Declining terms and conditions in account-console results in error

server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionContext.java

@@ -120,18 +120,28 @@ enum KcActionStatus {
 
     Status getStatus();
 
+    String getErrorMessage();
+
     /**
      * Send a challenge Response back to user
      *
      * @param response
      */
     void challenge(Response response);
 
+    /**
+     * Abort the authentication with an error, optionally with an erroMessage.
+     *
+     */
+    void failure(String errorMessage);
+
     /**
      * Abort the authentication with an error
      *
      */
-    void failure();
+    default void failure() {
+        failure(null);
+    }
 
     /**
      * Mark this required action as successful.  The required action will be removed from the UserModel

server-spi-private/src/main/java/org/keycloak/protocol/LoginProtocol.java

@@ -86,6 +86,10 @@ enum Error {
 
     Response sendError(AuthenticationSessionModel authSession, Error error);
 
+    default Response sendError(AuthenticationSessionModel authSession, Error error, String errorMessage) {
+        return sendError(authSession, error);
+    }
+
     /**
      * Returns client data, which will be wrapped in the "clientData" parameter sent within "authentication flow" requests. The purpose of clientData is to be able to send HTTP error
      * response back to the client if authentication fails due some error and authenticationSession is not available anymore (was either expired or removed). So clientData need to contain

services/src/main/java/org/keycloak/authentication/RequiredActionContextResult.java

@@ -46,6 +46,7 @@ public class RequiredActionContextResult implements RequiredActionContext {
     protected EventBuilder eventBuilder;
     protected KeycloakSession session;
     protected Status status;
+    protected String errorMessage;
     protected Response challenge;
     protected HttpRequest httpRequest;
     protected UserModel user;
@@ -66,6 +67,7 @@ public RequiredActionContextResult(AuthenticationSessionModel authSession,
         this.config = realm.getRequiredActionConfigByAlias(factory.getId());
     }
 
+    @Override
     public RequiredActionConfigModel getConfig() {
         return config;
     }
@@ -119,6 +121,11 @@ public Status getStatus() {
         return status;
     }
 
+    @Override
+    public String getErrorMessage() {
+        return errorMessage;
+    }
+
     @Override
     public void challenge(Response response) {
         status = Status.CHALLENGE;
@@ -127,7 +134,8 @@ public void challenge(Response response) {
     }
 
     @Override
-    public void failure() {
+    public void failure(String errorMessage) {
+        this.errorMessage = errorMessage;
         status = Status.FAILURE;
     }
 

services/src/main/java/org/keycloak/authentication/requiredactions/TermsAndConditions.java

@@ -23,6 +23,7 @@
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.models.UserModel;
+import org.keycloak.services.messages.Messages;
 
 import jakarta.ws.rs.core.Response;
 import java.util.Arrays;
@@ -80,7 +81,7 @@ public void processAction(RequiredActionContext context) {
 
         if (context.getHttpRequest().getDecodedFormParameters().containsKey("cancel")) {
             context.getUser().removeAttribute(USER_ATTRIBUTE);
-            context.failure();
+            context.failure(Messages.TERMS_AND_CONDITIONS_DECLINED);
             return;
         }
 

services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java

@@ -341,6 +341,11 @@ private boolean isIdTokenAsDetachedSignature(ClientModel client) {
 
     @Override
     public Response sendError(AuthenticationSessionModel authSession, Error error) {
+        return sendError(authSession, error, null);
+    }
+
+    @Override
+    public Response sendError(AuthenticationSessionModel authSession, Error error, String errorMessage) {
         if (isOAuth2DeviceVerificationFlow(authSession)) {
             return denyOAuth2DeviceAuthorization(authSession, error, session);
         }
@@ -351,18 +356,18 @@ public Response sendError(AuthenticationSessionModel authSession, Error error) {
         String redirect = authSession.getRedirectUri();
         String state = authSession.getClientNote(OIDCLoginProtocol.STATE_PARAM);
 
-        OIDCRedirectUriBuilder redirectUri = buildErrorRedirectUri(redirect, state, error);
+        OIDCRedirectUriBuilder redirectUri = buildErrorRedirectUri(redirect, state, error, errorMessage);
 
         // Remove authenticationSession from current tab
         new AuthenticationSessionManager(session).removeTabIdInAuthenticationSession(realm, authSession);
 
         return buildRedirectUri(redirectUri, authSession, null, null, null, error);
     }
 
-    private OIDCRedirectUriBuilder buildErrorRedirectUri(String redirect, String state, Error error) {
+    private OIDCRedirectUriBuilder buildErrorRedirectUri(String redirect, String state, Error error, String errorMessage) {
         OIDCRedirectUriBuilder redirectUri = OIDCRedirectUriBuilder.fromUri(redirect, responseMode, session, null);
 
-        OAuth2ErrorRepresentation oauthError = translateError(error);
+        OAuth2ErrorRepresentation oauthError = translateError(error, errorMessage);
         if (oauthError.getError() != null) {
             redirectUri.addParam(OAuth2Constants.ERROR, oauthError.getError());
         }
@@ -410,19 +415,19 @@ public Response sendError(ClientModel client, ClientData clientData, Error error
         }
 
         setupResponseTypeAndMode(clientData.getResponseType(), clientData.getResponseMode());
-        OIDCRedirectUriBuilder redirectUri = buildErrorRedirectUri(clientData.getRedirectUri(), clientData.getState(), error);
+        OIDCRedirectUriBuilder redirectUri = buildErrorRedirectUri(clientData.getRedirectUri(), clientData.getState(), error, null);
         return buildRedirectUri(redirectUri, null, null, null, null, error);
     }
 
-    private OAuth2ErrorRepresentation translateError(Error error) {
+    private OAuth2ErrorRepresentation translateError(Error error, String errorMessage) {
         switch (error) {
             case CANCELLED_AIA_SILENT:
                 return new OAuth2ErrorRepresentation(null, null);
             case CANCELLED_AIA:
                 return new OAuth2ErrorRepresentation(OAuthErrorException.ACCESS_DENIED, "User cancelled application-initiated action.");
             case CANCELLED_BY_USER:
             case CONSENT_DENIED:
-                return new OAuth2ErrorRepresentation(OAuthErrorException.ACCESS_DENIED, "User denied consent");
+                return new OAuth2ErrorRepresentation(OAuthErrorException.ACCESS_DENIED, errorMessage);
             case PASSIVE_INTERACTION_REQUIRED:
                 return new OAuth2ErrorRepresentation(OAuthErrorException.INTERACTION_REQUIRED, null);
             case PASSIVE_LOGIN_REQUIRED:

services/src/main/java/org/keycloak/services/messages/Messages.java

@@ -271,6 +271,8 @@ public class Messages {
 
     public static final String CONSENT_DENIED="consentDenied";
 
+    public static final String TERMS_AND_CONDITIONS_DECLINED="termsAndConditionsDeclined";
+
     public static final String ALREADY_LOGGED_IN="alreadyLoggedIn";
 
     public static final String DIFFERENT_USER_AUTHENTICATED = "differentUserAuthenticated";

services/src/main/java/org/keycloak/services/resources/LoginActionsService.java

@@ -1203,7 +1203,7 @@ private Response interruptionResponse(RequiredActionContextResult context, Authe
         event.detail(Details.CUSTOM_REQUIRED_ACTION, action);
 
         event.error(Errors.REJECTED_BY_USER);
-        return protocol.sendError(authSession, error);
+        return protocol.sendError(authSession, error, context.getErrorMessage());
     }
 
     private boolean isCancelAppInitiatedAction(String providerId, AuthenticationSessionModel authSession, RequiredActionContextResult context) {

testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/AppPage.java

@@ -17,6 +17,7 @@
 
 package org.keycloak.testsuite.pages;
 
+import org.keycloak.testsuite.util.DroneUtils;
 import org.keycloak.testsuite.util.OAuthClient;
 import org.openqa.selenium.WebElement;
 import org.openqa.selenium.support.FindBy;
@@ -34,16 +35,16 @@ public class AppPage extends AbstractPage {
 
     @Override
     public void open() {
-        driver.navigate().to(OAuthClient.APP_AUTH_ROOT);
+        DroneUtils.getCurrentDriver().navigate().to(OAuthClient.APP_AUTH_ROOT);
     }
 
     @Override
     public boolean isCurrent() {
-        return removeDefaultPorts(driver.getCurrentUrl()).startsWith(OAuthClient.APP_AUTH_ROOT);
+        return removeDefaultPorts(DroneUtils.getCurrentDriver().getCurrentUrl()).startsWith(OAuthClient.APP_AUTH_ROOT);
     }
 
     public RequestType getRequestType() {
-        return RequestType.valueOf(driver.getTitle());
+        return RequestType.valueOf(DroneUtils.getCurrentDriver().getTitle());
     }
 
     public void openAccount() {

testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/LoginPage.java

@@ -199,11 +199,13 @@ public String getInfoMessage() {
         }
     }
 
+    @Override
     public boolean isCurrent() {
         String realm = "test";
         return isCurrent(realm);
     }
 
+    @Override
     public boolean isCurrent(String realm) {
         return DroneUtils.getCurrentDriver().getTitle().equals("Sign in to " + realm) || DroneUtils.getCurrentDriver().getTitle().equals("Anmeldung bei " + realm);
     }

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/TermsAndConditionsTest.java

@@ -17,6 +17,7 @@
 package org.keycloak.testsuite.actions;
 
 import org.hamcrest.Matchers;
+import org.jboss.arquillian.drone.api.annotation.Drone;
 import org.jboss.arquillian.graphene.page.Page;
 import org.junit.Assert;
 import org.junit.Before;
@@ -26,6 +27,7 @@
 import org.keycloak.events.Details;
 import org.keycloak.events.Errors;
 import org.keycloak.events.EventType;
+import org.keycloak.models.Constants;
 import org.keycloak.models.UserModel;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.representations.idm.RequiredActionProviderRepresentation;
@@ -36,15 +38,24 @@
 import org.keycloak.testsuite.pages.AppPage.RequestType;
 import org.keycloak.testsuite.pages.LoginPage;
 import org.keycloak.testsuite.pages.TermsAndConditionsPage;
+import org.keycloak.testsuite.util.DroneUtils;
+import org.keycloak.testsuite.util.JavascriptBrowser;
+import org.keycloak.testsuite.util.UIUtils;
 import org.keycloak.testsuite.util.UserBuilder;
+import org.openqa.selenium.By;
+import org.openqa.selenium.WebDriver;
+import org.openqa.selenium.WebElement;
 
 import java.util.List;
 import java.util.Map;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;
 
 /**
  * @author <a href="mailto:[email protected]">Stian Thorgersen</a>
@@ -54,19 +65,34 @@ public class TermsAndConditionsTest extends AbstractTestRealmKeycloakTest {
     @Rule
     public AssertEvents events = new AssertEvents(this);
 
+    @Drone
+    @JavascriptBrowser
+    private WebDriver jsDriver;
+
     @Page
+    @JavascriptBrowser
     protected AppPage appPage;
 
     @Page
+    @JavascriptBrowser
     protected LoginPage loginPage;
 
     @Page
+    @JavascriptBrowser
     protected TermsAndConditionsPage termsPage;
 
     @Override
     public void configureTestRealm(RealmRepresentation testRealm) {
     }
 
+    @Before
+    public void driver() {
+        appPage.setDriver(jsDriver);
+        termsPage.setDriver(jsDriver);
+        loginPage.setDriver(jsDriver);
+        DroneUtils.addWebDriver(jsDriver);
+    }
+
     @Before
     public void addTermsAndConditionRequiredAction() {
         UserRepresentation user = ActionUtil.findUserWithAdminClient(adminClient, "test-user@localhost");
@@ -105,16 +131,18 @@ public void termsAccepted() {
         assertNotNull("expected non-null timestamp for terms acceptance in user attribute "
                 + TermsAndConditions.USER_ATTRIBUTE, timestamp);
         try {
-            Integer.parseInt(timestamp);
-        }
-        catch (NumberFormatException e) {
+            Integer.valueOf(timestamp);
+        } catch (NumberFormatException e) {
             fail("timestamp for terms acceptance is not a valid integer: '" + timestamp + "'");
         }
     }
 
     @Test
     public void termsDeclined() {
-        loginPage.open();
+        appPage.open();
+        appPage.openAccount();
+
+        loginPage.assertCurrent();
 
         loginPage.login("test-user@localhost", "password");
 
@@ -126,6 +154,8 @@ public void termsDeclined() {
                 .error(Errors.REJECTED_BY_USER)
                 .removeDetail(Details.CONSENT)
                 .session(Matchers.nullValue(String.class))
+                .client(Constants.ACCOUNT_CONSOLE_CLIENT_ID)
+                .detail(Details.REDIRECT_URI, getAuthServerContextRoot() + "/auth/realms/" + TEST_REALM_NAME + "/account")
                 .assertEvent();
 
 
@@ -136,6 +166,15 @@ public void termsDeclined() {
             assertNull("expected null for terms acceptance user attribute " + TermsAndConditions.USER_ATTRIBUTE,
                     attributes.get(TermsAndConditions.USER_ATTRIBUTE));
         }
+        assertThat(DroneUtils.getCurrentDriver().getTitle(), equalTo("Account Management"));
+        Assert.assertTrue(DroneUtils.getCurrentDriver().getPageSource().contains("You need to agree to Terms and Conditions"));
+        Assert.assertFalse(DroneUtils.getCurrentDriver().getPageSource().contains("An unexpected error occurred"));
+
+        WebElement tryAgainButton = DroneUtils.getCurrentDriver().findElement(By.tagName("button"));
+        assertThat(tryAgainButton.getText(), equalTo("Try again"));
+        UIUtils.click(tryAgainButton);
+
+        loginPage.assertCurrent();
     }