Provide details in the log when a client credential grant fails (#28927)

Closes #28926

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Alexander Schwartz 2024-05-06 09:31:25 +02:00 committed by GitHub
parent a9532274e3
commit 2ebad818f9


@ -63,14 +63,17 @@ public class ClientCredentialsGrantType extends OAuth2GrantTypeBase {
setContext(context); setContext(context);
if (client.isBearerOnly()) { if (client.isBearerOnly()) {
event.detail(Details.REASON, "Bearer-only client not allowed to retrieve service account");
event.error(Errors.INVALID_CLIENT); event.error(Errors.INVALID_CLIENT);
throw new CorsErrorResponseException(cors, OAuthErrorException.UNAUTHORIZED_CLIENT, "Bearer-only client not allowed to retrieve service account", Response.Status.UNAUTHORIZED); throw new CorsErrorResponseException(cors, OAuthErrorException.UNAUTHORIZED_CLIENT, "Bearer-only client not allowed to retrieve service account", Response.Status.UNAUTHORIZED);
} }
if (client.isPublicClient()) { if (client.isPublicClient()) {
event.detail(Details.REASON, "Public client not allowed to retrieve service account");
event.error(Errors.INVALID_CLIENT); event.error(Errors.INVALID_CLIENT);
throw new CorsErrorResponseException(cors, OAuthErrorException.UNAUTHORIZED_CLIENT, "Public client not allowed to retrieve service account", Response.Status.UNAUTHORIZED); throw new CorsErrorResponseException(cors, OAuthErrorException.UNAUTHORIZED_CLIENT, "Public client not allowed to retrieve service account", Response.Status.UNAUTHORIZED);
} }
if (!client.isServiceAccountsEnabled()) { if (!client.isServiceAccountsEnabled()) {
event.detail(Details.REASON, "Client not enabled to retrieve service account");
event.error(Errors.INVALID_CLIENT); event.error(Errors.INVALID_CLIENT);
throw new CorsErrorResponseException(cors, OAuthErrorException.UNAUTHORIZED_CLIENT, "Client not enabled to retrieve service account", Response.Status.UNAUTHORIZED); throw new CorsErrorResponseException(cors, OAuthErrorException.UNAUTHORIZED_CLIENT, "Client not enabled to retrieve service account", Response.Status.UNAUTHORIZED);
} }
@ -89,6 +92,7 @@ public class ClientCredentialsGrantType extends OAuth2GrantTypeBase {
event.user(clientUser); event.user(clientUser);
if (!clientUser.isEnabled()) { if (!clientUser.isEnabled()) {
event.detail(Details.REASON, "User '" + clientUsername + "' disabled");
event.error(Errors.USER_DISABLED); event.error(Errors.USER_DISABLED);
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "User '" + clientUsername + "' disabled", Response.Status.UNAUTHORIZED); throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "User '" + clientUsername + "' disabled", Response.Status.UNAUTHORIZED);
} }
@ -128,6 +132,7 @@ public class ClientCredentialsGrantType extends OAuth2GrantTypeBase {
try { try {
session.clientPolicy().triggerOnEvent(new ServiceAccountTokenRequestContext(formParams, clientSessionCtx.getClientSession())); session.clientPolicy().triggerOnEvent(new ServiceAccountTokenRequestContext(formParams, clientSessionCtx.getClientSession()));
} catch (ClientPolicyException cpe) { } catch (ClientPolicyException cpe) {
event.detail(Details.REASON, cpe.getErrorDetail());
event.error(cpe.getError()); event.error(cpe.getError());
throw new CorsErrorResponseException(cors, cpe.getError(), cpe.getErrorDetail(), Response.Status.BAD_REQUEST); throw new CorsErrorResponseException(cors, cpe.getError(), cpe.getErrorDetail(), Response.Status.BAD_REQUEST);
} }
@ -164,6 +169,8 @@ public class ClientCredentialsGrantType extends OAuth2GrantTypeBase {
try { try {
res = responseBuilder.build(); res = responseBuilder.build();
} catch (RuntimeException re) { } catch (RuntimeException re) {
event.detail(Details.REASON, re.getMessage());
event.error(Errors.INVALID_REQUEST);
if ("can not get encryption KEK".equals(re.getMessage())) { if ("can not get encryption KEK".equals(re.getMessage())) {
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST,
"can not get encryption KEK", Response.Status.BAD_REQUEST); "can not get encryption KEK", Response.Status.BAD_REQUEST);
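Review bot: The new `event.detail(Details.REASON, re.getMessage())` in the fourth hunk copies the raw message of an arbitrary RuntimeException into the event record, which is persisted and exposed to the admin console and event listeners; unlike the fixed strings in the first three hunks, that text is not under this code's control, may carry internal details, and may be null when the exception has no message (worth confirming that EventBuilder drops null values, otherwise guard it with `re.getMessage() != null ? re.getMessage() : re.getClass().getName()`). Consider a fixed reason for the non-KEK path and leave the full exception to the server log. `event.error(Errors.INVALID_REQUEST)` is now recorded before the message check, so a failure that the code later rethrows unchanged is still logged as an invalid request rather than a server-side error — presumably intended, but a one-line comment would make that explicit. The catch block and the enclosing method continue outside the hunk. In the first two hunks the reason string is duplicated between `event.detail` and the thrown exception; a local `String reason = ...;` used in both calls would keep them from drifting.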