Do not show domain match message in the identity-first login when no login hint is provided
Closes #34069 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
This commit is contained in:
parent
ee38d551ce
commit
d1dba15964
2 changed files with 7 additions and 3 deletions
|
@ -111,7 +111,7 @@ public class OrganizationAuthenticator extends IdentityProviderAuthenticator {
|
|||
}
|
||||
|
||||
if (user == null) {
|
||||
unknownUserChallenge(context, organization, realm);
|
||||
unknownUserChallenge(context, organization, realm, domain != null);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -241,7 +241,7 @@ public class OrganizationAuthenticator extends IdentityProviderAuthenticator {
|
|||
return user;
|
||||
}
|
||||
|
||||
private void unknownUserChallenge(AuthenticationFlowContext context, OrganizationModel organization, RealmModel realm) {
|
||||
private void unknownUserChallenge(AuthenticationFlowContext context, OrganizationModel organization, RealmModel realm, boolean domainMatch) {
|
||||
// the user does not exist and is authenticating in the scope of the organization, show the identity-first login page and the
|
||||
// public organization brokers for selection
|
||||
LoginFormsProvider form = context.form()
|
||||
|
@ -267,7 +267,10 @@ public class OrganizationAuthenticator extends IdentityProviderAuthenticator {
|
|||
return attributes;
|
||||
});
|
||||
|
||||
form.addError(new FormMessage("Your email domain matches the " + organization.getName() + " organization but you don't have an account yet."));
|
||||
if (domainMatch) {
|
||||
form.addError(new FormMessage("Your email domain matches the " + organization.getName() + " organization but you don't have an account yet."));
|
||||
}
|
||||
|
||||
context.challenge(form.createLoginUsername());
|
||||
}
|
||||
|
||||
|
|
|
@ -141,6 +141,7 @@ public class OrganizationOIDCProtocolMapperTest extends AbstractOrganizationTest
|
|||
org.keycloak.testsuite.Assert.assertFalse(loginPage.isPasswordInputPresent());
|
||||
org.keycloak.testsuite.Assert.assertTrue(loginPage.isSocialButtonPresent(orgA.getAlias() + "-identity-provider"));
|
||||
org.keycloak.testsuite.Assert.assertFalse(loginPage.isSocialButtonPresent(orgB.getAlias() + "-identity-provider"));
|
||||
assertFalse(driver.getPageSource().contains("Your email domain matches"));
|
||||
|
||||
// identity-first login will respect the organization provided in the scope even though the user email maps to a different organization
|
||||
oauth.clientId("broker-app");
|
||||
|
|
Loading…
Reference in a new issue