Errors
Introduction
Errors can occur in various places: due to invalid client requests or problems on the backend and network side.
Couper specifies some generic error categories (like configuration
, server
, backend
or access_control
) to help you identify the occurring problems faster.
Error messages
Error messages are only sent to the client as a summary. Detailed information is provided via log message. This way, all information can be viewed without accidentally revealing confidential information.
Access control error_handler
Access control errors in particular require special handling, e.g. sending a specific response for missing login credentials.
For this purpose every access control definition of basic_auth
, jwt
, oidc
or saml2
can define one or multiple error_handler
blocks with one or more defined error type labels listed below.
Permissions related error_handler
Required permissions are configured for api
or endpoint
blocks. So errors caused by insufficient permissions can be handled at API or endpoint levels.
Endpoint related error_handler
A sequence, a simple request
or proxy
error can be handled in combination with the expected_status
attribute for request
and proxy
block definitions and an error_handler
block with the related type label.
Error types
All errors have a specific type. You can find it in the log field error_type
. Furthermore, errors can be associated with a list of less specific types. Your error handlers will be evaluated from the most to the least specific one. Only the first matching error handler is executed.
Access control error types
The following table documents error types that can be handled in the respective access control blocks (basic_auth
, jwt
, saml
, beta_oauth2
, oidc
):
Type (and super types) | Description | Default handling |
---|---|---|
access_control | Access control related errors. | Send error template with status 403 . |
basic_auth (access_control ) | All basic_auth related errors, e.g. unknown user or wrong password. | Send error template with status 401 and WWW-Authenticate: Basic header. |
basic_auth_credentials_missing (basic_auth ) | Client does not provide any credentials. | Send error template with status 401 and WWW-Authenticate: Basic header. |
jwt (access_control ) | All jwt related errors. | Send error template with status 401 . |
jwt_token_missing (jwt ) | No token provided with configured token source. | Send error template with status 401 . |
jwt_token_expired (jwt ) | Given token is valid but expired. | Send error template with status 401 . |
jwt_token_invalid (jwt ) | The token is syntactically not a JWT, or not sufficient, e.g. because required claims are missing or have unexpected values. | Send error template with status 401 . |
saml (or saml2 ) (access_control ) | All saml related errors. | Send error template with status 403 . |
oauth2 (access_control ) | All beta_oauth2 /oidc related errors. | Send error template with status 403 . |
API error types
The following table documents error types that can be handled in api
blocks:
Type (and super types) | Description | Default handling |
---|---|---|
backend | All catchable backend related errors. | Send error template with status 502 . |
backend_openapi_validation (backend ) | Backend request or response is invalid. | Send error template with status code 400 for invalid backend request or 502 for invalid backend response. |
backend_timeout (backend ) | A backend request timed out. | Send error template with status 504 . |
backend_unhealthy (backend ) | A backend is unhealthy and will not send the request. | Send error template with status 502 . |
beta_backend_token_request (backend ) | A token request for the backend has failed. | Send error template with status 502 . |
access_control | Access control related errors. | Send error template with status 403 . |
insufficient_permissions (access_control ) | The permission required for the requested operation is not in the permissions granted to the requester. | Send error template with status 403 . |
Endpoint error types
The following table documents error types that can be handled in endpoint
blocks:
Type (and super types) | Description | Default handling |
---|---|---|
backend | All catchable backend related errors. | Send error template with status 502 . |
backend_openapi_validation (backend ) | Backend request or response is invalid. | Send error template with status code 400 for invalid backend request or 502 for invalid backend response. |
backend_timeout (backend ) | A backend request timed out. | Send error template with status 504 . |
backend_unhealthy (backend ) | A backend is unhealthy and will not send the request. | Send error template with status 502 . |
beta_backend_token_request (backend ) | A token request for the backend has failed. | Send error template with status 502 . |
access_control | Access control related errors. | Send error template with status 403 . |
beta_backend_rate_limit_exceeded | Backend rate limit related errors. | Send error template with status 429 . |
insufficient_permissions (access_control ) | The permission required for the requested operation is not in the permissions granted to the requester. | Send error template with status 403 . |
endpoint | All catchable endpoint related errors. | Send error template with status 502 . |
sequence (endpoint ) | A request or proxy block request has been failed while depending on another one. | Send error template with status 502 . |
unexpected_status (endpoint ) | A request or proxy block response status code does not match the to expected_status list. | Send error template with status 502 . |