Provide details in the log when a client credential grant fails (#28927)

Closes #28926

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Alexander Schwartz 2024-05-06 09:31:25 +02:00 committed by GitHub
parent a9532274e3
commit 2ebad818f9


@ -63,14 +63,17 @@ public class ClientCredentialsGrantType extends OAuth2GrantTypeBase {
setContext(context);
if (client.isBearerOnly()) {
event.detail(Details.REASON, "Bearer-only client not allowed to retrieve service account");
event.error(Errors.INVALID_CLIENT);
throw new CorsErrorResponseException(cors, OAuthErrorException.UNAUTHORIZED_CLIENT, "Bearer-only client not allowed to retrieve service account", Response.Status.UNAUTHORIZED);
}
if (client.isPublicClient()) {
event.detail(Details.REASON, "Public client not allowed to retrieve service account");
event.error(Errors.INVALID_CLIENT);
throw new CorsErrorResponseException(cors, OAuthErrorException.UNAUTHORIZED_CLIENT, "Public client not allowed to retrieve service account", Response.Status.UNAUTHORIZED);
}
if (!client.isServiceAccountsEnabled()) {
event.detail(Details.REASON, "Client not enabled to retrieve service account");
event.error(Errors.INVALID_CLIENT);
throw new CorsErrorResponseException(cors, OAuthErrorException.UNAUTHORIZED_CLIENT, "Client not enabled to retrieve service account", Response.Status.UNAUTHORIZED);
}
@ -89,6 +92,7 @@ public class ClientCredentialsGrantType extends OAuth2GrantTypeBase {
event.user(clientUser);
if (!clientUser.isEnabled()) {
event.detail(Details.REASON, "User '" + clientUsername + "' disabled");
event.error(Errors.USER_DISABLED);
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "User '" + clientUsername + "' disabled", Response.Status.UNAUTHORIZED);
}
@ -128,6 +132,7 @@ public class ClientCredentialsGrantType extends OAuth2GrantTypeBase {
try {
session.clientPolicy().triggerOnEvent(new ServiceAccountTokenRequestContext(formParams, clientSessionCtx.getClientSession()));
} catch (ClientPolicyException cpe) {
event.detail(Details.REASON, cpe.getErrorDetail());
event.error(cpe.getError());
throw new CorsErrorResponseException(cors, cpe.getError(), cpe.getErrorDetail(), Response.Status.BAD_REQUEST);
}
@ -164,6 +169,8 @@ public class ClientCredentialsGrantType extends OAuth2GrantTypeBase {
try {
res = responseBuilder.build();
} catch (RuntimeException re) {
event.detail(Details.REASON, re.getMessage());
event.error(Errors.INVALID_REQUEST);
if ("can not get encryption KEK".equals(re.getMessage())) {
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST,
"can not get encryption KEK", Response.Status.BAD_REQUEST);
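Review bot: In the last hunk the reason recorded for the token-build failure is `re.getMessage()` taken verbatim from an arbitrary RuntimeException, whereas every other hunk records either a fixed string or a ClientPolicyException's own error detail; that message may be null (whether `EventBuilder.detail` drops null values is not visible here), and for a non-KEK failure it carries whatever internal detail the failing component put in its message, which presumably then reaches every registered event listener and log sink. Since the `if` that follows already singles out the one message the code knows about, consider a controlled, null-safe reason, e.g. `event.detail(Details.REASON, re.getMessage() != null ? re.getMessage() : re.getClass().getSimpleName());`, or a fixed string such as `"Failed to build token response"` for the generic branch while keeping the KEK message for its own branch. The catch block and the enclosing method continue past the end of the hunk, so how the generic branch is rethrown is not visible from here.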