refactor: simplify error handling in oidc authorize handler

[steveiliop56]

Summary by CodeRabbit

• Bug Fixes

  • Improved consistency of authorization error responses and handling across multiple failure scenarios.
  • Enhanced error redirect behavior based on callback URL availability.

• Refactor

  • Centralized OIDC authorization error handling with unified error response generation, improved request binding, and consistent logging across all error paths.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR refactors authorization error handling in the OIDC controller. A new authorizeErrorParams struct centralizes error details across all error paths in Authorize, and the authorizeError helper is rewritten to consume this struct and build redirect responses conditionally based on whether a callback URL is present.

Changes

OIDC Authorization Error Parameter Struct and Helper Refactoring

Layer / File(s)	Summary
Error parameter struct definition internal/controller/oidc_controller.go	authorizeErrorParams struct introduced to carry error details: underlying error, internal reason, public reason, optional callback URL, callback error string, and optional state value.
Authorize method error handling refactoring internal/controller/oidc_controller.go	All error paths in Authorize—early lifecycle (binding, OIDC config, client lookup), parameter validation (invalid request, untrusted redirect), and late-stage persistence (session cleanup, code/userinfo storage, query building)—now populate authorizeErrorParams fields and pass the struct to the helper.
authorizeError helper refactoring internal/controller/oidc_controller.go	Helper signature changed to accept authorizeErrorParams; callback error construction sets error_description and state conditionally; response building returns OAuth error redirect when callback is present, otherwise builds an error screen redirect using the issuer.

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

A rabbit hops through error paths with care,
Gathers reasons, callbacks in one struct fair,
Where early and late errors now align,
The authorizeError flow is clean and fine! 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: refactoring error handling in the OIDC authorize handler by introducing a structured error params type and centralized error helper.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch refactor/oidc-authorize-error

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 29.62963% with 57 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
internal/controller/oidc_controller.go	29.62%	57 Missing ⚠️

📢 Thoughts on this report? Let us know!

[coderabbitai]

🧹 Nitpick comments (1)

internal/controller/oidc_controller.go (1)

551-551: ⚡ Quick win

Use warn-level logs for expected authorization denials.

Logging every authorize failure as Error will over-noise alerts for normal client/user mistakes (invalid_request, unauthenticated user, unknown client). Consider logging Warn by default and reserving Error for actual server failures (e.g., server_error paths).

Proposed adjustment

 func (controller *OIDCController) authorizeError(c *gin.Context, params authorizeErrorParams) {
-	controller.log.App.Error().Err(params.err).Str("reason", params.reason).Msg("Authorization error")
+	logEvent := controller.log.App.Warn()
+	if params.callbackError == "server_error" {
+		logEvent = controller.log.App.Error()
+	}
+	logEvent.Err(params.err).Str("reason", params.reason).Msg("Authorization error")

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/controller/oidc_controller.go` at line 551, The authorization
failure is being logged at Error level unconditionally; update the log in
oidc_controller.go that currently calls
controller.log.App.Error().Err(params.err).Str("reason",
params.reason).Msg("Authorization error") to use Warn() for expected client/user
denials (e.g., invalid_request, unauthenticated, unknown_client) and only use
Error() for genuine server-side failures (e.g., when params.reason ==
"server_error" or when params.err indicates an internal failure). Implement a
small conditional around controller.log.App to call .Warn() by default and
.Error() when the reason matches server error criteria, preserving
Err(params.err), Str("reason", params.reason) and the same Msg("Authorization
error").

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@internal/controller/oidc_controller.go`:
- Line 551: The authorization failure is being logged at Error level
unconditionally; update the log in oidc_controller.go that currently calls
controller.log.App.Error().Err(params.err).Str("reason",
params.reason).Msg("Authorization error") to use Warn() for expected client/user
denials (e.g., invalid_request, unauthenticated, unknown_client) and only use
Error() for genuine server-side failures (e.g., when params.reason ==
"server_error" or when params.err indicates an internal failure). Implement a
small conditional around controller.log.App to call .Warn() by default and
.Error() when the reason matches server error criteria, preserving
Err(params.err), Str("reason", params.reason) and the same Msg("Authorization
error").

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: adbea7db-1e49-442c-9e74-82a108d9b3d2

📥 Commits

Reviewing files that changed from the base of the PR and between 359000f and 55705cd.

📒 Files selected for processing (1)

• internal/controller/oidc_controller.go