Merge pull request #493 from mozilla-iam/IAM-1269

IAM-1269 sso-dashboard invalid JWT tokens return 500 error

dashboard/app.py

@@ -133,7 +133,6 @@ def forbidden():
         jws = request.args.get("error").encode()
 
     token_verifier = oidc_auth.tokenVerification(jws=jws, public_key=app.config["FORBIDDEN_PAGE_PUBLIC_KEY"])
-    """TODO: add code here to catch when the token is invalid"""
     token_verifier.verify
 
     return render_template("forbidden.html", token_verifier=token_verifier)

dashboard/oidc_auth.py

@@ -1,7 +1,9 @@
 import json
 import logging
+import traceback
 from josepy.jwk import JWK
 from josepy.jws import JWS
+from josepy.error import JWSErrors
 
 """Class that governs all authentication with open id connect."""
 from flask_pyoidc import OIDCAuthentication
@@ -95,6 +97,17 @@ def _verified(self):
                 self.jws_data["connection_name"] = self._get_connection_name(self.jws_data["connection"])
                 return True
         except UnicodeDecodeError:
+            logger.warning("UnicodeDecodeError: The jws {jws}".format(jws=self.jws))
+            return False
+        except JWSErrors.DeserializationError:
+            logger.warning("DeserializationError jws {jws}".format(jws=self.jws))
+            return False
+        except Exception: # pylint: disable=broad-exception-caught
+            # This is a broad except to catch every error.  It's not great but since we're
+            # in _validate, our job is to pass/fail everything, and letting code raise out
+            # of here blows up the website in front of customers.  Let's do something better
+            # as a last-choice, maybe we need more exceptions caught above
+            logger.warning("Unknown error occurred "+traceback.format_exc())
             return False
 
     def error_message(self):