[keycloak-user] AuthenticationManager send back access_denied error when it should send server_error

Cristi Cioriia cristi.cioriia at gmail.com
Wed Jan 25 10:17:38 EST 2017


Hi,

I think I could, if in order to create that response I would copy-paste the
sendError method of the OIDCLoginProtocol and replace the
translateError(error) call with "server_error". Doing this copy-paste isn't
the best practice in my opinion, but it should be a good work-around.

Thanks for the suggestion.

Greetings,
Cristi

On Tue, Jan 24, 2017 at 12:37 PM, Marek Posolda <mposolda at redhat.com> wrote:

> Well, sorry...  I wonder if you can handle this by call:
>
> context.challenge(response)
>
> instead of: context.failure()
>
> It seems that then you can send any response you want. So you can also
> redirect to your application with any error query parameters you want?
>
> Marek
>
>
>
> On 24/01/17 11:34, Marek Posolda wrote:
>
>> I think you can create JIRA for your usecase and set the component
>> "Authenticator" and fix version "3.0.0.CR1" for that JIRA.
>>
>> AFAIK we are going to improve Authentication SPI (and requiredAction SPI
>> is treated as the part of it), so this can be done as part of that though.
>>
>> Marek
>>
>>
>> On 18/01/17 15:53, Cristi Cioriia wrote:
>>
>>> Hi guys,
>>>
>>> The AuthenticationManager class handles a failed required action by sending
>>> an access_denied error message back to the client application, instead of a
>>> server error, if the required action detects that it cannot display the
>>> required action page and marks the context as failed.
>>>
>>> The use case I have is the following:
>>>
>>> 1) I have created and configured a required action that calls an external
>>> service to retrieve some data. If that service fails, then I cannot display
>>> the required action page to the user, so I call
>>>
>>> context.failure().
>>>
>>> 2) Now, when the AuthenticationManager.executionActions method is called to
>>> display the required action page, it detects that the status of the
>>> required action context is FAILURE (line 641), so it doesn't display the
>>> required action page, but instead it calls at line 647 the oidc protocol
>>> like this:
>>>
>>> Response response = protocol.sendError(context.getClientSession(),
>>> Error.CONSENT_DENIED);
>>>
>>> This creates a response for the client application with
>>> error=access_denied, but in my opinion it should be with server_error,
>>> because the user didn't even have the chance to grant consent.
>>>
>>> Isn't this how it should happen? I noticed that the server_error is not
>>> returned to the client at all, as is only the default branch of a switch,
>>> and it can't be reached at all, as the Error enum does not have a mapping
>>> for it.
>>>
>>> Looking forward to an answer.
>>>
>>> Greetings,
>>> Cristi
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>>
>
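The work-around discussed in this thread, written out as an added example (it is not code from the thread or from the Keycloak project): a RequiredActionProvider that, when its external dependency fails, builds its own redirect carrying error=server_error and hands it to context.challenge(response) instead of calling context.failure(), which would make AuthenticationManager answer with error=access_denied. It assumes the Keycloak 2.x-era SPI in which RequiredActionContext exposes getClientSession() and ClientSessionModel exposes getRedirectUri() and getNote(); ExternalDataClient, ExternalData, the template name external-data.ftl and its externalData attribute are hypothetical names chosen for the example.

```java
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;

import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;

// Added example, not Keycloak's own code. Assumes the 2.x-era SPI where
// RequiredActionContext.getClientSession() returns a ClientSessionModel.
public class ExternalDataRequiredAction implements RequiredActionProvider {

    // OAuth 2.0 error code (RFC 6749, section 4.1.2.1) for a failure on the server side.
    private static final String SERVER_ERROR = "server_error";

    // Hypothetical client for the external service mentioned in the thread.
    private final ExternalDataClient externalData;

    public ExternalDataRequiredAction(ExternalDataClient externalData) {
        this.externalData = externalData;
    }

    @Override
    public void evaluateTriggers(RequiredActionContext context) {
        // Nothing to do here: the action is assigned to the user explicitly.
    }

    @Override
    public void requiredActionChallenge(RequiredActionContext context) {
        ExternalData data;
        try {
            data = externalData.fetch(context.getUser().getUsername());
        } catch (RuntimeException e) {
            // A dependency failure is not a consent decision by the user, so report
            // server_error via challenge() rather than calling context.failure().
            context.challenge(serverErrorRedirect(context.getClientSession()));
            return;
        }
        Response page = context.form()
                .setAttribute("externalData", data)   // hypothetical template attribute
                .createForm("external-data.ftl");     // hypothetical template name
        context.challenge(page);
    }

    @Override
    public void processAction(RequiredActionContext context) {
        context.success();
    }

    @Override
    public void close() {
    }

    // Mirrors the shape of OIDCLoginProtocol.sendError but with a fixed server_error code.
    // The target is the redirect URI already validated and stored on the client session,
    // never a value read from the current request, so the error response cannot be
    // steered to an arbitrary URL; no internal failure detail is put in the query string.
    static Response serverErrorRedirect(ClientSessionModel clientSession) {
        UriBuilder redirect = UriBuilder.fromUri(clientSession.getRedirectUri())
                .queryParam("error", SERVER_ERROR);
        String state = clientSession.getNote(OIDCLoginProtocol.STATE_PARAM);
        if (state != null) {
            // Echo state so the client can correlate the error with its own request.
            redirect.queryParam("state", state);
        }
        return Response.status(Response.Status.FOUND).location(redirect.build()).build();
    }
}

// Hypothetical external-service abstraction used only to make the example compile.
interface ExternalDataClient {
    ExternalData fetch(String username);
}

class ExternalData {
    final String value;

    ExternalData(String value) {
        this.value = value;
    }
}
```

The provider still has to be registered through a RequiredActionFactory as usual; the only change from the pattern in the thread is that the failure path produces its own redirect with challenge(), so the client sees server_error while consent-related failures elsewhere in the server keep their access_denied semantics.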

