Merge pull request 'Handle Keycloak errors when cookies are stale/expired' (#35) from feature/24500 into develop

Author: fmichielssen

src/main/java/eu/openanalytics/containerproxy/auth/impl/KeycloakAuthenticationBackend.java

@@ -30,6 +30,7 @@
 import javax.inject.Inject;
 import javax.servlet.ServletException;
 
+import eu.openanalytics.containerproxy.auth.impl.keycloak.AuthenticationFaillureHandler;
 import org.keycloak.adapters.AdapterDeploymentContext;
 import org.keycloak.adapters.KeycloakConfigResolver;
 import org.keycloak.adapters.KeycloakDeployment;
@@ -39,6 +40,7 @@
 import org.keycloak.adapters.springsecurity.AdapterDeploymentContextFactoryBean;
 import org.keycloak.adapters.springsecurity.account.KeycloakRole;
 import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint;
+import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationFailureHandler;
 import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
 import org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler;
 import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
@@ -141,6 +143,7 @@ protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessin
 
 		KeycloakAuthenticationProcessingFilter filter = new KeycloakAuthenticationProcessingFilter(authenticationManager, requestMatcher);
 		filter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());
+		filter.setAuthenticationFailureHandler(keycloakAuthenticationFailureHandler());
 		// Fix: call afterPropertiesSet manually, because Spring doesn't invoke it for some reason.
 		filter.setApplicationContext(ctx);
 		filter.afterPropertiesSet();
@@ -169,6 +172,12 @@ protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
 		return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
 	}
 
+	@Bean
+	@ConditionalOnProperty(name="proxy.authentication", havingValue="keycloak")
+	public KeycloakAuthenticationFailureHandler keycloakAuthenticationFailureHandler() {
+		return new AuthenticationFaillureHandler();
+	}
+
 	@Bean
 	@ConditionalOnProperty(name="proxy.authentication", havingValue="keycloak")
 	protected AdapterDeploymentContext adapterDeploymentContext() throws Exception {

src/main/java/eu/openanalytics/containerproxy/auth/impl/keycloak/AuthenticationFaillureHandler.java

@@ -0,0 +1,50 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2020 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.auth.impl.keycloak;
+
+import org.keycloak.adapters.OIDCAuthenticationError;
+import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationFailureHandler;
+import org.springframework.security.core.AuthenticationException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class AuthenticationFaillureHandler extends KeycloakAuthenticationFailureHandler {
+
+    final public static String SP_KEYCLOAK_ERROR_REASON = "SP_KEYCLOAK_ERROR_REASON";
+
+    @Override
+    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
+                                        AuthenticationException exception) throws IOException, ServletException {
+
+        // Note: Keycloak calls sendError before this method gets called, therefore we cannot do much with reuqest.
+        // We now set a flag in the session indicating the reason of the Keycloak error.
+        // The error page can then properly handle this.
+
+        Object obj = request.getAttribute("org.keycloak.adapters.spi.AuthenticationError");
+        if (obj instanceof org.keycloak.adapters.OIDCAuthenticationError) {
+            OIDCAuthenticationError authError = (OIDCAuthenticationError)  obj;
+            request.getSession().setAttribute(SP_KEYCLOAK_ERROR_REASON, authError.getReason());
+        }
+    }
+}

src/main/java/eu/openanalytics/containerproxy/ui/ErrorController.java

@@ -28,6 +28,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.keycloak.adapters.OIDCAuthenticationError;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.authentication.AccountStatusException;
@@ -39,20 +40,43 @@
 
 import eu.openanalytics.containerproxy.api.BaseController;
 
+import static eu.openanalytics.containerproxy.auth.impl.keycloak.AuthenticationFaillureHandler.SP_KEYCLOAK_ERROR_REASON;
+
 @Controller
 @RequestMapping("/error")
 public class ErrorController extends BaseController implements org.springframework.boot.web.servlet.error.ErrorController {
-	
+
 	@RequestMapping(produces = "text/html")
 	public String handleError(ModelMap map, HttpServletRequest request, HttpServletResponse response) {
+
+		// handle keycloak errors
+	    Object obj = request.getSession().getAttribute(SP_KEYCLOAK_ERROR_REASON);
+	    if (obj instanceof OIDCAuthenticationError.Reason) {
+	    	request.getSession().removeAttribute(SP_KEYCLOAK_ERROR_REASON);
+			OIDCAuthenticationError.Reason reason = (OIDCAuthenticationError.Reason) obj;
+	    	if (reason == OIDCAuthenticationError.Reason.INVALID_STATE_COOKIE ||
+				reason == OIDCAuthenticationError.Reason.STALE_TOKEN) {
+	    		// These errors are typically caused by users using wrong bookmarks (e.g. bookmarks with states in)
+				// or when some cookies got stale. However, the user is logged into the IDP, therefore it's enough to
+				// send the user to the main page and they will get logged in automatically.
+				return "redirect:/";
+			} else {
+				return "redirect:/auth-error";
+			}
+		}
+
 		Throwable exception = (Throwable) request.getAttribute("javax.servlet.error.exception");
-		if (exception == null) exception = (Throwable) request.getAttribute("SPRING_SECURITY_LAST_EXCEPTION");
+		if (exception == null) {
+			exception = (Throwable) request.getAttribute("SPRING_SECURITY_LAST_EXCEPTION");
+		}
 
 		String[] msg = createMsgStack(exception);
-		if (exception == null) msg[0] = HttpStatus.valueOf(response.getStatus()).getReasonPhrase();
+		if (exception == null) {
+			msg[0] = HttpStatus.valueOf(response.getStatus()).getReasonPhrase();
+		}
 
-		if (response.getStatus() == 200 && isAccountStatusException(exception)) {
-			return "/";
+		if (response.getStatus() == 200 && (exception != null) && isAccountStatusException(exception)) {
+			return "redirect:/";
 		}
 
 		map.put("message", msg[0]);
@@ -102,7 +126,7 @@ private String[] createMsgStack(Throwable exception) {
 
 		return new String[] { message, stackTrace };
 	}
-	
+
 	private boolean isAccountStatusException(Throwable exception) {
 		if (exception instanceof AccountStatusException) return true;
 		if (exception.getCause() != null) return isAccountStatusException(exception.getCause());