Custom error messages for custom openid provider

Hello, everyone!

Could you please give me advice on customizing error messages for a custom OIDC provider?
The following scenario is going on:
User is redirected to the OAuth provider.
User authenticates on the OAuth provider.
User is redirected back to Keycloak.
Keycloak exchanges the authorization_code from the OAuth provider for a token.
Keycloak uses the token to request the user profile from the OAuth provider.
→ Here is the troublesome part: Keycloak decides, based on a user attribute from the profile, whether to allow the user to log in to Keycloak or not. If not, a custom error message should be displayed.
So the main question is: how to throw an error in doGetFederatedIdentity that shows the user an error page with the chosen theme template and a custom description, for example “You are not eligible to login here because you’re too young and not married”.

I haven’t done this exact thing, but I think you need to write your own IdP implementation so you can directly override doGetFederatedIdentity.

I’ve done that already. I’m missing the part that lets me show a themed error.

I believe you have three options:

  • Deal with the attribute at the application.
  • Implement a map between the attribute and a role (if, say, the attribute is married, the role would be MarriedPerson).
  • Implement a custom identity provider.

In the first case, you deal with the attribute in the application. You can think about this as: the user is logged in, all is nice. You just want to do some logic based on some aspect of the user profile. Difficulty: medium.

Second case, you can implement this in the security framework (let’s say you are using Spring Security). Just tell it that you need users to have the role MarriedPerson to be able to access the resource /app/page. Difficulty: easy.

Third case, you are somewhat extending the OpenID Connect protocol and need custom code. Not that hard to implement in Keycloak, but it is probably much easier to deal with in application code. Difficulty: hard.
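For the "custom identity provider" route discussed in the replies above (overriding doGetFederatedIdentity and returning a themed error), here is an added example that is not code from this thread or from the Keycloak project. It assumes Keycloak 22/23 (jakarta.ws.rs, single-argument BrokeredIdentityContext constructor), that the broker callback returns the Response of a WebApplicationException thrown during the exchange, a placeholder userinfo endpoint returning JSON with "sub", "email", "married" and "age", and a message key notEligibleToLogin that you add to your login theme's messages_en.properties.

```java
// Custom OAuth2 identity provider that rejects a user based on profile
// attributes and renders the login theme's error page with our own message key.
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.Response;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.models.KeycloakSession;
import org.keycloak.services.ErrorPage;
import com.fasterxml.jackson.databind.JsonNode;

public class EligibilityCheckingProvider
        extends AbstractOAuth2IdentityProvider<OAuth2IdentityProviderConfig> {
    // Placeholder endpoint of the upstream OAuth provider (assumption)
    private static final String PROFILE_URL = "https://oauth.example.com/userinfo";

    public EligibilityCheckingProvider(KeycloakSession session, OAuth2IdentityProviderConfig config) {
        super(session, config);
    }

    @Override
    protected String getDefaultScopes() { return "profile email"; }

    @Override
    protected BrokeredIdentityContext doGetFederatedIdentity(String accessToken) {
        JsonNode profile;
        try {
            profile = SimpleHttp.doGet(PROFILE_URL, session).auth(accessToken).asJson();
        } catch (java.io.IOException e) {
            throw new IdentityBrokerException("Could not fetch user profile", e);
        }
        boolean married = profile.path("married").asBoolean(false);
        int age = profile.path("age").asInt(0);
        if (!married || age < 18) {
            // Build the themed error page (error.ftl + key from messages_*.properties)
            // and throw it; the callback endpoint sends this Response to the browser.
            Response page = ErrorPage.error(session, session.getContext().getAuthenticationSession(),
                    Response.Status.FORBIDDEN, "notEligibleToLogin");
            throw new WebApplicationException(page);
        }
        BrokeredIdentityContext identity = new BrokeredIdentityContext(profile.path("sub").asText());
        identity.setUsername(profile.path("email").asText());
        identity.setEmail(profile.path("email").asText());
        identity.setIdpConfig(getConfig());
        identity.setIdp(this);
        return identity;
    }
}
```

The provider still has to be registered through an IdentityProviderFactory listed in META-INF/services (not shown here), and the same message key must exist in every locale file of the theme, otherwise the raw key is rendered.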