[Feature] Error Message for unvalidated Email Addresses #131

Closed
1 task done
pawl1234 opened this issue Jan 10, 2023 · 3 comments

@pawl1234

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

I had the issue that my authentication flow worked in the first run, but I was not able to log in after logout. I received the console error. I guess I spent too much time on debugging as I'm new to Keycloak, but the reason for this issue was that the email address was not validated.

keycloak    | 2023-01-10 14:53:08,218 WARN  [de.sventorben.keycloak.authentication.hidpd.HomeIdpDiscoverer] (executor-thread-217) Could not extract domain from email address user1@idpa.com
keycloak    | 2023-01-10 14:53:08,218 WARN  [org.keycloak.services] (executor-thread-217) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
keycloak    |   at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:983)
keycloak    |   at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:311)
keycloak    |   at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:282)
keycloak    |   at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:274)
keycloak    |   at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:339)
keycloak    |   at jdk.internal.reflect.GeneratedMethodAccessor599.invoke(Unknown Source)
keycloak    |   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
keycloak    |   at java.base/java.lang.reflect.Method.invoke(Method.java:566)
keycloak    |   at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170)
keycloak    |   at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130)
keycloak    |   at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660)
keycloak    |   at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524)
keycloak    |   at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474)
keycloak    |   at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
keycloak    |   at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476)
keycloak    |   at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434)
keycloak    |   at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192)
keycloak    |   at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141)
keycloak    |   at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)
keycloak    |   at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)
keycloak    |   at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)
keycloak    |   at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
keycloak    |   at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
keycloak    |   at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
keycloak    |   at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
keycloak    |   at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)
keycloak    |   at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
keycloak    |   at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82)
keycloak    |   at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42)
keycloak    |   at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
keycloak    |   at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
keycloak    |   at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)
keycloak    |   at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:84)
keycloak    |   at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:71)
keycloak    |   at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
keycloak    |   at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
keycloak    |   at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)
keycloak    |   at io.quarkus.vertx.http.runtime.VertxHttpRecorder$6.handle(VertxHttpRecorder.java:430)
keycloak    |   at io.quarkus.vertx.http.runtime.VertxHttpRecorder$6.handle(VertxHttpRecorder.java:408)
keycloak    |   at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
keycloak    |   at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
keycloak    |   at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)
keycloak    |   at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$0(QuarkusRequestFilter.java:82)
keycloak    |   at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:564)
keycloak    |   at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
keycloak    |   at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
keycloak    |   at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
keycloak    |   at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
keycloak    |   at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
keycloak    |   at java.base/java.lang.Thread.run(Thread.java:829)

Describe the solution you'd like

I think this code line is not run. Haven't checked how to solve it and wanted to ask first. If wanted I can offer to investigate further.

if (EMAIL_ATTRIBUTE.equalsIgnoreCase(config.userAttribute()) && !user.isEmailVerified()) {

Describe alternatives you've considered

No response

Anything else?

Thanks for your Keycloak Plugin! :-)

@sventorben
Owner

Hello @pawl1234

I think you are facing the same issue as mentioned in #35, right?

The problem with showing an error message when the email has not been validated yet is that it would not allow for executing alternative authenticators. For example, Keycloak would not be able to fall back to password authentication.

Can you show me what your login flow looks like and elaborate a little more how you would like it to behave, please?

I am currently trying to collect as many use cases as I can, before adding additional features.

Thanks and regards
Sven-Torben

@pawl1234
Author

Hi @sventorben

Yes, that's the same thing and that "Trust Email" helps me to permanently solve the issue. Thanks.

I opened the ticket because the error message on the console was not very helpful to me. While debugging I looked at the code to understand what's happening. From this line of code I was not directly thinking of an issue with "Trust Email" because there is this part which should print the right error message:

if (EMAIL_ATTRIBUTE.equalsIgnoreCase(config.userAttribute()) && !user.isEmailVerified()) {
(at least I thought so)

What I want to achieve is very basic I think. We want to use Keycloak as a central Broker and each of our Tenants for the service we will provide, will have its own Keycloak Instance which then acts as IdP. So we will have 1 Broker and 20 IdPs and need this plugin to allow automatic selection of the right IdP for the User.

The authentication flow is currently in PoC state and looks like this
[image: grafik]

@sventorben sventorben self-assigned this Jan 17, 2023
@sventorben
Owner

@pawl1234 I assume that this works for you now, right?
I will check how to improve the error message in that case.

@sventorben sventorben added the enhancement New feature or request label Feb 4, 2023
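
One way to make the log say why discovery was skipped while still letting the flow fall through to other authenticators, as discussed in this thread. This is an added example, not the plugin's code: the class, record and enum names are hypothetical, it assumes Java 17, and the only value taken from the issue is the sample address from the log above.

```java
import java.util.Locale;
import java.util.Optional;

// Added example; every name below is hypothetical, not the plugin's API.
public class DomainDiscoverySketch {

    enum Outcome { DOMAIN_FOUND, EMAIL_MISSING, EMAIL_NOT_VERIFIED, EMAIL_MALFORMED }

    // Minimal stand-in for the two user fields the check needs.
    record User(String email, boolean emailVerified) {}

    record Result(Outcome outcome, Optional<String> domain) {}

    // Never throws: any outcome other than DOMAIN_FOUND only means "no home IdP",
    // so the surrounding flow can still try alternative authenticators.
    static Result discover(User user) {
        String email = user.email();
        if (email == null || email.isBlank()) {
            return new Result(Outcome.EMAIL_MISSING, Optional.empty());
        }
        if (!user.emailVerified()) {
            // Well-formed, but not yet proven to belong to this user.
            return new Result(Outcome.EMAIL_NOT_VERIFIED, Optional.empty());
        }
        int at = email.lastIndexOf('@');
        if (at <= 0 || at == email.length() - 1) {
            return new Result(Outcome.EMAIL_MALFORMED, Optional.empty());
        }
        return new Result(Outcome.DOMAIN_FOUND,
                Optional.of(email.substring(at + 1).toLowerCase(Locale.ROOT)));
    }

    // One distinct message per cause, so an operator can tell them apart.
    static String logLine(User user, Result r) {
        return switch (r.outcome()) {
            case DOMAIN_FOUND -> "Home IdP domain: " + r.domain().orElseThrow();
            case EMAIL_MISSING -> "No email address set; skipping home IdP discovery";
            case EMAIL_NOT_VERIFIED -> "Email address " + user.email()
                    + " is not verified; skipping home IdP discovery";
            case EMAIL_MALFORMED -> "Could not extract domain from email address " + user.email();
        };
    }

    public static void main(String[] args) {
        User unverified = new User("user1@idpa.com", false); // address from the log in this issue
        User verified = new User("user1@idpa.com", true);
        System.out.println(logLine(unverified, discover(unverified)));
        System.out.println(logLine(verified, discover(verified)));
    }
}
```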