[keycloak-user] AuthenticationManager send back access_denied error when it should send server_error

Marek Posolda mposolda at redhat.com
Tue Jan 24 05:37:01 EST 2017


Well, sorry...  I wonder if you can handle this by calling:

context.challenge(response)

instead of: context.failure()

It seems that then you can send any response you want. So you can also 
redirect to your application with any error query parameters you want?

Marek


On 24/01/17 11:34, Marek Posolda wrote:
> I think you can create a JIRA for your use case and set the component 
> "Authenticator" and fix version "3.0.0.CR1" for that JIRA.
>
> AFAIK we are going to improve Authentication SPI (and requiredAction 
> SPI is treated as the part of it), so this can be done as part of that 
> though.
>
> Marek
>
>
> On 18/01/17 15:53, Cristi Cioriia wrote:
>> Hi guys,
>>
>> The AuthenticationManager class handles a failed required action by sending
>> an access_denied error message back to the client application, instead of a
>> server error, if the required action detects that it cannot display the
>> required action page and marks the context as failed.
>>
>> The use case I have is the following:
>>
>> 1) I have created and configured a required action that calls an external
>> service to retrieve some data. If that service fails, then I cannot display
>> the required action page to the user, so I call
>>
>> context.failure().
>>
>> 2) Now, when the AuthenticationManager.executionActions method is called to
>> display the required action page, it detects that the status of the
>> required action context is FAILURE (line 641), so it doesn't display the
>> required action page, but instead it calls at line 647 the oidc protocol
>> like this:
>>
>> Response response = protocol.sendError(context.getClientSession(),
>> Error.CONSENT_DENIED);
>>
>> This creates a response for the client application with
>> error=access_denied, but in my opinion it should be with server_error,
>> because the user didn't even have the chance to grant consent.
>>
>> Isn't this how it should happen? I noticed that the server_error is not
>> returned to the client at all, as it is only the default branch of a switch,
>> and it can't be reached at all, as the Error enum does not have a mapping
>> for it.
>>
>> Looking forward to an answer.
>>
>> Greetings,
>> Cristi
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
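An added illustration of Marek's suggestion, not code from the thread or from Keycloak itself: a required action that, when its external lookup fails, answers the challenge with its own redirect carrying error=server_error rather than calling context.failure(). It is written against the RequiredActionContext/ClientSessionModel API referenced in the thread (newer Keycloak releases replaced getClientSession() with getAuthenticationSession()); fetchFromExternalService, the "external-data.ftl" template and the state note name are assumptions.

```java
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.keycloak.OAuth2Constants;
import org.keycloak.OAuthErrorException;
import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.models.ClientSessionModel;

public class ExternalDataRequiredAction implements RequiredActionProvider {

    @Override
    public void evaluateTriggers(RequiredActionContext context) {
        // Nothing to evaluate; the action is assumed to be assigned to the user already.
    }

    @Override
    public void requiredActionChallenge(RequiredActionContext context) {
        String data;
        try {
            data = fetchFromExternalService(); // hypothetical lookup, may throw
        } catch (RuntimeException e) {
            // Answer the challenge ourselves so the client sees server_error, not access_denied.
            context.challenge(serverErrorRedirect(context.getClientSession()));
            return;
        }
        context.challenge(context.form().setAttribute("data", data).createForm("external-data.ftl"));
    }

    // Builds the OAuth2 error redirect for the client. The description stays generic
    // so internal failure details (stack traces, upstream hostnames) are not echoed out.
    static Response serverErrorRedirect(ClientSessionModel clientSession) {
        UriBuilder redirect = UriBuilder.fromUri(clientSession.getRedirectUri())
                .queryParam(OAuth2Constants.ERROR, OAuthErrorException.SERVER_ERROR)
                .queryParam(OAuth2Constants.ERROR_DESCRIPTION, "required action unavailable");
        String state = clientSession.getNote(OAuth2Constants.STATE); // assumed note name
        if (state != null) {
            redirect.queryParam(OAuth2Constants.STATE, state); // echo state so the client can correlate
        }
        return Response.status(Response.Status.FOUND).location(redirect.build()).build();
    }

    @Override
    public void processAction(RequiredActionContext context) { context.success(); }

    @Override
    public void close() { }

    // Stand-in for the real external call; here it simulates an outage.
    private static String fetchFromExternalService() {
        throw new IllegalStateException("external service unreachable");
    }
}
```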