Use specific error message from required actions for SamlProtocol if …

…available

Closes keycloak#34514

Signed-off-by: vramik <vramik@redhat.com>

server-spi-private/src/main/java/org/keycloak/protocol/LoginProtocol.java

@@ -84,12 +84,8 @@ enum Error {
 
     Response authenticated(AuthenticationSessionModel authSession, UserSessionModel userSession, ClientSessionContext clientSessionCtx);
 
-    Response sendError(AuthenticationSessionModel authSession, Error error);
+    Response sendError(AuthenticationSessionModel authSession, Error error, String errorMessage);
 
-    default Response sendError(AuthenticationSessionModel authSession, Error error, String errorMessage) {
-        return sendError(authSession, error);
-    }
-
     /**
      * Returns client data, which will be wrapped in the "clientData" parameter sent within "authentication flow" requests. The purpose of clientData is to be able to send HTTP error
      * response back to the client if authentication fails due some error and authenticationSession is not available anymore (was either expired or removed). So clientData need to contain

services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java

@@ -648,7 +648,7 @@ public void cancelLogin() {
                     .setHttpHeaders(getHttpRequest().getHttpHeaders())
                     .setUriInfo(getUriInfo())
                     .setEventBuilder(event);
-            Response response = protocol.sendError(getAuthenticationSession(), Error.CANCELLED_BY_USER);
+            Response response = protocol.sendError(getAuthenticationSession(), Error.CANCELLED_BY_USER, null);
             forceChallenge(response);
         }
 

services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java

@@ -124,14 +124,14 @@ protected Response handleBrowserAuthenticationRequest(AuthenticationSessionModel
                         return challenge;
                     }
                     else {
-                        return protocol.sendError(authSession, Error.PASSIVE_LOGIN_REQUIRED);
+                        return protocol.sendError(authSession, Error.PASSIVE_LOGIN_REQUIRED, null);
                     }
                 }
 
                 AuthenticationManager.setClientScopesInSession(session, authSession);
 
                 if (processor.nextRequiredAction() != null) {
-                    return protocol.sendError(authSession, Error.PASSIVE_INTERACTION_REQUIRED);
+                    return protocol.sendError(authSession, Error.PASSIVE_INTERACTION_REQUIRED, null);
                 }
 
             } catch (Exception e) {

services/src/main/java/org/keycloak/protocol/docker/DockerAuthV2Protocol.java

@@ -145,7 +145,7 @@ public Response authenticated(final AuthenticationSessionModel authSession, fina
     }
 
     @Override
-    public Response sendError(final AuthenticationSessionModel clientSession, final LoginProtocol.Error error) {
+    public Response sendError(final AuthenticationSessionModel clientSession, final LoginProtocol.Error error, String errorMessage) {
         return new ResponseBuilderImpl().status(Response.Status.INTERNAL_SERVER_ERROR).build();
     }
 

services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java

@@ -340,11 +340,6 @@ private boolean isIdTokenAsDetachedSignature(ClientModel client) {
         return Boolean.valueOf(Optional.ofNullable(client.getAttribute(OIDCConfigAttributes.ID_TOKEN_AS_DETACHED_SIGNATURE)).orElse(Boolean.FALSE.toString())).booleanValue();
     }
 
-    @Override
-    public Response sendError(AuthenticationSessionModel authSession, Error error) {
-        return sendError(authSession, error, null);
-    }
-
     @Override
     public Response sendError(AuthenticationSessionModel authSession, Error error, String errorMessage) {
         if (isOAuth2DeviceVerificationFlow(authSession)) {

services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java

@@ -219,7 +219,7 @@ private SingleUseObjectProvider getSingleUseStore() {
     }
 
     @Override
-    public Response sendError(AuthenticationSessionModel authSession, Error error) {
+    public Response sendError(AuthenticationSessionModel authSession, Error error, String errorMessage) {
         try {
             ClientModel client = authSession.getClient();
 
@@ -233,7 +233,7 @@ public Response sendError(AuthenticationSessionModel authSession, Error error) {
                     URI redirect = builder.buildFromMap(params);
                     return Response.status(302).location(redirect).build();
                 } else {
-                    return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, translateErrorToIdpInitiatedErrorMessage(error));
+                    return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, errorMessage != null ? errorMessage : translateErrorToIdpInitiatedErrorMessage(error));
                 }
             } else {
                 return samlErrorMessage(

services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java

@@ -1311,7 +1311,7 @@ private static Response executeAction(KeycloakSession session, AuthenticationSes
                     .setHttpHeaders(context.getHttpRequest().getHttpHeaders())
                     .setUriInfo(context.getUriInfo())
                     .setEventBuilder(event);
-            Response response = protocol.sendError(context.getAuthenticationSession(), Error.CONSENT_DENIED);
+            Response response = protocol.sendError(context.getAuthenticationSession(), Error.CONSENT_DENIED, null);
             event.error(Errors.REJECTED_BY_USER);
             return response;
         }

services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java

@@ -1207,7 +1207,7 @@ private Response checkPassiveLoginError(AuthenticationSessionModel authSession,
                     .setHttpHeaders(headers)
                     .setUriInfo(session.getContext().getUri())
                     .setEventBuilder(event);
-            return protocol.sendError(authSession, error);
+            return protocol.sendError(authSession, error, null);
         }
         return null;
     }

services/src/main/java/org/keycloak/services/resources/LoginActionsService.java

@@ -925,7 +925,7 @@ public Response authenticateOnly() throws AuthenticationFlowException {
                                 .setHttpHeaders(headers)
                                 .setUriInfo(session.getContext().getUri())
                                 .setEventBuilder(event);
-                        return protocol.sendError(authSession, Error.PASSIVE_INTERACTION_REQUIRED);
+                        return protocol.sendError(authSession, Error.PASSIVE_INTERACTION_REQUIRED, null);
                     }
                 }
                 return challenge;
@@ -1014,7 +1014,7 @@ public Response processConsent() {
                     .setHttpHeaders(headers)
                     .setUriInfo(session.getContext().getUri())
                     .setEventBuilder(event);
-            Response response = protocol.sendError(authSession, Error.CONSENT_DENIED);
+            Response response = protocol.sendError(authSession, Error.CONSENT_DENIED, null);
             event.error(Errors.REJECTED_BY_USER);
             return response;
         }