[Keycloak] Customizable Password Error Validator #1265

Closed
kenjikikuchi opened this issue May 7, 2024 · 3 comments · Fixed by #1275

Comments

@kenjikikuchi
Contributor

Hello awesome team and contributors,

Thank you for developing and maintaining saml2aws! I have a minor request for the Keycloak module.

Request

Could you please add 2 new parameters below to handle non-English authentication error messages in the Keycloak passwordValid() function? They should keep the current hardcoded values as their default, and only non-English system users will tweak the new parameters in ~/.saml2aws.

  • kc_auth_error_message (Default: "Invalid username or password.")
  • kc_auth_error_element (Default: "span#input-error")
$ view pkg/provider/keycloak/keycloak.go +358
...
358 func passwordValid(doc *goquery.Document) bool {
359         var valid = true
360 ---     doc.Find("span#input-error").Each(func(i int, s *goquery.Selection) {
360 +++     doc.Find(kc_auth_error_element).Each(func(i int, s *goquery.Selection) {
361                 text := s.Text()
362 ---             if strings.Contains(text, "Invalid username or password.") {
362 +++             if strings.Contains(text, kc_auth_error_message) {
363                         valid = false
364                         return
365                 }
366         })
367         return valid
368 }
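Review bot: the proposed hunk at lines 360 and 362 drops in `kc_auth_error_element` and `kc_auth_error_message` as bare identifiers, but `passwordValid` only receives `doc`, so the two settings have to be threaded in (for example as parameters, or by making `passwordValid` a method on the Keycloak client that already holds the parsed `~/.saml2aws` values). Two checks are also missing: an empty `kc_auth_error_message` makes `strings.Contains(text, "")` true for every span, so any page with the error element would be reported as a bad password; fall back to the current hardcoded defaults when either value is empty. Lastly, the `return` inside the `Each` callback only leaves that callback, so the loop keeps iterating after the first match; harmless here, but worth noting since the comment implies a short-circuit.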

Background

Since I use Japanese authentication systems, I get Japanese error messages when I mistype my password. However, the current passwordValid() function only checks the English message hardcoded in the function. The passwordValid() function returns "true" for any non-English authentication error message, and then the doAuthenticate() function enters a recursive loop and keeps authenticating with the wrong password I mistyped.

	if err != nil && authCtx.authenticatorIndexValid && passwordValid(doc) {
		return kc.doAuthenticate(authCtx, loginDetails)
	}

My repeated error requests were mistaken for a DoS attack before.

Related Issue

#948

Please take a look at this issue. Thank you.
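The failure mode described in this issue (a localized error page that the hardcoded English check never matches, so the client keeps resubmitting the same wrong password) can be reproduced and guarded against with a few lines of Go. The following is an added example written for this page; it is not saml2aws code and not the fix merged for this issue. It assumes a `ErrorMatcher` struct standing in for the two proposed `~/.saml2aws` settings, a hypothetical `elementTexts` helper that uses a regular expression as a stand-in for goquery's `doc.Find(sel).Each` (it only understands `tag#id` selectors), and two constructed HTML snippets; the Japanese message is made up for the test and is not Keycloak's actual translation. It also adds two things the proposal does not have: an empty setting falls back to the default instead of matching everything, and the retry loop has a ceiling.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"regexp"
	"strings"
)

// Defaults mirror the values currently hardcoded in passwordValid.
const (
	defaultErrorElement = "span#input-error"
	defaultErrorMessage = "Invalid username or password."
)

// ErrorMatcher stands in for the proposed kc_auth_error_element and
// kc_auth_error_message settings (hypothetical names, not saml2aws config).
type ErrorMatcher struct {
	Element string // selector in the form tag#id
	Message string // substring of the localized error text
}

// element and message fall back to the defaults when a setting is empty:
// strings.Contains(text, "") is always true, so an empty message would
// otherwise flag every page that carries the error element.
func (m ErrorMatcher) element() string {
	if m.Element == "" {
		return defaultErrorElement
	}
	return m.Element
}

func (m ErrorMatcher) message() string {
	if m.Message == "" {
		return defaultErrorMessage
	}
	return m.Message
}

// elementTexts is a regex stand-in for goquery's Find(sel).Each/Text:
// it returns the inner text of every element matching tag#id.
func elementTexts(doc, selector string) ([]string, error) {
	tag, id, ok := strings.Cut(selector, "#")
	if !ok || tag == "" || id == "" {
		return nil, fmt.Errorf("unsupported selector %q (want tag#id)", selector)
	}
	re := regexp.MustCompile(`(?is)<` + regexp.QuoteMeta(tag) + `\b[^>]*\bid="` +
		regexp.QuoteMeta(id) + `"[^>]*>(.*?)</` + regexp.QuoteMeta(tag) + `>`)
	tags := regexp.MustCompile(`<[^>]+>`)
	var out []string
	for _, m := range re.FindAllStringSubmatch(doc, -1) {
		// Strip nested tags and decode entities so it compares like s.Text().
		out = append(out, strings.TrimSpace(html.UnescapeString(tags.ReplaceAllString(m[1], ""))))
	}
	return out, nil
}

// PasswordValid is the issue's passwordValid with configurable selector and
// message. It returns false only when the configured error text is present.
func PasswordValid(doc string, m ErrorMatcher) (bool, error) {
	texts, err := elementTexts(doc, m.element())
	if err != nil {
		return false, err
	}
	for _, t := range texts {
		if strings.Contains(t, m.message()) {
			return false, nil
		}
	}
	return true, nil
}

// Authenticate emulates the retry in doAuthenticate: every submission is
// treated as a failed login, and the client retries only while the page
// does not show a bad-password error. The attempt ceiling is the guard the
// recursive version lacks. It returns the number of submissions made.
func Authenticate(submit func() string, m ErrorMatcher, maxAttempts int) (int, error) {
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		ok, err := PasswordValid(submit(), m)
		if err != nil {
			return attempt, err
		}
		if !ok {
			return attempt, errors.New("keycloak rejected the password; not retrying")
		}
	}
	return maxAttempts, errors.New("gave up after maxAttempts")
}

// Constructed sample responses (not captured from a real Keycloak).
const (
	EnglishError  = `<html><body><span id="input-error" class="pf-c-form__helper-text">Invalid username or password.</span></body></html>`
	JapaneseError = `<html><body><span id="input-error">ユーザー名またはパスワードが無効です。</span></body></html>`
	OtherHelper   = `<html><body><span id="input-error">Please enter a one-time code.</span></body></html>`
)

func main() {
	n := 0
	attempts, err := Authenticate(func() string { n++; return JapaneseError }, ErrorMatcher{}, 3)
	fmt.Println("default matcher:", attempts, "attempts,", err)
	attempts, err = Authenticate(func() string { return JapaneseError }, ErrorMatcher{Message: "無効"}, 3)
	fmt.Println("configured matcher:", attempts, "attempt,", err)
}
```

With the default matcher the Japanese page is never recognized as a bad password and the loop runs until the ceiling; with a configured substring it stops after the first submission, which is what keeps the client from hammering the IdP with the same bad credential.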

@mapkon
Member

mapkon commented May 8, 2024

@kenjikikuchi Can you submit a PR?

@kenjikikuchi
Contributor Author

Thank you for the opportunity to contribute to saml2aws! On it!

@kenjikikuchi
Contributor Author

@mapkon PR was sent. Please take a look. Thank you.
