I agree, but you know... if a single-sign-on server is used inside an enterprise
cloud/environment, giving the possibility to handle authentication by a custom
UserFederationProvider implementation, the need to have custom, and sometimes more
meaningful, messages to send to users could be very frequent, not necessarily bringing in
a security leak. Thanks
On Monday 26 October 2015 12:29, Marek Posolda <mposolda(a)redhat.com> wrote:
Ah, you want to display custom error messages on the login screen. It seems you may need to
override the UsernamePasswordForm. Take a look at the Authentication SPI documentation and
examples for how to do it.
Btw. not sure if it's very good to create custom messages based on errors, as it can
give a potential attacker some details about your users. For example, we always display
"Invalid username or password" regardless of whether the tried username exists or not,
so the attacker doesn't have the possibility to "guess" usernames (some sites
display "Invalid user" if the username doesn't exist and "Invalid
password" if the user exists but the password is incorrect; we display a single message in
both cases).
Marek
On 26/10/15 11:32, alex orl wrote:
Thanks for your answer. Well, I immediately tried your suggestion, adding a throw new
ModelException("My message"); inside my provider class. The exception is thrown,
but the login page is redirected to the standard error page, just displaying the message:
We're sorry ...
Unexpected error when handling authentication request to identity provider.
How can I make the "My message" exception message be displayed on the login
page? Thanks
On Monday 26 October 2015 8:49, Marek Posolda <mposolda(a)redhat.com> wrote:
On 24/10/15 23:27, alex orl wrote:
I'm using the JBoss Keycloak 1.5 final version. I developed my custom user federation
provider, interfacing with Keycloak properties and my enterprise user database.
My need is to send up to the user login interface custom error messages based on
particular specific errors related to my legacy user db.
I saw Keycloak themes have a resources folder by which I can localize and add new
messages. Then I can reference them from AngularJS using the
$myMessage
notation. The problem is I want to raise a message from the Keycloak server. My user
federation provider implements the UserFederationProvider interface. So I should have to
override:
    @Override
    public CredentialValidationOutput validCredentials(RealmModel realm,
                                                       UserCredentialModel credential) {
        LOGGER.info("validCredentials(realm, credential)");
        return CredentialValidationOutput.failed();
    }
In the UserFederationProvider interface I read that validCredentials: "Validate
credentials of unknown user. The authenticated user is recognized based on provided
credentials and returned back in CredentialValidationOutput."
It seems to be the method I was looking for, just because CredentialValidationOutput
contains custom messages to be sent as validation output. The problem is this method is
never called.
This method is called by Keycloak just during use cases when you want to authenticate
with an unknown user, which is currently during Kerberos/SPNEGO login. It's not called
during the basic flow with username/password authentication.
I think if you want to propagate error messages, you can, for example, throw ModelException
with the error message you want.
The same happens to the close method. It's never called at the end of each request,
so I cannot dispose of my objects. Why?
Feel free to create a JIRA for the close method.
Marek
Thanks a lot
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
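Marek's point above, that the login form should return one "Invalid username or password" message whether the username exists or not, as an added example that is not part of this thread and not Keycloak's own code (Python rather than Java so it runs stand-alone; the user store, the password hashing helper and the message strings are all constructed for the illustration). It goes slightly beyond the wording point in the thread: the hardened login also hashes a dummy record for unknown usernames, so the failing path costs the same time whether or not the user exists, which closes the timing side channel that a uniform message alone would leave open.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed in-memory user store for the example; not Keycloak data and not a
# UserFederationProvider. Passwords are stored as salted PBKDF2-HMAC-SHA256.
ITERATIONS = 20_000  # kept low so the example runs quickly; production uses far more


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


_ALICE_SALT = os.urandom(16)
USERS = {
    "alice": (_ALICE_SALT, hash_password("correct horse", _ALICE_SALT)),
}

# Dummy record hashed for unknown usernames so the failing path does the same
# amount of work, and takes the same time, whether or not the user exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _DUMMY_SALT)

GENERIC_MESSAGE = "Invalid username or password"


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """The pattern Marek warns about: a different message for each failure cause."""
    record = USERS.get(username)
    if record is None:
        return False, "Invalid user"          # reveals that the username is unknown
    salt, digest = record
    if not hmac.compare_digest(hash_password(password, salt), digest):
        return False, "Invalid password"      # reveals that the username exists
    return True, "OK"


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """One message for both failure causes, and the same work on both paths."""
    record = USERS.get(username)
    salt, digest = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    matches = hmac.compare_digest(hash_password(password, salt), digest)
    ok = matches and record is not None       # a hit on the dummy record never logs in
    return ok, ("OK" if ok else GENERIC_MESSAGE)


def enumerate_users(login, candidates: list[str]) -> list[str]:
    """Attacker's view: probe each candidate with a junk password and keep the names
    whose failure message differs from that of a name that certainly does not exist.
    Against login_uniform every message is identical, so nothing is learned."""
    baseline = login("no-such-user-" + os.urandom(8).hex(), "junk")[1]
    return [name for name in candidates if login(name, "junk")[1] != baseline]


if __name__ == "__main__":
    candidates = ["alice", "bob", "carol"]
    print("leaky  :", enumerate_users(login_leaky, candidates))    # ['alice']
    print("uniform:", enumerate_users(login_uniform, candidates))  # []
```

The check to carry over to a real provider is the one enumerate_users performs: whatever your federation code throws or returns, the message the form finally renders for "no such user" must be byte-for-byte the same as the one for "wrong password", and both paths should do comparable work before answering.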