From 852e3f6ebef21ececcc43c6559e71fcb79f7fce6 Mon Sep 17 00:00:00 2001
From: Eitol <hector.oliveros.leon@gmail.com>
Date: Tue, 15 Oct 2024 23:09:28 -0300
Subject: [PATCH] Handle Okta authentication failures more gracefully

Introduce detailed error handling for Okta authentication failures, providing specific messages when an "invalid_grant" error occurs. Offer user guidance to resolve the issue by logging out and back into Okta if multiple attempts fail.
---
 cmd/root/web/web.go | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/cmd/root/web/web.go b/cmd/root/web/web.go
index 4ed7483..99cf795 100644
--- a/cmd/root/web/web.go
+++ b/cmd/root/web/web.go
@@ -99,14 +99,18 @@ func NewWebCommand() *cobra.Command {
 				return err
 			}
 
+			var apiErr *okta.APIError
+
 			for attempt := 1; attempt <= 2; attempt++ {
 				wsa, err := webssoauth.NewWebSSOAuthentication(cfg)
 				if err != nil {
 					return err
 				}
 
+				var ok bool
 				err = wsa.EstablishIAMCredentials()
-				if apiErr, ok := err.(*okta.APIError); ok {
+				apiErr, ok = err.(*okta.APIError)
+				if ok {
 					if apiErr.ErrorType == "invalid_grant" && webssoauth.RemoveCachedAccessToken() {
 						webssoauth.ConsolePrint(cfg, "Cached access token appears to be stale, removing token and retrying device authorization ...\n\n")
 						continue
@@ -119,7 +123,14 @@ func NewWebCommand() *cobra.Command {
 				break
 			}
 
-			return err
+			if err != nil {
+				if apiErr != nil && apiErr.ErrorType == "invalid_grant" {
+					webssoauth.ConsolePrint(cfg, "Authentication failed after multiple attempts. Please log out of Okta in your browser and log back in to resolve the issue.\n")
+				}
+				return err
+			}
+
+			return nil
 		},
 	}