Set status code to internal server error on error pages

services/src/main/java/org/keycloak/services/resources/RequiredActionsService.java

@@ -90,7 +90,7 @@ public class RequiredActionsService {
     public Response updateProfile(final MultivaluedMap<String, String> formData) {
         AccessCodeEntry accessCode = getAccessCodeEntry(RequiredAction.UPDATE_PROFILE);
         if (accessCode == null) {
-            return forwardToErrorPage();
+            return unauthorized();
         }
 
         UserModel user = getUser(accessCode);
@@ -116,7 +116,7 @@ public class RequiredActionsService {
     public Response updateTotp(final MultivaluedMap<String, String> formData) {
         AccessCodeEntry accessCode = getAccessCodeEntry(RequiredAction.CONFIGURE_TOTP);
         if (accessCode == null) {
-            return forwardToErrorPage();
+            return unauthorized();
         }
 
         UserModel user = getUser(accessCode);
@@ -152,7 +152,7 @@ public class RequiredActionsService {
         AccessCodeEntry accessCode = getAccessCodeEntry(RequiredAction.UPDATE_PASSWORD);
         if (accessCode == null) {
             logger.debug("updatePassword access code is null");
-            return forwardToErrorPage();
+            return unauthorized();
         }
         logger.debug("updatePassword has access code");
 
@@ -196,7 +196,7 @@ public class RequiredActionsService {
             AccessCodeEntry accessCode = tokenManager.getAccessCode(uriInfo.getQueryParameters().getFirst("key"));
             if (accessCode == null || accessCode.isExpired()
                     || !accessCode.getRequiredActions().contains(RequiredAction.VERIFY_EMAIL)) {
-                return forwardToErrorPage();
+                return unauthorized();
             }
 
             UserModel user = getUser(accessCode);
@@ -209,7 +209,7 @@ public class RequiredActionsService {
         } else {
             AccessCodeEntry accessCode = getAccessCodeEntry(RequiredAction.VERIFY_EMAIL);
             if (accessCode == null) {
-                return forwardToErrorPage();
+                return unauthorized();
             }
 
             return Flows.forms(realm, request, uriInfo).setAccessCode(accessCode).setUser(accessCode.getUser())
@@ -224,7 +224,7 @@ public class RequiredActionsService {
             AccessCodeEntry accessCode = tokenManager.getAccessCode(uriInfo.getQueryParameters().getFirst("key"));
             if (accessCode == null || accessCode.isExpired()
                     || !accessCode.getRequiredActions().contains(RequiredAction.UPDATE_PASSWORD)) {
-                return forwardToErrorPage();
+                return unauthorized();
             }
             return Flows.forms(realm, request, uriInfo).setAccessCode(accessCode).forwardToAction(RequiredAction.UPDATE_PASSWORD);
         } else {
@@ -378,8 +378,8 @@ public class RequiredActionsService {
         }
     }
 
-    private Response forwardToErrorPage() {
-        return Flows.forms(realm, request, uriInfo).forwardToErrorPage();
+    private Response unauthorized() {
+        return Flows.forms(realm, request, uriInfo).setError("Unauthorized request").forwardToErrorPage();
     }
 
 }

services/src/main/java/org/keycloak/services/resources/TokenService.java

@@ -489,23 +489,17 @@ public class TokenService {
 
         if (!realm.isEnabled()) {
             logger.warn("Realm not enabled");
-            oauth.forwardToSecurityFailure("Realm not enabled");
-            return null;
+            return oauth.forwardToSecurityFailure("Realm not enabled");
         }
         UserModel client = realm.getUser(clientId);
         if (client == null) {
             logger.warn("Unknown login requester: " + clientId);
-            oauth.forwardToSecurityFailure("Unknown login requester.");
-            transaction.rollback();
-            return null;
+            return oauth.forwardToSecurityFailure("Unknown login requester.");
         }
 
         if (!client.isEnabled()) {
             logger.warn("Login requester not enabled.");
-            oauth.forwardToSecurityFailure("Login requester not enabled.");
-            transaction.rollback();
-            session.close();
-            return null;
+            return oauth.forwardToSecurityFailure("Login requester not enabled.");
         }
         redirect = verifyRedirectUri(redirect, client);
         if (redirect == null) {
@@ -518,10 +512,7 @@ public class TokenService {
         boolean isResource = realm.hasRole(client, resourceRole);
         if (!isResource && !realm.hasRole(client, identityRequestRole)) {
             logger.warn("Login requester not allowed to request login.");
-            oauth.forwardToSecurityFailure("Login requester not allowed to request login.");
-            transaction.rollback();
-            session.close();
-            return null;
+            return oauth.forwardToSecurityFailure("Login requester not allowed to request login.");
         }
         logger.info("Checking cookie...");
         UserModel user = authManager.authenticateIdentityCookie(realm, uriInfo, headers);

services/src/main/java/org/keycloak/services/resources/flows/FormFlows.java

@@ -105,7 +105,7 @@ public class FormFlows {
         return forwardToForm(Pages.ACCOUNT);
     }
 
-    private Response forwardToForm(String template, FormService.FormServiceDataBean formDataBean) {
+    private Response forwardToForm(String template, FormService.FormServiceDataBean formDataBean, Response.Status status) {
 
         // Getting URI needed by form processing service
         ResteasyUriInfo uriInfo = request.getUri();
@@ -142,10 +142,10 @@ public class FormFlows {
         while (itr.hasNext()) {
             FormService provider = itr.next();
             if (provider.getId().equals("FormServiceId"))
-                return Response.status(200).type(MediaType.TEXT_HTML).entity(provider.process(template, formDataBean)).build();
+                return Response.status(status).type(MediaType.TEXT_HTML).entity(provider.process(template, formDataBean)).build();
         }
 
-        return Response.status(200).entity("form provider not found").build();
+        return Response.status(status).entity("form provider not found").build();
     }
 
     public Response forwardToForm(String template) {
@@ -153,7 +153,15 @@ public class FormFlows {
         FormService.FormServiceDataBean formDataBean = new FormService.FormServiceDataBean(realm, userModel, formData, queryParams, message);
         formDataBean.setMessageType(messageType);
 
-        return forwardToForm(template, formDataBean);
+        return forwardToForm(template, formDataBean, Response.Status.OK);
+    }
+
+    public Response forwardToForm(String template, Response.Status status) {
+
+        FormService.FormServiceDataBean formDataBean = new FormService.FormServiceDataBean(realm, userModel, formData, queryParams, message);
+        formDataBean.setMessageType(messageType);
+
+        return forwardToForm(template, formDataBean, status);
     }
 
     private Response forwardToActionForm(String template, String warningSummary) {
@@ -201,7 +209,7 @@ public class FormFlows {
     }
 
     public Response forwardToErrorPage() {
-        return forwardToForm(Pages.ERROR);
+        return forwardToForm(Pages.ERROR, Response.Status.INTERNAL_SERVER_ERROR);
     }
 
     public Response forwardToOAuthGrant(){
@@ -214,7 +222,7 @@ public class FormFlows {
         formDataBean.setOAuthCode((String)request.getAttribute("code"));
         formDataBean.setOAuthAction((String)request.getAttribute("action"));
 
-        return forwardToForm(Pages.OAUTH_GRANT, formDataBean);
+        return forwardToForm(Pages.OAUTH_GRANT, formDataBean, Response.Status.OK);
     }
 
     public FormFlows setAccessCode(AccessCodeEntry accessCode) {