Handle oauth error scenarios for staff

app/controllers/auth_failures_controller.rb

@@ -8,9 +8,17 @@ def failure
     when :identity
       handle_failure_then_redirect_to qualifications_root_path
     when :dfe
-      return redirect_to(check_records_dsi_sign_out_path(id_token_hint: session[:id_token])) if session_expired?
+      return redirect_to(
+        check_records_dsi_sign_out_path(id_token_hint: session[:id_token])
+      ) if session_expired?
 
       handle_failure_then_redirect_to check_records_sign_in_path(oauth_failure: true)
+    when :staff
+      return redirect_to(
+        support_interface_dsi_sign_out_path(id_token_hint: session[:id_token])
+      ) if session_expired?
+
+      handle_failure_then_redirect_to support_interface_sign_in_path(oauth_failure: true)
     end
   end
 

spec/system/support/staff_user_has_oauth_error_signing_in_spec.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require "rails_helper"
+
+RSpec.describe "DSI authentication", type: :system do
+  include AuthorizationSteps
+  include AuthenticationSteps
+
+  before do
+    when_i_am_authorized_with_basic_auth
+    allow(Sentry).to receive(:capture_exception)
+  end
+
+  scenario "Staff user has oauth error when signing in", test: :with_stubbed_auth do
+    given_dsi_auth_is_mocked_with_a_failure("invalid_credentials") do
+      when_i_visit_the_sign_in_page
+      and_click_the_dsi_sign_in_button
+      then_i_see_a_sign_in_error
+    end
+  end
+
+  scenario "Staff user has sessionexpiry oauth error", test: :with_stubbed_auth do
+    given_dsi_auth_is_mocked_with_a_failure("sessionexpired") do
+      when_i_visit_the_sign_in_page
+      and_click_the_dsi_sign_in_button
+      then_i_am_redirected_to_sign_in
+    end
+  end
+
+  private
+
+  def then_i_see_a_sign_in_error
+    expect(page).to have_content "There was a problem signing you in. Please try again."
+  end
+
+  def then_i_am_redirected_to_sign_in
+    expect(page).to have_current_path(support_interface_sign_in_path)
+  end
+end