Merge pull request #1326 from govuk-one-login/ATO-331/fix-redirect

ATO-331: Redirect to RP on identity error, not orchestration
govuk-one-login · Jan 26, 2024 · ec37c62 · ec37c62
2 parents 6d7881a + 6e45a43
commit ec37c62
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 1 deletion.
diff --git a/src/components/authorize/authorize-controller.ts b/src/components/authorize/authorize-controller.ts
@@ -107,6 +107,7 @@ export function authorizeGet(
     req.session.client.state = claims.state;
     req.session.client.isOneLoginService = claims.is_one_login_service;
     req.session.client.rpSectorHost = claims.rp_sector_host;
+    req.session.client.rpRedirectUri = claims.rp_redirect_uri;
 
     req.session.client.consentEnabled =
       startAuthResponse.data.user.consentRequired;

diff --git a/src/components/authorize/claims-config.ts b/src/components/authorize/claims-config.ts
@@ -30,6 +30,7 @@ export type Claims = {
   client_id: string;
   redirect_uri: string;
   rp_sector_host: string;
+  rp_redirect_uri: string;
   reauthenticate?: string;
   claim?: string;
 };

diff --git a/src/components/prove-identity-callback/prove-identity-callback-controller.ts b/src/components/prove-identity-callback/prove-identity-callback-controller.ts
@@ -9,6 +9,7 @@ import {
 import { proveIdentityCallbackService } from "./prove-identity-callback-service";
 import { IPV_ERROR_CODES, OIDC_ERRORS } from "../../app.constants";
 import { createServiceRedirectErrorUrl } from "../../utils/error";
+import { supportAuthOrchSplit } from "../../config";
 
 export function proveIdentityCallbackGet(
   service: ProveIdentityCallbackServiceInterface = proveIdentityCallbackService()
@@ -46,7 +47,9 @@ export function proveIdentityCallbackGet(
       );
     } else {
       redirectPath = createServiceRedirectErrorUrl(
-        req.session.client.redirectUri,
+        supportAuthOrchSplit()
+          ? req.session.client.rpRedirectUri
+          : req.session.client.redirectUri,
         OIDC_ERRORS.ACCESS_DENIED,
         IPV_ERROR_CODES.IDENTITY_PROCESSING_TIMEOUT,
         req.session.client.state

diff --git a/src/components/prove-identity-callback/tests/prove-identity-callback-controller.test.ts b/src/components/prove-identity-callback/tests/prove-identity-callback-controller.test.ts
@@ -33,6 +33,7 @@ describe("prove identity callback controller", () => {
       session: {
         client: {
           redirectUri: "http://someservice.com/auth",
+          rpRedirectUri: "http://rpservice.com/auth",
           clientName: "test service",
           state: STATE,
         },
@@ -108,5 +109,31 @@ describe("prove identity callback controller", () => {
         )}&state=${encodeURIComponent(STATE)}`
       );
     });
+
+    it("should redirect back to service when identity processing has errored and split is enabled", async () => {
+      process.env.SUPPORT_AUTH_ORCH_SPLIT = "1";
+      const fakeProveIdentityService: ProveIdentityCallbackServiceInterface = {
+        processIdentity: sinon.fake.returns({
+          success: true,
+          data: {
+            status: IdentityProcessingStatus.ERROR,
+          },
+        }),
+      } as unknown as ProveIdentityCallbackServiceInterface;
+
+      await proveIdentityCallbackGet(fakeProveIdentityService)(
+        req as Request,
+        res as Response
+      );
+
+      expect(res.redirect).to.have.been.calledWith(
+        `http://rpservice.com/auth?error=${
+          OIDC_ERRORS.ACCESS_DENIED
+        }&error_description=${encodeURIComponent(
+          IPV_ERROR_CODES.IDENTITY_PROCESSING_TIMEOUT
+        )}&state=${encodeURIComponent(STATE)}`
+      );
+      process.env.SUPPORT_AUTH_ORCH_SPLIT = "0";
+    });
   });
 });
diff --git a/src/types.ts b/src/types.ts
@@ -93,4 +93,5 @@ export interface UserSessionClient {
   isOneLoginService?: boolean;
   claim?: string[];
   rpSectorHost?: string;
+  rpRedirectUri?: string;
 }