fix for 21476
This commit is contained in:
parent
b458356aa9
commit
e6d7749cbf
5 changed files with 42 additions and 2 deletions
|
@ -0,0 +1,31 @@
|
|||
/*
|
||||
* Copyright 2016 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.keycloak.broker.provider;
|
||||
|
||||
/**
|
||||
* @author dmartino
|
||||
*/
|
||||
public class IdentityBrokerUnmatchedEssentialClaimException extends RuntimeException {
|
||||
|
||||
public IdentityBrokerUnmatchedEssentialClaimException(String message) {
|
||||
super(message);
|
||||
}
|
||||
|
||||
public IdentityBrokerUnmatchedEssentialClaimException(String message, Throwable t) {
|
||||
super(message, t);
|
||||
}
|
||||
}
|
|
@ -28,6 +28,7 @@ import org.keycloak.broker.provider.BrokeredIdentityContext;
|
|||
import org.keycloak.broker.provider.ExchangeExternalToken;
|
||||
import org.keycloak.broker.provider.ExchangeTokenToIdentityProviderToken;
|
||||
import org.keycloak.broker.provider.IdentityBrokerException;
|
||||
import org.keycloak.broker.provider.IdentityBrokerUnmatchedEssentialClaimException;
|
||||
import org.keycloak.broker.provider.IdentityProvider;
|
||||
import org.keycloak.broker.provider.util.IdentityBrokerState;
|
||||
import org.keycloak.broker.provider.util.SimpleHttp;
|
||||
|
@ -518,6 +519,8 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
|
|||
}
|
||||
} catch (WebApplicationException e) {
|
||||
return e.getResponse();
|
||||
} catch (IdentityBrokerUnmatchedEssentialClaimException e) {
|
||||
return errorIdentityProviderLogin(Messages.IDENTITY_PROVIDER_UNMATCHED_ESSENTIAL_CLAIM_ERROR);
|
||||
} catch (Exception e) {
|
||||
logger.error("Failed to make identity provider oauth callback", e);
|
||||
}
|
||||
|
|
|
@ -27,6 +27,7 @@ import org.keycloak.broker.provider.AuthenticationRequest;
|
|||
import org.keycloak.broker.provider.BrokeredIdentityContext;
|
||||
import org.keycloak.broker.provider.ExchangeExternalToken;
|
||||
import org.keycloak.broker.provider.IdentityBrokerException;
|
||||
import org.keycloak.broker.provider.IdentityBrokerUnmatchedEssentialClaimException;
|
||||
import org.keycloak.broker.provider.util.SimpleHttp;
|
||||
import org.keycloak.common.util.Base64Url;
|
||||
import org.keycloak.common.util.SecretGenerator;
|
||||
|
@ -412,11 +413,11 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
|
|||
logger.tracef("Found claim %s with values %s", filterName, claimValues);
|
||||
if (!claimValues.stream().anyMatch(v->v.matches(filterValue))) {
|
||||
logger.warnf("Claim %s has values \"%s\" that does not match the expected filter \"%s\"", filterName, claimValues, filterValue);
|
||||
throw new IdentityBrokerException(String.format("Unmatched claim value for %s.", filterName));
|
||||
throw new IdentityBrokerUnmatchedEssentialClaimException(String.format("Unmatched claim value for %s.", filterName));
|
||||
}
|
||||
} else {
|
||||
logger.debugf("Claim %s was not found", filterName);
|
||||
throw new IdentityBrokerException(String.format("Claim %s not found", filterName));
|
||||
throw new IdentityBrokerUnmatchedEssentialClaimException(String.format("Claim %s not found", filterName));
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -432,6 +433,8 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
|
|||
}
|
||||
|
||||
return identity;
|
||||
} catch (IdentityBrokerUnmatchedEssentialClaimException e) {
|
||||
throw e;
|
||||
} catch (Exception e) {
|
||||
throw new IdentityBrokerException("Could not fetch attributes from userinfo endpoint.", e);
|
||||
}
|
||||
|
|
|
@ -180,6 +180,8 @@ public class Messages {
|
|||
public static final String STALE_VERIFY_EMAIL_LINK = "staleEmailVerificationLink";
|
||||
|
||||
public static final String IDENTITY_PROVIDER_UNEXPECTED_ERROR = "identityProviderUnexpectedErrorMessage";
|
||||
|
||||
public static final String IDENTITY_PROVIDER_UNMATCHED_ESSENTIAL_CLAIM_ERROR = "federatedIdentityUnmatchedEssentialClaimMessage";
|
||||
|
||||
public static final String IDENTITY_PROVIDER_MISSING_STATE_ERROR = "identityProviderMissingStateMessage";
|
||||
|
||||
|
|
|
@ -264,6 +264,7 @@ emailExistsMessage=Email already exists.
|
|||
|
||||
federatedIdentityExistsMessage=User with {0} {1} already exists. Please login to account management to link the account.
|
||||
federatedIdentityUnavailableMessage=User {0} authenticated with identity provider {1} does not exist. Please contact your administrator.
|
||||
federatedIdentityUnmatchedEssentialClaimMessage=The ID token issued by the identity provider does not match the configured essential claim. Please contact your administrator.
|
||||
|
||||
confirmLinkIdpTitle=Account already exists
|
||||
federatedIdentityConfirmLinkMessage=User with {0} {1} already exists. How do you want to continue?
|
||||
|
|
Loading…
Reference in a new issue