[OAuth] Prefer authorization error on redirect_uri#48553
[OAuth] Prefer authorization error on redirect_uri#48553tdiesler wants to merge 1 commit intokeycloak:mainfrom
Conversation
Unreported flaky test detectedIf the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR. org.keycloak.testsuite.adapter.servlet.SAMLLoginResponseHandlingTest#testAttributesKeycloak CI - Adapter IT Strict Cookies |
2c3c43a to
6927d2a
Compare
64cf932 to
b2ea215
Compare
Unreported flaky test detectedIf the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR. org.keycloak.testsuite.model.user.UserModelTest#testAddRemoveUserKeycloak CI - Store Model Tests |
4853bfb to
1a960a5
Compare
3d081eb to
0d1663e
Compare
Unreported flaky test detectedIf the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR. org.keycloak.testsuite.forms.BruteForceTest#testNoFailureResetForPermanentLockout |
8143546 to
bf8cdad
Compare
| event.detail(Details.CLIENT_POLICY_ERROR, cpe.getError()); | ||
| event.detail(Details.CLIENT_POLICY_ERROR_DETAIL, cpe.getErrorDetail()); | ||
| event.error(cpe.getError()); | ||
| throw new ErrorPageException(session, authenticationSession, cpe.getErrorStatus(), cpe.getErrorDetail()); |
There was a problem hiding this comment.
cpe.getError() gets lost here, so a client policy raising a different OAuth error code than invalid_request will always be overridden by invalid_request now?
There was a problem hiding this comment.
Yes, this is how the translation from ClientPolicyException => ErrorPageException works. Perhaps the html error page does not show the error property from the CPE. This code path has not changed.
There was a problem hiding this comment.
This has been fixed - the error code coming from ErrorPageException and AuthorizationCheckException are now passed on correctly.
508875f to
b40195a
Compare
Signed-off-by: Thomas Diesler <tdiesler@proton.me>
closes #48542
This PR tries to be as unintrusive as possible. While processing an authorization request there are potential errors coming from
most of these errors map to an unchecked ErrorPageException, which then displays an html error page.
When the request passes the above, errors tend to be reported back to the caller via redirect_uri already.
This PR proposes to first catch these ErrorPageExceptions and then (when configured to do so) make a "best effort" to use the redirect_uri path - otherwise, the error is returned to the caller as json object.
Without the
authorization.preferErrorOnRedirectattribute on the realm, this PR changes nothing. As a result, no test cases needed to be touched. That was in fact the hard bit: change nothing, unless the headless error path is wanted.Automated conformance tests are headless - they prefer errors to be delivered on the redirect_uri when possible.
If this approach gets accepted, we would likely want to expose that switch on the admin UI, which is not (yet) part of this PR.
This PR is at the bottom of all other HAIP conformance work.