
External IDP password reset generates IDENTITY_PROVIDER_LOGIN_ERROR


Details

• Type: Bug
• Status: Closed
• Priority: Minor
• Resolution: Rejected
• Affects Version/s: RH-SSO-7.4.7
• Fix Version/s: None
• Component/s: Core
• Labels: None
• Docs QE Status: NEW
• QE Status: NEW

Description

The workflow is as follows:

1. RH-SSO is connected to an external IDP (via SAML or OpenID Connect).

2. The user enters the client URL in the browser.

---> The user is redirected to the RH-SSO login screen.

3. The user selects the external IDP and is redirected to the IDP login screen.

4. On the IDP login screen, the user selects the "password reset" link.

---> An email is sent to the user.

5. The user reads the new email in their mailbox and clicks the link to reset the IDP password.

6. The user gets a panel to reset the IDP password and clicks submit.

7. Once the user has clicked submit, the error IDENTITY_PROVIDER_LOGIN_ERROR is shown.

8. Case: external IDP using the OIDC protocol

When RH-SSO is connected to an external IDP and a password reset is performed, IDENTITY_PROVIDER_LOGIN_ERROR is only generated if the user reinitialises the password from a different browser window.

The RH-SSO server log trace shows:

a) "message":"type=IDENTITY_PROVIDER_LOGIN_ERROR"

b) Not found AUTH_SESSION_ID cookie

c) error=invalid_code

      ~~~~

      07T17:53:01.685Z","sequence":3559,"loggerClassName":"org.jboss.logging.Logger","loggerName":"org.keycloak.events","level":"WARN","message":"type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=ef43b198-b0a9-4cd3-8ba3-3795557f3e5c, clientId=null, userId=null, ipAddress=127.0.01, error=invalid_code","threadName":"default task-12","threadId":224,"mdc":{},"ndc":"","hostName":"415e2338e7be","processName":"jboss-modules.jar","processId":257}.

      ~~~~

9. Case: external provider using the SAML protocol

The message displayed shows:

a) type=IDENTITY_PROVIDER_LOGIN_ERROR

b) error=invalidRequestMessage

      ~~~

      2021-07-12 10:23:57,244 TRACE [org.keycloak.events] (default task-27) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=sp_realm, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalidRequestMessage, requestUri=http://127.0.0.1:8180/auth/realms/sp_realm/broker/test_saml_idp_127/endpoint, cookies=[KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI2YmQwMjk1Yi03NjA2LTQwZDctODAyOC03NjQyMTMwNGIxZTkifQ.eyJjaWQiOiJhY2NvdW50IiwicHR5Ijoib3BlbmlkLWNvbm5lY3QiLCJydXJpIjoiaHR0cDovLzEyNy4wLjAuMTo4MTgwL2F1dGgvcmVhbG1zL3NwX3JlYWxtL2FjY291bnQvbG9naW4tcmVkaXJlY3QiLCJhY3QiOiJBVVRIRU5USUNBVEUiLCJub3RlcyI6eyJzY29wZSI6Im9wZW5pZCIsImlzcyI6Imh0dHA6Ly8xMjcuMC4wLjE6ODE4MC9hdXRoL3JlYWxtcy9zcF9yZWFsbSIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovLzEyNy4wLjAuMTo4MTgwL2F1dGgvcmVhbG1zL3NwX3JlYWxtL2FjY291bnQvbG9naW4tcmVkaXJlY3QiLCJzdGF0ZSI6IjAvNzFhYTY3Y2MtOTk4Yy00MTM0LTliYWQtMmRkYjZiMDhmNjJmIn19.nvwx1PwspcRIRA4d831PjptdhmWoh5A0cmfLBPw2Lic, AUTH_SESSION_ID=c2dccec5-6d8e-408a-8403-148b5344f7b3.orivat], stackTrace=
      org.keycloak.events.log.JBossLoggingEventListenerProvider.onEvent(JBossLoggingEventListenerProvider.java:101)
      org.keycloak.events.EventBuilder.send(EventBuilder.java:192)
      org.keycloak.events.EventBuilder.error(EventBuilder.java:169)
      org.keycloak.services.resources.IdentityBrokerService.fireErrorEvent(IdentityBrokerService.java:1304)
      org.keycloak.services.resources.IdentityBrokerService.redirectToErrorPage(IdentityBrokerService.java:1191)
      org.keycloak.services.resources.IdentityBrokerService.redirectToErrorPage(IdentityBrokerService.java:1179)
      org.keycloak.services.resources.IdentityBrokerService.parseSessionCode(IdentityBrokerService.java:1053)
      org.keycloak.services.resources.IdentityBrokerService.parseEncodedSessionCode(IdentityBrokerService.java:1047)
      org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:504)
      org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:501)
      org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:552)
      org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:253)
      org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:168)

       ~~~

10. The user gets an error panel message

In both cases (external SAML IDP or OIDC provider), after a password reset at the external IDP, the user gets an error message on the authentication panel.

This error message is very difficult for the user to interpret: it gives no indication of what went wrong.

How could the usability/ergonomics of the error message returned to the end user be improved?
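The two log formats quoted above (the JSON formatter in the OIDC case, the plain text formatter in the SAML case) are tedious to triage by hand, so here is an added example, not from the issue or from Keycloak itself, that parses both forms of an org.keycloak.events line and reports, for every IDENTITY_PROVIDER_LOGIN_ERROR with invalid_code or invalidRequestMessage, whether the request carried an AUTH_SESSION_ID cookie. The sample lines are constructed from the excerpts above with placeholder cookie values.

```python
import json
import re

# Constructed sample lines modelled on the two formats quoted in the report: the JSON
# formatter (OIDC case) and the plain text formatter (SAML case). Cookie values are
# shortened placeholders, not the values from the report.
SAMPLE_LINES = [
    '{"timestamp":"2021-07-07T17:53:01.685Z","loggerName":"org.keycloak.events","level":"WARN",'
    '"message":"type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=ef43b198-b0a9-4cd3-8ba3-3795557f3e5c, '
    'clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_code"}',
    '2021-07-12 10:23:57,244 TRACE [org.keycloak.events] (default task-27) '
    'type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=sp_realm, clientId=null, userId=null, '
    'ipAddress=127.0.0.1, error=invalidRequestMessage, '
    'requestUri=http://127.0.0.1:8180/auth/realms/sp_realm/broker/test_saml_idp_127/endpoint, '
    'cookies=[KC_RESTART=eyJ.placeholder, AUTH_SESSION_ID=c2dccec5.orivat], stackTrace=',
    '2021-07-12 10:24:10,001 DEBUG [org.keycloak.events] (default task-28) '
    'type=LOGIN, realmId=sp_realm, clientId=account, userId=u1, ipAddress=127.0.0.1',
]
# Error codes the report shows when the IdP response cannot be tied to the browser's auth session.
BROKER_SESSION_ERRORS = {"invalid_code", "invalidRequestMessage"}

def split_fields(message):
    """Split 'k=v, k=v, cookies=[a=1, b=2]' without breaking on the commas inside [...]."""
    fields = {}
    for m in re.finditer(r'(\w+)=(\[[^\]]*\]|[^,]*)', message):
        key, value = m.group(1), m.group(2).strip()
        if value.startswith("["):  # bracketed list, e.g. the cookies field
            value = [c.strip() for c in value[1:-1].split(",") if c.strip()]
        fields[key] = value
    return fields

def parse_event(line):
    """Return the key=value fields of an org.keycloak.events line in either format, else None."""
    line = line.strip()
    if line.startswith("{"):
        rec = json.loads(line)
        return split_fields(rec.get("message", "")) if rec.get("loggerName") == "org.keycloak.events" else None
    m = re.match(r'^\S+ \S+ \w+ \[org\.keycloak\.events\] \([^)]*\) (.*)$', line)
    return split_fields(m.group(1)) if m else None

def scan(lines):
    """Summarise broker login errors; auth_session_cookie is None when the line logs no cookies."""
    findings = []
    for f in filter(None, map(parse_event, lines)):
        if f.get("type") != "IDENTITY_PROVIDER_LOGIN_ERROR" or f.get("error") not in BROKER_SESSION_ERRORS:
            continue
        cookies = f.get("cookies")
        has_auth = None if cookies is None else any(c.startswith("AUTH_SESSION_ID=") for c in cookies)
        findings.append({"realm": f.get("realmId"), "ip": f.get("ipAddress"),
                         "error": f["error"], "auth_session_cookie": has_auth})
    return findings
```

Broker errors whose requests arrive without an AUTH_SESSION_ID cookie match the reset-in-another-window case described here; the ones that arrive with a cookie deserve a separate look.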

People

Assignee: Unassigned
Reporter: Olivier Rivat (orivat_redhat)
Votes: 1
Watchers: 5
