✨ Improve OIDC error feedback and auth page layout

sujoshua · sujoshua · commit aebf319a8fc3 · 2026-01-16T01:01:51.000+08:00
diff --git a/app/appearance/langs/en_US.json b/app/appearance/langs/en_US.json
@@ -1282,6 +1282,9 @@
   "about4": "Open browser",
   "about5": "Access authorization code",
   "about6": "After configuration, it will be used as the access authentication password, leave it blank to close the authentication",
+  "accessAuthBypass": "Bypass access authentication",
+  "accessAuthBypassTip": "Skip all access code, OIDC checks and mandatory safety checks (not recommended)",
+  "accessAuthBypassConfirm": "Are you sure you want to bypass all access authentication and security checks? This will allow anyone to access without credentials.",
   "about7": "Follow system lock screen",
   "about8": "When enabled, the application will be automatically locked when locking the system screen",
   "about11": "Network serving",
@@ -1610,7 +1613,7 @@
     "169": "Uploading data repo file %v/%v",
     "170": "Uploading data repo chunk %v/%v",
     "171": "Uploading data repo reference %s",
-    "172": "If you forget the authorization code, please find help <a href=\"https://liuyun.io/article/1686530886208\" target=\"_blank\">here</a>",
+    "172": "If you forget the authorization, please find help <a href=\"https://liuyun.io/article/1686530886208\" target=\"_blank\">here</a>",
     "173": "Please enter the access auth code",
     "174": "Unlock access",
     "175": "Please enter the verification code",
@@ -1713,6 +1716,9 @@
     "272": "Unnamed field",
     "273": "Do not create the workspace in the partition root path, please create a new folder as the workspace",
     "274": "This folder contains other files, please create a new folder as the workspace",
-    "275": "Cannot open documents created by a newer version. Please upgrade to the latest version and try again"
+    "275": "Cannot open documents created by a newer version. Please upgrade to the latest version and try again",
+    "276": "OIDC authentication failed, please retry.",
+    "277": "OIDC session is invalid or expired, please retry.",
+    "278": "OIDC authentication was rejected by policy."
   }
 }
diff --git a/app/appearance/langs/zh_CN.json b/app/appearance/langs/zh_CN.json
@@ -1282,6 +1282,9 @@
   "about4": "打开浏览器",
   "about5": "访问授权码",
   "about6": "配置后作为访问鉴权密码，留空则关闭鉴权",
+  "accessAuthBypass": "绕过访问认证",
+  "accessAuthBypassTip": "跳过访问授权码、OIDC 等所有认证和强制安全检查（不推荐）",
+  "accessAuthBypassConfirm": "确定要绕过所有访问认证和安全检查吗？这将允许任何人无需凭据即可访问。",
   "about7": "跟随系统锁屏",
   "about8": "启用后将会在系统锁屏时自动锁定应用",
   "about11": "网络伺服",
@@ -1610,7 +1613,7 @@
     "169": "正在上传数据仓库文件 %v/%v",
     "170": "正在上传数据仓库分块 %v/%v",
     "171": "正在上传数据仓库引用 %s",
-    "172": "如果你忘记了授权码，请在<a href=\"https://ld246.com/article/1649901726096\" target=\"_blank\">这里</a>寻求帮助",
+    "172": "如果你忘记了认证方式，请在<a href=\"https://ld246.com/article/1649901726096\" target=\"_blank\">这里</a>寻求帮助",
     "173": "请输入访问授权码",
     "174": "解锁访问",
     "175": "请输入验证码",
@@ -1713,6 +1716,9 @@
     "272": "未命名字段",
     "273": "请勿在分区根路径上创建工作空间，请新建一个文件夹作为工作空间",
     "274": "该文件夹包含了其他文件，请新建一个文件夹作为工作空间",
-    "275": "无法打开新版本创建的文档，请升级到最新版本后再试"
+    "275": "无法打开新版本创建的文档，请升级到最新版本后再试",
+    "276": "OIDC 认证失败，请重试。",
+    "277": "OIDC 会话无效或已过期，请重试。",
+    "278": "OIDC 认证被策略拒绝。"
   }
 }
diff --git a/app/stage/auth.html b/app/stage/auth.html
@@ -173,28 +173,66 @@
             font-size: 12px;
             margin: 16px 0;
         }
+
+        .action-group,
+        .auth-buttons {
+            display: flex;
+            flex-direction: column;
+            align-items: center;
+        }
+
+        .action-group {
+            gap: 10px;
+            margin-top: 8px;
+        }
+
+        .auth-buttons {
+            gap: 6px;
+            width: 100%;
+        }
+
+        .auth-buttons .b3-button {
+            margin: 6px 0;
+        }
     </style>
 </head>
 <body>
 <div style="-webkit-app-region: drag;height: 32px;width: 100%;position: absolute;top: 0;"></div>
 <div style="position: relative;z-index: 2;text-align: center">
     <h1 style="margin-bottom: 48px;color:var(--b3-theme-on-background)">{{.workspace}}</h1>
+    {{if .hasAccessAuthCode}}
     <input class="b3-text-field" id="authCode" type="password" placeholder="{{.l0}}"/><br>
     <div style="position: relative;width: 240px;margin: 8px auto 0;display: none">
         <img id="captchaImg" style="top: 1px;position: absolute;height: 26px;right: 1px;cursor: pointer">
         <input id="captcha" class="b3-text-field" placeholder="{{.l3}}">
     </div>
+    {{end}}
     <div style="width: 240px; margin: 8px auto; text-align: left; display: flex; align-items: center;">
         <input type="checkbox" id="rememberMe" style="margin-right: 8px;">
         <label for="rememberMe" style="color: var(--b3-theme-on-surface); font-size: 14px;">{{.l10}}</label>
     </div>
-    <button class="b3-button" onclick="submitAuth()">{{.l1}}</button>
-    <div class="ft__on-surface">
-        {{.l2}}
-    </div>
-    <button class="b3-button b3-button--white" onclick="exitSiYuan()">{{.l5}}</button>
-    <div class="ft__on-surface">
-        {{.l7}}
+    <div class="action-group">
+        <div class="auth-buttons">
+            {{if .hasAccessAuthCode}}
+            <button class="b3-button" onclick="submitAuth()">{{.l1}}</button>
+            {{end}}
+            {{if .oidcEnabled}}
+            <button class="b3-button" onclick="startOIDC()">{{.oidcProviderName}}</button>
+            {{end}}
+            {{if .authError}}
+            <div class="ft__on-surface" style="color: #d93025;">
+                {{.authError}}
+            </div>
+            {{end}}
+            <div class="ft__on-surface">
+                {{.l2}}
+            </div>
+        </div>
+        <div style="height: 8px;"></div>
+        <button class="b3-button b3-button--white" onclick="exitSiYuan()">{{.l5}}</button>
+        <div class="ft__on-surface">
+            {{.l7}}
+        </div>
     </div>
 </div>
 <div style="overflow: hidden;position: absolute;height: 100%;width: 100%;top: 0;left: 0;">
@@ -487,10 +525,27 @@ <h1 style="margin-bottom: 48px;color:var(--b3-theme-on-background)">{{.workspace
         }, 6000)
     }
 
+    const startOIDC = () => {
+        const rememberMeElement = document.getElementById('rememberMe')
+        const url = new URL('/auth/oidc/login', window.location.origin)
+        const currentUrl = new URL(window.location.href)
+        const toParam = currentUrl.searchParams.get("to")
+        if (toParam) {
+            url.searchParams.set("to", toParam)
+        }
+        if (rememberMeElement && rememberMeElement.checked) {
+            url.searchParams.set("rememberMe", "1")
+        }
+        window.location.href = url.toString()
+    }
+
     const submitAuth = () => {
         const inputElement = document.getElementById('authCode')
         const captchaElement = document.getElementById('captcha')
         const rememberMeElement = document.getElementById('rememberMe')
+        if (!inputElement || !captchaElement) {
+            return
+        }
         let code = inputElement.value.trim();
         if ("" === code) {
             showMessage({{.l9}})
@@ -559,16 +614,18 @@ <h1 style="margin-bottom: 48px;color:var(--b3-theme-on-background)">{{.workspace
 
         const inputElement = document.getElementById('authCode')
         const captchaElement = document.getElementById('captcha')
-        inputElement.focus()
-        inputElement.addEventListener('keydown', (event) => {
-            if (event.key === 'Enter') {
-                submitAuth()
-            }
-        })
+        if (inputElement && captchaElement) {
+            inputElement.focus()
+            inputElement.addEventListener('keydown', (event) => {
+                if (event.key === 'Enter') {
+                    submitAuth()
+                }
+            })
 
-        captchaElement.previousElementSibling.addEventListener('click', function () {
-            this.src = `/api/system/getCaptcha?v=${new Date().getTime()}`
-        })
+            captchaElement.previousElementSibling.addEventListener('click', function () {
+                this.src = `/api/system/getCaptcha?v=${new Date().getTime()}`
+            })
+        }
 
         // 用于授权页保持连接，避免非常驻内存内核自动退出 https://github.com/siyuan-note/insider/issues/1099
         new WebSocket((window.location.protocol === 'https:' ? 'wss' : 'ws') + '://' + window.location.host + '/ws?app=siyuan&id=auth')
diff --git a/kernel/model/oidc/oidc.go b/kernel/model/oidc/oidc.go
@@ -111,7 +111,7 @@ func Login(c *gin.Context, oidcConf *conf.OIDC) {
 	c.Redirect(http.StatusFound, authURL)
 }
 
-func Callback(c *gin.Context, oidcConf *conf.OIDC) {
+func Callback(c *gin.Context, oidcConf *conf.OIDC, lang func(int) string) {
 	if !IsEnabled(oidcConf) {
 		c.Status(http.StatusNotFound)
 		return
@@ -120,28 +120,25 @@ func Callback(c *gin.Context, oidcConf *conf.OIDC) {
 	session := util.GetSession(c)
 	workspaceSession := util.GetWorkspaceSession(session)
 	if "" == workspaceSession.OIDC.State || c.Query("state") != workspaceSession.OIDC.State {
-		logging.LogWarnf("invalid oidc state [ip=%s]", util.GetRemoteAddr(c.Request))
-		c.Status(http.StatusUnauthorized)
+		oidcCallbackError(c, workspaceSession, lang, 277, "invalid oidc state", nil)
 		return
 	}
 
 	code := c.Query("code")
 	if "" == code {
-		logging.LogWarnf("missing oidc code [ip=%s]", util.GetRemoteAddr(c.Request))
-		c.Status(http.StatusUnauthorized)
+		oidcCallbackError(c, workspaceSession, lang, 277, "missing oidc code", nil)
 		return
 	}
 
 	p, err := providerInstance(oidcConf)
 	if err != nil {
 		logging.LogErrorf("init oidc provider failed: %s", err)
-		c.Status(http.StatusInternalServerError)
+		oidcCallbackError(c, workspaceSession, lang, 276, "init oidc provider failed", err)
 		return
 	}
 
 	if "" != workspaceSession.OIDC.Provider && workspaceSession.OIDC.Provider != p.ID() {
-		logging.LogWarnf("oidc provider mismatch [ip=%s]", util.GetRemoteAddr(c.Request))
-		c.Status(http.StatusUnauthorized)
+		oidcCallbackError(c, workspaceSession, lang, 277, "oidc provider mismatch", nil)
 		return
 	}
 
@@ -150,20 +147,17 @@ func Callback(c *gin.Context, oidcConf *conf.OIDC) {
 
 	claims, err := p.HandleCallback(ctx, code, workspaceSession.OIDC.Nonce)
 	if err != nil {
-		logging.LogWarnf("oidc callback failed: %s", err)
-		c.Status(http.StatusUnauthorized)
+		oidcCallbackError(c, workspaceSession, lang, 276, "oidc callback failed", err)
 		return
 	}
 
 	if "" == claims.Subject {
-		logging.LogWarnf("oidc subject missing [ip=%s]", util.GetRemoteAddr(c.Request))
-		c.Status(http.StatusUnauthorized)
+		oidcCallbackError(c, workspaceSession, lang, 276, "oidc subject missing", nil)
 		return
 	}
 
 	if !IsAllowed(oidcConf.Filters, claims) {
-		logging.LogWarnf("oidc filter rejected [ip=%s]", util.GetRemoteAddr(c.Request))
-		c.Status(http.StatusUnauthorized)
+		oidcCallbackError(c, workspaceSession, lang, 278, "oidc filter rejected", nil)
 		return
 	}
 
@@ -182,8 +176,7 @@ func Callback(c *gin.Context, oidcConf *conf.OIDC) {
 	})
 
 	if err = session.Save(c); err != nil {
-		logging.LogErrorf("save session failed: %s", err)
-		c.Status(http.StatusInternalServerError)
+		oidcCallbackError(c, workspaceSession, lang, 276, "save session failed", err)
 		return
 	}
 	logging.LogInfof("oidc auth success [ip=%s, maxAge=%d]", util.GetRemoteAddr(c.Request), maxAge)
@@ -238,3 +231,31 @@ func sanitizeRedirectPath(dest string) string {
 	parsed.User = nil
 	return parsed.String()
 }
+
+func oidcCallbackError(c *gin.Context, workspaceSession *util.WorkspaceSession, lang func(int) string, msgID int, logMsg string, err error) {
+	userMsg := lang(msgID)
+	if "" == userMsg {
+		userMsg = "OIDC authentication failed, please retry."
+	}
+	if 200 < len(userMsg) {
+		userMsg = userMsg[:200] + "..."
+	}
+
+	if err != nil {
+		logging.LogWarnf("oidc callback failed: %s [err=%s, ip=%s]", logMsg, err, util.GetRemoteAddr(c.Request))
+	} else {
+		logging.LogWarnf("oidc callback failed: %s [ip=%s]", logMsg, util.GetRemoteAddr(c.Request))
+	}
+
+	location := url.URL{Path: "/check-auth"}
+	queryParams := url.Values{}
+	if workspaceSession != nil && workspaceSession.OIDC != nil {
+		to := sanitizeRedirectPath(workspaceSession.OIDC.To)
+		if "" != to {
+			queryParams.Set("to", to)
+		}
+	}
+	queryParams.Set("error", userMsg)
+	location.RawQuery = queryParams.Encode()
+	c.Redirect(http.StatusFound, location.String())
+}
diff --git a/kernel/server/serve.go b/kernel/server/serve.go
@@ -423,7 +423,7 @@ func serveOIDC(ginServer *gin.Engine) {
 		oidc.Login(c, model.Conf.OIDC)
 	})
 	ginServer.GET("/auth/oidc/callback", func(c *gin.Context) {
-		oidc.Callback(c, model.Conf.OIDC)
+		oidc.Callback(c, model.Conf.OIDC, model.Conf.Language)
 	})
 }
 
@@ -463,6 +463,7 @@ func serveAuthPage(c *gin.Context) {
 	}
 	oidcEnabled := oidc.IsEnabled(model.Conf.OIDC)
 	oidcProviderName := oidc.ProviderLabel(model.Conf.OIDC)
+	authError := strings.TrimSpace(c.Query("error"))
 	model := map[string]interface{}{
 		"l0":                     model.Conf.Language(173),
 		"l1":                     model.Conf.Language(174),
@@ -485,6 +486,7 @@ func serveAuthPage(c *gin.Context) {
 		"oidcEnabled":            oidcEnabled,
 		"oidcProviderName":       oidcProviderName,
 		"hasAccessAuthCode":      "" != model.Conf.AccessAuthCode,
+		"authError":              authError,
 	}
 	buf := &bytes.Buffer{}
 	if err = tpl.Execute(buf, model); err != nil {
