Safely handling error/error_description query string parameters

There are a number of times the login flow results in the error and error_description being passed to the callback URL. These messages can be helpful in diagnosing login problems. It might say the user’s password expired, etc. So it is tempting to display it on the login page.

Here is an example:

/login/callback?error=access_denied&error_description=User%20has%20not%20been%20provisioned.&state=SFNENTVzWXJ4aGtqY2NMSGQ1WXVoY0NNT3Rza0FRY3U4OEcza05wSU5WZA%3D%3D

However, a bad guy can pass whatever they want to this URL. Imagine something like “Your account has been locked. Please call customer service at 1-800-SCA-MERS.” The bad guy includes the link in a phishing email. The user can see it links to a trusted website, clicks the link, sees this error message and calls customer service.

This falls under the security-focused rule of thumb “never display user input.”

Is there a way to determine if this error_description was invented by a bad guy, or was generated by Auth0? Should we use the state parameter in some way?

Is there a documented best practice people recommend?

2 Likes
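One way to handle the callback described in the post above, as an added example that is not part of the original post or Auth0's own code: the page text is chosen from a fixed server-side table keyed by the `error` code, and only when `state` matches the value stored for this browser's pending login, while `error_description` goes to the log and is never rendered. The names `handleCallbackError`, `MESSAGES` and `expectedState` are hypothetical, the message wording and sample URLs are constructed, and the codes are the OAuth 2.0 authorization error codes from RFC 6749 section 4.1.2.1.

```javascript
const crypto = require('node:crypto');

// Fixed display text per error code; nothing from the query string is shown.
const MESSAGES = new Map([
  ['access_denied', 'Sign-in was not completed. Contact your administrator if this continues.'],
  ['invalid_request', 'Sign-in could not be started. Please try again.'],
  ['unauthorized_client', 'This application is not allowed to sign you in.'],
  ['unsupported_response_type', 'Sign-in could not be started. Please try again.'],
  ['invalid_scope', 'Sign-in could not be started. Please try again.'],
  ['server_error', 'The sign-in service had a problem. Please try again later.'],
  ['temporarily_unavailable', 'The sign-in service is busy. Please try again later.'],
]);
const GENERIC = 'Sign-in failed. Please try again.';

// Constant-time comparison of the returned state with the stored one.
function sameState(received, expected) {
  if (typeof received !== 'string' || typeof expected !== 'string') return false;
  const a = Buffer.from(received);
  const b = Buffer.from(expected);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// callbackUrl: the request URL; expectedState: the value saved in the session
// when this browser started the login (undefined if no login is pending).
function handleCallbackError(callbackUrl, expectedState) {
  const q = new URL(callbackUrl, 'https://app.example').searchParams;
  const code = q.get('error');
  if (code === null) return null; // not an error callback

  const stateOk = sameState(q.get('state'), expectedState);
  const known = stateOk && MESSAGES.has(code);

  // The free-text description is kept for diagnosis only: control characters
  // are stripped and the length is capped before it reaches the log.
  const description = (q.get('error_description') || '')
    .replace(/[\u0000-\u001f\u007f]/g, ' ')
    .slice(0, 200);

  return {
    stateOk,
    display: known ? MESSAGES.get(code) : GENERIC,
    log: { code: known ? code : 'unrecognized', description },
  };
}
```

A matching `state` only shows that the response belongs to a login this browser started; the description is still treated as untrusted text and stays out of the page.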