Do not show domain match message in the identity-first login when no login hint is provided

Closes #34069

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Pedro Igor 2024-10-17 18:18:22 -03:00 committed by Alexander Schwartz
parent ee38d551ce
commit d1dba15964
2 changed files with 7 additions and 3 deletions


@ -111,7 +111,7 @@ public class OrganizationAuthenticator extends IdentityProviderAuthenticator {
}
if (user == null) {
unknownUserChallenge(context, organization, realm);
unknownUserChallenge(context, organization, realm, domain != null);
return;
}
@ -241,7 +241,7 @@ public class OrganizationAuthenticator extends IdentityProviderAuthenticator {
return user;
}
private void unknownUserChallenge(AuthenticationFlowContext context, OrganizationModel organization, RealmModel realm) {
private void unknownUserChallenge(AuthenticationFlowContext context, OrganizationModel organization, RealmModel realm, boolean domainMatch) {
// the user does not exist and is authenticating in the scope of the organization, show the identity-first login page and the
// public organization brokers for selection
LoginFormsProvider form = context.form()
@ -267,7 +267,10 @@ public class OrganizationAuthenticator extends IdentityProviderAuthenticator {
return attributes;
});
form.addError(new FormMessage("Your email domain matches the " + organization.getName() + " organization but you don't have an account yet."));
if (domainMatch) {
form.addError(new FormMessage("Your email domain matches the " + organization.getName() + " organization but you don't have an account yet."));
}
context.challenge(form.createLoginUsername());
}
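Review bot: The new `domainMatch` parameter on `unknownUserChallenge` is undocumented, and the method's existing comment only describes the page being shown, not the condition under which the domain-match error is added to the form. Suggest a Javadoc on the signature such as `@param domainMatch whether the user's email domain was mapped to {@code organization}; when {@code false} (e.g. no login hint was supplied) the "email domain matches" error is not added to the form`. The call site passes `domain != null`, but `domain` is assigned outside the first hunk and the method body between the second and third hunk is not shown, so I cannot confirm from here that it is null exactly when no login hint was provided; stating that invariant in the Javadoc would make the flag's meaning explicit. Note also that when `domainMatch` is true the remaining branch still tells an unauthenticated visitor that the address has no account in the named organization; if organization membership is not meant to be discoverable, a message-bundle key with neutral wording would be preferable to the concatenated English string, which is also not localizable.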


@ -141,6 +141,7 @@ public class OrganizationOIDCProtocolMapperTest extends AbstractOrganizationTest
org.keycloak.testsuite.Assert.assertFalse(loginPage.isPasswordInputPresent());
org.keycloak.testsuite.Assert.assertTrue(loginPage.isSocialButtonPresent(orgA.getAlias() + "-identity-provider"));
org.keycloak.testsuite.Assert.assertFalse(loginPage.isSocialButtonPresent(orgB.getAlias() + "-identity-provider"));
assertFalse(driver.getPageSource().contains("Your email domain matches"));
// identity-first login will respect the organization provided in the scope even though the user email maps to a different organization
oauth.clientId("broker-app");