[keycloak-user] AuthenticationManager send back access_denied error when it should send server_error

Marek Posolda mposolda at redhat.com
Tue Jan 24 05:34:51 EST 2017


I think you can create JIRA for your usecase and set the component 
"Authenticator" and fix version "3.0.0.CR1" for that JIRA.

AFAIK we are going to improve Authentication SPI (and requiredAction SPI 
is treated as the part of it), so this can be done as part of that though.

Marek


On 18/01/17 15:53, Cristi Cioriia wrote:
> Hi guys,
>
> The AuthenticationManager class handles failed required action by sending
> an access_denied error message back to the client application, instead of a
> server error, if the required action detects that it cannot display the
> required action page and marks the context as failed.
>
> The use case I have is the following:
>
> 1) I have created and configured a required action that calls an external
> service to retrieve some data. If that service fails, then I cannot display
> the required action page to the user, so I call
>
> context.failure().
>
> 2) Now, when the AuthenticationManager.executionActions method is called to
> display the required action page, it detects that the status of the
> required action context is FAILURE (line 641), so it doesn't display the
> required action page, but instead it calls at line 647 the oidc protocol
> like this:
>
> Response response = protocol.sendError(context.getClientSession(),
> Error.CONSENT_DENIED);
>
> This creates a response for the client application with
> error=access_denied, but in my opinion it should be with server_error,
> because the user didn't even have the chance to grant consent.
>
> Isn't this how it should happen? I noticed that the server_error is not
> returned to the client at all, as is only the default branch of a switch,
> and it can't be reached at all, as the Error enum does not have a mapping
> for it.
>
> Looking forward to an answer.
>
> Greetings,
> Cristi
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
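Added example, not code from the thread or from the Keycloak code base: a required action provider of the kind Cristi describes, which fetches data from an external service before it can render its page and calls `context.failure()` when that call throws. The `ExternalProfileClient`, `ExternalProfile` and `ExternalServiceException` types are hypothetical stand-ins for the external service; the `RequiredActionProvider` / `RequiredActionContext` / `LoginFormsProvider` methods are the Keycloak SPI as it existed in the 2.x/3.x line discussed here. With this provider, the failure branch is exactly the one that ends in `protocol.sendError(..., Error.CONSENT_DENIED)` and therefore `error=access_denied` at the client, so an operator reading client-side logs cannot tell a consent refusal from an outage of the external service; the server-side log line in the catch block is what keeps the two distinguishable.

```java
// Added example (not from the thread or from Keycloak itself). The external
// service client types below are hypothetical; the Keycloak SPI calls are real.
import org.jboss.logging.Logger;
import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionProvider;

import javax.ws.rs.core.Response;

public class ExternalDataRequiredAction implements RequiredActionProvider {

    private static final Logger LOG = Logger.getLogger(ExternalDataRequiredAction.class);

    /** Hypothetical result object returned by the external service. */
    public interface ExternalProfile {
        String displayName();
    }

    /** Hypothetical failure raised by the external service client. */
    public static class ExternalServiceException extends Exception {
        public ExternalServiceException(String message, Throwable cause) {
            super(message, cause);
        }
    }

    /** Hypothetical client for the external service. */
    public interface ExternalProfileClient {
        ExternalProfile fetch(String username) throws ExternalServiceException;
    }

    private final ExternalProfileClient client;

    public ExternalDataRequiredAction(ExternalProfileClient client) {
        this.client = client;
    }

    @Override
    public void evaluateTriggers(RequiredActionContext context) {
        // Nothing to compute here: the action is attached to users explicitly
        // (for example via the admin console), not derived at login time.
    }

    @Override
    public void requiredActionChallenge(RequiredActionContext context) {
        ExternalProfile profile;
        try {
            profile = client.fetch(context.getUser().getUsername());
        } catch (ExternalServiceException e) {
            // Record the real cause server-side: the client application will only
            // see the generic error that AuthenticationManager maps this failure to
            // (error=access_denied in the version discussed in the thread).
            LOG.errorf(e, "External service unavailable for user %s, failing required action",
                    context.getUser().getUsername());
            context.failure();
            return;
        }

        // Service answered: render the action page with the fetched data.
        Response page = context.form()
                .setAttribute("profile", profile)
                .createForm("external-data.ftl");
        context.challenge(page);
    }

    @Override
    public void processAction(RequiredActionContext context) {
        // The user submitted the page; mark the action as completed so it is
        // removed from the user's pending required actions.
        context.success();
    }

    @Override
    public void close() {
        // No per-request resources to release.
    }
}
```

Registering the provider requires the usual `RequiredActionFactory` and a `META-INF/services` entry, which are omitted here; the point of the snippet is the two distinct exits from `requiredActionChallenge` (a `challenge` with a page versus `failure()`) and how little of the failure cause survives to the relying party.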
