13 changes: 9 additions & 4 deletions lib/omniauth/microsoft_graph/domain_verifier.rb
@@ -1,6 +1,7 @@
# frozen_string_literal: true

require 'jwt' # for token signature validation
require 'omniauth' # to inherit from OmniAuth::Error
require 'omniauth-oauth2' # to use CallbackError
require 'oauth2' # to rescue OAuth2::Error

module OmniAuth
Expand All @@ -11,8 +12,6 @@ module MicrosoftGraph
OIDC_CONFIG_URL = 'https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration'
COMMON_JWKS_URL = 'https://login.microsoftonline.com/common/discovery/v2.0/keys'

class DomainVerificationError < OmniAuth::Error; end

class DomainVerifier
def self.verify!(auth_hash, access_token, options)
new(auth_hash, access_token, options).verify!
Expand Down Expand Up @@ -41,7 +40,13 @@ def verify!
skip_verification == true ||
(skip_verification.is_a?(Array) && skip_verification.include?(email_domain)) ||
domain_verified_jwt_claim
raise DomainVerificationError, verification_error_message

# Use CallbackError to ensure the error is properly caught by the callback_phase
# rescue clause and converted to an OmniAuth failure instead of bubbling up as a 500 error.
raise OmniAuth::Strategies::OAuth2::CallbackError.new(
:domain_verification_failed,
verification_error_message
)
end

private
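Review bot: The `:domain_verification_failed` key passed at L51 likely never reaches the application: omniauth-oauth2's stock `callback_phase` rescues `CallbackError` with `fail!(:invalid_credentials, e)`, so unless this gem's strategy overrides that rescue (not visible in this diff) a rejected unverified domain is reported and logged as a generic invalid-credentials failure and the specific key survives only on `env['omniauth.error'].error`. That makes domain rejections indistinguishable from bad tokens in failure logs and monitoring, so either override the rescue in the strategy to report `e.error` for `CallbackError`, or extend the comment at L48-L49 with `# NOTE: the stock omniauth-oauth2 rescue reports this as :invalid_credentials; the :domain_verification_failed key is only exposed via env['omniauth.error']`. The second hunk (8 old lines to 6 new at L33) also appears to drop `DomainVerificationError`, which breaks any consumer that rescues it; defining `class DomainVerificationError < OmniAuth::Strategies::OAuth2::CallbackError; end` and raising that instead keeps the constant while still being caught by the callback rescue. `verify!` begins outside the hunk.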
7 changes: 5 additions & 2 deletions spec/omniauth/microsoft_graph/domain_verifier_spec.rb
Expand Up @@ -105,8 +105,11 @@
context 'when all verification strategies fail' do
before { allow(access_token).to receive(:get).and_raise(::OAuth2::Error.new('whoops')) }

it 'raises a DomainVerificationError' do
expect { result }.to raise_error OmniAuth::MicrosoftGraph::DomainVerificationError
it 'raises a CallbackError with domain_verification_failed' do
expect { result }.to raise_error(OmniAuth::Strategies::OAuth2::CallbackError) do |error|
expect(error.error).to eq(:domain_verification_failed)
expect(error.error_reason).to include('not a verified domain')
end
end
end
end
7 changes: 6 additions & 1 deletion spec/omniauth/strategies/microsoft_graph_oauth2_spec.rb
Expand Up @@ -282,7 +282,12 @@

context 'when email verification fails' do
let(:response_hash) { { mail: 'something@domain.invalid' } }
let(:error) { OmniAuth::MicrosoftGraph::DomainVerificationError.new }
let(:error) do
OmniAuth::Strategies::OAuth2::CallbackError.new(
:domain_verification_failed,
'Domain verification failed'
)
end

before do
allow(OmniAuth::MicrosoftGraph::DomainVerifier).to receive(:verify!).and_raise(error)