Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License

[Keycloak] Customizable Password Error Validator #1265

Closed kenjikikuchi closed 6 months ago

kenjikikuchi commented 6 months ago

Hello awesome team and contributors,

Thank you for developing and maintaining saml2aws! I have a minor request for the Keycloak module.

Request

Could you please add 2 new parameters below to handle non-English authentication error messages in the Keycloak passwordValid() function? They should keep the current hardcoded values as their default, and only non-English system users will tweak the new parameters in ~/.saml2aws.

$ view pkg/provider/keycloak/keycloak.go +358
...
358 func passwordValid(doc *goquery.Document) bool {
359         var valid = true
360 ---     doc.Find("span#input-error").Each(func(i int, s *goquery.Selection) {
360 +++     doc.Find(kc_auth_error_element).Each(func(i int, s *goquery.Selection) {
361                 text := s.Text()
362 ---             if strings.Contains(text, "Invalid username or password.") {
362 +++             if strings.Contains(text, kc_auth_error_message) {
363                         valid = false
364                         return
365                 }
366         })
367         return valid
368 }
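Review bot: the replacement identifiers `kc_auth_error_element` and `kc_auth_error_message` on the two `+++` lines are snake_case, which is not idiomatic Go; name them in camelCase and pass them in through the Keycloak provider's configuration rather than as package-level globals, so the defaults `span#input-error` and `Invalid username or password.` stay in effect unless a user overrides them. A single configured message also remains brittle: a slice of accepted messages (English default plus the localised variant) lets `strings.Contains` recognise both without the user having to replace the default.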

Background

Since I use Japanese authentication systems, I get Japanese error messages when I mistype my password. However, the current passwordValid() function only checks the English message hardcoded in the function. The passwordValid() function returns "true" for any non-English authentication error messages, and then the doAuthenticate() function enters into recursive loops and keeps authenticating with the wrong password I mistyped.

107        if err != nil && authCtx.authenticatorIndexValid && passwordValid(doc) {
108                 return kc.doAuthenticate(authCtx, loginDetails)
109         }

My repeated error requests were mistaken for a DoS attack before.

Related Issue

https://github.com/Versent/saml2aws/issues/948

Please take a look at this issue. Thank you.
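The shape of the requested change, as an added example that is not saml2aws' own code: the English default stays in place, a user of a localised Keycloak adds their own message, and the retry around authentication is bounded so an unrecognised error text can no longer turn into the endless loop of failed logins described above. A regexp stands in for goquery so the example runs on the standard library alone; the config keys and the Japanese error string in the test are assumptions, not real Keycloak values.

```go
package main

import (
	"html"
	"regexp"
	"strings"
)

// ErrorMatcher holds the configurable element id and the accepted error strings.
type ErrorMatcher struct {
	ElementID string
	Messages  []string
}

// Defaults mirror the values hardcoded in saml2aws' passwordValid(); a user of a
// localised Keycloak would extend Messages from ~/.saml2aws (config key assumed).
var Defaults = ErrorMatcher{ElementID: "input-error", Messages: []string{"Invalid username or password."}}

var tagRE = regexp.MustCompile(`<[^>]+>`)

// PasswordValid returns false when the page carries a configured message inside
// <span id="..."> (a regexp stands in for goquery so this runs on stdlib only).
func (m ErrorMatcher) PasswordValid(page string) bool {
	spanRE := regexp.MustCompile(`(?is)<span[^>]*\bid="` + regexp.QuoteMeta(m.ElementID) + `"[^>]*>(.*?)</span>`)
	for _, match := range spanRE.FindAllStringSubmatch(page, -1) {
		text := html.UnescapeString(tagRE.ReplaceAllString(match[1], ""))
		for _, msg := range m.Messages {
			if strings.Contains(text, msg) {
				return false
			}
		}
	}
	return true
}

// Authenticate mirrors the doAuthenticate retry but bounds it: even when the error
// text is unrecognised it stops after maxAttempts, so a mistyped password on a
// localised IdP cannot become an endless stream of failed logins.
func Authenticate(attempt func() (string, error), m ErrorMatcher, maxAttempts int) (bool, int) {
	for attempts := 1; attempts <= maxAttempts; attempts++ {
		page, err := attempt()
		if err == nil {
			return true, attempts
		}
		if !m.PasswordValid(page) {
			return false, attempts // recognised credential error: stop and re-prompt
		}
	}
	return false, maxAttempts
}
```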

mapkon commented 6 months ago

@kenjikikuchi Can you submit a PR?

kenjikikuchi commented 6 months ago

Thank you for the opportunity to contribute to saml2aws! On it!

kenjikikuchi commented 6 months ago

@mapkon PR was sent. Please take a look. Thank you.