auth status: explain why authentication failed instead of a bare "Unauthorized"#86
Open
jordanenglish wants to merge 1 commit into
Open
Conversation
…uthorized"
`auth status` collapsed three distinct failures into one opaque
"Unauthorized for <host>" line: no token configured, a token the server
rejected (401), and the request never reaching the server (network/DNS,
or some other HTTP status). Users could not tell an expired token from a
connectivity blip, and the message suggested no remedy.
Classify the /account/details error with errors.As on the go-tfe
*APIError (it arrives wrapped in a *url.Error) and print a cause-specific,
actionable message:
- no token -> run `tfctl auth login`
- rejected (401) -> token expired/revoked (auth login), or an SSO
session that has lapsed on SSO-protected Terraform
Enterprise (re-authenticate in the browser)
- other status -> "<host> returned HTTP N" (not an auth problem)
- unreachable -> "could not reach <host>: <err>"
JSON/agent output gains a machine-readable `reason` field so scripts can
branch on the cause.
jordanenglish
force-pushed
the
fix/auth-status-401-diagnostics
branch
from
July 17, 2026 05:57
5aac03f to
213cd0a
Compare
jordanenglish
marked this pull request as ready for review
July 17, 2026 05:59
brandonc
reviewed
Jul 17, 2026
brandonc
left a comment
Collaborator
There was a problem hiding this comment.
Once again, a very useful and uncontroversial change. Thanks!
Comment on lines
+210
to
+212
| fmt.Fprintf(w, "%s Token for %s was rejected (HTTP 401).\n", icon, hostname) | ||
| fmt.Fprintf(w, " - The token may be expired or revoked: run '%s auth login' to create a new one.\n", version.Name) | ||
| fmt.Fprintf(w, " - On SSO-protected Terraform Enterprise, your browser SSO session may have lapsed: re-authenticate in the browser, then retry.\n") |
Collaborator
There was a problem hiding this comment.
I'd like to slightly reword this (unless you disagree) and add the Terraform Enterprise condition to simplify the message for HCP Terraform users.
Suggested change
| fmt.Fprintf(w, "%s Token for %s was rejected (HTTP 401).\n", icon, hostname) | |
| fmt.Fprintf(w, " - The token may be expired or revoked: run '%s auth login' to create a new one.\n", version.Name) | |
| fmt.Fprintf(w, " - On SSO-protected Terraform Enterprise, your browser SSO session may have lapsed: re-authenticate in the browser, then retry.\n") | |
| fmt.Fprintf(w, "%s Token for %s was invalid (HTTP 401).\n", icon, hostname) | |
| fmt.Fprintf(w, " - The token may be expired, revoked, or disabled: run '%s auth login' to create a new one.\n", version.Name) | |
| if !strings.HasSuffix(opts.Profile.GetHostname(), ".terraform.io") { | |
| fmt.Fprintf(w, " - Your Terraform Enterprise SSO session may have expired: sign in again, then retry.\n") | |
| } | |
| fmt.Fprintf(w, " - Ensure you are using the intended token configuration by adding '--debug' to this command") |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
tfctl auth statuscurrently prints a single opaque line —X Unauthorized for <host>— for three genuinely different failures:You can't tell an expired token from a network blip, and the message points at no remedy.
Change
Classify the
/account/detailserror and print a cause-specific, actionable message. The go-tfe*APIErrorarrives wrapped in a*url.Error, so classification useserrors.Asto walk the chain rather than matching the top-level type.No token configured for <host>. Run 'tfctl auth login' to authenticate.tfctl auth login), or an SSO session that has lapsed on SSO-protected Terraform Enterprise (re-authenticate in the browser, then retry)<host> returned HTTP N (not an authentication problem).Could not reach <host>: <err>JSON/agent output gains a machine-readable
reasonfield (no_token/rejected/server_error/unreachable) so scripts can branch on the cause.The 401 message is the motivating case: on SAML-SSO Terraform Enterprise a user token is gated by the SSO session, so it 401s well before its own expiry — indistinguishable from a truly expired token under the old wording.
Tests
TestStatus_Unauthorized/TestStatus_NoTokento assert the new cause-specific messages (drives a real 401 through the go-tfe client).TestStatus_Unauthorized_JSON(assertsreasonin JSON output) andTestClassifyAuthError(covers the 401 / wrapped-*url.Error/ other-status / unreachable branches).gofmt,go vet, andgo test ./...clean.PR Checklist
npx changie newor install changie to prepare a new changelog entry for the next set of release notes..changes/unreleased/ENHANCEMENTS-*.yaml(kind: ENHANCEMENTS).--json— Force machine readable output to stdout. Does not apply to stderr.--markdown— Force markdown output to stdout. Does not apply to stderr.--dry-run— Don't make any actual writes or other mutations. Describe what would have changed to stderr.--quiet— Don't render output to stdout.auth statusis read-only, so--dry-runis not applicable. The failure messages go to stderr (as before); JSON/agent output gains a machine-readablereasonfield on the existing inactive result.--quietbehavior is unchanged.make gen/screenshotif the root command output changes.auth statusoutput changes; the root command output is unchanged.Autocompletefield to positional arguments and flags to assist shell autocomplete.PCI review checklist
I have documented a clear reason for, and description of, the change I am making.
If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
If applicable, I've documented the impact of any changes to security controls.