jetty-openid library swallows provider errors when getting auth code #13284

@ga2yrsh

Jetty version(s)
12.0.22

Jetty Environment
jetty-12 jetty-openid

Java version/vendor (use: java -version)
openjdk version "21.0.2" 2024-01-16
OpenJDK Runtime Environment GraalVM CE 21.0.2+13.1 (build 21.0.2+13-jvmci-23.1-b30)
OpenJDK 64-Bit Server VM GraalVM CE 21.0.2+13.1 (build 21.0.2+13-jvmci-23.1-b30, mixed mode, sharing)

OS type/version
Windows 10.

Description
Errors from the OpenID provider are swallowed and replaced with an exception saying "no id_token" (thrown as new AuthenticationException("no id_token")).

  1. jetty-openid makes a web service call to the provider (e.g. Microsoft) to get an auth code:
    org.eclipse.jetty.security.openid.OpenIdCredentials.redeemAuthCode()

  2. If the provider returns an error, the response looks like this (debugger view of the parsed map):
    {
      "trace_id" -> "<some trace id>"
      "error_description" -> "<error description>"
      "correlation_id" -> "<correlation id>"
      "error_codes" -> {Object[1]@8736}
      "error" -> "invalid_grant"
      "error_uri" -> "https://login.microsoftonline.com/error?code=70008"
      "timestamp" -> "2025-06-20 06:21:23Z"
    }

  3. Then there is a check for an "id_token" in the response, and an exception is thrown:
    String idToken = (String)response.get("id_token");
    if (idToken == null)
        throw new AuthenticationException("no id_token");
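The following is an added example, not Jetty's code and not a proposed patch from the issue author: it shows how a token-endpoint response can be checked for the standard OAuth 2.0 error fields (`error`, `error_description`, `error_uri`, RFC 6749 section 5.2) before the `id_token` lookup, so the provider's own reason reaches the log instead of only "no id_token". The class and method names (`TokenResponseCheck`, `extractIdToken`) and the sample maps are assumptions constructed for the example; the error-response values mirror the shape shown in step 2.

```java
import java.util.HashMap;
import java.util.Map;

// Added example (not Jetty's code): surface OAuth 2.0 token-endpoint errors
// (RFC 6749 section 5.2: "error", "error_description", "error_uri") instead of
// only reporting a missing id_token.
public class TokenResponseCheck {

    /** Thrown when the provider reports an error or the response has no id_token. */
    public static class AuthenticationException extends Exception {
        public AuthenticationException(String message) {
            super(message);
        }
    }

    /**
     * Returns the id_token from a parsed token-endpoint response, or throws an
     * AuthenticationException whose message carries the provider's own error
     * fields when the provider reported one.
     */
    public static String extractIdToken(Map<String, Object> response) throws AuthenticationException {
        Object error = response.get("error");
        if (error != null) {
            // The provider reported a failure: build the message from the standard fields
            // so the operator sees e.g. "invalid_grant" and its description, not "no id_token".
            StringBuilder msg = new StringBuilder("OpenID provider returned error: ").append(error);
            Object description = response.get("error_description");
            if (description != null) {
                msg.append(" (").append(description).append(")");
            }
            Object uri = response.get("error_uri");
            if (uri != null) {
                msg.append(", see ").append(uri);
            }
            throw new AuthenticationException(msg.toString());
        }

        // No error reported: now the absence of id_token really is the problem.
        Object idToken = response.get("id_token");
        if (!(idToken instanceof String) || ((String) idToken).isEmpty()) {
            throw new AuthenticationException("no id_token in token response");
        }
        return (String) idToken;
    }

    public static void main(String[] args) {
        // Constructed sample: the shape of the error response described in the issue.
        Map<String, Object> errorResponse = new HashMap<>();
        errorResponse.put("error", "invalid_grant");
        errorResponse.put("error_description", "<error description>");
        errorResponse.put("error_uri", "https://login.microsoftonline.com/error?code=70008");
        errorResponse.put("trace_id", "<some trace id>");

        try {
            extractIdToken(errorResponse);
        } catch (AuthenticationException e) {
            // Prints the provider's error and description rather than "no id_token".
            System.out.println(e.getMessage());
        }

        // Constructed sample: a success response carrying an id_token placeholder.
        Map<String, Object> okResponse = new HashMap<>();
        okResponse.put("id_token", "<jwt placeholder>");
        try {
            System.out.println("id_token present: " + extractIdToken(okResponse));
        } catch (AuthenticationException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Checking `error` first matters because a provider that rejects the grant never sends `id_token`, so the existing null check would always mask the real cause (here `invalid_grant` with the provider's description and error URI).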

Labels

Bug (for general bugs on Jetty side)