From fb26284c00e09e656732eb7ca4570afd052e0067 Mon Sep 17 00:00:00 2001 From: Jacek Kowalski <Jacek@jacekk.info> Date: Fri, 21 Jun 2024 11:47:01 +0000 Subject: [PATCH] Improve error reporting in CAS ticket validation --- src/main/java/org/keycloak/protocol/cas/endpoints/AbstractValidateEndpoint.java | 13 ++++++++----- 1 files changed, 8 insertions(+), 5 deletions(-) diff --git a/src/main/java/org/keycloak/protocol/cas/endpoints/AbstractValidateEndpoint.java b/src/main/java/org/keycloak/protocol/cas/endpoints/AbstractValidateEndpoint.java index cfc4551..e166bb0 100644 --- a/src/main/java/org/keycloak/protocol/cas/endpoints/AbstractValidateEndpoint.java +++ b/src/main/java/org/keycloak/protocol/cas/endpoints/AbstractValidateEndpoint.java @@ -117,12 +117,13 @@ userSession = session.sessions().getUserSession(realm, userSessionId); if (userSession == null) { event.error(Errors.USER_SESSION_NOT_FOUND); - throw new CASValidationException(CASErrorCode.INVALID_TICKET, "User session not found", Response.Status.BAD_REQUEST); + throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST); } } clientSession = userSession.getAuthenticatedClientSessionByClient(clientUUID); if (clientSession == null) { + event.error(Errors.INVALID_CODE); throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST); } @@ -131,14 +132,16 @@ // Either code not available if (codeDataSerialized == null) { - throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code already used", Response.Status.BAD_REQUEST); + event.error(Errors.INVALID_CODE); + throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST); } OAuth2Code codeData = OAuth2Code.deserializeCode(codeDataSerialized); String persistedUserSessionId = codeData.getUserSessionId(); if (!userSessionId.equals(persistedUserSessionId)) { - throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code "+codeUUID+"' is bound to a different session", Response.Status.BAD_REQUEST); + event.error(Errors.INVALID_CODE); + throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST); } // Finally doublecheck if code is not expired @@ -173,7 +176,7 @@ } else { if (!client.getClientId().equals(clientSession.getClient().getClientId())) { event.error(Errors.INVALID_CODE); - throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Auth error", Response.Status.BAD_REQUEST); + throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Invalid service", Response.Status.BAD_REQUEST); } } @@ -205,7 +208,7 @@ this.pgtIou = pgtIou; } catch (Exception e) { event.error(Errors.INVALID_REQUEST); - throw new CASValidationException(CASErrorCode.PROXY_CALLBACK_ERROR, "Proxy callback return with error", Response.Status.BAD_REQUEST); + throw new CASValidationException(CASErrorCode.PROXY_CALLBACK_ERROR, "Proxy callback returned an error", Response.Status.BAD_REQUEST); } } -- Gitblit v1.9.1