Support for customised messages per client about keycloak-restrict-client-auth HOT 4 OPEN

Hello @cesarbtt,

thanks for the feature request.
Keycloak already has built-in functionality to configure a login theme per client. Would not it be sufficient deploy a client-specific theme where you overwrite the messages as needed? I am a little bit reluctant to implement some mechanism for this, that is not aligned with the way Keycloak handles such things.

Each client will check different requirements ...

Can you give me some details on this, please? I would like to better understand which scenarios and requirements you have in mind here. Aren't the requirements prescribed by the authentication flow and configured authenticators therein?

I have made a modification to the RestrictClientAuthAuthenticator.htmlErrorResponse

Would you mind sharing this, so I can have a look on what you have in mind?

Best regards,
Sven-Torben

from keycloak-restrict-client-auth.

Although in our context we limit access to clients by groups, the requirements for a user to be part of a group are different. For example if to access a client A you need to have paid a fee the message should be "You cannot access the service because you have not paid the fee". If for a client B the criterion to be assigned to his group is to reside in the city the message should be "You cannot access the service because you do not reside in this locality". This is why we need different messages for each client.

from keycloak-restrict-client-auth.

The modification I have made what it does is to check if there is a custom message for the client of the form {error-code}.{clientid}. If it exists that one is used. Otherwise the message {errorcode} is used.

I have been working with keycloak for a short time so I don't know if the implementation I have done is the best solution but for the moment it has solved our need.

from keycloak-restrict-client-auth.

private Response htmlErrorResponse(AuthenticationFlowContext context, RestrictClientAuthConfig config) {

        AuthenticationSessionModel authSession = context.getAuthenticationSession();

        KeycloakSession session = context.getSession();
        String mensajeID = (config.getErrorMessage()!=null)?config.getErrorMessage():DEFAULT_ERROR_MESSAGE;        
        try {
            Theme theme = session.theme().getTheme(Theme.Type.LOGIN);
            UserModel user = context.getUser();
            Locale locale = session.getContext().resolveLocale(user);
            Properties messagesBundle = theme.getMessages(locale);
            String mensajePersonalizadoID = config.getErrorMessage()+"."+authSession.getClient().getClientId();
            Object mensaje = messagesBundle.get(mensajeID);
            Object mensajePersonalizado = messagesBundle.get(mensajePersonalizadoID);
            if (mensajePersonalizado!=null) {
                mensajeID = mensajePersonalizadoID;
            }
        } catch (IOException e) {
            e.printStackTrace();
        }

        return context.form()
            .setError(mensajeID, authSession.getAuthenticatedUser().getUsername(),
                authSession.getClient().getClientId())
            .createErrorPage(Response.Status.FORBIDDEN);
    }

from keycloak-restrict-client-auth.