KEYCLOAK-16076 added new warining when cookies are disabled -with new branch- (#7632)
* KEYCLOAK-16076 added new warning when cookies are disabled Co-authored-by: David Hellwig <david.hellwig@bosch.com> Co-authored-by: Christoph Leistert <christoph.leistert@bosch-si.com>
parent
655d66b03f
commit
a6cd80c933
7 changed files with 40 additions and 4 deletions
@ -62,6 +62,7 @@ public interface Errors {
|
|||
String INVALID_CONFIG = "invalid_config";
|
||||
String EXPIRED_CODE = "expired_code";
|
||||
String INVALID_INPUT = "invalid_input";
|
||||
String COOKIE_NOT_FOUND = "cookie_not_found";
|
||||
|
||||
String REGISTRATION_DISABLED = "registration_disabled";
|
||||
String RESET_CREDENTIAL_DISABLED = "reset_credential_disabled";
|
||||
|
|
|
@ -133,14 +133,19 @@ public class RestartLoginCookie implements Token {
|
|||
CookieHelper.addCookie(KC_RESTART, "", path, null, null, 0, secureOnly, true);
|
||||
}
|
||||
|
||||
|
||||
public static AuthenticationSessionModel restartSession(KeycloakSession session, RealmModel realm,
|
||||
RootAuthenticationSessionModel rootSession, String expectedClientId) throws Exception {
|
||||
public static Cookie getRestartCookie(KeycloakSession session){
|
||||
Cookie cook = session.getContext().getRequestHeaders().getCookies().get(KC_RESTART);
|
||||
if (cook == null) {
|
||||
logger.debug("KC_RESTART cookie doesn't exist");
|
||||
return null;
|
||||
}
|
||||
return cook;
|
||||
}
|
||||
|
||||
public static AuthenticationSessionModel restartSession(KeycloakSession session, RealmModel realm,
|
||||
RootAuthenticationSessionModel rootSession, String expectedClientId,
|
||||
Cookie cook) throws Exception {
|
||||
|
||||
String encodedCookie = cook.getValue();
|
||||
|
||||
RestartLoginCookie cookie = session.tokens().decode(encodedCookie, RestartLoginCookie.class);
|
||||
|
|
|
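Review bot: The new `restartSession` dereferences its `cook` parameter on its first line (`String encodedCookie = cook.getValue();`) with no check, so any caller that does not repeat the null test done in SessionCodeChecks will fail with a NullPointerException; make the contract explicit with `Objects.requireNonNull(cook, "cook");` or a Javadoc `@param cook the KC_RESTART cookie obtained from getRestartCookie; must not be null`. The previous four-argument signature is removed instead of kept as a delegating overload, so any other caller in the tree would break; presumably SessionCodeChecks is the only one, but an overload that calls `getRestartCookie` itself would be cheap insurance. `getRestartCookie` also lacks a Javadoc line stating that it returns null (and logs at debug) when the cookie is absent, which is the case the new 400 path depends on. Minor style: `getRestartCookie(KeycloakSession session){` is missing the space before the brace used elsewhere in the class. `restartSession` continues past the end of the hunk.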
@ -62,6 +62,8 @@ public class Messages {
|
|||
|
||||
public static final String MISSING_TOTP_DEVICE_NAME = "missingTotpDeviceNameMessage";
|
||||
|
||||
public static final String COOKIE_NOT_FOUND = "cookieNotFoundMessage";
|
||||
|
||||
public static final String NOTMATCH_PASSWORD = "notMatchPasswordMessage";
|
||||
|
||||
public static final String INVALID_PASSWORD_EXISTING = "invalidPasswordExistingMessage";
|
||||
|
|
|
@ -18,6 +18,7 @@
|
|||
package org.keycloak.services.resources;
|
||||
|
||||
import java.net.URI;
|
||||
import javax.ws.rs.core.Cookie;
|
||||
import javax.ws.rs.core.Response;
|
||||
import javax.ws.rs.core.UriBuilder;
|
||||
import javax.ws.rs.core.UriInfo;
|
||||
|
@ -367,8 +368,14 @@ public class SessionCodeChecks {
|
|||
logger.debug("Authentication session not found. Trying to restart from cookie.");
|
||||
AuthenticationSessionModel authSession = null;
|
||||
|
||||
Cookie cook = RestartLoginCookie.getRestartCookie(session);
|
||||
if(cook == null){
|
||||
event.error(Errors.COOKIE_NOT_FOUND);
|
||||
return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.COOKIE_NOT_FOUND);
|
||||
}
|
||||
|
||||
try {
|
||||
authSession = RestartLoginCookie.restartSession(session, realm, existingRootSession, clientId);
|
||||
authSession = RestartLoginCookie.restartSession(session, realm, existingRootSession, clientId, cook);
|
||||
} catch (Exception e) {
|
||||
ServicesLogger.LOGGER.failedToParseRestartLoginCookie(e);
|
||||
}
|
||||
|
|
|
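Review bot: The early return `return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.COOKIE_NOT_FOUND);` passes `authSession`, which is still null at that point because it was initialised to null just above and the restart has not run; presumably ErrorPage.error tolerates a null session, but passing `null` literally, or adding `// no auth session exists yet; the restart cookie is required to rebuild one`, would make that intent visible. The `catch (Exception e)` below still only logs and falls through with a null `authSession`, which this commit leaves unchanged, so a missing cookie now yields a 400 while a present-but-undecodable cookie keeps the old behaviour; a one-line comment distinguishing the two paths would help the next reader. Recording `Errors.COOKIE_NOT_FOUND` on the event before returning is a useful side effect, since the condition becomes visible in the LOGIN_ERROR event stream rather than only as a parse-failure log line. Minor style: `if(cook == null){` should be `if (cook == null) {` to match the surrounding code. The enclosing method starts and ends outside the hunk.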
@ -840,7 +840,26 @@ public class LoginTest extends AbstractTestRealmKeycloakTest {
|
|||
Assert.assertNotNull(link, thirdParty.getBaseUrl());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void loginWithDisabledCookies() {
|
||||
String userId = adminClient.realm("test").users().search("test-user@localhost").get(0).getId();
|
||||
oauth.clientId("test-app");
|
||||
oauth.openLoginForm();
|
||||
|
||||
driver.manage().deleteAllCookies();
|
||||
|
||||
|
||||
// Cookie has been deleted or disabled, the error shown in the UI should be Errors.COOKIE_NOT_FOUND
|
||||
loginPage.login("login@test.com", "password");
|
||||
|
||||
events.expect(EventType.LOGIN_ERROR)
|
||||
.user(new UserRepresentation())
|
||||
.client(new ClientRepresentation())
|
||||
.error(Errors.COOKIE_NOT_FOUND)
|
||||
.assertEvent();
|
||||
|
||||
errorPage.assertCurrent();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void openLoginFormWithDifferentApplication() throws Exception {
|
||||
|
|
|
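Review bot: `String userId = adminClient.realm("test").users().search("test-user@localhost").get(0).getId();` at the top of `loginWithDisabledCookies` is never used, so it should be dropped or used in the event expectation in place of `.user(new UserRepresentation())`; as written it also fails with an IndexOutOfBoundsException rather than a readable assertion if the search returns nothing. The lookup searches for `test-user@localhost` while the login uses `login@test.com`, which suggests the line is left over from an earlier draft. A comment tying the setup to the behaviour under test, e.g. `// Deleting KC_RESTART forces the restart-from-cookie path, which must now fail with cookie_not_found`, would make the intent of `driver.manage().deleteAllCookies();` clear. `errorPage.assertCurrent()` confirms only that the error page is shown; asserting the displayed text matches the new cookieNotFoundMessage would also pin the user-visible outcome.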
@ -273,6 +273,7 @@ unexpectedErrorHandlingRequestMessage=Unerwarteter Fehler w\u00E4hrend der Bearb
|
|||
invalidAccessCodeMessage=Ung\u00FCltiger Access-Code.
|
||||
sessionNotActiveMessage=Session nicht aktiv.
|
||||
invalidCodeMessage=Ung\u00FCltiger Code, bitte melden Sie sich erneut \u00FCber die Applikation an.
|
||||
cookieNotFoundMessage=Cookie konnte nicht gefunden werden. Bitte stellen Sie sicher, dass Cookies in Ihrem Browser aktiviert sind.
|
||||
identityProviderUnexpectedErrorMessage=Unerwarteter Fehler w\u00E4hrend der Authentifizierung mit dem Identity Provider.
|
||||
identityProviderMissingStateMessage=Fehlender state Parameter in der Antwort vom Identit\u00E4tsanbieter.
|
||||
identityProviderNotFoundMessage=Konnte keinen Identity Provider zu der Identit\u00E4t finden.
|
||||
|
|
|
@ -309,6 +309,7 @@ unexpectedErrorHandlingRequestMessage=Unexpected error when handling authenticat
|
|||
invalidAccessCodeMessage=Invalid access code.
|
||||
sessionNotActiveMessage=Session not active.
|
||||
invalidCodeMessage=An error occurred, please login again through your application.
|
||||
cookieNotFoundMessage=Cookie not found. Please make sure cookies are enabled in your browser.
|
||||
identityProviderUnexpectedErrorMessage=Unexpected error when authenticating with identity provider
|
||||
identityProviderMissingStateMessage=Missing state parameter in response from identity provider.
|
||||
identityProviderNotFoundMessage=Could not find an identity provider with the identifier.
|
||||
|
|