[keycloak-user] AuthenticationManager sends back access_denied error when it should send server_error

Cristi Cioriia cristi.cioriia at gmail.com
Wed Jan 18 09:53:32 EST 2017


Hi guys,

The AuthenticationManager class handles a failed required action by sending
an access_denied error message back to the client application, instead of a
server error, if the required action detects that it cannot display the
required action page and marks the context as failed.

The use case I have is the following:

1) I have created and configured a required action that calls an external
service to retrieve some data. If that service fails, then I cannot display
the required action page to the user, so I call

context.failure().

2) Now, when the AuthenticationManager.executionActions method is called to
display the required action page, it detects that the status of the
required action context is FAILURE (line 641), so it doesn't display the
required action page, but instead, at line 647, it calls the OIDC protocol
like this:

Response response = protocol.sendError(context.getClientSession(),
Error.CONSENT_DENIED);

This creates a response for the client application with
error=access_denied, but in my opinion it should be with server_error,
because the user didn't even have the chance to grant consent.

Isn't this how it should happen? I noticed that server_error is not
returned to the client at all, as it is only the default branch of a switch,
and it can't be reached, as the Error enum does not have a mapping
for it.

Looking forward to an answer.

Greetings,
Cristi
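The failure path Cristi describes, written out as an added example of a Keycloak RequiredActionProvider. This is illustration code for the thread, not Cristi's code and not part of Keycloak: the class name, package, the ExternalDataClient interface, the "external-data.ftl" template and the "confirm" form field are all assumptions, and the RequiredActionFactory that would instantiate the provider is omitted. The point it shows is that the only signal the provider can give when it cannot render its page is context.failure(), which the AuthenticationManager code quoted above turns into error=access_denied for the relying party, the same error the client would see if the user had actually refused.

```java
package com.example.keycloak.requiredaction; // hypothetical package, not part of Keycloak

import java.io.IOException;
import java.util.Map;
import javax.ws.rs.core.Response;

import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionProvider;

/**
 * Hypothetical required action that must fetch data from an external
 * service before it can render its page. If the fetch fails, the provider
 * calls context.failure(); AuthenticationManager then sees the context
 * status FAILURE and answers the client with Error.CONSENT_DENIED,
 * i.e. error=access_denied, as described in the post above.
 */
public class ExternalDataRequiredAction implements RequiredActionProvider {

    /** Hypothetical client for the external service; its implementation is out of scope here. */
    public interface ExternalDataClient {
        Map<String, String> fetchProfile(String username) throws IOException;
    }

    private final ExternalDataClient client;

    public ExternalDataRequiredAction(ExternalDataClient client) {
        this.client = client;
    }

    @Override
    public void evaluateTriggers(RequiredActionContext context) {
        // Nothing to decide here: the action is assigned to the user explicitly
        // (for example through the admin console), so it runs whenever assigned.
    }

    @Override
    public void requiredActionChallenge(RequiredActionContext context) {
        Map<String, String> profile;
        try {
            profile = client.fetchProfile(context.getUser().getUsername());
        } catch (IOException e) {
            // The page cannot be rendered without the data. This is a server-side
            // problem, but the only way to stop the flow from a required action is
            // context.failure(), which the quoted AuthenticationManager code maps
            // to Error.CONSENT_DENIED -> error=access_denied for the client.
            context.failure();
            return;
        }
        Response challenge = context.form()
                .setAttribute("profile", profile)
                .createForm("external-data.ftl"); // hypothetical template name
        context.challenge(challenge);
    }

    @Override
    public void processAction(RequiredActionContext context) {
        // Form submission: a single hypothetical "confirm" field completes the action.
        // Here context.failure() really does mean the user declined, so
        // access_denied is the appropriate error in this branch.
        String confirm = context.getHttpRequest().getDecodedFormParameters().getFirst("confirm");
        if ("yes".equals(confirm)) {
            context.success();
        } else {
            context.failure();
        }
    }

    @Override
    public void close() {
        // No resources to release in this example.
    }
}
```

The two context.failure() calls are what matter: one is reached because the server could not do its job, the other because the user declined, yet both arrive at the client as error=access_denied. A relying party that treats access_denied as "the user refused" (and, for instance, does not retry or shows a "you declined" message) has no way to tell the cases apart, which is the practical consequence of the mapping the post questions.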


More information about the keycloak-user mailing list