Add remote authorization server indication to OAuth2 error messages #4101

Open: reinkrul wants to merge 1 commit into master from iss4096-remote-oauth-error-indication

reinkrul (Member) commented Mar 24, 2026

Summary

Closes #4096

When the local Nuts node acts as a client and the remote OAuth2 authorization server returns an error, the error was propagated as-is to the caller (e.g. EHR), making it impossible to tell whether the error originated locally or remotely.

  • Added RemoteOAuthError wrapper type in auth/oauth/error.go that prefixes error messages with "remote authorization server: "
  • Updated HTTPClient.AccessToken() and HTTPClient.doRequest() to wrap parsed remote OAuth2 errors with RemoteOAuthError
  • Fixed PresentationDefinition() to use errors.As instead of a direct type assertion (needed after wrapping)
  • RemoteOAuthError implements HTTPStatusCodeError (delegates to inner error) and Unwrap() so errors.As still finds the underlying OAuth2Error

Before:

{"detail": "invalid_request - unable to get subject DID from VC: credential subjects have no ID", "status": 400, "title": "RequestServiceAccessToken failed"}

After:

{"detail": "remote authorization server: invalid_request - unable to get subject DID from VC: credential subjects have no ID", "status": 400, "title": "RequestServiceAccessToken failed"}

Test plan

  • Unit tests added for RemoteOAuthError in auth/oauth/error_test.go
  • Existing tests in auth/client/iam/client_test.go and openid4vp_test.go updated to assert RemoteOAuthError wrapping
  • All unit tests pass (go test ./...)
  • OAuth flow e2e tests pass

🤖 Generated with Claude Code

When the local Nuts node acts as a client and the remote OAuth2 server
returns an error, the error is now wrapped in RemoteOAuthError which
prefixes the message with "remote authorization server: ". This allows
developers and administrators to clearly distinguish whether an error
originated locally or from a remote server.

Fixes #4096

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
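
An added illustration (not code from this PR or the Nuts project) of why the direct type assertion had to become errors.As once remote errors are wrapped, and how a caller can attribute a failure by type instead of parsing the message prefix. Only the type names and the prefix come from the PR description; the struct fields, the fixed 400 status and the helpers byAssertion, byErrorsAs and isRemote are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// OAuth2Error is a simplified stand-in for the project's type (fields assumed).
type OAuth2Error struct{ Code, Description string }

func (e OAuth2Error) Error() string   { return e.Code + " - " + e.Description }
func (e OAuth2Error) StatusCode() int { return http.StatusBadRequest } // fixed 400 in this sketch

// RemoteOAuthError marks an error as returned by the remote authorization server.
type RemoteOAuthError struct{ Cause OAuth2Error }

func (e RemoteOAuthError) Error() string   { return "remote authorization server: " + e.Cause.Error() }
func (e RemoteOAuthError) Unwrap() error   { return e.Cause }
func (e RemoteOAuthError) StatusCode() int { return e.Cause.StatusCode() } // delegate to inner error

// byAssertion is the direct type assertion: it inspects only the outermost error.
func byAssertion(err error) bool {
	_, ok := err.(OAuth2Error)
	return ok
}

// byErrorsAs walks the Unwrap chain and finds the OAuth2Error inside the wrapper.
func byErrorsAs(err error) (OAuth2Error, bool) {
	var oe OAuth2Error
	ok := errors.As(err, &oe)
	return oe, ok
}

// isRemote attributes a failure to the remote server by type, not by message text.
func isRemote(err error) bool {
	var re RemoteOAuthError
	return errors.As(err, &re)
}

func main() {
	// Constructed sample mirroring the "After" response in the PR description.
	inner := OAuth2Error{Code: "invalid_request", Description: "unable to get subject DID from VC: credential subjects have no ID"}
	err := fmt.Errorf("RequestServiceAccessToken failed: %w", RemoteOAuthError{Cause: inner})
	oe, found := byErrorsAs(err)
	fmt.Println(err, "| assertion:", byAssertion(err), "| errors.As:", found, oe.Code, "| remote:", isRemote(err))
}
```
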
qltysh bot commented Mar 24, 2026

Coverage Impact

⬆️ Merging this pull request will increase total coverage on master by 0.03%.

Modified Files with Diff Coverage (2)

| Rating | File | % Diff | Uncovered Line #s |
|---|---|---|---|
| B | auth/oauth/error.go | 100.0% | |
| B | auth/client/iam/client.go | 100.0% | |
| Total | | 100.0% | |
