I think I could, if in order to create that response I would copy-paste the
sendError method of the OIDCLoginProtocol and replace the
translateError(error) call with "server_error". Doing this copy-paste isn't
the best practice in my opinion, but it should be a good work-around.
Thanks for the suggestion.
On Tue, Jan 24, 2017 at 12:37 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
Well, sorry... I wonder if you can handle this by call:
instead of: context.failure()
It seems that then you can send any response you want. So you can also
redirect to your application with any error query parameters you want?
On 24/01/17 11:34, Marek Posolda wrote:
> I think you can create JIRA for your usecase and set the component
> "Authenticator" and fix version "3.0.0.CR1" for that JIRA.
> AFAIK we are going to improve Authentication SPI (and requiredAction SPI
> is treated as the part of it), so this can be done as part of that though.
> On 18/01/17 15:53, Cristi Cioriia wrote:
>> Hi guys,
>> The AuthenticationManager class handles failed required action by sending
>> an access_denied error message back to the client application, instead
>> of a
>> server error, if the required actions detects that it cannot display the
>> required action page and marks the context as failed.
>> The use case I have is the following:
>> 1) I have created and configured a required action that calls an external
>> service to retrieve some data. If that service fails, then I cannot
>> the required action page to the user, so I call
>> 2) Now, when the AuthenticationManager.executionActions method is
>> called to
>> display the required action page, it detects that the status of the
>> required action context is FAILURE (line 641), so it doesn't display the
>> required action page, but instead it calls at line 647 the oidc protocol
>> like this:
>> Response response = protocol.sendError(context.getClientSession(),
>> This creates a response for the client application with
>> error=access_denied, but in my opinion it should be wih server_error,
>> because the user didn't even have the chance to grant consent.
>> Isn't this how it should happen? I noticed that the server_error is not
>> returned to the client at all, as is only the default branch of a switch,
>> and it can't be reached at all, as the Error enum does not have a mapping
>> for it.
>> Looking forward for an answer.
>> keycloak-user mailing list