rebased to latest master

integration/adapter-core/src/main/java/org/keycloak/adapters/OIDCAuthenticationError.java

@@ -36,4 +36,11 @@ public class OIDCAuthenticationError implements AuthenticationError {
     public String getDescription() {
         return description;
     }
+
+    @Override
+    public String toString() {
+        return "OIDCAuthenticationError [reason=" + reason + ", description=" + description + "]";
+    }
+    
+    
 }

saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlAuthenticationError.java

@@ -40,4 +40,10 @@ public class SamlAuthenticationError implements AuthenticationError {
     public StatusResponseType getStatus() {
         return status;
     }
+
+    @Override
+    public String toString() {
+        return "SamlAuthenticationError [reason=" + reason + ", status=" + status + "]";
+    }
+    
 }

saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlAuthenticator.java

@@ -211,25 +211,7 @@ public abstract class SamlAuthenticator {
             return AuthOutcome.FAILED;
         }
         
-        if (statusResponse instanceof ResponseType) {
+        if (statusResponse instanceof ResponseType) {            
-
-            //validate status
-            StatusType status = statusResponse.getStatus();
-            if(status == null){
-                log.error("Missing Status in SAML response");
-                return AuthOutcome.FAILED;
-            }
-            if(!checkStatusCodeValue(status.getStatusCode(), JBossSAMLURIConstants.STATUS_SUCCESS.get())){
-                if(checkStatusCodeValue(status.getStatusCode(), JBossSAMLURIConstants.STATUS_RESPONDER.get()) && checkStatusCodeValue(status.getStatusCode().getStatusCode(), JBossSAMLURIConstants.STATUS_NO_PASSIVE.get())){
-                    // KEYCLOAK-2107 - handle user not authenticated due passive mode 
-                    log.debug("Not authenticated due passive mode Status found in SAML response: " + status.toString());
-                    return AuthOutcome.NOT_AUTHENTICATED;
-                }
-                log.error("Error Status found in SAML response: " + status.toString());
-                return AuthOutcome.FAILED;
-                
-            }
-            
             try {
                 if (deployment.getIDP().getSingleSignOnService().validateResponseSignature()) {
                     try {
@@ -276,7 +258,15 @@ public abstract class SamlAuthenticator {
                 }
 
             } else if (sessionStore.isLoggingIn()) {
+
                 try {
+                    // KEYCLOAK-2107 - handle user not authenticated due passive mode. Return special outcome so different authentication mechanisms can behave accordingly.
+                    StatusType status = statusResponse.getStatus();
+                    if(checkStatusCodeValue(status.getStatusCode(), JBossSAMLURIConstants.STATUS_RESPONDER.get()) && checkStatusCodeValue(status.getStatusCode().getStatusCode(), JBossSAMLURIConstants.STATUS_NO_PASSIVE.get())){
+                        log.debug("Not authenticated due passive mode Status found in SAML response: " + status.toString());
+                        return AuthOutcome.NOT_AUTHENTICATED;
+                    }
+
                     challenge = new AuthChallenge() {
                         @Override
                         public boolean challenge(HttpFacade exchange) {

saml/saml-core/src/main/java/org/keycloak/saml/SAML2ErrorResponseBuilder.java

@@ -1,28 +1,21 @@
 package org.keycloak.saml;
 
-<<<<<<< Upstream, based on keycloak/master
 import org.keycloak.dom.saml.v2.assertion.NameIDType;
 import org.keycloak.dom.saml.v2.protocol.StatusCodeType;
 import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
 import org.keycloak.dom.saml.v2.protocol.StatusType;
 import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
-=======
-import org.keycloak.dom.saml.v2.protocol.ResponseType;
->>>>>>> 9408d08 KEYCLOAK-2107 - support IsPassive mode in SAML SP adapter library KEYCLOAK-2075 - added integration tests for both server and adapter side
 import org.keycloak.saml.common.exceptions.ConfigurationException;
 import org.keycloak.saml.common.exceptions.ParsingException;
 import org.keycloak.saml.common.exceptions.ProcessingException;
 import org.keycloak.saml.processing.api.saml.v2.response.SAML2Response;
 import org.keycloak.saml.processing.core.saml.v2.common.IDGenerator;
 import org.keycloak.saml.processing.core.saml.v2.factories.JBossSAMLAuthnResponseFactory;
-<<<<<<< Upstream, based on keycloak/master
 import org.keycloak.saml.processing.core.saml.v2.holders.IDPInfoHolder;
 import org.keycloak.saml.processing.core.saml.v2.holders.IssuerInfoHolder;
 import org.keycloak.saml.processing.core.saml.v2.holders.SPInfoHolder;
 import org.keycloak.dom.saml.v2.protocol.ResponseType;
 import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
-=======
->>>>>>> 9408d08 KEYCLOAK-2107 - support IsPassive mode in SAML SP adapter library KEYCLOAK-2075 - added integration tests for both server and adapter side
 import org.w3c.dom.Document;
 
 import java.net.URI;
@@ -52,6 +45,7 @@ public class SAML2ErrorResponseBuilder {
         return this;
     }
 
+
     public Document buildDocument() throws ProcessingException {
 
         try {
@@ -71,6 +65,8 @@ public class SAML2ErrorResponseBuilder {
         } catch (ParsingException e) {
             throw new ProcessingException(e);
         }
+
     }
 
+
 }

testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SamlAdapterTestStrategy.java

@@ -140,12 +140,13 @@ public class SamlAdapterTestStrategy  extends ExternalResource {
     }
 
     public void testPostPassiveLoginLogout(boolean forbiddenIfNotauthenticated) {
-        // first request on passive app - no login page shown, user not logged in as we are in passive mode
+        // first request on passive app - no login page shown, user not logged in as we are in passive mode.
+        // Shown page depends on used authentication mechanism, some may return forbidden error, some return requested page with anonymous user (not logged in)
         driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-passive/");
         assertEquals(APP_SERVER_BASE_URL + "/sales-post-passive/", driver.getCurrentUrl());
         System.out.println(driver.getPageSource());
         if (forbiddenIfNotauthenticated) {
-            Assert.assertTrue(driver.getPageSource().contains("Forbidden"));
+            Assert.assertTrue(driver.getPageSource().contains("HTTP status code: 403"));
         } else {
             Assert.assertTrue(driver.getPageSource().contains("principal=null"));
         }

testsuite/integration/src/test/java/org/keycloak/testsuite/rule/ErrorServlet.java

@@ -6,7 +6,6 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
 import java.io.IOException;
 import java.io.PrintWriter;
 
@@ -20,10 +19,17 @@ public class ErrorServlet extends HttpServlet {
     protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
         authError = (AuthenticationError)req.getAttribute(AuthenticationError.class.getName());
 
+        Integer statusCode = (Integer) req.getAttribute("javax.servlet.error.status_code");
+
         resp.setContentType("text/html");
         PrintWriter pw = resp.getWriter();
         pw.printf("<html><head><title>%s</title></head><body>", "Error Page");
-        pw.print("<h1>There was an error</h1></body></html>");
+        pw.print("<h1>There was an error</h1>");
+        if (statusCode != null)
+            pw.print("<br/>HTTP status code: " + statusCode);
+        if (authError != null)
+            pw.print("<br/>Error info: " + authError.toString());
+        pw.print("</body></html>");
         pw.flush();