RemoteAuth: support more diverse auth failures

Bug #1936422 reported by Jeff Davis
Affects: Evergreen
Status: New
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none)

Bug Description

With RemoteAuth, you can prevent users from authenticating if they lack a certain permission or have certain types of standing penalties. However, these authentication failures are not distinguished from other types of failures: a user without the required perm is treated as not found, and a user with penalties is treated as blocked. There ought to be distinct error handling for these auth failures, so that (for example) you can explain to community borrowers that access is restricted to students and faculty instead of telling them their account doesn't exist, or tell them to check with the circ desk about overdue fines instead of simply saying they're blocked.
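The distinction the report asks for, sketched as an added Python example. This is not Evergreen code (Evergreen's RemoteAuth is implemented in Perl); it only models the two behaviours the description contrasts. The patron directory, the permission name REMOTEAUTH_LOGIN and the set of blocking penalties are constructed for illustration; PATRON_EXCEEDS_FINES is used as a sample penalty name.

```python
"""Illustrative model of RemoteAuth failure codes (not Evergreen's code)."""
from dataclasses import dataclass, field

# Outcome codes. NOT_FOUND, BLOCKED and OK mirror the behaviour the report
# describes; NOT_PERMITTED and HAS_PENALTIES are the distinct codes it asks for.
OK = "OK"
NOT_FOUND = "NOT_FOUND"
BLOCKED = "BLOCKED"
NOT_PERMITTED = "NOT_PERMITTED"
HAS_PENALTIES = "HAS_PENALTIES"


@dataclass
class Patron:
    """Constructed stand-in for an ILS patron record."""
    username: str
    perms: set = field(default_factory=set)
    penalties: set = field(default_factory=set)


# Constructed sample directory standing in for the ILS user lookup.
# REMOTEAUTH_LOGIN is a hypothetical permission name.
PATRONS = {
    "alice": Patron("alice", perms={"REMOTEAUTH_LOGIN"}),
    "bob": Patron("bob"),  # community borrower: lacks the remote-auth perm
    "carol": Patron("carol", perms={"REMOTEAUTH_LOGIN"},
                    penalties={"PATRON_EXCEEDS_FINES"}),
}

REQUIRED_PERM = "REMOTEAUTH_LOGIN"
BLOCKING_PENALTIES = {"PATRON_EXCEEDS_FINES"}  # sample blocking penalty set


def authenticate_collapsed(username, required_perm=REQUIRED_PERM,
                           blocking_penalties=BLOCKING_PENALTIES):
    """Behaviour the report complains about: a missing permission is folded
    into NOT_FOUND and a blocking penalty into BLOCKED, so the caller cannot
    tell the user why access was refused."""
    patron = PATRONS.get(username)
    if patron is None or required_perm not in patron.perms:
        return NOT_FOUND
    if patron.penalties & blocking_penalties:
        return BLOCKED
    return OK


def authenticate_distinct(username, required_perm=REQUIRED_PERM,
                          blocking_penalties=BLOCKING_PENALTIES):
    """Proposed behaviour: each reason for refusal gets its own code. The
    checks run in the same order as before; only the reporting changes."""
    patron = PATRONS.get(username)
    if patron is None:
        return NOT_FOUND
    if required_perm not in patron.perms:
        return NOT_PERMITTED
    if patron.penalties & blocking_penalties:
        return HAS_PENALTIES
    return OK


# User-facing wording the distinct codes make possible (sample text).
MESSAGES = {
    OK: "Access granted.",
    NOT_FOUND: "No account with that username was found.",
    NOT_PERMITTED: "Remote access is restricted to students and faculty.",
    HAS_PENALTIES: "Your account has a block; please check with the circulation desk.",
    BLOCKED: "Your account is blocked.",
}


def message_for(code):
    """Map an outcome code to the message shown to the user."""
    return MESSAGES[code]


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "erin"):
        old = authenticate_collapsed(name)
        new = authenticate_distinct(name)
        print(f"{name:6} collapsed={old:10} distinct={new:14} -> {message_for(new)}")
```

Running the block shows the same three refusals twice: under the collapsed scheme bob (no permission) and erin (no account) both come back as NOT_FOUND and carol's fines come back as BLOCKED, while the distinct scheme separates them so the message can match the actual cause.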

Changed in evergreen:
importance: Undecided → Wishlist
tags: added: authentication
Jeff Davis (jdavis-sitka) wrote:

Working branch user/jeffdavis/lp1936422-remoteauth-more-error-codes has a first pass at handling "not permitted" and "has penalties" failures separately, but I need to do some testing before adding a pull request.
