njs50
diff --git a/‎server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsPages.java‎
Lines changed: 1 addition & 1 deletion b/‎server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsPages.java‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsProvider.java‎
Lines changed: 2 additions & 0 deletions b/‎server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsProvider.java‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎services/src/main/java/org/keycloak/authentication/authenticators/browser/WebAuthnAuthenticator.java‎
Lines changed: 30 additions & 30 deletions b/‎services/src/main/java/org/keycloak/authentication/authenticators/browser/WebAuthnAuthenticator.java‎
Lines changed: 30 additions & 30 deletions
diff --git a/‎services/src/main/java/org/keycloak/authentication/requiredactions/WebAuthnRegister.java‎
Lines changed: 16 additions & 22 deletions b/‎services/src/main/java/org/keycloak/authentication/requiredactions/WebAuthnRegister.java‎
Lines changed: 16 additions & 22 deletions
diff --git a/‎services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java‎
Lines changed: 5 additions & 0 deletions b/‎services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎services/src/main/java/org/keycloak/forms/login/freemarker/Templates.java‎
Lines changed: 2 additions & 0 deletions b/‎services/src/main/java/org/keycloak/forms/login/freemarker/Templates.java‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎services/src/main/java/org/keycloak/services/messages/Messages.java‎
Lines changed: 12 additions & 0 deletions b/‎services/src/main/java/org/keycloak/services/messages/Messages.java‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/webauthn/WebAuthnErrorPage.java‎
Lines changed: 36 additions & 0 deletions b/‎testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/webauthn/WebAuthnErrorPage.java‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/webauthn/WebAuthnLoginPage.java‎
Lines changed: 0 additions & 8 deletions b/‎testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/webauthn/WebAuthnLoginPage.java‎
Lines changed: 0 additions & 8 deletions
@@ -24,7 +24,7 @@ public enum LoginFormsPages {
 
     LOGIN, LOGIN_USERNAME, LOGIN_PASSWORD, LOGIN_TOTP, LOGIN_CONFIG_TOTP, LOGIN_WEBAUTHN, LOGIN_VERIFY_EMAIL,
     LOGIN_IDP_LINK_CONFIRM, LOGIN_IDP_LINK_EMAIL,
-    OAUTH_GRANT, LOGIN_RESET_PASSWORD, LOGIN_UPDATE_PASSWORD, LOGIN_SELECT_AUTHENTICATOR, REGISTER, INFO, ERROR, LOGIN_UPDATE_PROFILE,
+    OAUTH_GRANT, LOGIN_RESET_PASSWORD, LOGIN_UPDATE_PASSWORD, LOGIN_SELECT_AUTHENTICATOR, REGISTER, INFO, ERROR, ERROR_WEBAUTHN, LOGIN_UPDATE_PROFILE,
     LOGIN_PAGE_EXPIRED, CODE, X509_CONFIRM, SAML_POST_FORM;
 
 }
@@ -82,6 +82,8 @@ public interface LoginFormsProvider extends Provider {
 
     Response createErrorPage(Response.Status status);
 
+    Response createWebAuthnErrorPage();
+
     Response createOAuthGrant();
 
     Response createSelectAuthenticator();
 
@@ -22,7 +22,6 @@
 import com.webauthn4j.data.client.challenge.DefaultChallenge;
 import com.webauthn4j.server.ServerProperty;
 import com.webauthn4j.util.exception.WebAuthnException;
-
 import org.jboss.logging.Logger;
 import org.keycloak.WebAuthnConstants;
 import org.keycloak.authentication.AuthenticationFlowContext;
@@ -53,13 +52,16 @@
 import java.util.Collections;
 import java.util.List;
 
+import static org.keycloak.services.messages.Messages.*;
+
 /**
  * Authenticator for WebAuthn authentication, which will be typically used when WebAuthn is used as second factor.
  */
 public class WebAuthnAuthenticator implements Authenticator, CredentialValidator<WebAuthnCredentialProvider> {
 
     private static final Logger logger = Logger.getLogger(WebAuthnAuthenticator.class);
     private KeycloakSession session;
+    private WebAuthnAuthenticatorsBean authenticators;
 
     public WebAuthnAuthenticator(KeycloakSession session) {
         this.session = session;
@@ -82,7 +84,7 @@ public void authenticate(AuthenticationFlowContext context) {
         boolean isUserIdentified = false;
         if (user != null) {
             // in 2 Factor Scenario where the user has already been identified
-            WebAuthnAuthenticatorsBean authenticators = new WebAuthnAuthenticatorsBean(context.getSession(), context.getRealm(), user, getCredentialType());
+            authenticators = new WebAuthnAuthenticatorsBean(context.getSession(), context.getRealm(), user, getCredentialType());
             if (authenticators.getAuthenticators().isEmpty()) {
                 // require the user to register webauthn authenticator
                 return;
@@ -119,7 +121,7 @@ public void action(AuthenticationFlowContext context) {
         // receive error from navigator.credentials.get()
         String errorMsgFromWebAuthnApi = params.getFirst(WebAuthnConstants.ERROR);
         if (errorMsgFromWebAuthnApi != null && !errorMsgFromWebAuthnApi.isEmpty()) {
-            setErrorResponse(context, ERR_WEBAUTHN_API_GET, errorMsgFromWebAuthnApi);
+            setErrorResponse(context, WEBAUTHN_ERROR_API_GET, errorMsgFromWebAuthnApi);
             return;
         }
 
@@ -154,7 +156,7 @@ public void action(AuthenticationFlowContext context) {
                     context.getEvent()
                         .detail("first_authenticated_user_id", firstAuthenticatedUserId)
                         .detail("web_authn_authenticator_authenticated_user_id", userId);
-                    setErrorResponse(context, ERR_DIFFERENT_USER_AUTHENTICATED, null);
+                    setErrorResponse(context, WEBAUTHN_ERROR_DIFFERENT_USER, null);
                     return;
                 }
             } else {
@@ -181,7 +183,7 @@ public void action(AuthenticationFlowContext context) {
         try {
             result = session.userCredentialManager().isValid(context.getRealm(), user, cred);
         } catch (WebAuthnException wae) {
-            setErrorResponse(context, ERR_WEBAUTHN_VERIFICATION_FAIL, wae.getMessage());
+            setErrorResponse(context, WEBAUTHN_ERROR_AUTH_VERIFICATION, wae.getMessage());
             return;
         }
         String encodedCredentialID = Base64Url.encode(credentialId);
@@ -197,7 +199,7 @@ public void action(AuthenticationFlowContext context) {
             context.getEvent()
                 .detail("web_authn_authenticated_user_id", userId)
                 .detail("public_key_credential_id", encodedCredentialID);
-            setErrorResponse(context, ERR_WEBAUTHN_AUTHENTICATED_USER_NOT_FOUND, null);
+            setErrorResponse(context, WEBAUTHN_ERROR_USER_NOT_FOUND, null);
             context.cancelLogin();
         }
     }
@@ -232,64 +234,62 @@ public WebAuthnCredentialProvider getCredentialProvider(KeycloakSession session)
 
     private static final String ERR_LABEL = "web_authn_authentication_error";
     private static final String ERR_DETAIL_LABEL = "web_authn_authentication_error_detail";
-    private static final String ERR_NO_AUTHENTICATORS_REGISTERED = "No WebAuthn Authenticator registered.";
-    private static final String ERR_WEBAUTHN_API_GET = "Failed to authenticate by the WebAuthn Authenticator";
-    private static final String ERR_DIFFERENT_USER_AUTHENTICATED = "First authenticated user is not the one authenticated by the WebAuthn authenticator.";
-    private static final String ERR_WEBAUTHN_VERIFICATION_FAIL = "WebAuthn Authentication result is invalid.";
-    private static final String ERR_WEBAUTHN_AUTHENTICATED_USER_NOT_FOUND = "Unknown user authenticated by the WebAuthn Authenticator";
 
     private void setErrorResponse(AuthenticationFlowContext context, final String errorCase, final String errorMessage) {
         Response errorResponse = null;
         switch (errorCase) {
-        case ERR_NO_AUTHENTICATORS_REGISTERED:
+        case WEBAUTHN_ERROR_REGISTRATION:
             logger.warn(errorCase);
             context.getEvent()
                 .detail(ERR_LABEL, errorCase)
                 .error(Errors.INVALID_USER_CREDENTIALS);
-            errorResponse = context.form()
-                .setError(errorCase)
-                .createErrorPage(Response.Status.BAD_REQUEST);
+            errorResponse = createErrorResponse(context, errorCase);
             context.failure(AuthenticationFlowError.INVALID_CREDENTIALS, errorResponse);
             break;
-        case ERR_WEBAUTHN_API_GET:
+        case WEBAUTHN_ERROR_API_GET:
             logger.warnv("error returned from navigator.credentials.get(). {0}", errorMessage);
             context.getEvent()
                 .detail(ERR_LABEL, errorCase)
                 .detail(ERR_DETAIL_LABEL, errorMessage)
                 .error(Errors.NOT_ALLOWED);
-            errorResponse = context.form()
-                .setError(errorCase)
-                .createErrorPage(Response.Status.BAD_REQUEST);
+            errorResponse = createErrorResponse(context, errorCase);
             context.failure(AuthenticationFlowError.INVALID_USER, errorResponse);
             break;
-        case ERR_DIFFERENT_USER_AUTHENTICATED:
+        case WEBAUTHN_ERROR_DIFFERENT_USER:
             logger.warn(errorCase);
             context.getEvent()
                 .detail(ERR_LABEL, errorCase)
                 .error(Errors.DIFFERENT_USER_AUTHENTICATED);
-            errorResponse = context.form()
-                .setError(errorCase)
-                .createErrorPage(Response.Status.BAD_REQUEST);
+            errorResponse = createErrorResponse(context, errorCase);
             context.failure(AuthenticationFlowError.USER_CONFLICT, errorResponse);
             break;
-        case ERR_WEBAUTHN_VERIFICATION_FAIL:
+        case WEBAUTHN_ERROR_AUTH_VERIFICATION:
             logger.warnv("WebAuthn API .get() response validation failure. {0}", errorMessage);
             context.getEvent()
                 .detail(ERR_LABEL, errorCase)
                 .detail(ERR_DETAIL_LABEL, errorMessage)
                 .error(Errors.INVALID_USER_CREDENTIALS);
-            errorResponse = context.form()
-                .setError(errorCase)
-                .createErrorPage(Response.Status.BAD_REQUEST);
+            errorResponse = createErrorResponse(context, errorCase);
             context.failure(AuthenticationFlowError.INVALID_USER, errorResponse);
             break;
-        case ERR_WEBAUTHN_AUTHENTICATED_USER_NOT_FOUND:
+        case WEBAUTHN_ERROR_USER_NOT_FOUND:
             logger.warn(errorCase);
-            context.getEvent().detail(ERR_LABEL, errorCase);
-            context.getEvent().error(Errors.USER_NOT_FOUND);
+            context.getEvent()
+                    .detail(ERR_LABEL, errorCase)
+                    .error(Errors.USER_NOT_FOUND);
+            errorResponse = createErrorResponse(context, errorCase);
+            context.failure(AuthenticationFlowError.UNKNOWN_USER, errorResponse);
             break;
         default:
                 // NOP
         }
     }
+
+    private Response createErrorResponse(AuthenticationFlowContext context, final String errorCase) {
+        LoginFormsProvider provider = context.form().setError(errorCase);
+        if (authenticators != null && authenticators.getAuthenticators() != null) {
+            provider.setAttribute(WebAuthnConstants.ALLOWED_AUTHENTICATORS, authenticators);
+        }
+        return provider.createWebAuthnErrorPage();
+    }
 }
@@ -64,17 +64,20 @@
 import com.webauthn4j.validator.attestation.statement.tpm.TPMAttestationStatementValidator;
 import com.webauthn4j.validator.attestation.statement.u2f.FIDOU2FAttestationStatementValidator;
 import com.webauthn4j.validator.attestation.trustworthiness.certpath.CertPathTrustworthinessValidator;
-import com.webauthn4j.validator.attestation.trustworthiness.certpath.NullCertPathTrustworthinessValidator;
 import com.webauthn4j.validator.attestation.trustworthiness.ecdaa.DefaultECDAATrustworthinessValidator;
 import com.webauthn4j.validator.attestation.trustworthiness.self.DefaultSelfAttestationTrustworthinessValidator;
 import org.keycloak.models.credential.WebAuthnCredentialModel;
 
+import static org.keycloak.services.messages.Messages.*;
+
 /**
  * Required action for register WebAuthn 2-factor credential for the user
  */
 public class WebAuthnRegister implements RequiredActionProvider, CredentialRegistrator {
 
+    private static final String WEB_AUTHN_TITLE_ATTR = "webAuthnTitle";
     private static final Logger logger = Logger.getLogger(WebAuthnRegister.class);
+
     private KeycloakSession session;
     private CertPathTrustworthinessValidator certPathtrustValidator;
 
@@ -167,7 +170,7 @@ public void processAction(RequiredActionContext context) {
         // receive error from navigator.credentials.create()
         String errorMsgFromWebAuthnApi = params.getFirst(WebAuthnConstants.ERROR);
         if (errorMsgFromWebAuthnApi != null && !errorMsgFromWebAuthnApi.isEmpty()) {
-            setErrorResponse(context, ERR_WEBAUTHN_API_CREATE, errorMsgFromWebAuthnApi);
+            setErrorResponse(context, WEBAUTHN_ERROR_REGISTER_VERIFICATION, errorMsgFromWebAuthnApi);
             return;
         }
 
@@ -218,11 +221,11 @@ public void processAction(RequiredActionContext context) {
             context.success();
         } catch (WebAuthnException wae) {
             if (logger.isDebugEnabled()) logger.debug(wae.getMessage(), wae);
-            setErrorResponse(context, ERR_WEBAUTHN_API_CREATE, wae.getMessage());
+            setErrorResponse(context, WEBAUTHN_ERROR_REGISTRATION, wae.getMessage());
             return;
         } catch (Exception e) {
             if (logger.isDebugEnabled()) logger.debug(e.getMessage(), e);
-            setErrorResponse(context, ERR_WEBAUTHN_API_CREATE, e.getMessage());
+            setErrorResponse(context, WEBAUTHN_ERROR_REGISTRATION, e.getMessage());
             return;
         }
     }
@@ -326,44 +329,35 @@ public void evaluateTriggers(RequiredActionContext context) {
 
     private static final String ERR_LABEL = "web_authn_registration_error";
     private static final String ERR_DETAIL_LABEL = "web_authn_registration_error_detail";
-    private static final String ERR_WEBAUTHN_API_CREATE = "Failed to authenticate by the WebAuthn Authenticator";
-    private static final String ERR_WEBAUTHN_VERIFICATION_FAIL = "WetAuthn Registration result is invalid.";
-    private static final String ERR_REGISTRATION_FAIL = "Failed to register your WebAuthn Authenticator.";
+    private static final String REGISTRATION_ATTR = "webAuthnRegistration";
 
     private void setErrorResponse(RequiredActionContext context, final String errorCase, final String errorMessage) {
         Response errorResponse = null;
         switch (errorCase) {
-        case ERR_WEBAUTHN_API_CREATE:
-            logger.warnv("error returned from navigator.credentials.create(). {0}", errorMessage);
-            context.getEvent()
-                .detail(ERR_LABEL, errorCase)
-                .detail(ERR_DETAIL_LABEL, errorMessage)
-                .error(Errors.NOT_ALLOWED);
-            errorResponse = context.form()
-                .setError(errorCase)
-                .createErrorPage(Response.Status.BAD_REQUEST);
-            context.challenge(errorResponse);
-            break;
-        case ERR_WEBAUTHN_VERIFICATION_FAIL:
+        case WEBAUTHN_ERROR_REGISTER_VERIFICATION:
             logger.warnv("WebAuthn API .create() response validation failure. {0}", errorMessage);
             context.getEvent()
                 .detail(ERR_LABEL, errorCase)
                 .detail(ERR_DETAIL_LABEL, errorMessage)
                 .error(Errors.INVALID_USER_CREDENTIALS);
             errorResponse = context.form()
                 .setError(errorCase)
-                .createErrorPage(Response.Status.BAD_REQUEST);
+                .setAttribute(WEB_AUTHN_TITLE_ATTR, WEBAUTHN_REGISTER_TITLE)
+                .setAttribute(REGISTRATION_ATTR,true)
+                .createWebAuthnErrorPage();
             context.challenge(errorResponse);
             break;
-        case ERR_REGISTRATION_FAIL:
+        case WEBAUTHN_ERROR_REGISTRATION:
             logger.warn(errorCase);
             context.getEvent()
                 .detail(ERR_LABEL, errorCase)
                 .detail(ERR_DETAIL_LABEL, errorMessage)
                 .error(Errors.INVALID_REGISTRATION);
             errorResponse = context.form()
                 .setError(errorCase)
-                .createErrorPage(Response.Status.BAD_REQUEST);
+                .setAttribute(WEB_AUTHN_TITLE_ATTR, WEBAUTHN_REGISTER_TITLE)
+                .setAttribute(REGISTRATION_ATTR,true)
+                .createWebAuthnErrorPage();
             context.challenge(errorResponse);
             break;
         default:
 
@@ -547,6 +547,11 @@ public Response createErrorPage(Response.Status status) {
         return createResponse(LoginFormsPages.ERROR);
     }
 
+    @Override
+    public Response createWebAuthnErrorPage() {
+        return createResponse(LoginFormsPages.ERROR_WEBAUTHN);
+    }
+
     @Override
     public Response createOAuthGrant() {
         return createResponse(LoginFormsPages.OAUTH_GRANT);
 
@@ -58,6 +58,8 @@ public static String getTemplate(LoginFormsPages page) {
                 return "info.ftl";
             case ERROR:
                 return "error.ftl";
+            case ERROR_WEBAUTHN:
+                return "webauthn-error.ftl";
             case LOGIN_UPDATE_PROFILE:
                 return "login-update-profile.ftl";
             case CODE:
 
@@ -240,4 +240,16 @@ public class Messages {
     public static final String DELEGATION_FAILED = "delegationFailedMessage";
     public static final String DELEGATION_FAILED_HEADER = "delegationFailedHeader";
 
+    // WebAuthn
+    public static final String WEBAUTHN_REGISTER_TITLE = "webauthn-registration-title";
+    public static final String WEBAUTHN_LOGIN_TITLE = "webauthn-login-title";
+    public static final String WEBAUTHN_ERROR_TITLE = "webauthn-error-title";
+
+    // WebAuthn Error
+    public static final String WEBAUTHN_ERROR_REGISTRATION = "webauthn-error-registration";
+    public static final String WEBAUTHN_ERROR_API_GET = "webauthn-error-api-get";
+    public static final String WEBAUTHN_ERROR_DIFFERENT_USER = "webauthn-error-different-user";
+    public static final String WEBAUTHN_ERROR_AUTH_VERIFICATION = "webauthn-error-auth-verification";
+    public static final String WEBAUTHN_ERROR_REGISTER_VERIFICATION = "webauthn-error-register-verification";
+    public static final String WEBAUTHN_ERROR_USER_NOT_FOUND = "webauthn-error-user-not-found";
 }
@@ -0,0 +1,36 @@
+package org.keycloak.testsuite.pages.webauthn;
+
+import org.keycloak.testsuite.pages.LanguageComboboxAwarePage;
+import org.openqa.selenium.By;
+import org.openqa.selenium.NoSuchElementException;
+import org.openqa.selenium.WebElement;
+import org.openqa.selenium.support.FindBy;
+
+/**
+ * @author <a href="mailto:[email protected]">Martin Bartos</a>
+ */
+public class WebAuthnErrorPage extends LanguageComboboxAwarePage {
+
+    @FindBy(id = "kc-try-again")
+    private WebElement tryAgainButton;
+    
+    public void clickTryAgain() {
+        tryAgainButton.click();
+    }
+
+    @Override
+    public boolean isCurrent() {
+        try {
+            driver.findElement(By.id("kc-try-again"));
+            driver.findElement(By.id("kc-error-credential-form"));
+            return true;
+        } catch (NoSuchElementException e) {
+            return false;
+        }
+    }
+
+    @Override
+    public void open() {
+        throw new UnsupportedOperationException();
+    }
+}
@@ -18,20 +18,12 @@
 package org.keycloak.testsuite.pages.webauthn;
 
 import org.keycloak.testsuite.pages.LanguageComboboxAwarePage;
-import org.openqa.selenium.By;
 
 /**
  * Page shown during WebAuthn login. Page is useful with Chrome testing API
  */
 public class WebAuthnLoginPage extends LanguageComboboxAwarePage {
 
-    // After click the button, the "navigator.credentials.get" will be called on the browser side, which should automatically
-    // login user with the chrome testing API
-    public void confirmWebAuthnLogin() {
-        driver.findElement(By.cssSelector("input[type=\"button\"]")).click();
-    }
-
-
     public boolean isCurrent() {
         return driver.getPageSource().contains("navigator.credentials.get");
     }
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ public enum LoginFormsPages {`
`24`	`24`
`25`	`25`	`LOGIN, LOGIN_USERNAME, LOGIN_PASSWORD, LOGIN_TOTP, LOGIN_CONFIG_TOTP, LOGIN_WEBAUTHN, LOGIN_VERIFY_EMAIL,`
`26`	`26`	`LOGIN_IDP_LINK_CONFIRM, LOGIN_IDP_LINK_EMAIL,`
`27`		`- OAUTH_GRANT, LOGIN_RESET_PASSWORD, LOGIN_UPDATE_PASSWORD, LOGIN_SELECT_AUTHENTICATOR, REGISTER, INFO, ERROR, LOGIN_UPDATE_PROFILE,`
	`27`	`+ OAUTH_GRANT, LOGIN_RESET_PASSWORD, LOGIN_UPDATE_PASSWORD, LOGIN_SELECT_AUTHENTICATOR, REGISTER, INFO, ERROR, ERROR_WEBAUTHN, LOGIN_UPDATE_PROFILE,`
`28`	`28`	`LOGIN_PAGE_EXPIRED, CODE, X509_CONFIRM, SAML_POST_FORM;`
`29`	`29`
`30`	`30`	`}`