead of returning error |
| should handle token endpoint error | ❌ FAILS | Token exchange succeeds, user gets authenticated |
| should recover from error scenario when disabled | ❌ FAILS | Depends on error scenarios working |
Comparison with Previous Version
v0.0.4 (October 25, 2025)
- 10 tests passing (7 basic + 3 error scenarios)
- 7 tests skipped (6 error scenarios + 1 recovery test)
- Error scenarios working: `access_denied`, `server_error`, token endpoint errors
v0.0.5 (October 26, 2025) - REGRESSION
- 7 tests passing (only basic flow tests)
- 10 tests skipped (all error scenarios + recovery test)
- Error scenarios working: NONE ❌
Result: v0.0.5 is a regression - it lost support for the 3 error scenarios that were working in v0.0.4!
Server Behavior Analysis
What the Server Receives
Looking at the logs, the server IS receiving the error scenario configuration:
[WebServer] Received config request: {ErrorScenario:0xc00002a280}
[WebServer] Received config request: {ErrorScenario:0xc0000b0340}
What the Server Does
Despite receiving the error configuration, the server continues to:
- Return successful authorization codes: `?code=fd95a170-e39b-40e2-b2d0-4afa3e29d919`
- Allow token exchange to succeed
- Create authenticated sessions (session cookies are set)
Expected Behavior
When error_scenario.enabled=true with error='access_denied', the server should:
- Return an error redirect: `?error=access_denied&error_description=...`
- NOT issue an authorization code
- NOT allow authentication to succeed
Root Cause
The mock OAuth server v0.0.5 is:
- ✅ Accepting the `/config` endpoint requests
- ✅ Parsing the `error_scenario` configuration
- ❌ NOT using the configuration to modify authorization behavior
- ❌ Still auto-approving all requests regardless of error scenario settings
Recommendations
For Mock OAuth Server Development
The v0.0.5 update appears to have broken the partial error scenario support that was working in v0.0.4. Recommendations:
- Revert to v0.0.4 or investigate what changed between v0.0.4 and v0.0.5
- Add unit tests in the mock OAuth server repository to prevent regressions
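- Implement proper error handling at the `/authorize` endpoint:

```go
// Requires "fmt", "net/http" and "net/url".
if errorScenario.Enabled {
	// Return error redirect; values are query-escaped so a description
	// containing spaces or '&' cannot corrupt the redirect URL.
	redirectURL := fmt.Sprintf("%s?error=%s&error_description=%s&state=%s",
		redirectURI,
		url.QueryEscape(errorScenario.Error),
		url.QueryEscape(errorScenario.ErrorDescription),
		url.QueryEscape(state))
	http.Redirect(w, r, redirectURL, http.StatusFound)
	return
}
// Normal flow...
```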
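A regression check of the kind recommended above, written as an added example and not taken from the mock OAuth server's code. The `ErrorScenario` field names, `authorizeHandler`, `authorizeRedirect`, the callback URL and the issued code value are assumptions constructed for illustration. It drives a handler once with the scenario enabled and once disabled, so a build that parses the config but never consults it is caught.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// ErrorScenario mirrors the error_scenario config in the report (field names assumed).
type ErrorScenario struct {
	Enabled                 bool
	Error, ErrorDescription string
}

// authorizeHandler is a hypothetical /authorize handler that consults the scenario.
func authorizeHandler(sc *ErrorScenario) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		dest, err := url.Parse(r.URL.Query().Get("redirect_uri"))
		if err != nil || !dest.IsAbs() {
			http.Error(w, "invalid redirect_uri", http.StatusBadRequest)
			return
		}
		out := dest.Query()
		out.Set("state", r.URL.Query().Get("state"))
		if sc.Enabled {
			// Error path: no authorization code may appear in the redirect.
			out.Set("error", sc.Error)
			out.Set("error_description", sc.ErrorDescription)
		} else {
			out.Set("code", "constructed-test-code") // constructed placeholder value
		}
		dest.RawQuery = out.Encode()
		http.Redirect(w, r, dest.String(), http.StatusFound)
	}
}

// authorizeRedirect sends one constructed request and returns the redirect's query.
func authorizeRedirect(sc *ErrorScenario) url.Values {
	req := httptest.NewRequest("GET", "/authorize?client_id=test&state=xyz&redirect_uri="+url.QueryEscape("http://localhost:3000/callback"), nil)
	rec := httptest.NewRecorder()
	authorizeHandler(sc)(rec, req)
	loc, _ := url.Parse(rec.Header().Get("Location"))
	return loc.Query()
}

func main() {
	on := &ErrorScenario{Enabled: true, Error: "access_denied", ErrorDescription: "User denied access"}
	fmt.Println(authorizeRedirect(on).Encode(), "|", authorizeRedirect(&ErrorScenario{}).Encode())
}
```
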
Version History
| Version | Date | Error Scenarios Working | Notes |
|---|---|---|---|
| v0.0.4 | Oct 25, 2025 | 3 scenarios | access_denied, server_error, token errors ✅ |
| v0.0.5 | Oct 26, 2025 | 0 scenarios | REGRESSION - all scenarios broken ❌ |