Support for customised messages per client #144

Open
cesarbtt opened this issue Feb 15, 2023 · 4 comments

@cesarbtt

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

No response

Describe the solution you'd like

Each client will check different requirements, so the message to the user should explain the reason why access has been denied.

Describe alternatives you've considered

I have made a modification to the `RestrictClientAuthAuthenticator.htmlErrorResponse` method to check whether there are messages of the form . and, in that case, that message is displayed instead of the one configured in the authentication step.

Anything else?

No response

@cesarbtt cesarbtt added the feature Feature Request label Feb 15, 2023
@sventorben sventorben self-assigned this Feb 15, 2023
@sventorben
Owner

Hello @cesarbtt,

thanks for the feature request.
Keycloak already has built-in functionality to configure a login theme per client. Would it not be sufficient to deploy a client-specific theme where you overwrite the messages as needed? I am a little bit reluctant to implement some mechanism for this that is not aligned with the way Keycloak handles such things.

> Each client will check different requirements ...

Can you give me some details on this, please? I would like to better understand which scenarios and requirements you have in mind here. Aren't the requirements prescribed by the authentication flow and configured authenticators therein?

> I have made a modification to the RestrictClientAuthAuthenticator.htmlErrorResponse

Would you mind sharing this, so I can have a look at what you have in mind?

Best regards,
Sven-Torben

@cesarbtt
Author

Although in our context we limit access to clients by groups, the requirements for a user to be part of a group are different. For example, if to access client A you need to have paid a fee, the message should be "You cannot access the service because you have not paid the fee". If for client B the criterion to be assigned to its group is to reside in the city, the message should be "You cannot access the service because you do not reside in this locality". This is why we need different messages for each client.

@cesarbtt
Author

What the modification I have made does is check whether there is a custom message for the client of the form {error-code}.{clientid}. If it exists, that one is used. Otherwise the message {errorcode} is used.

I have been working with Keycloak for a short time, so I don't know if the implementation I have done is the best solution, but for the moment it has solved our need.

@cesarbtt
Author

```java
private Response htmlErrorResponse(AuthenticationFlowContext context, RestrictClientAuthConfig config) {

    AuthenticationSessionModel authSession = context.getAuthenticationSession();
    KeycloakSession session = context.getSession();
    String clientId = authSession.getClient().getClientId();

    // Message key configured on the authenticator, or the default key if none is set.
    String mensajeID = (config.getErrorMessage() != null) ? config.getErrorMessage() : DEFAULT_ERROR_MESSAGE;
    try {
        // Load the login theme's message bundle for the user's locale.
        Theme theme = session.theme().getTheme(Theme.Type.LOGIN);
        UserModel user = context.getUser();
        Locale locale = session.getContext().resolveLocale(user);
        Properties messagesBundle = theme.getMessages(locale);

        // Client-specific key of the form {error-code}.{clientid}. It is built from
        // mensajeID rather than config.getErrorMessage(), which may be null.
        String mensajePersonalizadoID = mensajeID + "." + clientId;
        if (messagesBundle.get(mensajePersonalizadoID) != null) {
            mensajeID = mensajePersonalizadoID;
        }
    } catch (IOException e) {
        // The theme could not be loaded: keep the non-client-specific message key.
        e.printStackTrace();
    }

    return context.form()
        .setError(mensajeID, authSession.getAuthenticatedUser().getUsername(), clientId)
        .createErrorPage(Response.Status.FORBIDDEN);
}
```
