Hi all,
We have been working on a custom authenticator that can pass errors returned from a default identity provider to the client that initiated the authentication request.
We have developed this authenticator because we are using Keycloak as an SSO intermediary for the national Dutch identity providers DigiD (for people) and eHerkenning (for businesses). However, these identity providers have a cancel button in their login, and because of this we need to support the cancel message returned from the SAML authentication request. When a user cancels their login, Keycloak receives an "error" and displays it as normal. However, since eHerkenning is the only identity provider we use in a particular project, we have made Keycloak invisible to the end user by using the default identity provider redirector.
Using the default redirector, however, we ran into problems, as it simply redirected the user back to eHerkenning after they pressed the cancel button, completely ignoring the error returned. After a little bit of research we found the KEYCLOAK-17368 (link) change, and this partially fixed our problem; however, it simply showed the "error" (which is just a message stating the user canceled) to the user, which isn't desirable either. As such, we have now built upon this change by building an authenticator that redirects the user back to the client that initiated the request, with the error neatly passed on in accordance with the OAuth2 spec.
The code can be found here for anyone interested. Would this perhaps be a feature that would be interesting to add to the Keycloak codebase? If it would be of value to people, what would be the best way to proceed to make it available to the wider community?
Regards,
Joep van Hulst
First8/Conclusion
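As an added illustration of the behaviour the post describes (not the author's authenticator and not Keycloak code), the following Python sketch shows the protocol-level step: mapping an upstream identity-provider failure such as a user cancel to an OAuth2 authorization error response (RFC 6749 section 4.1.2.1) and redirecting the browser back to the initiating client. It deliberately leaves out the Keycloak authenticator SPI; the client registry, the failure-reason names and the descriptions are constructed assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed client registry (example data, not taken from the post or from Keycloak).
REGISTERED_REDIRECT_URIS = {
    "demo-client": {"https://app.example.com/callback"},
}

# Constructed internal failure reasons for the upstream IdP, mapped to the OAuth2
# error codes that RFC 6749 section 4.1.2.1 defines for the authorization endpoint.
# A user pressing "cancel" at the IdP is the resource owner denying the request.
IDP_FAILURE_TO_OAUTH2_ERROR = {
    "user_cancelled": ("access_denied",
                       "The user cancelled authentication at the identity provider"),
    "idp_unavailable": ("temporarily_unavailable",
                        "The identity provider did not respond"),
}


def build_error_redirect(client_id, redirect_uri, state, failure_reason):
    """Return the URL the intermediary should send the browser to when the
    upstream IdP fails, carrying the failure as an OAuth2 error response."""
    # Exact-match check against the client's registered redirect URIs. Skipping this
    # would turn the error path into an open redirect that also leaks `state`.
    if redirect_uri not in REGISTERED_REDIRECT_URIS.get(client_id, set()):
        raise ValueError("redirect_uri is not registered for client %r" % client_id)

    # Unknown reasons become the generic server_error rather than leaking IdP internals.
    error, description = IDP_FAILURE_TO_OAUTH2_ERROR.get(
        failure_reason, ("server_error", "Authentication at the identity provider failed")
    )
    params = [("error", error), ("error_description", description)]
    if state is not None:
        # Required whenever the client sent `state`; it is how the client ties the
        # error to its own pending request and rejects unsolicited callbacks.
        params.append(("state", state))

    parts = urlsplit(redirect_uri)
    # Preserve any query the client registered on its redirect URI, then append ours.
    query = parse_qsl(parts.query, keep_blank_values=True) + params
    # RFC 6749 section 3.1.2 forbids a fragment in the redirection endpoint URI.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def parse_error_response(url):
    """Client side: extract error, error_description and state from the callback URL."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


if __name__ == "__main__":
    location = build_error_redirect(
        "demo-client", "https://app.example.com/callback", "xyz123", "user_cancelled"
    )
    print(location)
    print(parse_error_response(location))
```

The client then treats `access_denied` as a normal, non-fatal outcome (the user changed their mind) instead of showing an intermediary error page, which is the user-facing difference the post is after.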