
fix: resilient social sign in #3011

Merged
merged 3 commits into from Jan 10, 2023

Conversation

aeneasr
Member

@aeneasr aeneasr commented Jan 10, 2023

Related issue(s)

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change
    introduces a new feature.
  • I am following the
    contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got the approval (please contact
    security@ory.sh) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

Further Comments

CaptainStandby
CaptainStandby previously approved these changes Jan 10, 2023
Contributor

@CaptainStandby CaptainStandby left a comment


lgtm 👍

selfservice/strategy/oidc/provider_test.go (review thread, outdated and resolved)
@codecov

codecov bot commented Jan 10, 2023

Codecov Report

Merging #3011 (fc258f8) into master (b50a222) will increase coverage by 0.93%.
The diff coverage is 79.54%.

@@            Coverage Diff             @@
##           master    #3011      +/-   ##
==========================================
+ Coverage   76.58%   77.52%   +0.93%     
==========================================
  Files         308      310       +2     
  Lines       19229    19216      -13     
==========================================
+ Hits        14727    14897     +170     
+ Misses       3401     3181     -220     
- Partials     1101     1138      +37     
| Impacted Files | Coverage Δ |
| --- | --- |
| selfservice/strategy/oidc/strategy.go | 63.31% <0.00%> (-0.85%) ⬇️ |
| selfservice/strategy/oidc/provider_dingtalk.go | 31.52% <50.00%> (+31.52%) ⬆️ |
| selfservice/strategy/oidc/provider_vk.go | 73.91% <71.42%> (+73.91%) ⬆️ |
| selfservice/strategy/oidc/error.go | 75.00% <75.00%> (ø) |
| identity/credentials_oidc.go | 87.50% <100.00%> (+2.50%) ⬆️ |
| selfservice/strategy/oidc/provider.go | 100.00% <100.00%> (ø) |
| selfservice/strategy/oidc/provider_auth0.go | 71.87% <100.00%> (+8.38%) ⬆️ |
| selfservice/strategy/oidc/provider_facebook.go | 83.56% <100.00%> (+0.46%) ⬆️ |
| selfservice/strategy/oidc/provider_gitlab.go | 81.48% <100.00%> (+9.25%) ⬆️ |
| selfservice/strategy/oidc/provider_microsoft.go | 60.00% <100.00%> (+60.00%) ⬆️ |
| ... and 11 more | |


Member

@zepatrik zepatrik left a comment


Looks very reasonable, and much needed 😅

@@ -17,3 +25,17 @@ var (
ErrAPIFlowNotSupported = herodot.ErrBadRequest.WithError("API-based flows are not supported for this method").
WithReasonf("Social Sign In and OpenID Connect are only supported for flows initiated using the Browser endpoint.")
)

func logUpstreamError(l *logrusx.Logger, resp *http.Response) error {
if resp.StatusCode == http.StatusOK {
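Review bot: the name `logUpstreamError` reads as a pure logging helper, but the lines here show it gating on `resp.StatusCode == http.StatusOK` and returning an `error`, so a caller must know that a nil return means "status was 200, proceed". Add a doc comment on the function stating that it returns nil only for a 200 response and a wrapped `ErrInternalServerError` otherwise, or rename it to match what it does (e.g. `errUnlessOK`); the helper also dereferences `resp` unconditionally, so either document that callers guarantee a non-nil response or return early on nil.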
Member


Why not

Suggested change
if resp.StatusCode == http.StatusOK {
if resp.StatusCode / 100 == 2 {

in case the status code is some other 2XX?

Member Author


Good point. I also thought of doing 200 >= x < 300 but decided against it. As far as I could tell from my research, all userinfo endpoints will return 200. One exception might be a 3xx redirect, however that should be handled by the roundtripper. One problem with accepting all 200 is that we also accept 204 (no content) which would bring back the issue of an empty response body. 204 might be emitted when the service is having a disruption or something. So I think it makes sense to explicitly test for 200. For any service that doesn't return 200 but instead idk 201 (doesn't make sense though imo), we could adjust the logic. WDYT?

selfservice/strategy/oidc/error.go (review thread, outdated and resolved)
}

l.WithField("response_code", resp.StatusCode).WithField("response_body", string(body)).Error("The upstream OIDC provider returned a non 200 status code.")
return errors.WithStack(herodot.ErrInternalServerError.WithReasonf("OpenID Connect provider returned a %d status code but 200 is expected.", resp.StatusCode))
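Review bot: `l.WithField("response_body", string(body))` writes the complete upstream response into the error log on every upstream failure; for a userinfo endpoint that body normally carries PII and, depending on the provider, may carry tokens, and a disrupted provider can return a large HTML error page. Cap the logged fragment (a few hundred bytes is enough to diagnose a disrupted provider) and consider `Warn` rather than `Error`, since the failure is also returned to the caller as `ErrInternalServerError`. Minor: the log text says "non 200 status code" while the returned reason says "%d status code but 200 is expected"; write "non-200" in the log so the two messages use the same wording.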
Member


Suggested change
return errors.WithStack(herodot.ErrInternalServerError.WithReasonf("OpenID Connect provider returned a %d status code but 200 is expected.", resp.StatusCode))
return errors.WithStack(herodot.ErrInternalServerError.WithReasonf("OpenID Connect provider returned a %d status code but 2XX is expected.", resp.StatusCode))
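A hardened userinfo-handling routine in the spirit of the review thread above, added here as an example and not code from kratos or this PR: it enforces the strict 200 check aeneasr argues for (so a 204 with an empty body is refused even though it is 2xx), caps how much of the upstream body is read and echoed into diagnostics, and treats an empty, null or non-JSON body as an upstream error. `decodeUserInfo`, `UpstreamError`, `newResponse` and the two size caps are assumed names, not kratos APIs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Caps are assumptions for this example: bound what is read from upstream and what is echoed into logs.
const maxUserInfoBody, maxLoggedBody = 1 << 20, 256
// UpstreamError reports a userinfo response that cannot be used: wrong status, empty or non-JSON body.
type UpstreamError struct {
	StatusCode int
	Snippet    string // truncated body for diagnostics, never the full payload
}

func (e *UpstreamError) Error() string {
	return fmt.Sprintf("upstream OIDC provider returned %d (200 expected); body: %q", e.StatusCode, e.Snippet)
}

// truncate bounds the body fragment that ends up in logs and error messages.
func truncate(b []byte, n int) string {
	if len(b) <= n {
		return string(b)
	}
	return string(b[:n]) + "..."
}

// decodeUserInfo accepts only 200 (a 204 would pass a 2xx check with an empty body), reads the
// body with a size cap, and rejects empty, JSON-null or non-JSON bodies instead of returning empty claims.
func decodeUserInfo(resp *http.Response) (map[string]any, error) {
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, maxUserInfoBody))
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if resp.StatusCode != http.StatusOK || len(strings.TrimSpace(string(body))) == 0 ||
		json.Unmarshal(body, &claims) != nil || claims == nil {
		return nil, &UpstreamError{StatusCode: resp.StatusCode, Snippet: truncate(body, maxLoggedBody)}
	}
	return claims, nil
}

// newResponse builds a constructed *http.Response so the example runs offline.
func newResponse(status int, body string) *http.Response {
	return &http.Response{StatusCode: status, Body: io.NopCloser(strings.NewReader(body))}
}
```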

@aeneasr aeneasr merged commit ca35b45 into master Jan 10, 2023
@aeneasr aeneasr deleted the fix-status-codes branch January 10, 2023 16:14
CNLHC pushed a commit to seekthought/kratos that referenced this pull request May 16, 2023
peturgeorgievv pushed a commit to senteca/kratos-fork that referenced this pull request Jun 30, 2023