fix: Display error when a user connected with OIDC token from another… (#4646)

shepilov · web-flow · commit 951d332b27c2 · 2026-02-04T14:08:13.000+01:00
### Improve OIDC error message when user has an active session for different account When users try to login to one Twake instance while having an active OIDC session for a different instance, they now see a helpful message, "To connect to X, please disconnect first from Y" instead of the generic "The authentication has failed". This helps users understand why login failed and what action to take. <img width="785" height="178" alt="image" src="https://github.com/user-attachments/assets/a633bfc8-d17a-4c9b-b294-bf4a9fbe9945" />
diff --git a/assets/locales/en.po b/assets/locales/en.po
@@ -482,6 +482,12 @@ msgstr "The authentication has failed"
 msgid "the FranceConnect authentication has failed"
 msgstr "The FranceConnect authentication has failed"
 
+msgid "OIDC Domain Mismatch %s %s"
+msgstr "To connect to %s, please disconnect first from %s"
+
+msgid "Disconnect"
+msgstr "Disconnect"
+
 msgid "Instance Blocked Login"
 msgstr "The Twake was blocked because of too many login attempts"
 
diff --git a/assets/locales/fr.po b/assets/locales/fr.po
@@ -550,6 +550,12 @@ msgstr "L'authentification n'a pu aboutir"
 msgid "the FranceConnect authentication has failed"
 msgstr "Le compte FranceConnect utilisé ne correspond pas à votre compte Twake."
 
+msgid "OIDC Domain Mismatch %s %s"
+msgstr "Pour vous connecter à %s, veuillez d'abord vous déconnecter de %s"
+
+msgid "Disconnect"
+msgstr "Déconnexion"
+
 msgid "Instance Blocked Login"
 msgstr "Le Twake a été bloqué à cause de trop nombreux essais de connexion"
 
diff --git a/assets/locales/ru.po b/assets/locales/ru.po
@@ -533,6 +533,12 @@ msgstr "Аутентификация не удалась"
 msgid "the FranceConnect authentication has failed"
 msgstr "Используемый аккаунт FranceConnect не соответствует вашему аккаунту Twake."
 
+msgid "OIDC Domain Mismatch %s %s"
+msgstr "Чтобы подключиться к %s, сначала отключитесь от %s"
+
+msgid "Disconnect"
+msgstr "Отключиться"
+
 msgid "Instance Blocked Login"
 msgstr "Twake был заблокирован из-за слишком многих попыток входа"
 
diff --git a/assets/locales/vi.po b/assets/locales/vi.po
@@ -484,6 +484,12 @@ msgstr "Xác thực không thành công"
 msgid "the FranceConnect authentication has failed"
 msgstr "Xác thực bằng FranceConnect không thành công"
 
+msgid "OIDC Domain Mismatch %s %s"
+msgstr "Để kết nối với %s, vui lòng đăng xuất khỏi %s trước"
+
+msgid "Disconnect"
+msgstr "Ngắt kết nối"
+
 msgid "Instance Blocked Login"
 msgstr "Twake đã bị khóa do có quá nhiều lần đăng nhập không thành công"
 
diff --git a/assets/templates/error.html b/assets/templates/error.html
@@ -28,7 +28,12 @@
         {{if .Illustration}}<img src="{{asset .Domain .Illustration}}" alt="" class="illustration mb-3" />{{end}}
         <h1 class="h4 h2-md mb-3 text-center">{{if .ErrorTitle}}{{t .ErrorTitle}}{{else}}{{t "Error Title"}}{{end}}</h1>
         <div class="mb-2 mb-md-3">
-          {{$err := t .Error}}
+          {{$err := ""}}
+          {{if .ErrorArgs}}
+            {{$err = tArgs .Error .ErrorArgs}}
+          {{else}}
+            {{$err = t .Error}}
+          {{end}}
           {{$arr := split $err "\n"}}
           {{range $i, $p := $arr}}
             {{if ne $p ""}}<p class="text-center mb-2">{{$p}}</p>{{end}}
diff --git a/web/oidc/oidc.go b/web/oidc/oidc.go
@@ -43,6 +43,27 @@ var (
 	ErrIdentityProvider     = errors.New("error from the identity provider")
 )
 
+// DomainMismatchError is returned when the user tries to connect to an
+// instance but has an active OIDC session for a different instance.
+type DomainMismatchError struct {
+	ExpectedDomain string // The instance the user is trying to access
+	ActualDomain   string // The instance from the OIDC token
+}
+
+// TranslationKey returns the i18n key for translating this error.
+func (e *DomainMismatchError) TranslationKey() string {
+	return "OIDC Domain Mismatch %s %s"
+}
+
+// TranslationArgs returns the arguments for the translation.
+func (e *DomainMismatchError) TranslationArgs() []interface{} {
+	return []interface{}{e.ExpectedDomain, e.ActualDomain}
+}
+
+func (e *DomainMismatchError) Error() string {
+	return fmt.Sprintf("OIDC Domain Mismatch %s %s", e.ExpectedDomain, e.ActualDomain)
+}
+
 // extractSessionID extracts the session ID (sid) from an id_token.
 func extractSessionID(idToken string) string {
 	if idToken == "" {
@@ -367,7 +388,18 @@ func Login(c echo.Context) error {
 		}
 
 		if err := checkDomainFromUserInfo(conf, inst, token); err != nil {
-			return renderError(c, inst, http.StatusBadRequest, err.Error())
+			extras := map[string]interface{}{}
+			errMsg := err.Error()
+			var dmErr *DomainMismatchError
+			if errors.As(err, &dmErr) {
+				extras["ErrorArgs"] = dmErr.TranslationArgs()
+				errMsg = dmErr.TranslationKey()
+				if logoutURL := getOIDCLogoutURL(inst.ContextName); logoutURL != "" {
+					extras["Button"] = "Disconnect"
+					extras["ButtonURL"] = logoutURL
+				}
+			}
+			return renderError(c, inst, http.StatusBadRequest, errMsg, extras)
 		}
 	}
 
@@ -443,7 +475,17 @@ func TwoFactor(c echo.Context) error {
 		return renderError(c, inst, http.StatusBadRequest, "No OpenID Connect is configured.")
 	}
 	if err := checkDomainFromUserInfo(conf, inst, accessToken); err != nil {
-		return renderError(c, inst, http.StatusBadRequest, err.Error())
+		extras := map[string]interface{}{}
+		errMsg := err.Error()
+		if dmErr, ok := err.(*DomainMismatchError); ok {
+			extras["ErrorArgs"] = dmErr.TranslationArgs()
+			errMsg = dmErr.TranslationKey()
+			if logoutURL := getOIDCLogoutURL(inst.ContextName); logoutURL != "" {
+				extras["Button"] = "Disconnect"
+				extras["ButtonURL"] = logoutURL
+			}
+		}
+		return renderError(c, inst, http.StatusBadRequest, errMsg, extras)
 	}
 
 	if inst.ValidateTwoFactorTrustedDeviceSecret(c.Request(), trustedDeviceToken) {
@@ -1054,7 +1096,7 @@ func checkDomainFromUserInfo(conf *Config, inst *instance.Instance, token string
 	}
 	if domain != inst.Domain {
 		logger.WithNamespace("oidc").Errorf("Invalid domains: %s != %s", domain, inst.Domain)
-		return ErrAuthenticationFailed
+		return &DomainMismatchError{ExpectedDomain: inst.Domain, ActualDomain: domain}
 	}
 	return nil
 }
@@ -1259,15 +1301,15 @@ func loadKey(raw *jwKey) (interface{}, error) {
 	return &key, nil
 }
 
-func renderError(c echo.Context, inst *instance.Instance, code int, msg string) error {
+func renderError(c echo.Context, inst *instance.Instance, code int, msg string, extras ...map[string]interface{}) error {
 	if inst == nil {
 		inst = &instance.Instance{
 			Domain:      c.Request().Host,
 			ContextName: config.DefaultInstanceContext,
 			Locale:      consts.DefaultLocale,
 		}
 	}
-	return c.Render(code, "error.html", echo.Map{
+	params := echo.Map{
 		"Domain":       inst.ContextualDomain(),
 		"ContextName":  inst.ContextName,
 		"Locale":       inst.Locale,
@@ -1276,7 +1318,22 @@ func renderError(c echo.Context, inst *instance.Instance, code int, msg string)
 		"Illustration": "/images/generic-error.svg",
 		"Error":        msg,
 		"SupportEmail": inst.SupportEmailAddress(),
-	})
+	}
+	// Merge any extra params (Button, ButtonURL, etc.)
+	for _, extra := range extras {
+		for k, v := range extra {
+			params[k] = v
+		}
+	}
+	return c.Render(code, "error.html", params)
+}
+
+func getOIDCLogoutURL(contextName string) string {
+	a := config.GetConfig().Authentication
+	delegated, _ := a[contextName].(map[string]interface{})
+	oidc, _ := delegated["oidc"].(map[string]interface{})
+	u, _ := oidc["logout_url"].(string)
+	return u
 }
 
 // Routes setup routing for OpenID Connect routes.
diff --git a/web/statik/handler.go b/web/statik/handler.go
@@ -106,6 +106,7 @@ func NewDirRenderer(assetsPath string) (AssetRenderer, error) {
 	middlewares.FuncsMap = template.FuncMap{
 		"t":         fmt.Sprintf,
 		"tHTML":     fmt.Sprintf,
+		"tArgs":     func(key string, args interface{}) string { return fmt.Sprintf(key, args.([]interface{})...) },
 		"split":     strings.Split,
 		"replace":   strings.Replace,
 		"hasSuffix": strings.HasSuffix,
@@ -132,6 +133,7 @@ func NewRenderer() (AssetRenderer, error) {
 	middlewares.FuncsMap = template.FuncMap{
 		"t":         fmt.Sprintf,
 		"tHTML":     fmt.Sprintf,
+		"tArgs":     func(key string, args interface{}) string { return fmt.Sprintf(key, args.([]interface{})...) },
 		"split":     strings.Split,
 		"replace":   strings.Replace,
 		"hasSuffix": strings.HasSuffix,
@@ -171,12 +173,18 @@ func (r *renderer) Render(w io.Writer, name string, data interface{}, c echo.Con
 		funcMap = template.FuncMap{
 			"t":     i.Translate,
 			"tHTML": i18n.TranslatorHTML(i.Locale, i.ContextName),
+			"tArgs": func(key string, args []interface{}) string {
+				return i18n.Translate(key, i.Locale, i.ContextName, args...)
+			},
 		}
 	} else {
 		lang := GetLanguageFromHeader(c.Request().Header)
 		funcMap = template.FuncMap{
 			"t":     i18n.Translator(lang, ""),
 			"tHTML": i18n.TranslatorHTML(lang, ""),
+			"tArgs": func(key string, args []interface{}) string {
+				return i18n.Translate(key, lang, "", args...)
+			},
 		}
 	}
 	var t *template.Template
diff --git a/web/statik/statik.go b/web/statik/statik.go
