Merge remote-tracking branch 'upstream/master'

broker/kerberos/src/main/java/org/keycloak/broker/kerberos/KerberosIdentityProvider.java

@@ -107,9 +107,11 @@ public class KerberosIdentityProvider extends AbstractIdentityProvider<KerberosI
         Response response = request.getSession().getProvider(LoginFormsProvider.class)
                 .setRealm(request.getRealm())
                 .setUriInfo(request.getUriInfo())
-                .setError("errorKerberosLogin")
+                .setClient(request.getClientSession().getClient())
+                .setClientSessionCode(getRelayState(request))
+                .setWarning("errorKerberosLogin")
                 .setStatus(Response.Status.UNAUTHORIZED)
-                .createErrorPage();
+                .createLogin();
 
         response.getMetadata().putSingle(HttpHeaders.WWW_AUTHENTICATE, negotiateHeader);
         return AuthenticationResponse.fromResponse(response);

events/api/src/main/java/org/keycloak/events/Errors.java

@@ -27,6 +27,7 @@ public interface Errors {
     String INVALID_SIGNATURE = "invalid_signature";
     String INVALID_REGISTRATION = "invalid_registration";
     String INVALID_FORM = "invalid_form";
+    String EXPIRED_CODE = "expired_code";
 
     String REGISTRATION_DISABLED = "registration_disabled";
 

forms/common-themes/src/main/resources/theme/login/base/messages/messages.properties

@@ -34,6 +34,7 @@ invalidPassword=Invalid username or password.
 invalidEmail=Invalid email address
 accountDisabled=Account is disabled, contact admin
 accountTemporarilyDisabled=Account is temporarily disabled, contact admin or try again later
+expiredCode=Login timeout or unknown action. Please login again
 
 missingFirstName=Please specify first name
 missingLastName=Please specify last name
@@ -97,7 +98,7 @@ actionPasswordWarning=You need to change your password to activate your account.
 actionEmailWarning=You need to verify your email address to activate your account.
 actionFollow=Please fill in the fields below.
 
-errorKerberosLogin=Unable to login with Kerberos
+errorKerberosLogin=Unable to login with Kerberos. Request Kerberos ticket or use different login mechanism
 
 successHeader=Success!
 errorHeader=Error!

services/src/main/java/org/keycloak/services/messages/Messages.java

@@ -39,6 +39,8 @@ public class Messages {
 
     public static final String INVALID_USER = "invalidUser";
 
+    public static final String EXPIRED_CODE = "expiredCode";
+
     public static final String READ_ONLY_USER = "readOnlyUser";
 
     public static final String READ_ONLY_PASSWORD = "readOnlyPassword";

services/src/main/java/org/keycloak/services/resources/LoginActionsService.java

@@ -275,8 +275,8 @@ public class LoginActionsService {
         ClientSessionModel clientSession = clientCode.getClientSession();
         if (!clientCode.isValid(ClientSessionModel.Action.AUTHENTICATE) || clientSession.getUserSession() != null) {
             clientCode.setAction(ClientSessionModel.Action.AUTHENTICATE);
-            event.client(clientSession.getClient()).error(Errors.INVALID_CODE);
-            return Flows.forms(this.session, realm, clientSession.getClient(), uriInfo).setError(Messages.INVALID_USER)
+            event.client(clientSession.getClient()).error(Errors.EXPIRED_CODE);
+            return Flows.forms(this.session, realm, clientSession.getClient(), uriInfo).setError(Messages.EXPIRED_CODE)
                     .setClientSessionCode(clientCode.getCode())
                     .createLogin();
         }

testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java

@@ -42,6 +42,7 @@ import org.keycloak.testsuite.pages.LoginPage;
 import org.keycloak.testsuite.rule.KeycloakRule;
 import org.keycloak.testsuite.rule.WebResource;
 import org.keycloak.testsuite.rule.WebRule;
+import org.keycloak.util.Time;
 import org.openqa.selenium.WebDriver;
 
 import javax.ws.rs.client.Client;
@@ -276,4 +277,22 @@ public class LoginTest {
         events.expectLogin().error("rejected_by_user").user((String) null).session((String) null).removeDetail(Details.USERNAME).removeDetail(Details.CODE_ID).assertEvent();
     }
 
+    // KEYCLOAK-1037
+    @Test
+    public void loginExpiredCode() {
+        try {
+            loginPage.open();
+            Time.setOffset(5000);
+            loginPage.login("login@test.com", "password");
+
+            loginPage.assertCurrent();
+            Assert.assertEquals("Login timeout or unknown action. Please login again", loginPage.getError());
+
+            events.expectLogin().user((String) null).session((String) null).error("expired_code").clearDetails().assertEvent();
+
+        } finally {
+            Time.setOffset(0);
+        }
+    }
+
 }

testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTotpTest.java

@@ -164,9 +164,9 @@ public class LoginTotpTest {
             loginTotpPage.login(totp.generate("totpSecret"));
 
             loginPage.assertCurrent();
-            Assert.assertEquals("Invalid username or password.", loginPage.getError());
+            Assert.assertEquals("Login timeout or unknown action. Please login again", loginPage.getError());
 
-            AssertEvents.ExpectedEvent expectedEvent = events.expectLogin().error("invalid_code")
+            AssertEvents.ExpectedEvent expectedEvent = events.expectLogin().error("expired_code")
                     .user((String)null)
                     .clearDetails()
                     .session((String) null);