I'm using JBoss Keycloak 1.5 Final. I developed my custom user federation provider, interfacing Keycloak properties with my enterprise user database.
My need is to send custom error messages up to the user login interface, based on particular errors related to my legacy user DB.
I saw that Keycloak themes have a resources folder with which I can localize and add new messages. Then I can reference them from AngularJS using the $myMessage notation. The problem is that I want to raise a message from the Keycloak server. My user federation provider implements the UserFederationProvider interface, so I should have to override:
@Override
public CredentialValidationOutput validCredentials(RealmModel realm, UserCredentialModel credential) {
    LOGGER.info("validCredentials(realm, credential)");
    return CredentialValidationOutput.failed();
}
which seems to be the method I was looking for, just because CredentialValidationOutput contains custom messages to be sent as validation output. The problem is that this method is never called.
Why?
I'll post the answer found on my own.
It's necessary to develop your own Authenticator. For example, refer to the Keycloak UsernameAndForm and UsernameAndFormFactory implementations.
You can find them in the Keycloak GitHub source code:
The main validation methods are:
public boolean validateUserAndPassword(AuthenticationFlowContext context, MultivaluedMap<String, String> inputData) {
    ...
}
public boolean validatePassword(AuthenticationFlowContext context, UserModel user, MultivaluedMap<String, String> inputData) {
    ...
}
From your custom user federation provider you can throw your custom exception and catch it in the two methods above, adding:
catch (YourCustomException ex) {
    ...
    // Re-render the login form with your message key; the second argument
    // is substituted into the message's {0} placeholder.
    Response challengeResponse = context.form()
            .setError("YOUR ERROR MESSAGE", ex.getMandator()).createLogin();
    context.failureChallenge(AuthenticationFlowError.INVALID_USER, challengeResponse);
    return false;
}
Of course, in your project you have to add
META-INF/service/org.keycloak.authentication.AuthenticatorFactory
in which you specify the fully qualified name of your AuthenticatorFactory.
For a valid guide, refer to the Keycloak User Guide 1.6.1 Final, Chapter 33.3.
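The approach from the answer above, written out as an added example (this is not the question's or answer's code, nor Keycloak's own). It assumes hypothetical names LegacyDbLoginException and LegacyDbUsernamePasswordForm, a message key legacyDbLoginError that you add to the theme's messages properties, and that the federation provider lets the exception propagate through super.validatePassword; the AuthenticatorFactory and its META-INF registration from the answer are still required and not shown here.

```java
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.authenticators.browser.UsernamePasswordForm;
import org.keycloak.models.UserModel;

/**
 * Hypothetical exception thrown by the legacy-DB user federation provider
 * when it wants a specific message shown on the login page.
 */
class LegacyDbLoginException extends RuntimeException {
    private final String mandator;

    LegacyDbLoginException(String message, String mandator) {
        super(message);
        this.mandator = mandator;
    }

    /** Value substituted into the {0} placeholder of the theme message. */
    String getMandator() { return mandator; }
}

/**
 * Authenticator that reuses Keycloak's UsernamePasswordForm and only
 * translates the provider's exception into a login-page error.
 */
public class LegacyDbUsernamePasswordForm extends UsernamePasswordForm {

    /** Assumed key in the theme's messages_*.properties, e.g.
     *  legacyDbLoginError=Login refused by the legacy system for {0} */
    static final String ERROR_KEY = "legacyDbLoginError";

    @Override
    public boolean validatePassword(AuthenticationFlowContext context, UserModel user,
                                    MultivaluedMap<String, String> inputData) {
        try {
            // Keycloak's normal password check; for federated users this
            // reaches the user federation provider, which may throw.
            return super.validatePassword(context, user, inputData);
        } catch (LegacyDbLoginException ex) {
            // Re-render the login form with the custom message; the
            // exception detail fills the message's {0} parameter.
            Response challenge = context.form()
                    .setError(ERROR_KEY, ex.getMandator())
                    .createLogin();
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challenge);
            return false;
        }
    }
}
```

Keep the message text in the theme bundle rather than in the exception, so that nothing from the legacy database is echoed verbatim to an unauthenticated user.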