Tell the user why a log-in attmept failed.

scimma_admin/hopskotch_auth/auth.py

@@ -30,30 +30,38 @@ def get_username(self, claims):
 
     def verify_claims(self, claims):
         logger.info(f"all claims: {claims}")
-        if "is_member_of" not in claims:
+
+        def failWithError(user_msg, log_msg):
             log_event_id = secrets.token_hex(8)
-            msg = f"Your account is missing LDAP claims. Are you sure you used the account you use for SCIMMA? Error ID: {log_event_id}"
-            logger.error(f"account is missing LDAP claims, error_id={log_event_id}, claims={claims}")
-            raise PermissionDenied(msg)
+            user_msg += f" Error ID: {log_event_id}"
+            log_msg += f", error_id={log_event_id}"
+            logger.error(log_msg)
+            self.request.session["login_failure_reason"] = user_msg
+            raise PermissionDenied(user_msg)
+
+        if "is_member_of" not in claims or "vo_person_id" not in claims:
+            failWithError("Your identity is missing LDAP claims. "
+                          "Are you sure you used the account you use for SCIMMA?",
+                          f"account is missing LDAP claims, claims={claims}"
+                          )
 
         for group in [self.kafka_user_auth_group]:
             if not is_member_of(claims, group):
                 name = claims.get('vo_display_name', 'Unknown')
                 id = claims.get('vo_person_id', 'Unknown')
                 email = claims.get('email', 'Unknown')
-                msg = f"User vo_display_name={name}, vo_person_id={id}, email={email} is not in {group}, but requested access"
-                logger.error(msg)
-                raise NotInKafkaUsers(msg)
+                failWithError(f"Your account is not a member of the {group} group "
+                              "and so is not authorized to access Hopskotch",
+                              f"User vo_display_name={name}, vo_person_id={id}, "
+                              "email={email} is not in {group}, but requested access")
 
         if "email" in claims:
             return True
         if "email_list" in claims and len(claims.get("email_list", [])) > 0:
             return True
 
-        log_event_id = secrets.token_hex(8)
-        msg = f"Your account is missing an email claim. Error ID: {log_event_id}"
-        logger.error(f"account is missing LDAP email claims, error_id={log_event_id}, claims={claims}")
-        raise PermissionDenied(msg)
+        failWithError("Your account is missing an email claim.",
+                      f"account is missing LDAP email claims, claims={claims}")
 
     def create_user(self, claims):
         if "email" in claims:

scimma_admin/hopskotch_auth/templates/hopskotch_auth/login.html

@@ -8,11 +8,14 @@
   <body>
     <h1>SCiMMA Auth</h1>
     <a href="{% url 'oidc_authentication_init' %}?next={% url 'index' %}" class="btn btn-primary">Login</a>
+    {% if signup_url %}
     <p>If you do not yet have an account, click
-        <a href="https://registry.scimma.org/registry/co_petitions/start/coef:127">here</a>
-        to create one. You should be able to sign up with your institutional single sign-on
+        <a href="{{ signup_url }}">here</a> to create one.
+    <p>You should be able to sign up with your institutional single sign-on
         credentials, or with another identity provider such as
-        <a href="http://orcid.org">http://orcid.org</a>. If using ORCID, please ensure that your
-        privacy settings allow your email address to be shared with 'trusted parties'.
+        <a href="http://orcid.org">http://orcid.org</a>.
+    <p>If using ORCID, please ensure that your privacy settings allow your email
+        address to be shared with 'trusted parties'.
+    {% endif %}
   </body>
 </html>

scimma_admin/hopskotch_auth/templates/hopskotch_auth/login_failure.html

@@ -2,5 +2,11 @@
 
 {% block page-body %}
     <h3>Login Failure</h3>
+    {% if reason %}
+    <p>Reason: {{ reason }}</p>
+    {% endif %}
+    {% if signup_url %}
+    <p>If you have not previously signed up for an account, you can do so <a href="{{ signup_url }}">here</a>.</p>
+    {% endif %}
     <a href="{% url 'oidc_authentication_init' %}?next={% url 'index' %}" class="btn btn-primary">Login</a>
 {% endblock %}

scimma_admin/hopskotch_auth/views.py

@@ -52,15 +52,21 @@ def index(request):
 def login(request):
     if request.user.is_authenticated:
         return redirect(settings.LOGIN_REDIRECT_URL)
-    return render(request, 'hopskotch_auth/login.html',)
+    return render(request, 'hopskotch_auth/login.html',
+                  {"signup_url":settings.USER_SIGNUP_URL})
 
 
 def logout(request):
     return HttpResponse("you're logged out!")
 
 
 def login_failure(request):
-    return render(request, 'hopskotch_auth/login_failure.html')
+    if "login_failure_reason" in request.session:
+        reason = request.session["login_failure_reason"]
+    else:
+        reason = None
+    return render(request, 'hopskotch_auth/login_failure.html',
+                  {"reason":reason, "signup_url":settings.USER_SIGNUP_URL})
 
 
 @require_POST

scimma_admin/scimma_admin/settings.py

@@ -249,6 +249,9 @@ def middleware(request):
 
 KAFKA_USER_AUTH_GROUP = os.environ.get("KAFKA_USER_AUTH_GROUP", default="kafkaUsers")
 
+# This URL will be shown to users as the place they should go to create accounts
+USER_SIGNUP_URL = os.environ.get("USER_SIGNUP_URL", default=None)
+
 try:
     from local_settings import *
 except ImportError: