[keycloak-user] UserFederationProvider CredentialValidationOutput validCredentials and close method never called

Marek Posolda mposolda at redhat.com
Tue Oct 27 02:29:21 EDT 2015


Ok. Still, the error message on the login screen is not the responsibility of 
the federation provider. The federation provider is a lower-level SPI 
for user operations. You can handle this with the Authentication SPI.

For example, you can throw an exception from the federation provider, 
catch it in the authenticator, and display a message based on that.

Marek

On 26/10/15 16:08, alex orl wrote:
> I agree, but you know... if a single-sign-on server is used inside an 
> enterprise cloud/environment, giving the possibility to handle 
> authentication with a custom UserFederationProvider implementation, 
> the need to send custom, and sometimes more meaningful, messages to 
> users could be very frequent, without necessarily introducing a 
> security leak.
> thanks
>
>
>
> On Monday, 26 October 2015 12:29, Marek Posolda <mposolda at redhat.com> 
> wrote:
>
>
> Ah, you want to display custom error messages on the login screen. It 
> seems you may need to override the UsernamePasswordForm. Take a look 
> at the Authentication SPI documentation and examples for how to do it.
>
> Btw. not sure if it's very good to create custom messages based on 
> errors, as it can give a potential attacker some details about your 
> users. For example, we always display the "Invalid username or password" 
> error regardless of whether the tried username exists or not, so the attacker 
> doesn't have the possibility to "guess" usernames. (Some sites display 
> "Invalid user" if the username doesn't exist and "Invalid password" if the 
> user exists but the password is incorrect. We display a single message in 
> both cases.)
>
> Marek
>
> On 26/10/15 11:32, alex orl wrote:
>> Thanks for your answer. Well, I suddenly tried your suggestion, adding 
>> a throw new ModelException("My message"); inside my provider class.
>> The exception is thrown, but the login page is redirected to the 
>> standard error page, just displaying the message:
>>
>> We're *sorry* ...
>>
>> Unexpected error when handling authentication request to identity 
>> provider.
>>
>>
>> How can I make the "My message" exception message be displayed on 
>> the login page?
>> Thanks
>>
>>
>>
>> On Monday, 26 October 2015 8:49, Marek Posolda <mposolda at redhat.com> 
>> wrote:
>>
>>
>> On 24/10/15 23:27, alex orl wrote:
>>> I'm using the JBoss Keycloak 1.5 final version.
>>> I developed my custom user federation provider, interfacing with 
>>> Keycloak properties and my enterprise user database.
>>>
>>> My need is to send custom error messages up to the user's login 
>>> interface, based on particular errors related to my legacy 
>>> user DB.
>>>
>>> I saw that Keycloak themes have a resources folder with which I can 
>>> localize and add new messages. Then I can reference them from 
>>> AngularJS using the
>>>
>>>     $myMessage
>>>
>>> notation. The problem is that I want to raise a message from the Keycloak 
>>> server. My user federation provider implements the 
>>> UserFederationProvider interface. So I should have to override:
>>>
>>>     @Override
>>>     public CredentialValidationOutput validCredentials(RealmModel realm,
>>>                                                        UserCredentialModel credential) {
>>>         // Log the call, then report a failed validation with no user resolved.
>>>         LOGGER.info("validCredentials(realm, credential)");
>>>         return CredentialValidationOutput.failed();
>>>     }
>>>
>>> In the UserFederationProvider interface I read that validCredentials:
>>> "Validate credentials of unknown user. The authenticated user is 
>>> recognized based on provided credentials and returned back in 
>>> CredentialValidationOutput."
>>>
>>> It seems to be the method I was looking for, just because 
>>> CredentialValidationOutput contains custom messages to be sent as 
>>> validation output. The problem is that this method is never called.
>> This method is called by Keycloak just during use cases when you 
>> want to authenticate an unknown user, which is currently during 
>> Kerberos/SPNEGO login. It's not called during the basic flow with 
>> username/password authentication.
>>
>> I think if you want to propagate error messages, you can for example 
>> throw ModelException with the error message you want.
>>>
>>> The same happens with the close method. It's never called at the end 
>>> of each request, so I cannot dispose of my objects.
>>> Why?
>> Feel free to create JIRA for the close method.
>>
>> Marek
>>
>>> Thanks a lot
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
>
>

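Added example (not code from this thread, nor Keycloak's own code) of the pattern Marek describes: the federation provider stays a low-level SPI and throws an exception, and a replacement for the built-in UsernamePasswordForm authenticator catches it and decides what the login page shows. It assumes the Keycloak 1.5-era Authentication SPI (AuthenticationFlowContext, LoginFormsProvider.setError, Messages.INVALID_USER) and a federation provider that throws the hypothetical LegacyStoreUnavailableException from its validCredentials(RealmModel, UserModel, List<UserCredentialModel>) method, which is the one the username/password flow actually calls. The package, class names and the legacyStoreUnavailable message key are invented; the key is assumed to be added to the theme's messages properties.

```java
// Added example, not part of the thread or of Keycloak. Package, class names and
// the message key are hypothetical; the Keycloak APIs are those of the 1.5-era SPI.
package example.auth;

import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;

import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.authenticators.browser.UsernamePasswordForm;
import org.keycloak.models.ModelException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.messages.Messages;

/**
 * Thrown by the (hypothetical) legacy-DB federation provider from
 * validCredentials(RealmModel, UserModel, List<UserCredentialModel>) when the
 * legacy store itself cannot be reached. This is the one condition that is safe
 * to report distinctly: it says nothing about whether the username exists.
 */
class LegacyStoreUnavailableException extends ModelException {
    LegacyStoreUnavailableException(String detail, Throwable cause) {
        super(detail, cause);
    }
}

/** Replacement for the built-in username/password form authenticator. */
public class LegacyDbUsernamePasswordForm extends UsernamePasswordForm {

    private static final Logger LOG = Logger.getLogger(LegacyDbUsernamePasswordForm.class);

    // Assumed entry in the theme's messages_en.properties:
    // legacyStoreUnavailable=The account service is temporarily unavailable. Please try again later.
    static final String LEGACY_STORE_UNAVAILABLE = "legacyStoreUnavailable";

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String username = form.getFirst("username");
        String password = form.getFirst("password");
        RealmModel realm = context.getRealm();

        try {
            UserModel user = (username == null || username.isEmpty())
                    ? null
                    : context.getSession().users().getUserByUsername(username, realm);
            // Unknown user and wrong password end in the same message and the same
            // flow error, so the response does not reveal which one it was.
            boolean valid = user != null
                    && password != null
                    && context.getSession().users().validCredentials(
                            realm, user, UserCredentialModel.password(password));
            if (!valid) {
                LOG.debugf("login rejected for username '%s'", username);
                invalidCredentials(context);
                return;
            }
            context.setUser(user);
            context.success();
        } catch (LegacyStoreUnavailableException e) {
            // Operational failure, not a credential failure: a distinct message is
            // acceptable because it is identical for every username.
            LOG.errorf(e, "legacy user store unavailable during login");
            Response challenge = context.form().setError(LEGACY_STORE_UNAVAILABLE).createLogin();
            context.failureChallenge(AuthenticationFlowError.INTERNAL_ERROR, challenge);
        } catch (ModelException e) {
            // Any other provider error: keep the detail in the server log and show
            // the generic message the default form shows as well.
            LOG.warnf("federation provider error for username '%s': %s", username, e.getMessage());
            invalidCredentials(context);
        }
    }

    private void invalidCredentials(AuthenticationFlowContext context) {
        context.clearUser();
        Response challenge = context.form()
                .setError(Messages.INVALID_USER)   // "Invalid username or password."
                .createLogin();
        context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challenge);
    }
}
```

To use it, the authenticator needs a matching AuthenticatorFactory registered via META-INF/services, and the browser flow in the admin console has to be copied and its username/password step swapped for this one, as the Authentication SPI documentation describes. The point of the split is that only a failure that is identical for every username (the store being down) gets its own text; anything tied to a particular account falls through to the same generic message.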