Error 500 instead of an error message when the user is not in the required group

When I use the option:
oidc.groups.allowed=foo
and the user is not in the group, then an exception is logged and the user sees an "HTTP Status 500 – Internal Server Error" error message.
Exception:
2025-06-06T08:14:37+0200 server[1961672]: org.xwiki.contrib.oidc.provider.internal.OIDCException: The user is not allowed to authenticate because it's not a member of the following groups: [foo]
2025-06-06T08:14:37+0200 server[1961672]:         at org.xwiki.contrib.oidc.auth.internal.OIDCUserManager.checkAllowedGroups(OIDCUserManager.java:257)
2025-06-06T08:14:37+0200 server[1961672]:         at org.xwiki.contrib.oidc.auth.internal.OIDCUserManager.updateUser(OIDCUserManager.java:331)
2025-06-06T08:14:37+0200 server[1961672]:         at org.xwiki.contrib.oidc.auth.internal.endpoint.CallbackOIDCEndpoint.handle(CallbackOIDCEndpoint.java:249)
2025-06-06T08:14:37+0200 server[1961672]:         at org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:138)
2025-06-06T08:14:37+0200 server[1961672]:         at org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:110)
2025-06-06T08:14:37+0200 server[1961672]:         at org.xwiki.resource.internal.DefaultResourceReferenceHandlerChain.handleNext(DefaultResourceReferenceHandlerChain.java:79)
2025-06-06T08:14:37+0200 server[1961672]:         at org.xwiki.resource.internal.AbstractResourceReferenceHandlerManager.handle(AbstractResourceReferenceHandlerManager.java:82)
2025-06-06T08:14:37+0200 server[1961672]:         at org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:159)
2025-06-06T08:14:37+0200 server[1961672]:         at org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:87)
2025-06-06T08:14:37+0200 server[1961672]:         at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154)
2025-06-06T08:14:37+0200 server[1961672]:         at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:179)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:661)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:425)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:330)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:294)
2025-06-06T08:14:37+0200 server[1961672]:         at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:145)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:179)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154)
2025-06-06T08:14:37+0200 server[1961672]:         at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:179)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154)
2025-06-06T08:14:37+0200 server[1961672]:         at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:117)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:179)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:424)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1786)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
2025-06-06T08:14:37+0200 server[1961672]:         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
2025-06-06T08:14:37+0200 server[1961672]:         at java.base/java.lang.Thread.run(Thread.java:840)

I think it would be better if the user saw a normal error message.
But the second, security-relevant problem is the fact that the session created on the IDP is not removed. So the user will be logged in to all applications in the realm (on Keycloak) or all applications (on Microsoft ADFS) without any notification. So there must be an option which can force a logout on the IDP in this case. (This must be an option, because not all scenarios require it.)

Thanks
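The behaviour requested in the post above, as an added sketch that is not part of the original post and not code from the XWiki OIDC extension: a denied group check returns a readable 403 instead of an unhandled exception, and an opt-in flag redirects to the IdP's end-session endpoint using the OpenID Connect RP-Initiated Logout parameters. The function names, the `groups` claim name, the `force_idp_logout` flag and all URLs and token values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Constructed sample values (placeholders, not taken from the thread).
CLAIMS = {"sub": "alice", "groups": ["bar"]}
ID_TOKEN = "eyJ.constructed.id-token"
END_SESSION = "https://idp.example/realms/demo/protocol/openid-connect/logout"
DENIED_PAGE = "https://wiki.example/denied"


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    body: str = ""


def claim_groups(claims: dict, group_claim: str) -> set:
    """Normalise the group claim: an IdP may send a list or a single string."""
    value = claims.get(group_claim, [])
    return {value} if isinstance(value, str) else set(value)


def finish_login(claims, raw_id_token, allowed_groups, *, group_claim="groups",
                 force_idp_logout=False, end_session_endpoint=None,
                 post_logout_redirect_uri=None, state=None) -> Response:
    """Decide the callback outcome after the ID token has been validated."""
    if claim_groups(claims, group_claim) & set(allowed_groups):
        return Response(200, body="login accepted")

    # Denied. Optionally end the IdP session so the single sign-on session
    # created during this attempt does not stay open for other applications.
    if force_idp_logout and end_session_endpoint:
        params = {"id_token_hint": raw_id_token}
        if post_logout_redirect_uri:
            params["post_logout_redirect_uri"] = post_logout_redirect_uri
        if state:
            params["state"] = state
        sep = "&" if "?" in end_session_endpoint else "?"
        return Response(302, end_session_endpoint + sep + urlencode(params))

    # Default: a handled, user-facing refusal rather than a 500.
    return Response(403, body="You are not a member of a group allowed "
                              "to use this application.")
```

The `post_logout_redirect_uri` must be registered with the IdP for the client, otherwise the IdP will not redirect back after ending the session.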

That could be interesting indeed, don’t hesitate to create an improvement issue about that on Loading....

Done

Please avoid creating a single Jira issue for several different things (here improving the error reporting display and adding an option to force logout on the provider). I created Loading... this time.