Should different user authenticated be a server error? #8557

alechenninger · 2021-10-10T20:48:50Z

alechenninger
Oct 10, 2021

I was investigating a 500 error in our server logs and came across this one. From what I can tell, this is semantically in the "bad request" category and not an internal server error (there is no bug or operational problem for me to fix).

In AuthenticationProcessor:

                // We have existing userSession even if it wasn't attached to authenticator. Could happen if SSO authentication was ignored (eg. prompt=login) and in some other cases.
                // We need to handle case when different user was used
                logger.debugf("No SSO login, but found existing userSession with ID '%s' after finished authentication.", userSession.getId());
                if (!authSession.getAuthenticatedUser().equals(userSession.getUser())) {
                    event.detail(Details.EXISTING_USER, userSession.getUser().getId());
                    event.error(Errors.DIFFERENT_USER_AUTHENTICATED);
                    throw new ErrorPageException(session, authSession, Response.Status.INTERNAL_SERVER_ERROR, Messages.DIFFERENT_USER_AUTHENTICATED, userSession.getUser().getUsername());
                }

I traced this back to https://issues.redhat.com/browse/KEYCLOAK-5567 and I wonder if this one was just a mistake as the issue is about errors which should be 4xx errors and all the other errors changed in that PR (with one exception that isn't in the code base anymore) were changed to be 4xx errors.

Is there a reason to keep this as an internal server error, or is there a reason not to change this to BAD_REQUEST?

I'll happily submit a small PR if this sounds appropriate. Thanks!

alechenninger · 2021-10-18T16:00:10Z

alechenninger
Oct 18, 2021
Author

I opened a PR for it #8603

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Should different user authenticated be a server error? #8557

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Should different user authenticated be a server error? #8557

Uh oh!

Uh oh!

alechenninger Oct 10, 2021

Replies: 1 comment

Uh oh!

alechenninger Oct 18, 2021 Author

alechenninger
Oct 10, 2021

alechenninger
Oct 18, 2021
Author