Description
OAuth error messages reveal internal implementation details that help attackers diagnose configuration issues or enumerate valid configurations.
Location

```go
// auth/handler.go
func (h *OIDCHandler) CallbackHandler(w http.ResponseWriter, r *http.Request) {
	// ...
	// error from the authorization-code / token exchange with the provider
	if err != nil {
		http.Error(w, "failed to exchange token", http.StatusInternalServerError)
		return
	}
	// error from ID token verification
	if err != nil {
		http.Error(w, "failed to verify id token", http.StatusUnauthorized)
		return
	}
	// ...
}
```

Similar issues in:

- "failed to get user info"
- "failed to resolve user"
- "failed to list memberships"
- "user has no tenant memberships"
Risk
- Information disclosure: Reveals OIDC provider type, database structure, membership system
- User enumeration: "user has no tenant memberships" vs "unauthorized" reveals user existence
- Configuration probing: Different errors for different OIDC misconfigurations help attackers
Recommended Fix
Use generic error messages externally, log detailed errors internally:
```go
func (h *OIDCHandler) CallbackHandler(w http.ResponseWriter, r *http.Request) {
	// ...
	if err != nil {
		// full cause stays server-side, keyed by request ID for correlation
		slog.Error("oauth token exchange failed", "error", err, "request_id", requestID)
		// the client only ever sees the generic message
		http.Error(w, "authentication failed", http.StatusInternalServerError)
		return
	}
	// ...
}
```

For user enumeration:

```go
// Don't reveal whether the user exists or has memberships
if len(memberships) == 0 {
	slog.Warn("user has no tenant memberships", "user_id", userRef.UserID)
	http.Error(w, "authentication failed", http.StatusForbidden)
	return
}
```

Impact
- Severity: Low-Medium
- Likelihood: High (errors are visible to all users)
- Affected: All OAuth error paths
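The pattern from Recommended Fix, written out as one reusable helper. This is an added example, not code from the project: the error variables, `authFailureResponse`, `writeAuthFailure` and the request ID `req-0001` are constructed for illustration. It goes one step beyond the fix above in that every principal-rejection path (unknown user, no memberships, bad ID token) shares a single status code as well as a single message, because a differing status code distinguishes cases just as a differing message does.

```go
package main

import (
	"errors"
	"fmt"
	"log/slog"
	"net/http"
	"net/http/httptest"
	"os"
)

// Internal failure classes for the OIDC callback (constructed for this example).
var (
	ErrTokenExchange = errors.New("oauth token exchange failed")
	ErrIDTokenVerify = errors.New("id token verification failed")
	ErrUserInfo      = errors.New("userinfo request failed")
	ErrUnknownUser   = errors.New("user not found")
	ErrNoMemberships = errors.New("user has no tenant memberships")
)

// externalMsg is the only text any of these failures ever sends to the client.
const externalMsg = "authentication failed"

// authFailureResponse maps an internal cause to the client-visible status and
// message. The message is constant; the status only separates "an upstream
// dependency failed" (5xx) from "this principal is rejected" (403). All
// principal-rejection paths share one status, so an unknown user and a known
// user without memberships are indistinguishable to the caller.
func authFailureResponse(cause error) (int, string) {
	switch {
	case errors.Is(cause, ErrTokenExchange), errors.Is(cause, ErrUserInfo):
		return http.StatusInternalServerError, externalMsg
	default:
		return http.StatusForbidden, externalMsg
	}
}

// writeAuthFailure records the detailed cause server-side, keyed by request ID
// so an operator can match a user report to the log line, then emits the
// generic response.
func writeAuthFailure(w http.ResponseWriter, log *slog.Logger, requestID string, cause error) {
	log.Error("oidc callback failed", "error", cause, "request_id", requestID)
	status, msg := authFailureResponse(cause)
	http.Error(w, msg, status)
}

func main() {
	log := slog.New(slog.NewJSONHandler(os.Stderr, nil))
	for _, cause := range []error{ErrTokenExchange, ErrUnknownUser, ErrNoMemberships} {
		rec := httptest.NewRecorder()
		writeAuthFailure(rec, log, "req-0001", cause) // constructed request ID
		fmt.Printf("client sees: %d %s", rec.Code, rec.Body.String())
	}
}
```

Running it shows the detailed cause only on stderr (the log), while every client response body is the same generic line.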