I think you can create a JIRA for your use case and set the component
"Authenticator" and fix version "3.0.0.CR1" for that JIRA.
AFAIK we are going to improve the Authentication SPI (and the requiredAction SPI
is treated as part of it), so this can be done as part of that though.
Marek
On 18/01/17 15:53, Cristi Cioriia wrote:
Hi guys,
The AuthenticationManager class handles a failed required action by sending
an access_denied error message back to the client application, instead of a
server error, if the required action detects that it cannot display the
required action page and marks the context as failed.
The use case I have is the following:
1) I have created and configured a required action that calls an external
service to retrieve some data. If that service fails, then I cannot display
the required action page to the user, so I call
context.failure().
2) Now, when the AuthenticationManager.executionActions method is called to
display the required action page, it detects that the status of the
required action context is FAILURE (line 641), so it doesn't display the
required action page, but instead it calls at line 647 the oidc protocol
like this:
Response response = protocol.sendError(context.getClientSession(),
Error.CONSENT_DENIED);
This creates a response for the client application with
error=access_denied, but in my opinion it should be with server_error,
because the user didn't even have the chance to grant consent.
Isn't this how it should happen? I noticed that the server_error is not
returned to the client at all, as it is only the default branch of a switch,
and it can't be reached at all, as the Error enum does not have a mapping
for it.
Looking forward to an answer.
Greetings,
Cristi
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
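As an added illustration of the use case in the thread (this is example code, not from either poster or from Keycloak itself), a required action whose page depends on an external lookup and which marks the context as failed when that lookup breaks. The ExternalDataClient interface, the class name and the template name are assumptions; the RequiredActionProvider, RequiredActionContext and form() calls are the Keycloak SPI the thread refers to.

```java
import java.io.IOException;
import javax.ws.rs.core.Response;
import org.jboss.logging.Logger;
import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionProvider;

/**
 * Hypothetical required action: the page it renders needs data from an
 * external service. If the lookup fails the page cannot be shown, so the
 * action fails closed via context.failure(). As described in the thread,
 * AuthenticationManager then answers the client with error=access_denied
 * (Error.CONSENT_DENIED) rather than server_error, so the real cause is
 * only visible in the server log.
 */
public class ExternalDataRequiredAction implements RequiredActionProvider {
    private static final Logger log = Logger.getLogger(ExternalDataRequiredAction.class);

    /** Assumed client for the external service; not part of Keycloak. */
    public interface ExternalDataClient {
        String fetchFor(String username) throws IOException;
    }

    private final ExternalDataClient client;

    public ExternalDataRequiredAction(ExternalDataClient client) {
        this.client = client;
    }

    @Override
    public void evaluateTriggers(RequiredActionContext context) {
        // Nothing to evaluate: the action is assigned to the user explicitly.
    }

    @Override
    public void requiredActionChallenge(RequiredActionContext context) {
        String data;
        try {
            data = client.fetchFor(context.getUser().getUsername());
        } catch (IOException e) {
            // Log the cause server-side; the client will only see access_denied.
            log.warn("External service unavailable, failing required action", e);
            context.failure();
            return;
        }
        Response page = context.form()
                .setAttribute("externalData", data)
                .createForm("external-data.ftl"); // assumed template name
        context.challenge(page);
    }

    @Override
    public void processAction(RequiredActionContext context) {
        context.success(); // user submitted the page; action complete
    }

    @Override
    public void close() {
    }
}
```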