Declarative User Profile: Helpful error messages from validators


Matysiak Joerg (IOC/PAU1)

Jul 1, 2021, 11:12:34 AM
to keyclo...@googlegroups.com, vel...@redhat.com, Pedro Igor Silva
Hi,

when playing around with the user profile I realized that the error messages from validators could be improved.

E.g. when a configured pattern is not matched, the user receives the message “Invalid value.” which isn’t very helpful.

I suggest to enhance the configuration of the user profile attribute validators with an additional property ‘message’ so that it is possible to pass a specific message to the user, e.g.:


  "validations": {
    "pattern": {
      "pattern": "[0-9]+",
      "message": "zip code must be numeric"
    }
  }

or when using localization:

  "validations": {
    "pattern": {
      "pattern": "[0-9]+",
      "message": "${userprofile.zipcode}"
    }
  }

If you agree I would be happy to contribute a PR for this,


Best regards

Jörg Matysiak



Pedro Igor Craveiro e Silva

Jul 1, 2021, 11:22:11 AM
to Matysiak Joerg (IOC/PAU1), keyclo...@googlegroups.com, vel...@redhat.com, Pedro Igor Silva
For me, it makes sense to allow configuring messages. 

Or perhaps we could support a pattern for message properties like `<attribute_name>.<validator_id>` or similar so that we dynamically resolve a message based on the validator id and the attribute. In the example you gave, it would be `zipCode.pattern`.

The default messages I think were based on some UX directives. Not sure whether they are more appropriate or not but the proposal herein should help to change messages easily.


Matysiak Joerg (IOC/PAU1)

Jul 2, 2021, 2:15:59 AM
to Pedro Igor Craveiro e Silva, keyclo...@googlegroups.com, vel...@redhat.com
Dynamically resolving the error message sounds also good for me, this would also be more like the header and description for attribute groups I implemented for https://issues.redhat.com/browse/KEYCLOAK-18552

IMHO we should then agree on a consistent pattern for the message property id.

In KEYCLOAK-18552 I used "userprofile.attributegroup.header.<groupname>" and "userprofile.attributegroup.description.<groupname>".
Following this pattern it would be e.g. "userprofile.<attribute_name>.<validator_id>" for the messages.

Kind regards
Jörg


Vlastimil Elias

Jul 2, 2021, 4:30:02 AM
to keyclo...@googlegroups.com, Pedro Igor Craveiro e Silva, Matysiak Joerg (IOC/PAU1)

Hi,

makes sense to me to allow message change, mainly for highly configurable validators like pattern.

I personally prefer to configure it directly over the validator's config in the user profile config file rather than over explicit i18n key lookup, as this is more consistent with the rest of the user profile configuration format, and also less work as it requires only impl in the validator itself, not in bindings to GUIs where i18n happens ;-)

Looking into Validator SPI and how is it integrated into user profile and distinct GUIs, support for ${} construct may be relatively complex as we have to support putting parameters into the message itself (eg min and max for length validator), I'm not sure whether this construct can even support that internal replacing in the message itself.

And BTW some validators produce more error messages, so what we agree here will be more like "rule how to implement configurable messages for simple validators" and it needs to be implemented and documented on the per validator basis (ideally some support implemented in some basic class like org.keycloak.validate.AbstractSimpleValidator).

So IMHO best solution is configuration like:

  "validations": {
        "pattern": {
          "pattern": "[0-9]+",
          "message": "error.userprofile.format.zipcode"
        }
  }

Where error.userprofile.format.zipcode is message key for i18n.

Vl.

-- 
Vlastimil Elias
He / Him / His
Principal Software Engineer, DXP Application Development
Red Hat

Matysiak Joerg (IOC/PAU1)

Jul 2, 2021, 7:15:35 AM
to Vlastimil Elias, keyclo...@googlegroups.com, Pedro Igor Craveiro e Silva
Thanks for the input, I created a jira ticket for this https://issues.redhat.com/browse/KEYCLOAK-18649
 
Will have a look at the code and come up with a pull request
 
Kind regards
Jörg

Pedro Igor Craveiro e Silva

Jul 2, 2021, 7:25:56 AM
to Vlastimil Elias, keyclo...@googlegroups.com, Matysiak Joerg (IOC/PAU1)
On Fri, Jul 2, 2021 at 5:30 AM Vlastimil Elias <vel...@redhat.com> wrote:

> Hi,
>
> makes sense to me to allow message change, mainly for highly configurable validators like pattern.
>
> I personally prefer to configure it directly over the validator's config in the user profile config file rather than over explicit i18n key lookup, as this is more consistent with the rest of the user profile configuration format, and also less work as it requires only impl in the validator itself, not in bindings to GUIs where i18n happens ;-)

Not sure what you mean by bindings to GUIs but templates should get that for free from their backing beans. Clients using the REST API should get localized messages as part of the response.

The effort here is basically to change the message bundle to add the corresponding property. That is where I think this approach wins because it provides an easier experience when configuring messages (no need to go through admin console and duplicate config when defining messages for the same validator in different attributes).

> Looking into Validator SPI and how is it integrated into user profile and distinct GUIs, support for ${} construct may be relatively complex as we have to support putting parameters into the message itself (eg min and max for length validator), I'm not sure whether this construct can even support that internal replacing in the message itself.

I think it does if validators expose individual entries in map config as message parameters. It is up to you to use the replacements in messages or not.

> And BTW some validators produce more error messages, so what we agree here will be more like "rule how to implement configurable messages for simple validators" and it needs to be implemented and documented on the per validator basis (ideally some support implemented in some basic class like org.keycloak.validate.AbstractSimpleValidator).

Ideally, validators should be specialized and produce a single message. Multiple messages from a validator might indicate it is doing more than what it is supposed to do.

But yeah, if there are corner cases where multiple messages from validators make sense, then the message properties approach is not the best. But shall we really expect that?

If that works for Markus and possibly for others. I think we should go for it. If we reach in the future a real need for having a config property we can always support both.

Matysiak Joerg (IOC/PAU1)

Jul 2, 2021, 9:39:22 AM
to Pedro Igor Craveiro e Silva, Vlastimil Elias, keyclo...@googlegroups.com
Hi,
 
I think it’s also important to have a consistent behavior within the user profile.
 
In https://github.com/keycloak/keycloak/pull/8233 it looks like we will agree on using patterns for message properties.
I suggest to do a similar implementation here following a common pattern for message properties, so configuration is comprehensible.
 
Kind regards
Jörg
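
The two approaches discussed in this thread, combined in one resolver, as an added example that is not part of any post and is not Keycloak's code. The class name, the resolution order (convention key, then the validator's "message" config, then a default), the bundle contents, the default key names, and the use of `{0}`-style `MessageFormat` parameters are all assumptions made for illustration.

```java
import java.text.MessageFormat;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical helper, not a Keycloak class.
public class ValidatorMessageResolver {
    // Constructed message bundle. The first key follows the
    // "userprofile.<attribute_name>.<validator_id>" pattern from the thread.
    static final Map<String, String> BUNDLE = Map.of(
        "userprofile.zipCode.pattern", "Zip code must be numeric.",
        "error.userprofile.format.zipcode", "Zip code has the wrong format.",
        "default.length", "Length must be between {0} and {1}.");

    // Assumed order: convention key, then configured "message", then default.
    static String resolve(String attribute, String validatorId,
                          Map<String, Object> config, String defaultKey,
                          Object... params) {
        String template = BUNDLE.get("userprofile." + attribute + "." + validatorId);
        if (template == null && config.get("message") instanceof String) {
            String configured = (String) config.get("message");
            // Treat the configured value as an i18n key first, then as literal text.
            template = BUNDLE.getOrDefault(configured, configured);
        }
        if (template == null) {
            template = BUNDLE.getOrDefault(defaultKey, "Invalid value.");
        }
        // Validator config entries (e.g. min and max) become positional parameters.
        return MessageFormat.format(template, params);
    }

    public static void main(String[] args) {
        Map<String, Object> pattern = new LinkedHashMap<>();
        pattern.put("pattern", "[0-9]+");
        // 1. Convention key exists in the bundle: no per-attribute config needed.
        System.out.println(resolve("zipCode", "pattern", pattern, "default.pattern"));
        // 2. No convention key for this attribute: the configured message key is used.
        pattern.put("message", "error.userprofile.format.zipcode");
        System.out.println(resolve("postalCode", "pattern", pattern, "default.pattern"));
        // 3. Parameterised default: min and max are substituted into the message.
        Map<String, Object> length = Map.of("min", 3, "max", 10);
        System.out.println(resolve("nickname", "length", length, "default.length",
                length.get("min"), length.get("max")));
        // 4. Nothing configured anywhere: falls back to the generic text.
        System.out.println(resolve("nickname", "pattern", Map.of(), "default.pattern"));
    }
}
```

Because the template goes through `MessageFormat`, a literal configured message containing `{` or `'` would need escaping or a separate non-formatting path.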