Well, sorry... I wonder if you can handle this by calling:
context.challenge(response)
instead of:
context.failure()
It seems that then you can send any response you want. So you can also
redirect to your application with any error query parameters you want?
Marek
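
The suggestion above, sketched as an added example (not code from this thread or from Keycloak itself): a required action that cannot render its page builds its own OAuth 2.0 error redirect and passes it to context.challenge(response). The class and method names are hypothetical. The redirect URI and state are passed in by the caller and are assumed to be the values Keycloak already validated for this login, the error_description text is constructed, and the query-string form assumes the authorization code flow.

```java
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.keycloak.authentication.RequiredActionContext;

public final class ServerErrorChallenge {

    private ServerErrorChallenge() {}

    // Builds a 302 back to the client carrying error=server_error
    // (OAuth 2.0 error response, RFC 6749 section 4.1.2.1).
    // validatedRedirectUri must be the redirect URI already checked against
    // the client's registration for this login, never a raw request
    // parameter, otherwise this becomes an open redirect.
    static Response serverErrorRedirect(String validatedRedirectUri, String state) {
        UriBuilder uri = UriBuilder.fromUri(validatedRedirectUri)
                .queryParam("error", "server_error")
                .queryParam("error_description", "required_action_unavailable");
        if (state == null) {
            return Response.status(302).location(uri.build()).build();
        }
        // Bind state through a template so it is URL-encoded and any
        // braces in it are not parsed as URI template variables.
        uri.queryParam("state", "{state}");
        return Response.status(302).location(uri.build(state)).build();
    }

    // Call from requiredActionChallenge(...) when the external service is
    // down, in place of context.failure().
    static void failWithServerError(RequiredActionContext context,
                                    String validatedRedirectUri,
                                    String state) {
        context.challenge(serverErrorRedirect(validatedRedirectUri, state));
    }
}
```

Echoing state back unchanged lets the client match the error response to the request it sent.
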
On 24/01/17 11:34, Marek Posolda wrote:
I think you can create JIRA for your usecase and set the component
"Authenticator" and fix version "3.0.0.CR1" for that JIRA.
AFAIK we are going to improve Authentication SPI (and requiredAction
SPI is treated as the part of it), so this can be done as part of that
though.
Marek
On 18/01/17 15:53, Cristi Cioriia wrote:
> Hi guys,
>
> The AuthenticationManager class handles failed required action by
> sending an access_denied error message back to the client application,
> instead of a server error, if the required action detects that it
> cannot display the required action page and marks the context as failed.
>
> The use case I have is the following:
>
> 1) I have created and configured a required action that calls an
> external service to retrieve some data. If that service fails, then I
> cannot display the required action page to the user, so I call
>
> context.failure().
>
> 2) Now, when the AuthenticationManager.executionActions method is
> called to display the required action page, it detects that the status
> of the required action context is FAILURE (line 641), so it doesn't
> display the required action page, but instead it calls at line 647 the
> oidc protocol like this:
>
> Response response = protocol.sendError(context.getClientSession(), Error.CONSENT_DENIED);
>
> This creates a response for the client application with
> error=access_denied, but in my opinion it should be with server_error,
> because the user didn't even have the chance to grant consent.
>
> Isn't this how it should happen? I noticed that the server_error is not
> returned to the client at all, as is only the default branch of a
> switch, and it can't be reached at all, as the Error enum does not have
> a mapping for it.
>
> Looking forward to an answer.
>
> Greetings,
> Cristi