fix: Added a "Disconnect" button to an OIDC mismatch error page

shepilov · shepilov · commit ef682989cc70 · 2026-02-04T12:33:30.000+01:00
diff --git a/assets/locales/en.po b/assets/locales/en.po
@@ -485,6 +485,9 @@ msgstr "The FranceConnect authentication has failed"
 msgid "OIDC Domain Mismatch %s %s"
 msgstr "To connect to %s, please disconnect first from %s"
 
+msgid "Disconnect"
+msgstr "Disconnect"
+
 msgid "Instance Blocked Login"
 msgstr "The Twake was blocked because of too many login attempts"
 
diff --git a/assets/locales/fr.po b/assets/locales/fr.po
@@ -553,6 +553,9 @@ msgstr "Le compte FranceConnect utilisé ne correspond pas à votre compte Twake
 msgid "OIDC Domain Mismatch %s %s"
 msgstr "Pour vous connecter à %s, veuillez d'abord vous déconnecter de %s"
 
+msgid "Disconnect"
+msgstr "Déconnexion"
+
 msgid "Instance Blocked Login"
 msgstr "Le Twake a été bloqué à cause de trop nombreux essais de connexion"
 
diff --git a/assets/locales/ru.po b/assets/locales/ru.po
@@ -536,6 +536,9 @@ msgstr "Используемый аккаунт FranceConnect не соотве
 msgid "OIDC Domain Mismatch %s %s"
 msgstr "Чтобы подключиться к %s, сначала отключитесь от %s"
 
+msgid "Disconnect"
+msgstr "Отключиться"
+
 msgid "Instance Blocked Login"
 msgstr "Twake был заблокирован из-за слишком многих попыток входа"
 
diff --git a/assets/locales/vi.po b/assets/locales/vi.po
@@ -487,6 +487,9 @@ msgstr "Xác thực bằng FranceConnect không thành công"
 msgid "OIDC Domain Mismatch %s %s"
 msgstr "Để kết nối với %s, vui lòng đăng xuất khỏi %s trước"
 
+msgid "Disconnect"
+msgstr "Ngắt kết nối"
+
 msgid "Instance Blocked Login"
 msgstr "Twake đã bị khóa do có quá nhiều lần đăng nhập không thành công"
 
diff --git a/assets/templates/error.html b/assets/templates/error.html
@@ -28,7 +28,12 @@
         {{if .Illustration}}<img src="{{asset .Domain .Illustration}}" alt="" class="illustration mb-3" />{{end}}
         <h1 class="h4 h2-md mb-3 text-center">{{if .ErrorTitle}}{{t .ErrorTitle}}{{else}}{{t "Error Title"}}{{end}}</h1>
         <div class="mb-2 mb-md-3">
-          {{$err := t .Error}}
+          {{$err := ""}}
+          {{if .ErrorArgs}}
+            {{$err = tArgs .Error .ErrorArgs}}
+          {{else}}
+            {{$err = t .Error}}
+          {{end}}
           {{$arr := split $err "\n"}}
           {{range $i, $p := $arr}}
             {{if ne $p ""}}<p class="text-center mb-2">{{$p}}</p>{{end}}
diff --git a/web/oidc/oidc.go b/web/oidc/oidc.go
@@ -50,6 +50,16 @@ type DomainMismatchError struct {
 	ActualDomain   string // The instance from the OIDC token
 }
 
+// TranslationKey returns the i18n key for translating this error.
+func (e *DomainMismatchError) TranslationKey() string {
+	return "OIDC Domain Mismatch %s %s"
+}
+
+// TranslationArgs returns the arguments for the translation.
+func (e *DomainMismatchError) TranslationArgs() []interface{} {
+	return []interface{}{e.ExpectedDomain, e.ActualDomain}
+}
+
 func (e *DomainMismatchError) Error() string {
 	return fmt.Sprintf("OIDC Domain Mismatch %s %s", e.ExpectedDomain, e.ActualDomain)
 }
@@ -378,7 +388,18 @@ func Login(c echo.Context) error {
 		}
 
 		if err := checkDomainFromUserInfo(conf, inst, token); err != nil {
-			return renderError(c, inst, http.StatusBadRequest, err.Error())
+			extras := map[string]interface{}{}
+			errMsg := err.Error()
+			var dmErr *DomainMismatchError
+			if errors.As(err, &dmErr) {
+				extras["ErrorArgs"] = dmErr.TranslationArgs()
+				errMsg = dmErr.TranslationKey()
+				if logoutURL := getOIDCLogoutURL(inst.ContextName); logoutURL != "" {
+					extras["Button"] = "Disconnect"
+					extras["ButtonURL"] = logoutURL
+				}
+			}
+			return renderError(c, inst, http.StatusBadRequest, errMsg, extras)
 		}
 	}
 
@@ -454,7 +475,17 @@ func TwoFactor(c echo.Context) error {
 		return renderError(c, inst, http.StatusBadRequest, "No OpenID Connect is configured.")
 	}
 	if err := checkDomainFromUserInfo(conf, inst, accessToken); err != nil {
-		return renderError(c, inst, http.StatusBadRequest, err.Error())
+		extras := map[string]interface{}{}
+		errMsg := err.Error()
+		if dmErr, ok := err.(*DomainMismatchError); ok {
+			extras["ErrorArgs"] = dmErr.TranslationArgs()
+			errMsg = dmErr.TranslationKey()
+			if logoutURL := getOIDCLogoutURL(inst.ContextName); logoutURL != "" {
+				extras["Button"] = "Disconnect"
+				extras["ButtonURL"] = logoutURL
+			}
+		}
+		return renderError(c, inst, http.StatusBadRequest, errMsg, extras)
 	}
 
 	if inst.ValidateTwoFactorTrustedDeviceSecret(c.Request(), trustedDeviceToken) {
@@ -1270,15 +1301,15 @@ func loadKey(raw *jwKey) (interface{}, error) {
 	return &key, nil
 }
 
-func renderError(c echo.Context, inst *instance.Instance, code int, msg string) error {
+func renderError(c echo.Context, inst *instance.Instance, code int, msg string, extras ...map[string]interface{}) error {
 	if inst == nil {
 		inst = &instance.Instance{
 			Domain:      c.Request().Host,
 			ContextName: config.DefaultInstanceContext,
 			Locale:      consts.DefaultLocale,
 		}
 	}
-	return c.Render(code, "error.html", echo.Map{
+	params := echo.Map{
 		"Domain":       inst.ContextualDomain(),
 		"ContextName":  inst.ContextName,
 		"Locale":       inst.Locale,
@@ -1287,7 +1318,22 @@ func renderError(c echo.Context, inst *instance.Instance, code int, msg string)
 		"Illustration": "/images/generic-error.svg",
 		"Error":        msg,
 		"SupportEmail": inst.SupportEmailAddress(),
-	})
+	}
+	// Merge any extra params (Button, ButtonURL, etc.)
+	for _, extra := range extras {
+		for k, v := range extra {
+			params[k] = v
+		}
+	}
+	return c.Render(code, "error.html", params)
+}
+
+func getOIDCLogoutURL(contextName string) string {
+	a := config.GetConfig().Authentication
+	delegated, _ := a[contextName].(map[string]interface{})
+	oidc, _ := delegated["oidc"].(map[string]interface{})
+	u, _ := oidc["logout_url"].(string)
+	return u
 }
 
 // Routes setup routing for OpenID Connect routes.
diff --git a/web/statik/handler.go b/web/statik/handler.go
@@ -106,6 +106,7 @@ func NewDirRenderer(assetsPath string) (AssetRenderer, error) {
 	middlewares.FuncsMap = template.FuncMap{
 		"t":         fmt.Sprintf,
 		"tHTML":     fmt.Sprintf,
+		"tArgs":     func(key string, args interface{}) string { return fmt.Sprintf(key, args.([]interface{})...) },
 		"split":     strings.Split,
 		"replace":   strings.Replace,
 		"hasSuffix": strings.HasSuffix,
@@ -132,6 +133,7 @@ func NewRenderer() (AssetRenderer, error) {
 	middlewares.FuncsMap = template.FuncMap{
 		"t":         fmt.Sprintf,
 		"tHTML":     fmt.Sprintf,
+		"tArgs":     func(key string, args interface{}) string { return fmt.Sprintf(key, args.([]interface{})...) },
 		"split":     strings.Split,
 		"replace":   strings.Replace,
 		"hasSuffix": strings.HasSuffix,
@@ -171,12 +173,18 @@ func (r *renderer) Render(w io.Writer, name string, data interface{}, c echo.Con
 		funcMap = template.FuncMap{
 			"t":     i.Translate,
 			"tHTML": i18n.TranslatorHTML(i.Locale, i.ContextName),
+			"tArgs": func(key string, args []interface{}) string {
+				return i18n.Translate(key, i.Locale, i.ContextName, args...)
+			},
 		}
 	} else {
 		lang := GetLanguageFromHeader(c.Request().Header)
 		funcMap = template.FuncMap{
 			"t":     i18n.Translator(lang, ""),
 			"tHTML": i18n.TranslatorHTML(lang, ""),
+			"tArgs": func(key string, args []interface{}) string {
+				return i18n.Translate(key, lang, "", args...)
+			},
 		}
 	}
 	var t *template.Template
diff --git a/web/statik/statik.go b/web/statik/statik.go
