Use specific error message from required actions for SamlProtocol if available

Closes #34514

Signed-off-by: vramik <vramik@redhat.com>
vramik 2024-10-31 10:34:19 +01:00 committed by Pedro Igor
parent 36b01cbea0
commit d853dcab7d
9 changed files with 11 additions and 20 deletions


@ -84,12 +84,8 @@ public interface LoginProtocol extends Provider {
Response authenticated(AuthenticationSessionModel authSession, UserSessionModel userSession, ClientSessionContext clientSessionCtx); Response authenticated(AuthenticationSessionModel authSession, UserSessionModel userSession, ClientSessionContext clientSessionCtx);
Response sendError(AuthenticationSessionModel authSession, Error error); Response sendError(AuthenticationSessionModel authSession, Error error, String errorMessage);
default Response sendError(AuthenticationSessionModel authSession, Error error, String errorMessage) {
return sendError(authSession, error);
}
/** /**
* Returns client data, which will be wrapped in the "clientData" parameter sent within "authentication flow" requests. The purpose of clientData is to be able to send HTTP error * Returns client data, which will be wrapped in the "clientData" parameter sent within "authentication flow" requests. The purpose of clientData is to be able to send HTTP error
* response back to the client if authentication fails due some error and authenticationSession is not available anymore (was either expired or removed). So clientData need to contain * response back to the client if authentication fails due some error and authenticationSession is not available anymore (was either expired or removed). So clientData need to contain
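Review bot: The new abstract `sendError(AuthenticationSessionModel, Error, String)` has no Javadoc, so implementors cannot tell what `errorMessage` is: in the SamlProtocol hunk below it replaces `translateErrorToIdpInitiatedErrorMessage(error)` in an `ErrorPage.error` call, which suggests a message-bundle key rather than free text, and `null` (as every updated call site passes) means "use the protocol's default for `error`" — inferred, so please confirm. Since this is the SPI every LoginProtocol implements, I'd state that contract on the interface, e.g. `/** Sends an error response for {@code error}. @param errorMessage optional message key overriding the protocol's default text; may be {@code null}. */`. Dropping the two-argument `sendError` together with the default bridge also removes a method from a public SPI, so an out-of-tree LoginProtocol that overrode only the two-argument form will stop compiling; if that is intended, it deserves a migration note.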


@ -648,7 +648,7 @@ public class AuthenticationProcessor {
.setHttpHeaders(getHttpRequest().getHttpHeaders()) .setHttpHeaders(getHttpRequest().getHttpHeaders())
.setUriInfo(getUriInfo()) .setUriInfo(getUriInfo())
.setEventBuilder(event); .setEventBuilder(event);
Response response = protocol.sendError(getAuthenticationSession(), Error.CANCELLED_BY_USER); Response response = protocol.sendError(getAuthenticationSession(), Error.CANCELLED_BY_USER, null);
forceChallenge(response); forceChallenge(response);
} }


@ -124,14 +124,14 @@ public abstract class AuthorizationEndpointBase {
return challenge; return challenge;
} }
else { else {
return protocol.sendError(authSession, Error.PASSIVE_LOGIN_REQUIRED); return protocol.sendError(authSession, Error.PASSIVE_LOGIN_REQUIRED, null);
} }
} }
AuthenticationManager.setClientScopesInSession(session, authSession); AuthenticationManager.setClientScopesInSession(session, authSession);
if (processor.nextRequiredAction() != null) { if (processor.nextRequiredAction() != null) {
return protocol.sendError(authSession, Error.PASSIVE_INTERACTION_REQUIRED); return protocol.sendError(authSession, Error.PASSIVE_INTERACTION_REQUIRED, null);
} }
} catch (Exception e) { } catch (Exception e) {


@ -145,7 +145,7 @@ public class DockerAuthV2Protocol implements LoginProtocol {
} }
@Override @Override
public Response sendError(final AuthenticationSessionModel clientSession, final LoginProtocol.Error error) { public Response sendError(final AuthenticationSessionModel clientSession, final LoginProtocol.Error error, String errorMessage) {
return new ResponseBuilderImpl().status(Response.Status.INTERNAL_SERVER_ERROR).build(); return new ResponseBuilderImpl().status(Response.Status.INTERNAL_SERVER_ERROR).build();
} }
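Review bot: `errorMessage` is accepted but never read in this override — the method still returns an empty 500 — and unlike `clientSession` and `error` it is not declared `final`, which breaks the method's own parameter style. I'd write it as `final String errorMessage` and add `// no place to surface a message in this exchange; errorMessage is intentionally unused` (assuming that is the reason), so a later reader does not mistake the omission for missing plumbing.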


@ -340,11 +340,6 @@ public class OIDCLoginProtocol implements LoginProtocol {
return Boolean.valueOf(Optional.ofNullable(client.getAttribute(OIDCConfigAttributes.ID_TOKEN_AS_DETACHED_SIGNATURE)).orElse(Boolean.FALSE.toString())).booleanValue(); return Boolean.valueOf(Optional.ofNullable(client.getAttribute(OIDCConfigAttributes.ID_TOKEN_AS_DETACHED_SIGNATURE)).orElse(Boolean.FALSE.toString())).booleanValue();
} }
@Override
public Response sendError(AuthenticationSessionModel authSession, Error error) {
return sendError(authSession, error, null);
}
@Override @Override
public Response sendError(AuthenticationSessionModel authSession, Error error, String errorMessage) { public Response sendError(AuthenticationSessionModel authSession, Error error, String errorMessage) {
if (isOAuth2DeviceVerificationFlow(authSession)) { if (isOAuth2DeviceVerificationFlow(authSession)) {


@ -219,7 +219,7 @@ public class SamlProtocol implements LoginProtocol {
} }
@Override @Override
public Response sendError(AuthenticationSessionModel authSession, Error error) { public Response sendError(AuthenticationSessionModel authSession, Error error, String errorMessage) {
try { try {
ClientModel client = authSession.getClient(); ClientModel client = authSession.getClient();
@ -233,7 +233,7 @@ public class SamlProtocol implements LoginProtocol {
URI redirect = builder.buildFromMap(params); URI redirect = builder.buildFromMap(params);
return Response.status(302).location(redirect).build(); return Response.status(302).location(redirect).build();
} else { } else {
return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, translateErrorToIdpInitiatedErrorMessage(error)); return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, errorMessage != null ? errorMessage : translateErrorToIdpInitiatedErrorMessage(error));
} }
} else { } else {
return samlErrorMessage( return samlErrorMessage(
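Review bot: On the `ErrorPage.error` line the new code only tests `errorMessage != null`, so an empty string from a caller would displace the translated default with a blank message; `errorMessage != null && !errorMessage.isBlank() ? errorMessage : translateErrorToIdpInitiatedErrorMessage(error)` keeps the fallback for that case. The other return paths visible here (the 302 redirect built from `params` and the `samlErrorMessage(` branch) do not consume `errorMessage`; if that is deliberate, a one-line comment noting that the message only applies to the IdP-initiated error page would save the next reader from searching for the missing plumbing. The method body starts in the first hunk and continues past the end of the second.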


@ -1311,7 +1311,7 @@ public class AuthenticationManager {
.setHttpHeaders(context.getHttpRequest().getHttpHeaders()) .setHttpHeaders(context.getHttpRequest().getHttpHeaders())
.setUriInfo(context.getUriInfo()) .setUriInfo(context.getUriInfo())
.setEventBuilder(event); .setEventBuilder(event);
Response response = protocol.sendError(context.getAuthenticationSession(), Error.CONSENT_DENIED); Response response = protocol.sendError(context.getAuthenticationSession(), Error.CONSENT_DENIED, null);
event.error(Errors.REJECTED_BY_USER); event.error(Errors.REJECTED_BY_USER);
return response; return response;
} }


@ -1207,7 +1207,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
.setHttpHeaders(headers) .setHttpHeaders(headers)
.setUriInfo(session.getContext().getUri()) .setUriInfo(session.getContext().getUri())
.setEventBuilder(event); .setEventBuilder(event);
return protocol.sendError(authSession, error); return protocol.sendError(authSession, error, null);
} }
return null; return null;
} }


@ -925,7 +925,7 @@ public class LoginActionsService {
.setHttpHeaders(headers) .setHttpHeaders(headers)
.setUriInfo(session.getContext().getUri()) .setUriInfo(session.getContext().getUri())
.setEventBuilder(event); .setEventBuilder(event);
return protocol.sendError(authSession, Error.PASSIVE_INTERACTION_REQUIRED); return protocol.sendError(authSession, Error.PASSIVE_INTERACTION_REQUIRED, null);
} }
} }
return challenge; return challenge;
@ -1014,7 +1014,7 @@ public class LoginActionsService {
.setHttpHeaders(headers) .setHttpHeaders(headers)
.setUriInfo(session.getContext().getUri()) .setUriInfo(session.getContext().getUri())
.setEventBuilder(event); .setEventBuilder(event);
Response response = protocol.sendError(authSession, Error.CONSENT_DENIED); Response response = protocol.sendError(authSession, Error.CONSENT_DENIED, null);
event.error(Errors.REJECTED_BY_USER); event.error(Errors.REJECTED_BY_USER);
return response; return response;
} }