bug(passport-strategy-helper): Better presentation of auth errors

.changeset/spotty-apples-visit.md

@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-auth-backend': patch
+---
+
+Better presentation of authentication errors

plugins/auth-backend/src/lib/passport/PassportStrategyHelper.test.ts

@@ -16,6 +16,7 @@
 
 import express from 'express';
 import passport from 'passport';
+import { InternalOAuthError } from 'passport-oauth2';
 import {
   executeRedirectStrategy,
   executeFrameHandlerStrategy,
@@ -58,7 +59,11 @@ describe('PassportStrategyHelper', () => {
     }
     class MyCustomAuthErrorStrategy extends passport.Strategy {
       authenticate() {
-        this.error(new Error('MyCustomAuth error'));
+        this.error(
+          new InternalOAuthError('MyCustomAuth error', {
+            data: '{ "message": "Custom message" }',
+          }),
+        );
       }
     }
     class MyCustomAuthRedirectStrategy extends passport.Strategy {
@@ -97,7 +102,7 @@ describe('PassportStrategyHelper', () => {
       );
       expect(spyAuthenticate).toBeCalledTimes(1);
       await expect(frameHandlerStrategyPromise).rejects.toThrow(
-        'Authentication failed, Error: MyCustomAuth error',
+        'Authentication failed, MyCustomAuth error - Custom message',
       );
     });
 

plugins/auth-backend/src/lib/passport/PassportStrategyHelper.ts

@@ -18,6 +18,7 @@ import express from 'express';
 import passport from 'passport';
 import jwtDecoder from 'jwt-decode';
 import { ProfileInfo, RedirectInfo } from '../../providers/types';
+import { InternalOAuthError } from 'passport-oauth2';
 
 export type PassportDoneCallback<Res, Private = never> = (
   err?: Error,
@@ -95,8 +96,22 @@ export const executeFrameHandlerStrategy = async <T, PrivateInfo = never>(
       ) => {
         reject(new Error(`Authentication rejected, ${info.message ?? ''}`));
       };
-      strategy.error = (error: Error) => {
-        reject(new Error(`Authentication failed, ${error}`));
+      strategy.error = (error: InternalOAuthError) => {
+        let message = `Authentication failed, ${error.message}`;
+
+        if (error.oauthError?.data) {
+          try {
+            const errorData = JSON.parse(error.oauthError.data);
+
+            if (errorData.message) {
+              message += ` - ${errorData.message}`;
+            }
+          } catch (parseError) {
+            message += ` - ${error.oauthError}`;
+          }
+        }
+
+        reject(new Error(message));
       };
       strategy.redirect = () => {
         reject(new Error('Unexpected redirect'));