Copilot AI commented Feb 10, 2026

The IAM token endpoint (/oauth2/{subjectID}/token) was returning HTTP 500 when the subject didn't exist. This should be a client error (400) with a proper OAuth2 error response.

Changes

  • HandleTokenRequest: Convert ErrSubjectNotFound to OAuth2Error with invalid_request code
  • Test coverage: Added test case for unknown subject scenario

This follows the existing pattern in OpenIDConfiguration and other endpoints.

Before

HTTP/1.1 500 Internal Server Error
{"detail":"server returned HTTP 500 (expected: 200)","status":500,"title":"RequestServiceAccessToken failed"}

After

HTTP/1.1 400 Bad Request
{"error":"invalid_request","error_description":"subject not found"}
Original prompt

This section details on the original issue you should resolve

<issue_title>IAM: Requesting access token for unknown subject (on remote server) yields error 500</issue_title>
<issue_description>Client responds:

{"detail":"server returned HTTP 500 (expected: 200)","status":500,"title":"RequestServiceAccessToken failed"}

Server logs:

level=warning msg="HandleTokenRequest failed" error="subject not found" module=Auth/iam operation=HandleTokenRequest operationID=HandleTokenRequest requestURI=/oauth2/d8e49bf4-9b89-42b5-bd5f-05b720eb1e74/token user="<nil>"

This should probably be a status 400 with something more explanatory.</issue_description>


Copilot AI changed the title from "[WIP] Fix error 500 when requesting access token for unknown subject" to "Fix IAM token endpoint to return 400 for unknown subject" Feb 10, 2026
Copilot AI requested a review from reinkrul February 10, 2026 07:07
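
The error mapping described in the PR above, as an added example that is not the project's code: a sentinel "subject not found" error becomes a 400 `invalid_request` OAuth2 error body, while any other failure stays a 500 with no internal detail in the response. The names `errSubjectNotFound`, `issueToken`, `tokenHandler` and `request`, and the `known`/`broken` subjects, are hypothetical stand-ins.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

var errSubjectNotFound = errors.New("subject not found") // hypothetical stand-in for the PR's sentinel

// issueToken is a constructed issuer: "known" exists, "broken" simulates an internal fault.
func issueToken(subjectID string) (string, error) {
	switch subjectID {
	case "known":
		return "constructed-token", nil
	case "broken":
		return "", errors.New("database unavailable")
	}
	return "", fmt.Errorf("issue token for %q: %w", subjectID, errSubjectNotFound)
}

// tokenHandler returns 400 invalid_request for an unknown subject; other failures stay 500.
func tokenHandler(w http.ResponseWriter, r *http.Request) {
	subjectID := strings.TrimSuffix(strings.TrimPrefix(r.URL.Path, "/oauth2/"), "/token")
	token, err := issueToken(subjectID)
	w.Header().Set("Content-Type", "application/json")
	switch {
	case errors.Is(err, errSubjectNotFound): // still matches when the sentinel is wrapped with %w
		w.WriteHeader(http.StatusBadRequest)
		json.NewEncoder(w).Encode(map[string]string{"error": "invalid_request", "error_description": "subject not found"})
	case err != nil: // unexpected fault: generic body, the cause belongs in server logs only
		http.Error(w, "internal server error", http.StatusInternalServerError)
	default:
		json.NewEncoder(w).Encode(map[string]string{"access_token": token, "token_type": "Bearer"})
	}
}

// request sends one POST through the handler and returns the status code and trimmed body.
func request(subjectID string) (int, string) {
	rec := httptest.NewRecorder()
	tokenHandler(rec, httptest.NewRequest(http.MethodPost, "/oauth2/"+subjectID+"/token", nil))
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

// main replays the subject ID from the issue's server log.
func main() { fmt.Println(request("d8e49bf4-9b89-42b5-bd5f-05b720eb1e74")) }
```

Matching with `errors.Is` rather than comparing error strings keeps the 400 mapping intact when intermediate layers wrap the sentinel.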

qltysh bot commented Feb 10, 2026

Coverage Impact

⬆️ Merging this pull request will increase total coverage on master by 0.03%.

Modified Files with Diff Coverage (1)

Rating               File                  % Diff   Uncovered Line #s
Coverage rating: B   auth/api/iam/api.go   100.0%
Total                                      100.0%

@reinkrul reinkrul marked this pull request as ready for review February 10, 2026 08:16

qltysh bot commented Feb 10, 2026

1 new issue

Tool   Category    Rule                                                             Count
qlty   Structure   Function with many returns (count = 7): HandleTokenRequest      1

@reinkrul reinkrul force-pushed the copilot/fix-unknown-subject-error branch from caef172 to ca7abc6 Compare February 10, 2026 08:19
Co-authored-by: reinkrul <1481228+reinkrul@users.noreply.github.com>
@reinkrul reinkrul force-pushed the copilot/fix-unknown-subject-error branch from ca7abc6 to 7498828 Compare February 10, 2026 08:20
@reinkrul (Member)

Fixed by #4003

@reinkrul reinkrul closed this Feb 10, 2026