Provide details in the log when a client credential grant fails (#28927)
Closes #28926 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
This commit is contained in:
parent
a9532274e3
commit
2ebad818f9
1 changed files with 7 additions and 0 deletions
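--- a/[path not shown on page]/ClientCredentialsGrantType.java
+++ b/[path not shown on page]/ClientCredentialsGrantType.java
@@ -63,14 +63,17 @@ public class ClientCredentialsGrantType extends OAuth2GrantTypeBase {
 setContext(context);
 
 if (client.isBearerOnly()) {
+event.detail(Details.REASON, "Bearer-only client not allowed to retrieve service account");
 event.error(Errors.INVALID_CLIENT);
 throw new CorsErrorResponseException(cors, OAuthErrorException.UNAUTHORIZED_CLIENT, "Bearer-only client not allowed to retrieve service account", Response.Status.UNAUTHORIZED);
 }
 if (client.isPublicClient()) {
+event.detail(Details.REASON, "Public client not allowed to retrieve service account");
 event.error(Errors.INVALID_CLIENT);
 throw new CorsErrorResponseException(cors, OAuthErrorException.UNAUTHORIZED_CLIENT, "Public client not allowed to retrieve service account", Response.Status.UNAUTHORIZED);
 }
 if (!client.isServiceAccountsEnabled()) {
+event.detail(Details.REASON, "Client not enabled to retrieve service account");
 event.error(Errors.INVALID_CLIENT);
 throw new CorsErrorResponseException(cors, OAuthErrorException.UNAUTHORIZED_CLIENT, "Client not enabled to retrieve service account", Response.Status.UNAUTHORIZED);
 }
@@ -89,6 +92,7 @@ public class ClientCredentialsGrantType extends OAuth2GrantTypeBase {
 event.user(clientUser);
 
 if (!clientUser.isEnabled()) {
+event.detail(Details.REASON, "User '" + clientUsername + "' disabled");
 event.error(Errors.USER_DISABLED);
 throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "User '" + clientUsername + "' disabled", Response.Status.UNAUTHORIZED);
 }
@@ -128,6 +132,7 @@ public class ClientCredentialsGrantType extends OAuth2GrantTypeBase {
 try {
 session.clientPolicy().triggerOnEvent(new ServiceAccountTokenRequestContext(formParams, clientSessionCtx.getClientSession()));
 } catch (ClientPolicyException cpe) {
+event.detail(Details.REASON, cpe.getErrorDetail());
 event.error(cpe.getError());
 throw new CorsErrorResponseException(cors, cpe.getError(), cpe.getErrorDetail(), Response.Status.BAD_REQUEST);
 }
@@ -164,6 +169,8 @@ public class ClientCredentialsGrantType extends OAuth2GrantTypeBase {
 try {
 res = responseBuilder.build();
 } catch (RuntimeException re) {
+event.detail(Details.REASON, re.getMessage());
+event.error(Errors.INVALID_REQUEST);
 if ("can not get encryption KEK".equals(re.getMessage())) {
 throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST,
 "can not get encryption KEK", Response.Status.BAD_REQUEST);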
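Review bot: In the last hunk, `event.detail(Details.REASON, re.getMessage())` passes the raw message of whatever RuntimeException escaped `responseBuilder.build()`, and that message is null for exceptions constructed without one; unless EventBuilder.detail is known to drop null values, guard it, e.g. `event.detail(Details.REASON, re.getMessage() != null ? re.getMessage() : re.getClass().getName());`. The same hunk now records `Errors.INVALID_REQUEST` for every RuntimeException before the KEK-specific check runs, so failures that are internal rather than caused by the request are classified as client errors in the audit log; the branch after the `if` lies outside the hunk, so I cannot see how the remaining exceptions are reported. In the first two hunks the reason text is duplicated verbatim between `event.detail` and the thrown CorsErrorResponseException; hoisting it into a local, `String reason = "User '" + clientUsername + "' disabled";`, and passing `reason` to both calls keeps the logged reason and the returned error from drifting apart. The enclosing method starts and ends outside the shown hunks.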