libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

fix for 21476

Browse source
This commit is contained in:
Daniele Martinoli 2023-07-06 13:14:38 +02:00 committed by Pedro Igor
parent b458356aa9
commit e6d7749cbf
5 changed files with 42 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
server-spi-private/src/main/java/org/keycloak/broker/provider/IdentityBrokerUnmatchedEssentialClaimException.java Normal file
View file

@ -0,0 +1,31 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.broker.provider;
/**
* @author dmartino
*/
public class IdentityBrokerUnmatchedEssentialClaimException extends RuntimeException {
public IdentityBrokerUnmatchedEssentialClaimException(String message) {
super(message);
}
public IdentityBrokerUnmatchedEssentialClaimException(String message, Throwable t) {
super(message, t);
}
}

3
services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
View file

@ -28,6 +28,7 @@ import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.ExchangeExternalToken;
import org.keycloak.broker.provider.ExchangeTokenToIdentityProviderToken;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.IdentityBrokerUnmatchedEssentialClaimException;
import org.keycloak.broker.provider.IdentityProvider;
import org.keycloak.broker.provider.util.IdentityBrokerState;
import org.keycloak.broker.provider.util.SimpleHttp;
@ -518,6 +519,8 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
}
} catch (WebApplicationException e) {
return e.getResponse();
} catch (IdentityBrokerUnmatchedEssentialClaimException e) {
return errorIdentityProviderLogin(Messages.IDENTITY_PROVIDER_UNMATCHED_ESSENTIAL_CLAIM_ERROR);
} catch (Exception e) {
logger.error("Failed to make identity provider oauth callback", e);
}

7
services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
View file

@ -27,6 +27,7 @@ import org.keycloak.broker.provider.AuthenticationRequest;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.ExchangeExternalToken;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.IdentityBrokerUnmatchedEssentialClaimException;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.SecretGenerator;
@ -412,11 +413,11 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
logger.tracef("Found claim %s with values %s", filterName, claimValues);
if (!claimValues.stream().anyMatch(v->v.matches(filterValue))) {
logger.warnf("Claim %s has values \"%s\" that does not match the expected filter \"%s\"", filterName, claimValues, filterValue);
throw new IdentityBrokerException(String.format("Unmatched claim value for %s.", filterName));
throw new IdentityBrokerUnmatchedEssentialClaimException(String.format("Unmatched claim value for %s.", filterName));
}
} else {
logger.debugf("Claim %s was not found", filterName);
throw new IdentityBrokerException(String.format("Claim %s not found", filterName));
throw new IdentityBrokerUnmatchedEssentialClaimException(String.format("Claim %s not found", filterName));
}
}
@ -432,6 +433,8 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
}
return identity;
} catch (IdentityBrokerUnmatchedEssentialClaimException e) {
throw e;
} catch (Exception e) {
throw new IdentityBrokerException("Could not fetch attributes from userinfo endpoint.", e);
}

2
services/src/main/java/org/keycloak/services/messages/Messages.java
View file

@ -181,6 +181,8 @@ public class Messages {
public static final String IDENTITY_PROVIDER_UNEXPECTED_ERROR = "identityProviderUnexpectedErrorMessage";
public static final String IDENTITY_PROVIDER_UNMATCHED_ESSENTIAL_CLAIM_ERROR = "federatedIdentityUnmatchedEssentialClaimMessage";
public static final String IDENTITY_PROVIDER_MISSING_STATE_ERROR = "identityProviderMissingStateMessage";
public static final String IDENTITY_PROVIDER_INVALID_RESPONSE = "identityProviderInvalidResponseMessage";

1
themes/src/main/resources/theme/base/login/messages/messages_en.properties
View file

@ -264,6 +264,7 @@ emailExistsMessage=Email already exists.
federatedIdentityExistsMessage=User with {0} {1} already exists. Please login to account management to link the account.
federatedIdentityUnavailableMessage=User {0} authenticated with identity provider {1} does not exist. Please contact your administrator.
federatedIdentityUnmatchedEssentialClaimMessage=The ID token issued by the identity provider does not match the configured essential claim. Please contact your administrator.
confirmLinkIdpTitle=Account already exists
federatedIdentityConfirmLinkMessage=User with {0} {1} already exists. How do you want to continue?