fix for 21476

server-spi-private/src/main/java/org/keycloak/broker/provider/IdentityBrokerUnmatchedEssentialClaimException.java

@@ -0,0 +1,31 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.broker.provider;
+
+/**
+ * @author dmartino
+ */
+public class IdentityBrokerUnmatchedEssentialClaimException extends RuntimeException {
+
+    public IdentityBrokerUnmatchedEssentialClaimException(String message) {
+        super(message);
+    }
+
+    public IdentityBrokerUnmatchedEssentialClaimException(String message, Throwable t) {
+        super(message, t);
+    }
+}

services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java

@@ -28,6 +28,7 @@ import org.keycloak.broker.provider.BrokeredIdentityContext;
 import org.keycloak.broker.provider.ExchangeExternalToken;
 import org.keycloak.broker.provider.ExchangeTokenToIdentityProviderToken;
 import org.keycloak.broker.provider.IdentityBrokerException;
+import org.keycloak.broker.provider.IdentityBrokerUnmatchedEssentialClaimException;
 import org.keycloak.broker.provider.IdentityProvider;
 import org.keycloak.broker.provider.util.IdentityBrokerState;
 import org.keycloak.broker.provider.util.SimpleHttp;
@@ -518,6 +519,8 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
                 }
             } catch (WebApplicationException e) {
                 return e.getResponse();
+            } catch (IdentityBrokerUnmatchedEssentialClaimException e) {
+                return errorIdentityProviderLogin(Messages.IDENTITY_PROVIDER_UNMATCHED_ESSENTIAL_CLAIM_ERROR);
             } catch (Exception e) {
                 logger.error("Failed to make identity provider oauth callback", e);
             }

services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java

@@ -27,6 +27,7 @@ import org.keycloak.broker.provider.AuthenticationRequest;
 import org.keycloak.broker.provider.BrokeredIdentityContext;
 import org.keycloak.broker.provider.ExchangeExternalToken;
 import org.keycloak.broker.provider.IdentityBrokerException;
+import org.keycloak.broker.provider.IdentityBrokerUnmatchedEssentialClaimException;
 import org.keycloak.broker.provider.util.SimpleHttp;
 import org.keycloak.common.util.Base64Url;
 import org.keycloak.common.util.SecretGenerator;
@@ -412,11 +413,11 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
                     logger.tracef("Found claim %s with values %s", filterName, claimValues);
                     if (!claimValues.stream().anyMatch(v->v.matches(filterValue))) {
                         logger.warnf("Claim %s has values \"%s\" that does not match the expected filter \"%s\"", filterName, claimValues, filterValue);
-                        throw new IdentityBrokerException(String.format("Unmatched claim value for %s.", filterName));
+                        throw new IdentityBrokerUnmatchedEssentialClaimException(String.format("Unmatched claim value for %s.", filterName));
                     }
                 } else {
                     logger.debugf("Claim %s was not found", filterName);
-                    throw new IdentityBrokerException(String.format("Claim %s not found", filterName));
+                    throw new IdentityBrokerUnmatchedEssentialClaimException(String.format("Claim %s not found", filterName));
                 }
             }
 
@@ -432,6 +433,8 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
             }
 
             return identity;
+        } catch (IdentityBrokerUnmatchedEssentialClaimException e) {
+            throw e;
         } catch (Exception e) {
             throw new IdentityBrokerException("Could not fetch attributes from userinfo endpoint.", e);
         }

services/src/main/java/org/keycloak/services/messages/Messages.java

@@ -181,6 +181,8 @@ public class Messages {
 
     public static final String IDENTITY_PROVIDER_UNEXPECTED_ERROR = "identityProviderUnexpectedErrorMessage";
     
+    public static final String IDENTITY_PROVIDER_UNMATCHED_ESSENTIAL_CLAIM_ERROR = "federatedIdentityUnmatchedEssentialClaimMessage";
+
     public static final String IDENTITY_PROVIDER_MISSING_STATE_ERROR = "identityProviderMissingStateMessage";
 
     public static final String IDENTITY_PROVIDER_INVALID_RESPONSE = "identityProviderInvalidResponseMessage";

themes/src/main/resources/theme/base/login/messages/messages_en.properties

@@ -264,6 +264,7 @@ emailExistsMessage=Email already exists.
 
 federatedIdentityExistsMessage=User with {0} {1} already exists. Please login to account management to link the account.
 federatedIdentityUnavailableMessage=User {0} authenticated with identity provider {1} does not exist. Please contact your administrator.
+federatedIdentityUnmatchedEssentialClaimMessage=The ID token issued by the identity provider does not match the configured essential claim. Please contact your administrator.
 
 confirmLinkIdpTitle=Account already exists
 federatedIdentityConfirmLinkMessage=User with {0} {1} already exists. How do you want to continue?