refactor security page flow

services/src/main/java/org/keycloak/services/resources/RequiredActionsService.java

@@ -282,11 +282,11 @@ public class RequiredActionsService {
 
         ClientModel client = realm.findClient(clientId);
         if (client == null) {
-            return Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager).forwardToSecurityFailure(
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo,
                     "Unknown login requester.");
         }
         if (!client.isEnabled()) {
-            return Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager).forwardToSecurityFailure(
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo,
                     "Login requester not enabled.");
         }
 

services/src/main/java/org/keycloak/services/resources/SocialResource.java

@@ -132,7 +132,7 @@ public class SocialResource {
 
         if (!realm.isEnabled()) {
             event.error(Errors.REALM_DISABLED);
-            return oauth.forwardToSecurityFailure("Realm not enabled.");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Realm not enabled.");
         }
 
         String clientId = initialRequest.get(OAuth2Constants.CLIENT_ID);
@@ -146,11 +146,11 @@ public class SocialResource {
         ClientModel client = realm.findClient(clientId);
         if (client == null) {
             event.error(Errors.CLIENT_NOT_FOUND);
-            return oauth.forwardToSecurityFailure("Unknown login requester.");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Unknown login requester.");
         }
         if (!client.isEnabled()) {
             event.error(Errors.CLIENT_DISABLED);
-            return oauth.forwardToSecurityFailure("Login requester not enabled.");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Login requester not enabled.");
         }
 
         String key = realm.getSocialConfig().get(provider.getId() + ".key");
@@ -178,7 +178,7 @@ public class SocialResource {
             return  Flows.forms(session, realm, client, uriInfo).setQueryParams(queryParms).setWarning("Access denied").createLogin();
         } catch (SocialProviderException e) {
             logger.error("Failed to process social callback", e);
-            return oauth.forwardToSecurityFailure("Failed to process social callback");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Failed to process social callback");
         }
 
         event.detail(Details.USERNAME, socialUser.getId() + "@" + provider.getId());
@@ -196,22 +196,22 @@ public class SocialResource {
 
                 if (user != null) {
                     event.error(Errors.SOCIAL_ID_IN_USE);
-                    return oauth.forwardToSecurityFailure("This social account is already linked to other user");
+                    return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "This social account is already linked to other user");
                 }
 
                 if (!authenticatedUser.isEnabled()) {
                     event.error(Errors.USER_DISABLED);
-                    return oauth.forwardToSecurityFailure("User is disabled");
+                    return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "User is disabled");
                 }
 
                 if (!authenticatedUser.hasRole(realm.getApplicationByName(Constants.ACCOUNT_MANAGEMENT_APP).getRole(AccountRoles.MANAGE_ACCOUNT))) {
                     event.error(Errors.NOT_ALLOWED);
-                    return oauth.forwardToSecurityFailure("Insufficient permissions to link social account");
+                    return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Insufficient permissions to link social account");
                 }
 
                 if (redirectUri == null) {
                     event.error(Errors.INVALID_REDIRECT_URI);
-                    return oauth.forwardToSecurityFailure("Unknown redirectUri");
+                    return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Unknown redirectUri");
                 }
 
                 session.users().addSocialLink(realm, authenticatedUser, socialLink);
@@ -245,7 +245,7 @@ public class SocialResource {
 
             if (!user.isEnabled()) {
                 event.error(Errors.USER_DISABLED);
-                return oauth.forwardToSecurityFailure("Your account is not enabled.");
+                return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Your account is not enabled.");
             }
 
             String username = socialLink.getSocialUserId() + "@" + socialLink.getSocialProvider();

services/src/main/java/org/keycloak/services/resources/TokenService.java

@@ -493,27 +493,27 @@ public class TokenService {
         OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager);
 
         if (!checkSsl()) {
-            return oauth.forwardToSecurityFailure("HTTPS required");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "HTTPS required");
         }
 
         if (!realm.isEnabled()) {
             event.error(Errors.REALM_DISABLED);
-            return oauth.forwardToSecurityFailure("Realm not enabled.");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Realm not enabled.");
         }
         ClientModel client = realm.findClient(clientId);
         if (client == null) {
             event.error(Errors.CLIENT_NOT_FOUND);
-            return oauth.forwardToSecurityFailure("Unknown login requester.");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Unknown login requester.");
         }
         if (!client.isEnabled()) {
             event.error(Errors.CLIENT_NOT_FOUND);
-            return oauth.forwardToSecurityFailure("Login requester not enabled.");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Login requester not enabled.");
         }
 
         redirect = verifyRedirectUri(uriInfo, redirect, realm, client);
         if (redirect == null) {
             event.error(Errors.INVALID_REDIRECT_URI);
-            return oauth.forwardToSecurityFailure("Invalid redirect_uri.");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid redirect_uri.");
         }
 
         if (formData.containsKey("cancel")) {
@@ -603,28 +603,28 @@ public class TokenService {
 
         if (!realm.isEnabled()) {
             event.error(Errors.REALM_DISABLED);
-            return oauth.forwardToSecurityFailure("Realm not enabled");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Realm not enabled");
         }
         ClientModel client = realm.findClient(clientId);
         if (client == null) {
             event.error(Errors.CLIENT_NOT_FOUND);
-            return oauth.forwardToSecurityFailure("Unknown login requester.");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Unknown login requester.");
         }
 
         if (!client.isEnabled()) {
             event.error(Errors.CLIENT_DISABLED);
-            return oauth.forwardToSecurityFailure("Login requester not enabled.");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Login requester not enabled.");
         }
 
         redirect = verifyRedirectUri(uriInfo, redirect, realm, client);
         if (redirect == null) {
             event.error(Errors.INVALID_REDIRECT_URI);
-            return oauth.forwardToSecurityFailure("Invalid redirect_uri.");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid redirect_uri.");
         }
 
         if (!realm.isRegistrationAllowed()) {
             event.error(Errors.REGISTRATION_DISABLED);
-            return oauth.forwardToSecurityFailure("Registration not allowed");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Registration not allowed");
         }
 
         List<String> requiredCredentialTypes = new LinkedList<String>();
@@ -917,35 +917,35 @@ public class TokenService {
         OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager);
 
         if (!checkSsl()) {
-            return oauth.forwardToSecurityFailure("HTTPS required");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "HTTPS required");
         }
 
         if (!realm.isEnabled()) {
             event.error(Errors.REALM_DISABLED);
-            return oauth.forwardToSecurityFailure("Realm not enabled");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Realm not enabled");
         }
         ClientModel client = realm.findClient(clientId);
         if (client == null) {
             event.error(Errors.CLIENT_NOT_FOUND);
-            return oauth.forwardToSecurityFailure("Unknown login requester.");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Unknown login requester.");
         }
 
         if (!client.isEnabled()) {
             event.error(Errors.CLIENT_DISABLED);
-            return oauth.forwardToSecurityFailure("Login requester not enabled.");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Login requester not enabled.");
         }
         if ( (client instanceof ApplicationModel) && ((ApplicationModel)client).isBearerOnly()) {
             event.error(Errors.NOT_ALLOWED);
-            return oauth.forwardToSecurityFailure("Bearer-only applications are not allowed to initiate browser login");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Bearer-only applications are not allowed to initiate browser login");
         }
         if (client.isDirectGrantsOnly()) {
             event.error(Errors.NOT_ALLOWED);
-            return oauth.forwardToSecurityFailure("direct-grants-only clients are not allowed to initiate browser login");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "direct-grants-only clients are not allowed to initiate browser login");
         }
         redirect = verifyRedirectUri(uriInfo, redirect, realm, client);
         if (redirect == null) {
             event.error(Errors.INVALID_REDIRECT_URI);
-            return oauth.forwardToSecurityFailure("Invalid redirect_uri.");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid redirect_uri.");
         }
 
         AuthenticationManager.AuthResult authResult = authManager.authenticateIdentityCookie(session, realm, uriInfo, clientConnection, headers);
@@ -1007,33 +1007,33 @@ public class TokenService {
         OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager);
 
         if (!checkSsl()) {
-            return oauth.forwardToSecurityFailure("HTTPS required");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "HTTPS required");
         }
 
         if (!realm.isEnabled()) {
             event.error(Errors.REALM_DISABLED);
-            return oauth.forwardToSecurityFailure("Realm not enabled");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Realm not enabled");
         }
         ClientModel client = realm.findClient(clientId);
         if (client == null) {
             event.error(Errors.CLIENT_NOT_FOUND);
-            return oauth.forwardToSecurityFailure("Unknown login requester.");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Unknown login requester.");
         }
 
         if (!client.isEnabled()) {
             event.error(Errors.CLIENT_DISABLED);
-            return oauth.forwardToSecurityFailure("Login requester not enabled.");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Login requester not enabled.");
         }
 
         redirect = verifyRedirectUri(uriInfo, redirect, realm, client);
         if (redirect == null) {
             event.error(Errors.INVALID_REDIRECT_URI);
-            return oauth.forwardToSecurityFailure("Invalid redirect_uri.");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid redirect_uri.");
         }
 
         if (!realm.isRegistrationAllowed()) {
             event.error(Errors.REGISTRATION_DISABLED);
-            return oauth.forwardToSecurityFailure("Registration not allowed");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Registration not allowed");
         }
 
         authManager.expireIdentityCookie(realm, uriInfo, clientConnection);
@@ -1065,7 +1065,7 @@ public class TokenService {
             String validatedRedirect = verifyRealmRedirectUri(uriInfo, redirectUri, realm);
             if (validatedRedirect == null) {
                 OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager);
-                return oauth.forwardToSecurityFailure("Invalid redirect uri.");
+                return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid redirect uri.");
             }
             return Response.status(302).location(UriBuilder.fromUri(validatedRedirect).build()).build();
         } else {
@@ -1145,7 +1145,7 @@ public class TokenService {
         OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager);
 
         if (!checkSsl()) {
-            return oauth.forwardToSecurityFailure("HTTPS required");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "HTTPS required");
         }
 
         String code = formData.getFirst(OAuth2Constants.CODE);
@@ -1153,7 +1153,7 @@ public class TokenService {
         AccessCode accessCode = AccessCode.parse(code, session, realm);
         if (accessCode == null || !accessCode.isValid(ClientSessionModel.Action.OAUTH_GRANT)) {
             event.error(Errors.INVALID_CODE);
-            return oauth.forwardToSecurityFailure("Invalid access code.");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid access code.");
         }
         event.detail(Details.CODE_ID, accessCode.getCodeId());
 
@@ -1177,7 +1177,7 @@ public class TokenService {
         if (!AuthenticationManager.isSessionValid(realm, userSession)) {
             AuthenticationManager.logout(session, realm, userSession, uriInfo, clientConnection);
             event.error(Errors.INVALID_CODE);
-            return oauth.forwardToSecurityFailure("Session not active");
+            return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Session not active");
         }
         event.session(userSession);
 

services/src/main/java/org/keycloak/services/resources/flows/ErrorFlows.java

@@ -22,4 +22,6 @@ public class ErrorFlows {
         return Response.status(status).entity(error).type(MediaType.APPLICATION_JSON).build();
     }
 
+
+
 }

services/src/main/java/org/keycloak/services/resources/flows/Flows.java

@@ -31,6 +31,7 @@ import org.keycloak.services.managers.AuthenticationManager;
 import org.keycloak.services.managers.TokenManager;
 import org.keycloak.social.SocialProvider;
 
+import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriInfo;
 
 /**
@@ -58,4 +59,9 @@ public class Flows {
         return new ErrorFlows();
     }
 
+    public static Response forwardToSecurityFailurePage(KeycloakSession session, RealmModel realm, UriInfo uriInfo, String message) {
+        return Flows.forms(session, realm, null, uriInfo).setError(message).createErrorPage();
+    }
+
+
 }

services/src/main/java/org/keycloak/services/resources/flows/OAuthFlows.java

@@ -179,9 +179,11 @@ public class OAuthFlows {
         }
     }
 
+    /*
     public Response forwardToSecurityFailure(String message) {
         return Flows.forms(session, realm, null, uriInfo).setError(message).createErrorPage();
     }
+    */
 
     private void isTotpConfigurationRequired(UserModel user) {
         for (RequiredCredentialModel c : realm.getRequiredCredentials()) {