From fb26284c00e09e656732eb7ca4570afd052e0067 Mon Sep 17 00:00:00 2001
From: Jacek Kowalski <Jacek@jacekk.info>
Date: Fri, 21 Jun 2024 11:47:01 +0000
Subject: [PATCH] Improve error reporting in CAS ticket validation

---
 src/main/java/org/keycloak/protocol/cas/endpoints/AbstractValidateEndpoint.java | 23 +++++++++-------------
 1 files changed, 9 insertions(+), 14 deletions(-)

diff --git a/src/main/java/org/keycloak/protocol/cas/endpoints/AbstractValidateEndpoint.java b/src/main/java/org/keycloak/protocol/cas/endpoints/AbstractValidateEndpoint.java
index e0b8b72..e166bb0 100644
--- a/src/main/java/org/keycloak/protocol/cas/endpoints/AbstractValidateEndpoint.java
+++ b/src/main/java/org/keycloak/protocol/cas/endpoints/AbstractValidateEndpoint.java
@@ -103,20 +103,12 @@
 throw new CASValidationException(CASErrorCode.INVALID_TICKET_SPEC, "Invalid format of the code", Response.Status.BAD_REQUEST);
 }
+ String codeUUID = parsed[0];
 String userSessionId = parsed[1];
 String clientUUID = parsed[2];
 event.detail(Details.CODE_ID, userSessionId);
 event.session(userSessionId);
-
- // Parse UUID
- String codeUUID;
- try {
- codeUUID = parsed[0];
- } catch (IllegalArgumentException re) {
- event.error(Errors.INVALID_CODE);
- throw new CASValidationException(CASErrorCode.INVALID_TICKET_SPEC, "Invalid format of the UUID in the code", Response.Status.BAD_REQUEST);
- }
 // Retrieve UserSession
 UserSessionModel userSession = new UserSessionCrossDCManager(session).getUserSessionWithClient(realm, userSessionId, clientUUID);
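Review bot: `codeUUID` is assigned on the added line, but its only consumer visible in this patch, the session-mismatch message in the @@ -139 hunk, is removed by the same commit, so whether the variable is still read depends on code outside the hunk (presumably the lookup that yields `codeDataSerialized`); if nothing reads it, drop the line. The removed try/catch could never fire, since `parsed[0]` is a plain array read, so deleting it is correct, but it leaves `parsed[0]` with no format check beyond the element-count test above the hunk: if a later step parses it as a UUID, the IllegalArgumentException that catch was meant for would now surface as an unhandled error instead of INVALID_TICKET_SPEC. Either confirm it is only used as an opaque key, or validate it here, e.g. `UUID.fromString(codeUUID);` inside a catch that keeps the removed `event.error(Errors.INVALID_CODE)` and INVALID_TICKET_SPEC response. The enclosing method starts and ends outside the hunk.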
@@ -125,12 +117,13 @@
 userSession = session.sessions().getUserSession(realm, userSessionId);
 if (userSession == null) {
 event.error(Errors.USER_SESSION_NOT_FOUND);
- throw new CASValidationException(CASErrorCode.INVALID_TICKET, "User session not found", Response.Status.BAD_REQUEST);
+ throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);
 }
 }
 clientSession = userSession.getAuthenticatedClientSessionByClient(clientUUID);
 if (clientSession == null) {
+ event.error(Errors.INVALID_CODE);
 throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);
 }
@@ -139,14 +132,16 @@
 // Either code not available
 if (codeDataSerialized == null) {
- throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code already used", Response.Status.BAD_REQUEST);
+ event.error(Errors.INVALID_CODE);
+ throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);
 }
 OAuth2Code codeData = OAuth2Code.deserializeCode(codeDataSerialized);
 String persistedUserSessionId = codeData.getUserSessionId();
 if (!userSessionId.equals(persistedUserSessionId)) {
- throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code "+codeUUID+"' is bound to a different session", Response.Status.BAD_REQUEST);
+ event.error(Errors.INVALID_CODE);
+ throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);
 }
 // Finally doublecheck if code is not expired
@@ -181,7 +176,7 @@
 } else {
 if (!client.getClientId().equals(clientSession.getClient().getClientId())) {
 event.error(Errors.INVALID_CODE);
- throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Auth error", Response.Status.BAD_REQUEST);
+ throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Invalid service", Response.Status.BAD_REQUEST);
 }
 }
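Review bot: The pair `event.error(Errors.INVALID_CODE); throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);` added before the `clientSession == null` check is repeated verbatim twice more in the @@ -139 hunk, and the same literal message is now used on the user-session-not-found path as well. A small private helper on the class, e.g. `private CASValidationException invalidTicket(String error) { event.error(error); return new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST); }` used as `throw invalidTicket(Errors.INVALID_CODE);`, would keep the message, CAS code and HTTP status identical across every rejection path instead of relying on four copies staying in sync. Making the client-visible text uniform is the right direction, since the reply no longer tells a caller whether the user session exists; the distinction is still recorded server-side through the different `Errors` value. The surrounding if/else and the enclosing method start outside the hunk.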
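Review bot: Both rejection paths in this hunk, and the `clientSession == null` path in the @@ -125 hunk, now record the same `Errors.INVALID_CODE`, so the event log can no longer tell a replayed ticket (`codeDataSerialized == null`, formerly "Code already used") from a ticket bound to a different session — exactly the cases an operator would want to count separately. Keep the client-facing text uniform, but add a server-side detail before each throw, e.g. `event.detail(Details.REASON, "code_already_used");` for the first and `event.detail(Details.REASON, "session_mismatch");` for the second (constructed detail values), so the two conditions stay distinguishable in the audit trail. Dropping `codeUUID` from the response text also removes the stray quote and stops echoing the ticket value back to the caller. The enclosing method starts and ends outside the hunk.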
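Review bot: The event code on the context line above the changed throw is still `Errors.INVALID_CODE`, while the caller is now told INVALID_SERVICE / "Invalid service"; the recorded event and the response describe different conditions, so a search for invalid-code events will also pick up service mismatches. Since the check compares the presented client against the one bound to the client session, the event should say so, e.g. `event.error(Errors.INVALID_CLIENT);`. The else branch and the enclosing method start outside the hunk.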
@@ -213,7 +208,7 @@
 this.pgtIou = pgtIou;
 } catch (Exception e) {
 event.error(Errors.INVALID_REQUEST);
- throw new CASValidationException(CASErrorCode.PROXY_CALLBACK_ERROR, "Proxy callback return with error", Response.Status.BAD_REQUEST);
+ throw new CASValidationException(CASErrorCode.PROXY_CALLBACK_ERROR, "Proxy callback returned an error", Response.Status.BAD_REQUEST);
 }
 }
-- 
Gitblit v1.9.1
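Review bot: The caught `e` is discarded in this catch block: the reworded "Proxy callback returned an error" reaches the caller, but neither the event nor the thrown CASValidationException carries the underlying exception, so the reason the proxy callback failed is lost to operators. Record it server-side before throwing, e.g. `event.detail(Details.REASON, e.getMessage());`, or pass `e` as the cause if CASValidationException offers such a constructor (not visible here). Catching `Exception` is broad, but that is pre-existing. The try block and the enclosing method start outside the hunk.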