Declining terms and conditions in account-console results in error

Closes #28328 Signed-off-by: vramik <vramik@redhat.com>
2024-10-10 14:20:26 +02:00 · 2024-10-10 14:20:26 +02:00 · 3d91df42d8
commit 3d91df42d8
parent 8c2bc39418
10 changed files with 89 additions and 17 deletions
--- a/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionContext.java
+++ b/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionContext.java
@ -120,6 +120,8 @@ public interface RequiredActionContext {
    Status getStatus();
    String getErrorMessage();
    /**
     * Send a challenge Response back to user
     *
@ -127,11 +129,19 @@ public interface RequiredActionContext {
     */
    void challenge(Response response);
    /**
     * Abort the authentication with an error, optionally with an erroMessage.
     *
     */
    void failure(String errorMessage);
    /**
     * Abort the authentication with an error
     *
     */
-    void failure();
+    default void failure() {
        failure(null);
    }
    /**
     * Mark this required action as successful.  The required action will be removed from the UserModel
--- a/server-spi-private/src/main/java/org/keycloak/protocol/LoginProtocol.java
+++ b/server-spi-private/src/main/java/org/keycloak/protocol/LoginProtocol.java
@ -86,6 +86,10 @@ public interface LoginProtocol extends Provider {
    Response sendError(AuthenticationSessionModel authSession, Error error);
    default Response sendError(AuthenticationSessionModel authSession, Error error, String errorMessage) {
        return sendError(authSession, error);
    }
    /**
     * Returns client data, which will be wrapped in the "clientData" parameter sent within "authentication flow" requests. The purpose of clientData is to be able to send HTTP error
     * response back to the client if authentication fails due some error and authenticationSession is not available anymore (was either expired or removed). So clientData need to contain
--- a/services/src/main/java/org/keycloak/authentication/RequiredActionContextResult.java
+++ b/services/src/main/java/org/keycloak/authentication/RequiredActionContextResult.java
@ -46,6 +46,7 @@ public class RequiredActionContextResult implements RequiredActionContext {
    protected EventBuilder eventBuilder;
    protected KeycloakSession session;
    protected Status status;
    protected String errorMessage;
    protected Response challenge;
    protected HttpRequest httpRequest;
    protected UserModel user;
@ -66,6 +67,7 @@ public class RequiredActionContextResult implements RequiredActionContext {
        this.config = realm.getRequiredActionConfigByAlias(factory.getId());
    }
    @Override
    public RequiredActionConfigModel getConfig() {
        return config;
    }
@ -119,6 +121,11 @@ public class RequiredActionContextResult implements RequiredActionContext {
        return status;
    }
    @Override
    public String getErrorMessage() {
        return errorMessage;
    }
    @Override
    public void challenge(Response response) {
        status = Status.CHALLENGE;
@ -127,7 +134,8 @@ public class RequiredActionContextResult implements RequiredActionContext {
    }
    @Override
-    public void failure() {
+    public void failure(String errorMessage) {
        this.errorMessage = errorMessage;
        status = Status.FAILURE;
    }
--- a/services/src/main/java/org/keycloak/authentication/requiredactions/TermsAndConditions.java
+++ b/services/src/main/java/org/keycloak/authentication/requiredactions/TermsAndConditions.java
@ -23,6 +23,7 @@ import org.keycloak.common.util.Time;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.models.UserModel;
 import org.keycloak.services.messages.Messages;
 import jakarta.ws.rs.core.Response;
 import java.util.Arrays;
@ -80,7 +81,7 @@ public class TermsAndConditions implements RequiredActionProvider, RequiredActio
        if (context.getHttpRequest().getDecodedFormParameters().containsKey("cancel")) {
            context.getUser().removeAttribute(USER_ATTRIBUTE);
-            context.failure();
+            context.failure(Messages.TERMS_AND_CONDITIONS_DECLINED);
            return;
        }
--- a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
@ -342,6 +342,11 @@ public class OIDCLoginProtocol implements LoginProtocol {
    @Override
    public Response sendError(AuthenticationSessionModel authSession, Error error) {
        return sendError(authSession, error, null);
    }
    @Override
    public Response sendError(AuthenticationSessionModel authSession, Error error, String errorMessage) {
        if (isOAuth2DeviceVerificationFlow(authSession)) {
            return denyOAuth2DeviceAuthorization(authSession, error, session);
        }
@ -352,7 +357,7 @@ public class OIDCLoginProtocol implements LoginProtocol {
        String redirect = authSession.getRedirectUri();
        String state = authSession.getClientNote(OIDCLoginProtocol.STATE_PARAM);
-        OIDCRedirectUriBuilder redirectUri = buildErrorRedirectUri(redirect, state, error);
+        OIDCRedirectUriBuilder redirectUri = buildErrorRedirectUri(redirect, state, error, errorMessage);
        // Remove authenticationSession from current tab
        new AuthenticationSessionManager(session).removeTabIdInAuthenticationSession(realm, authSession);
@ -360,10 +365,10 @@ public class OIDCLoginProtocol implements LoginProtocol {
        return buildRedirectUri(redirectUri, authSession, null, null, null, error);
    }
-    private OIDCRedirectUriBuilder buildErrorRedirectUri(String redirect, String state, Error error) {
+    private OIDCRedirectUriBuilder buildErrorRedirectUri(String redirect, String state, Error error, String errorMessage) {
        OIDCRedirectUriBuilder redirectUri = OIDCRedirectUriBuilder.fromUri(redirect, responseMode, session, null);
-        OAuth2ErrorRepresentation oauthError = translateError(error);
+        OAuth2ErrorRepresentation oauthError = translateError(error, errorMessage);
        if (oauthError.getError() != null) {
            redirectUri.addParam(OAuth2Constants.ERROR, oauthError.getError());
        }
@ -411,11 +416,11 @@ public class OIDCLoginProtocol implements LoginProtocol {
        }
        setupResponseTypeAndMode(clientData.getResponseType(), clientData.getResponseMode());
-        OIDCRedirectUriBuilder redirectUri = buildErrorRedirectUri(clientData.getRedirectUri(), clientData.getState(), error);
+        OIDCRedirectUriBuilder redirectUri = buildErrorRedirectUri(clientData.getRedirectUri(), clientData.getState(), error, null);
        return buildRedirectUri(redirectUri, null, null, null, null, error);
    }
-    private OAuth2ErrorRepresentation translateError(Error error) {
+    private OAuth2ErrorRepresentation translateError(Error error, String errorMessage) {
        switch (error) {
            case CANCELLED_AIA_SILENT:
                return new OAuth2ErrorRepresentation(null, null);
@ -423,7 +428,7 @@ public class OIDCLoginProtocol implements LoginProtocol {
                return new OAuth2ErrorRepresentation(OAuthErrorException.ACCESS_DENIED, "User cancelled application-initiated action.");
            case CANCELLED_BY_USER:
            case CONSENT_DENIED:
-                return new OAuth2ErrorRepresentation(OAuthErrorException.ACCESS_DENIED, "User denied consent");
+                return new OAuth2ErrorRepresentation(OAuthErrorException.ACCESS_DENIED, errorMessage);
            case PASSIVE_INTERACTION_REQUIRED:
                return new OAuth2ErrorRepresentation(OAuthErrorException.INTERACTION_REQUIRED, null);
            case PASSIVE_LOGIN_REQUIRED:
--- a/services/src/main/java/org/keycloak/services/messages/Messages.java
+++ b/services/src/main/java/org/keycloak/services/messages/Messages.java
@ -271,6 +271,8 @@ public class Messages {
    public static final String CONSENT_DENIED="consentDenied";
    public static final String TERMS_AND_CONDITIONS_DECLINED="termsAndConditionsDeclined";
    public static final String ALREADY_LOGGED_IN="alreadyLoggedIn";
    public static final String DIFFERENT_USER_AUTHENTICATED = "differentUserAuthenticated";
--- a/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java
+++ b/services/src/main/java/org/keycloak/services/resources/LoginActionsService.java
@ -1203,7 +1203,7 @@ public class LoginActionsService {
        event.detail(Details.CUSTOM_REQUIRED_ACTION, action);
        event.error(Errors.REJECTED_BY_USER);
-        return protocol.sendError(authSession, error);
+        return protocol.sendError(authSession, error, context.getErrorMessage());
    }
    private boolean isCancelAppInitiatedAction(String providerId, AuthenticationSessionModel authSession, RequiredActionContextResult context) {
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/AppPage.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/AppPage.java
@ -17,6 +17,7 @@
 package org.keycloak.testsuite.pages;
 import org.keycloak.testsuite.util.DroneUtils;
 import org.keycloak.testsuite.util.OAuthClient;
 import org.openqa.selenium.WebElement;
 import org.openqa.selenium.support.FindBy;
@ -34,16 +35,16 @@ public class AppPage extends AbstractPage {
    @Override
    public void open() {
-        driver.navigate().to(OAuthClient.APP_AUTH_ROOT);
+        DroneUtils.getCurrentDriver().navigate().to(OAuthClient.APP_AUTH_ROOT);
    }
    @Override
    public boolean isCurrent() {
-        return removeDefaultPorts(driver.getCurrentUrl()).startsWith(OAuthClient.APP_AUTH_ROOT);
+        return removeDefaultPorts(DroneUtils.getCurrentDriver().getCurrentUrl()).startsWith(OAuthClient.APP_AUTH_ROOT);
    }
    public RequestType getRequestType() {
-        return RequestType.valueOf(driver.getTitle());
+        return RequestType.valueOf(DroneUtils.getCurrentDriver().getTitle());
    }
    public void openAccount() {
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/LoginPage.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/LoginPage.java
@ -199,11 +199,13 @@ public class LoginPage extends LanguageComboboxAwarePage {
        }
    }
    @Override
    public boolean isCurrent() {
        String realm = "test";
        return isCurrent(realm);
    }
    @Override
    public boolean isCurrent(String realm) {
        return DroneUtils.getCurrentDriver().getTitle().equals("Sign in to " + realm) || DroneUtils.getCurrentDriver().getTitle().equals("Anmeldung bei " + realm);
    }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/TermsAndConditionsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/TermsAndConditionsTest.java
@ -17,6 +17,7 @@
 package org.keycloak.testsuite.actions;
 import org.hamcrest.Matchers;
 import org.jboss.arquillian.drone.api.annotation.Drone;
 import org.jboss.arquillian.graphene.page.Page;
 import org.junit.Assert;
 import org.junit.Before;
@ -26,6 +27,7 @@ import org.keycloak.authentication.requiredactions.TermsAndConditions;
 import org.keycloak.events.Details;
 import org.keycloak.events.Errors;
 import org.keycloak.events.EventType;
 import org.keycloak.models.Constants;
 import org.keycloak.models.UserModel;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.representations.idm.RequiredActionProviderRepresentation;
@ -36,15 +38,24 @@ import org.keycloak.testsuite.pages.AppPage;
 import org.keycloak.testsuite.pages.AppPage.RequestType;
 import org.keycloak.testsuite.pages.LoginPage;
 import org.keycloak.testsuite.pages.TermsAndConditionsPage;
 import org.keycloak.testsuite.util.DroneUtils;
 import org.keycloak.testsuite.util.JavascriptBrowser;
 import org.keycloak.testsuite.util.UIUtils;
 import org.keycloak.testsuite.util.UserBuilder;
 import org.openqa.selenium.By;
 import org.openqa.selenium.WebDriver;
 import org.openqa.selenium.WebElement;
 import java.util.List;
 import java.util.Map;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;
 /**
 * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@ -54,19 +65,34 @@ public class TermsAndConditionsTest extends AbstractTestRealmKeycloakTest {
    @Rule
    public AssertEvents events = new AssertEvents(this);
    @Drone
    @JavascriptBrowser
    private WebDriver jsDriver;
    @Page
    @JavascriptBrowser
    protected AppPage appPage;
    @Page
    @JavascriptBrowser
    protected LoginPage loginPage;
    @Page
    @JavascriptBrowser
    protected TermsAndConditionsPage termsPage;
    @Override
    public void configureTestRealm(RealmRepresentation testRealm) {
    }
    @Before
    public void driver() {
        appPage.setDriver(jsDriver);
        termsPage.setDriver(jsDriver);
        loginPage.setDriver(jsDriver);
        DroneUtils.addWebDriver(jsDriver);
    }
    @Before
    public void addTermsAndConditionRequiredAction() {
        UserRepresentation user = ActionUtil.findUserWithAdminClient(adminClient, "test-user@localhost");
@ -105,16 +131,18 @@ public class TermsAndConditionsTest extends AbstractTestRealmKeycloakTest {
        assertNotNull("expected non-null timestamp for terms acceptance in user attribute "
                + TermsAndConditions.USER_ATTRIBUTE, timestamp);
        try {
-            Integer.parseInt(timestamp);
+            Integer.valueOf(timestamp);
-        }
+        } catch (NumberFormatException e) {
        catch (NumberFormatException e) {
            fail("timestamp for terms acceptance is not a valid integer: '" + timestamp + "'");
        }
    }
    @Test
    public void termsDeclined() {
-        loginPage.open();
+        appPage.open();
        appPage.openAccount();
        loginPage.assertCurrent();
        loginPage.login("test-user@localhost", "password");
@ -126,6 +154,8 @@ public class TermsAndConditionsTest extends AbstractTestRealmKeycloakTest {
                .error(Errors.REJECTED_BY_USER)
                .removeDetail(Details.CONSENT)
                .session(Matchers.nullValue(String.class))
                .client(Constants.ACCOUNT_CONSOLE_CLIENT_ID)
                .detail(Details.REDIRECT_URI, getAuthServerContextRoot() + "/auth/realms/" + TEST_REALM_NAME + "/account")
                .assertEvent();
@ -136,6 +166,15 @@ public class TermsAndConditionsTest extends AbstractTestRealmKeycloakTest {
            assertNull("expected null for terms acceptance user attribute " + TermsAndConditions.USER_ATTRIBUTE,
                    attributes.get(TermsAndConditions.USER_ATTRIBUTE));
        }
        assertThat(DroneUtils.getCurrentDriver().getTitle(), equalTo("Account Management"));
        Assert.assertTrue(DroneUtils.getCurrentDriver().getPageSource().contains("You need to agree to Terms and Conditions"));
        Assert.assertFalse(DroneUtils.getCurrentDriver().getPageSource().contains("An unexpected error occurred"));
        WebElement tryAgainButton = DroneUtils.getCurrentDriver().findElement(By.tagName("button"));
        assertThat(tryAgainButton.getText(), equalTo("Try again"));
        UIUtils.click(tryAgainButton);
        loginPage.assertCurrent();
    }