[BUG] No error message displayed if user with home IDP is locked #399
Is there an existing issue for this?

Current Behavior

If a user associated with a home IDP is locked in Keycloak, the home-idp-discovery authenticator prevents the user from being redirected to the IDP (see keycloak-home-idp-discovery/src/main/java/de/sventorben/keycloak/authentication/hidpd/discovery/email/DomainExtractor.java, lines 18 to 29 at commit 6a39af3).

As a consequence, the username/password form is displayed without an error message. If the user does not have a password configured in Keycloak (which is our use case), he is stuck on this page without any indication of what to do next.

Expected Behavior

The authenticator should redirect the user to the home IDP, even if locked.

After the IDP redirects the user back to Keycloak, the username/password form is displayed with the error message indicating that the user is locked.

This is the behavior when the IDP is selected manually on the login page.

Steps To Reproduce

No response

Version

Anything else?

No response

Comments

Hey @guilhem-lk, thanks for reporting this. To better understand why the password form is shown in this case, could you provide more information on how your authentication flow is configured? Specifically, are there other authenticators or custom flows that might influence this behavior? Regarding your expected behavior, it’s important to note that the scenario differs when the IDP is selected manually. When the IDP is selected manually, the user is not known to Keycloak. However, when entering an email address, Keycloak can look up the user through the home-idp-discovery extension. This is why I believe changing the behavior might not be appropriate in this context. Does your setup have use cases where a local user might have a password configured in Keycloak? Understanding this will help us determine if the current behavior has broader implications. Best,

Hello @sventorben,

We use a copy of the default

When the user is locked, the

Our use case is to enable authentication federation for a subset of our users by using this extension. For those users, we want them to rely exclusively on the IDP for authentication, so they won't have a password configured in Keycloak. That's why, when the user is locked, he reaches a dead end when the login/password form is displayed. For the expected behavior, I made a mistake in the ticket description. After the IDP redirects the user back to Keycloak, I expect that the user validation will fail because the user is locked and that it will display this error page: