fix(coderd): render HTML error page for OIDC email validation failures#23059
Replace raw JSON httpapi.Write responses with site.RenderStaticErrorPage for three OIDC authentication error cases:
- Email address not from an authorized domain
- Malformed email (missing @ when domain restrictions are configured)
- Email address not verified by the OIDC provider

These errors occur during browser redirect flows, so users previously saw ugly JSON in their browser. Now they see the same styled static error page used by group allow-list and signups-disabled errors, with a 'Back to login' action button.
```go
// TestOIDCErrorPageRendering verifies that OIDC authentication errors
// (unauthorized email domain, unverified email) render a user-friendly
// HTML error page instead of raw JSON.
func TestOIDCErrorPageRendering(t *testing.T) {
```
Let's roll these checks into the existing tests instead.
Done — removed TestOIDCErrorPageRendering and rolled the stronger assertions (doctype check, "Back to login" link, no JSON markers) into the existing TestUserOIDC table-driven callbacks and TestOIDCDomainErrorMessage subtests.
Remove standalone TestOIDCErrorPageRendering and roll its checks (doctype, Back to login, no JSON markers) into the existing TestUserOIDC and TestOIDCDomainErrorMessage assertions.
Pull request overview
This PR improves the OIDC browser login experience by rendering the existing styled static HTML error page (instead of raw JSON) when email validation fails during the redirect/callback flow.
Changes:
- Switch OIDC email-domain and `email_verified=false` failures from `httpapi.Write` JSON responses to `site.RenderStaticErrorPage` (HTTP 403, hidden status, “Back to login” action).
- Update existing OIDC tests to assert HTML Content-Type and key page text for these error cases.
- Add a new focused test (`TestOIDCErrorPageRendering`) covering the main OIDC error scenarios and ensuring JSON markers aren’t present.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| coderd/userauth.go | Render static HTML error pages for OIDC email verification/domain failures. |
| coderd/userauth_test.go | Update/add tests to verify HTML error rendering and content. |
Copilot review noted a malformed logging statement. Updated to emit email as apparently intended. Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Summary
When the email address returned from an OIDC provider doesn't match the configured allowed domain list (or isn't verified), users previously saw raw JSON dumped directly in the browser — an ugly and confusing experience during a browser-redirect flow.
This PR replaces those JSON responses with the same styled static HTML error page already used for group allow-list errors, signups-disabled, and wrong-login-type errors.
Changes
`coderd/userauth.go`
- Replaced 3 `httpapi.Write` calls in `userOIDC` with `site.RenderStaticErrorPage`:
  - …@) with domain restrictions
  - `email_verified` is `false`
- All render HTTP 403 with `HideStatus: true` and a "Back to login" action button.

`coderd/userauth_test.go`
- `AssertResponse` callbacks on existing table-driven tests (`EmailNotVerified`, `NotInRequiredEmailDomain`, `EmailDomainForbiddenWithLeadingAt`) to verify HTML Content-Type and page content.
- `TestOIDCDomainErrorMessage` to additionally assert HTML rendering.
- `TestOIDCErrorPageRendering` with 3 subtests covering all error scenarios, verifying: HTML doctype, expected title/description, "Back to login" link, and absence of JSON markers.
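The pattern this PR describes, as an added stand-alone Go example that is not code from the PR or from the coder code base: a callback handler that classifies the three email rejection cases (unverified, malformed when domain restrictions exist, domain not allowed) and answers a browser redirect with a 403 HTML page carrying a "Back to login" link rather than a JSON body. The names `checkOIDCEmail`, `renderStaticErrorPage` and `oidcCallback`, the template, and the use of query parameters as a stand-in for provider claims are all assumptions made for this example; `site.RenderStaticErrorPage` and `HideStatus` are only referenced, not reproduced.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"strings"
)

// oidcEmailError describes why an OIDC email claim was rejected (hypothetical type).
type oidcEmailError struct {
	Title       string
	Description string
}

// checkOIDCEmail reproduces the three rejection cases from the PR description:
// the provider reports the email as unverified; the email has no "@" while a
// domain allow-list is configured; or the domain is not in the allow-list.
// An empty allowedDomains means no restriction. Returns nil when accepted.
func checkOIDCEmail(email string, verified bool, allowedDomains []string) *oidcEmailError {
	if !verified {
		return &oidcEmailError{"Email not verified", "Your OIDC provider reports this email address as unverified."}
	}
	if len(allowedDomains) == 0 {
		return nil
	}
	at := strings.LastIndex(email, "@")
	if at < 0 || at == len(email)-1 {
		return &oidcEmailError{"Malformed email", "The email address returned by your OIDC provider is not valid."}
	}
	domain := strings.ToLower(email[at+1:])
	for _, d := range allowedDomains {
		// Accept allow-list entries written either as "example.com" or "@example.com".
		if strings.EqualFold(strings.TrimPrefix(d, "@"), domain) {
			return nil
		}
	}
	return &oidcEmailError{"Unauthorized email domain", fmt.Sprintf("Email addresses with the domain %q are not authorized to log in.", domain)}
}

// errorPage is a constructed stand-in for the site's styled static error page.
// html/template escapes the title and description, so provider-controlled
// strings cannot inject markup into the page.
var errorPage = template.Must(template.New("err").Parse(`<!DOCTYPE html>
<html><head><title>{{.Title}}</title></head>
<body><h1>{{.Title}}</h1><p>{{.Description}}</p>
<a href="/login">Back to login</a></body></html>`))

// renderStaticErrorPage writes a 403 HTML page with a "Back to login" link.
// It plays the role of site.RenderStaticErrorPage here; the status code is
// deliberately not echoed in the body (the PR's HideStatus: true).
func renderStaticErrorPage(w http.ResponseWriter, e *oidcEmailError) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.WriteHeader(http.StatusForbidden)
	_ = errorPage.Execute(w, e)
}

// oidcCallback is a minimal handler for the browser redirect leg. The email
// claims are read from query parameters purely as a constructed stand-in for
// the ID token claims a real provider would return.
func oidcCallback(allowedDomains []string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		email := r.URL.Query().Get("email")
		verified := r.URL.Query().Get("email_verified") == "true"
		if e := checkOIDCEmail(email, verified, allowedDomains); e != nil {
			// A browser is on the other end, so render HTML, not JSON.
			renderStaticErrorPage(w, e)
			return
		}
		w.WriteHeader(http.StatusOK)
		fmt.Fprintf(w, "logged in as %s", email)
	}
}

func main() {
	allowed := []string{"example.com"}
	// Constructed sample claims covering the accepted case and all three rejections.
	for _, c := range []struct {
		email    string
		verified bool
	}{{"alice@example.com", true}, {"alice@example.com", false}, {"alice", true}, {"mallory@evil.test", true}} {
		if e := checkOIDCEmail(c.email, c.verified, allowed); e != nil {
			fmt.Printf("%-22s verified=%-5v -> 403 %s\n", c.email, c.verified, e.Title)
		} else {
			fmt.Printf("%-22s verified=%-5v -> ok\n", c.email, c.verified)
		}
	}
}
```

The handler is exercised with `net/http/httptest` in a test: a rejected email yields a 403 whose body begins with the HTML doctype, carries the "Back to login" link, is served as `text/html`, and contains no JSON markers, which is the same set of assertions the PR rolled into the existing table-driven tests.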