diff --git a/services/src/main/java/org/keycloak/protocol/oidc/grants/ciba/endpoints/BackchannelAuthenticationEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/grants/ciba/endpoints/BackchannelAuthenticationEndpoint.java
index a3d0996213..af7ae3d8f1 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/grants/ciba/endpoints/BackchannelAuthenticationEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/grants/ciba/endpoints/BackchannelAuthenticationEndpoint.java
@@ -38,6 +38,7 @@ import org.keycloak.protocol.oidc.grants.ciba.clientpolicy.context.BackchannelAu
 import org.keycloak.protocol.oidc.grants.ciba.endpoints.request.BackchannelAuthenticationEndpointRequest;
 import org.keycloak.protocol.oidc.grants.ciba.endpoints.request.BackchannelAuthenticationEndpointRequestParserProcessor;
 import org.keycloak.protocol.oidc.grants.ciba.resolvers.CIBALoginUserResolver;
+import org.keycloak.representations.idm.OAuth2ErrorRepresentation;
 import org.keycloak.services.ErrorResponseException;
 import org.keycloak.services.clientpolicy.ClientPolicyException;
 import org.keycloak.util.JsonSerialization;
@@ -45,6 +46,7 @@ import org.keycloak.util.JsonSerialization;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.POST;
 import javax.ws.rs.Produces;
+import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.MultivaluedMap;
@@ -141,7 +143,13 @@ public class BackchannelAuthenticationEndpoint extends AbstractCibaEndpoint {
 }
 private CIBAAuthenticationRequest authorizeClient(MultivaluedMap params) {
- ClientModel client = authenticateClient();
+ ClientModel client = null;
+ try {
+ client = authenticateClient();
+ } catch (WebApplicationException wae) {
+ OAuth2ErrorRepresentation errorRep = (OAuth2ErrorRepresentation)wae.getResponse().getEntity();
+ throw new ErrorResponseException(errorRep.getError(), errorRep.getErrorDescription(), Response.Status.UNAUTHORIZED);
+ }
 BackchannelAuthenticationEndpointRequest endpointRequest = BackchannelAuthenticationEndpointRequestParserProcessor.parseRequest(event, session, client, params, realm.getCibaPolicy());
 UserModel user = resolveUser(endpointRequest, realm.getCibaPolicy().getAuthRequestedUserHint());
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/CIBATest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/CIBATest.java
index d6a44587b4..2a6929406c 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/CIBATest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/CIBATest.java
@@ -1093,7 +1093,7 @@ public class CIBATest extends AbstractClientPoliciesTest {
 // user Backchannel Authentication Request
 AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, "gilwekDe3", "acr2");
- assertThat(response.getStatusCode(), is(equalTo(400)));
+ assertThat(response.getStatusCode(), is(equalTo(401)));
 assertThat(response.getError(), is(OAuthErrorException.INVALID_GRANT));
 assertThat(response.getErrorDescription(), is("Client not allowed OIDC CIBA Grant"));
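Review bot: The unchecked cast in the new catch branch assumes every WebApplicationException thrown by authenticateClient() carries an OAuth2ErrorRepresentation entity; authenticateClient() lives outside this hunk, and if it ever throws with a null or differently-typed entity (a String body or a bare 401, say), the cast turns into a ClassCastException or NullPointerException that surfaces as a 500 and hides the real client-authentication failure. Guard the cast and fall back to the original exception: `Object entity = wae.getResponse().getEntity(); if (!(entity instanceof OAuth2ErrorRepresentation)) throw wae;` before the cast. The rewrap also forces 401 regardless of the original status and discards any headers the original response carried (a WWW-Authenticate challenge, if authenticateClient() sets one for a failed Basic auth, would be lost); if the intent is only to correct the status code for the CIBA endpoint, preserving the original response when its status is already 401 would be safer. authorizeClient's body continues past the end of the hunk.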