snowflakedb · sfc-gh-ext-simba-jy · Aug 6, 2025 · Aug 6, 2025 · Aug 6, 2025 · Aug 7, 2025
@@ -153,6 +153,12 @@ extern "C" {
     try
     {
       static_cast<Snowflake::Client::IAuthenticator*>(conn->auth_object)->authenticate();
+
+      // Based on the Okta and external browser implementation, we avoid using try-catch in order to follow the Google C++ Style Guide.
+      // As a result, we handle errors using boolean flags and defer final error handling to the C API level.
+      if ((conn->error).error_code != SF_STATUS_SUCCESS) {
+          return SF_STATUS_ERROR_GENERAL;
+      }
     }
     catch (...)
     {
@@ -438,7 +444,7 @@ namespace Client
   void AuthenticatorOKTA::authenticate()
   {
       IAuthenticatorOKTA::authenticate();
-      if ((m_connection->error).error_code == SF_STATUS_SUCCESS && (isError() || m_idp->isError()))
+      if (isError() || m_idp->isError())
       {
           const char* err = isError() ? getErrorMessage() : m_idp->getErrorMessage();
           SET_SNOWFLAKE_ERROR(&m_connection->error, SF_STATUS_ERROR_GENERAL, err, SF_SQLSTATE_GENERAL_ERROR);

@@ -77,7 +77,7 @@ namespace Client
             }
             else {
                 CXX_LOG_INFO("sf::IDPAuthenticator::getIDPInfo::Fail to get authenticator info.");
-                m_errMsg = "Fail to get authenticator info.";
+                m_errMsg = "Fail to get authenticator info in getIDPInfo.";
                 ret = false;
             }
             return ret;
@@ -359,6 +359,8 @@ namespace Client
                 {
                     CXX_LOG_WARN("sf::IAuthenticatorOKTA::authenticate::Fail to get one time token response, response body=%s.",
                         picojson::value(respData).serialize().c_str());
+                    m_errMsg = "SFAuthenticatorVerificationFailed::authenticate::Fail to get one time token response.";
+
                     return;
                 }
 
@@ -379,6 +381,8 @@ namespace Client
                             m_idp->m_retriedCount, m_idp->m_retryTimeout);
                         continue;
                     }
+                    CXX_LOG_ERROR("SF::IAuthenticatorOKTA::authenticate::Failed to get the saml response. response body=%s.", picojson::value(resp).serialize().c_str());
+                    m_errMsg = "SFAuthenticatorVerificationFailed::authenticate::Failed to get the saml response.";
                     return;
                 }
                 break;
@@ -391,10 +395,10 @@ namespace Client
             if ((!m_disableSamlUrlCheck) &&
                 (!urlHasSamePrefix(post_back_url, server_url)))
             {
-                CXX_LOG_ERROR("sf","IAuthenticatorOKTA::authenticate::The specified authenticator and destination URL in Saml Assertion did not match, expected=%s, post back=%s.",
+                CXX_LOG_ERROR("sf::IAuthenticatorOKTA::authenticate::The specified authenticator and destination URL in Saml Assertion did not match, expected=%s, post back=%s.",
                     server_url.c_str(),
                     post_back_url.c_str());
-                m_errMsg = "SFSamlResponseVerificationFailed.";
+                m_errMsg = "SFSamlResponseVerificationFailed: The specified authenticator and destination URL in Saml Assertion did not match.";
             }
         }
 

@@ -186,7 +186,7 @@ void test_idp_authenticator(void**)
 
     idp.isCurrentCallFailed = true;
     idp.getIDPInfo(dataMap);
-    assert_string_equal(idp.getErrorMessage(), "Fail to get authenticator info.");
+    assert_string_equal(idp.getErrorMessage(), "Fail to get authenticator info in getIDPInfo.");
 
     snowflake_term(sf);
 }
@@ -271,7 +271,7 @@ void test_okta_authenticator_fail(void**)
 
     MockOkta okta = MockOkta(sf);
     okta.authenticate();
-    assert_string_equal(okta.getErrorMessage(), "SFSamlResponseVerificationFailed.");
+    assert_string_equal(okta.getErrorMessage(), "SFSamlResponseVerificationFailed: The specified authenticator and destination URL in Saml Assertion did not match.");
 
     okta.setCurlGetRequestFailed(true);
     okta.authenticate();