Whenever there is an error in Keycloak custom authenticators, Keycloak always takes the user to the error page. Of course, we can customize the error page. But I am looking for a redirection to the redirect URL with an error code. So far I have not been able to achieve it. Is it possible at all in Keycloak? If so, how? I am using Keycloak 24.0.1.
Hi,
I can imagine that this is possible in some circumstances: at least there is always the chance that the passed-in clientId and/or redirectUri is unknown or invalid. In this case it would be a security issue to redirect the user to the given redirectUri because Keycloak will not be able to validate the URL (whitelisted in the client configuration).
We worked around this issue by customizing the error page. We added a link under the error message directing the user to the client home URL if the clientId is valid. If the clientId is invalid we just show the regular error page.
Thanks. So, it means we cannot use redirection. Instead we can use the error page for our purpose. Right?
If Keycloak does not redirect to the redirect URL in case of an error, does it mean it is not following the OAuth 2.0 spec? See: Possible Errors - OAuth 2.0 Simplified
Won't it get us stuck on an error page in case of federated authentication?
Keycloak uses redirection as described in your link.
When using custom authenticators with custom errors, Keycloak cannot determine which kind of error you have.
You can check Keycloak’s source code or debug Keycloak to see how Keycloak processes authenticator errors. I’d guess that Keycloak uses AuthenticationSessionModel#setAuthNote(String, String) to set notes in the auth session.
Thanks once again for your response.
Just to verify that Keycloak uses redirection as per OAuth2, I decided to use a wrong client id. But it did not redirect back to the redirect URL. It loaded the error page instead.
Update:
Sorry, my fault. Keycloak is not supposed to redirect in this case according to OAuth2.
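As an added example (not code from any poster in this thread or from the Keycloak project), here is how a custom authenticator could apply the caveat from the first answer and the auth-note hint from the second: redirect back to the client with an OAuth 2.0 error only after the redirect URI has been verified against the client registration, and otherwise fall through to Keycloak's regular error page. The authenticator class and its "no user" failure condition are hypothetical; it assumes Keycloak's `RedirectUtils.verifyRedirectUri`, `AuthenticationFlowContext#failure(AuthenticationFlowError, Response)` and the OIDC `state` client note.

```java
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriBuilder;
import org.keycloak.OAuth2Constants;
import org.keycloak.OAuthErrorException;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.utils.RedirectUtils;

// Hypothetical authenticator (added example): on failure it redirects back to the client
// with an OAuth 2.0 error only when the redirect_uri is registered for that client.
public class RedirectOnErrorAuthenticator implements Authenticator {
    @Override
    public void authenticate(AuthenticationFlowContext context) {
        if (context.getUser() == null) { // hypothetical failure condition for this example
            // Keep the reason in the auth session too (Keycloak itself records state via auth notes).
            context.getAuthenticationSession().setAuthNote("custom.error", "no_user");
            fail(context, OAuthErrorException.ACCESS_DENIED, "user not found");
            return;
        }
        context.success();
    }

    // Redirects with error/error_description/state only if the redirect_uri validates
    // against the client registration; otherwise Keycloak renders its regular error page.
    static void fail(AuthenticationFlowContext ctx, String error, String description) {
        var authSession = ctx.getAuthenticationSession();
        var client = authSession.getClient();
        String redirect = client == null ? null
                : RedirectUtils.verifyRedirectUri(ctx.getSession(), authSession.getRedirectUri(), client);
        if (redirect == null) {
            ctx.failure(AuthenticationFlowError.INVALID_CLIENT_SESSION); // never redirect to an unvalidated URL
            return;
        }
        UriBuilder uri = UriBuilder.fromUri(redirect)
                .queryParam(OAuth2Constants.ERROR, error)
                .queryParam(OAuth2Constants.ERROR_DESCRIPTION, description);
        String state = authSession.getClientNote(OIDCLoginProtocol.STATE_PARAM);
        if (state != null) uri.queryParam(OAuth2Constants.STATE, state); // echo state so the client can match it
        ctx.failure(AuthenticationFlowError.INVALID_USER, Response.seeOther(uri.build()).build());
    }

    @Override public void action(AuthenticationFlowContext context) { authenticate(context); }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

A wrong client id or an unregistered redirect_uri still lands on the error page, which matches the behaviour observed in the last post; only a registered redirect_uri receives the error parameters.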