VERIFY_EMAIL as supported Application Initiated Action

Closes #25154

Signed-off-by: Alexander Schwartz <[email protected]>

Author: ahus1

docs/documentation/server_admin/topics/users/con-aia.adoc

@@ -47,7 +47,7 @@ the client can  still request re-authentication when some AIA is requested. Exce
 
 * The action `delete_account` will always require the user to actively re-authenticate
 
-* The action `update_password` might require the user to actively re-authenticate according to the configured <<maximum-authentication-age,Maximum Authentication Age Password policy>>.
+* The action `UPDATE_PASSWORD` might require the user to actively re-authenticate according to the configured <<maximum-authentication-age,Maximum Authentication Age Password policy>>.
 In case the policy is not configured, it is also possible to configure it on the required action itself in the <<proc-setting-default-required-actions_{context}, Required actions tab>>
 when configuring the particular required action. If the policy is not configured in any of those places, it defaults to five minutes.
 
@@ -65,7 +65,7 @@ In the same manner, deleting an existing 2nd-factor credential (`otp` or `webaut
 
 Some AIA can require the parameter to be sent together with the action name. For instance, the `Delete Credential` action can be triggered only by AIA and it requires a parameter to be sent together with the name
 of the action, which points to the ID of the removed credential. So the URL for this example would be `kc_action=delete_credential:ce1008ac-f811-427f-825a-c0b878d1c24b`. In this case, the
-part after the colon character (`ce1008ac-f811-427f-825a-c0b878d1c24b`) contains the ID of the credential of the particular user, which is to be deleted. The `Delete Credential` action 
+part after the colon character (`ce1008ac-f811-427f-825a-c0b878d1c24b`) contains the ID of the credential of the particular user, which is to be deleted. The `Delete Credential` action
 displays the confirmation screen where the user can confirm agreement to delete the credential.
 
 NOTE: The <<_account-service,{project_name} Account Console>> typically uses the `Delete Credential` action when deleting a 2nd-factor credential.  You can check the Account Console for examples if you want

services/src/main/java/org/keycloak/authentication/requiredactions/VerifyEmail.java

@@ -24,6 +24,7 @@
 import org.jboss.logging.Logger;
 import org.keycloak.Config;
 import org.keycloak.authentication.AuthenticationProcessor;
+import org.keycloak.authentication.InitiatedActionSupport;
 import org.keycloak.authentication.RequiredActionContext;
 import org.keycloak.authentication.RequiredActionFactory;
 import org.keycloak.authentication.RequiredActionProvider;
@@ -64,8 +65,18 @@ public void evaluateTriggers(RequiredActionContext context) {
             logger.debug("User is required to verify email");
         }
     }
+
+    @Override
+    public InitiatedActionSupport initiatedActionSupport() {
+        return InitiatedActionSupport.SUPPORTED;
+    }
+
     @Override
     public void requiredActionChallenge(RequiredActionContext context) {
+        process(context, true);
+    }
+
+    public void process(RequiredActionContext context, boolean isChallenge) {
         AuthenticationSessionModel authSession = context.getAuthenticationSession();
 
         if (context.getUser().isEmailVerified()) {
@@ -81,11 +92,12 @@ public void requiredActionChallenge(RequiredActionContext context) {
         }
 
         LoginFormsProvider loginFormsProvider = context.form();
+        loginFormsProvider.setAuthenticationSession(context.getAuthenticationSession());
         Response challenge;
         authSession.setClientNote(AuthorizationEndpointBase.APP_INITIATED_FLOW, null);
 
         // Do not allow resending e-mail by simple page refresh, i.e. when e-mail sent, it should be resent properly via email-verification endpoint
-        if (! Objects.equals(authSession.getAuthNote(Constants.VERIFY_EMAIL_KEY), email)) {
+        if (!Objects.equals(authSession.getAuthNote(Constants.VERIFY_EMAIL_KEY), email) && !(isCurrentActionTriggeredFromAIA(context) && isChallenge)) {
             authSession.setAuthNote(Constants.VERIFY_EMAIL_KEY, email);
             EventBuilder event = context.getEvent().clone().event(EventType.SEND_VERIFY_EMAIL).detail(Details.EMAIL, email);
             challenge = sendVerifyEmail(context, event);
@@ -96,6 +108,9 @@ public void requiredActionChallenge(RequiredActionContext context) {
         context.challenge(challenge);
     }
 
+    private boolean isCurrentActionTriggeredFromAIA(RequiredActionContext context) {
+        return Objects.equals(context.getAuthenticationSession().getClientNote(Constants.KC_ACTION), getId());
+    }
 
     @Override
     public void processAction(RequiredActionContext context) {
@@ -104,7 +119,7 @@ public void processAction(RequiredActionContext context) {
         // This will allow user to re-send email again
         context.getAuthenticationSession().removeAuthNote(Constants.VERIFY_EMAIL_KEY);
 
-        requiredActionChallenge(context);
+        process(context, false);
     }
 
 

services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java

@@ -196,6 +196,9 @@ public Response createResponse(UserModel.RequiredAction action) {
             case VERIFY_EMAIL:
                 UpdateProfileContext userBasedContext1 = new UserUpdateProfileContext(realm, user);
                 attributes.put("user", new ProfileBean(userBasedContext1, formData));
+                if (authenticationSession.getAuthNote(Constants.VERIFY_EMAIL_KEY) != null) {
+                    attributes.put("verifyEmail", authenticationSession.getAuthNote(Constants.VERIFY_EMAIL_KEY));
+                }
                 actionMessage = Messages.VERIFY_EMAIL;
                 page = LoginFormsPages.LOGIN_VERIFY_EMAIL;
                 break;

testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/VerifyEmailPage.java

@@ -33,6 +33,9 @@ public class VerifyEmailPage extends AbstractPage {
     @FindBy(linkText = "Click here")
     private WebElement resendEmailLink;
 
+    @FindBy(name = "cancel-aia")
+    private WebElement cancelAIAButton;
+
     @Override
     public void open() {
     }
@@ -49,4 +52,8 @@ public String getResendEmailLink() {
         return resendEmailLink.getAttribute("href");
     }
 
+    public void cancel() {
+        cancelAIAButton.click();
+    }
+
 }

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/AppInitiatedActionTest.java

@@ -29,7 +29,7 @@
 import org.keycloak.testsuite.AssertEvents;
 import org.keycloak.testsuite.pages.AppPage;
 import org.keycloak.testsuite.pages.LoginPage;
-import org.keycloak.testsuite.pages.VerifyEmailPage;
+import org.keycloak.testsuite.pages.TermsAndConditionsPage;
 import org.keycloak.testsuite.updaters.UserAttributeUpdater;
 import org.keycloak.testsuite.util.GreenMailRule;
 
@@ -58,7 +58,7 @@ public void configureTestRealm(RealmRepresentation testRealm) {
     protected LoginPage loginPage;
 
     @Page
-    protected VerifyEmailPage verifyEmailPage;
+    protected TermsAndConditionsPage termsAndConditionsPage;
 
     @Test
     public void executeUnknownAction() {
@@ -106,17 +106,19 @@ public void executeDisabledAction() {
     }
 
     @Test
-    public void executeActionWithVerifyEmailUnsupportedAIA() throws IOException {
+    public void executeActionWithTermsAndConditionsUnsupportedAIA() throws IOException {
         RealmResource realm = testRealm();
-        RequiredActionProviderRepresentation model = realm.flows().getRequiredAction(UserModel.RequiredAction.VERIFY_EMAIL.name());
-        int prevPriority = model.getPriority();
+        RequiredActionProviderRepresentation termsAndConditions = realm.flows().getRequiredAction(TermsAndConditions.PROVIDER_ID);
+        int prevPriority = termsAndConditions.getPriority();
+        boolean prevEnabled = termsAndConditions.isEnabled();
 
         try (UserAttributeUpdater userUpdater = UserAttributeUpdater
                 .forUserByUsername(realm, "test-user@localhost")
-                .setRequiredActions(UserModel.RequiredAction.VERIFY_EMAIL).update()) {
-            // Set max priority for verify email (AIA not supported) to be executed before update password
-            model.setPriority(1);
-            realm.flows().updateRequiredAction(UserModel.RequiredAction.VERIFY_EMAIL.name(), model);
+                .setRequiredActions(UserModel.RequiredAction.TERMS_AND_CONDITIONS).update()) {
+            // Set max priority for terms and conditions (AIA not supported) to be executed before update password
+            termsAndConditions.setPriority(1);
+            termsAndConditions.setEnabled(true);
+            realm.flows().updateRequiredAction(TermsAndConditions.PROVIDER_ID, termsAndConditions);
 
             oauth.kcAction(UserModel.RequiredAction.UPDATE_PASSWORD.name()).openLoginForm();
             loginPage.login("test-user@localhost", "password");
@@ -125,11 +127,12 @@ public void executeActionWithVerifyEmailUnsupportedAIA() throws IOException {
             passwordUpdatePage.assertCurrent();
             passwordUpdatePage.changePassword("password", "password");
 
-            // once the AIA password is executed the verify profile should be displayed for the login
-            verifyEmailPage.assertCurrent();
+            // once the AIA password is executed the terms and conditions should be displayed for the login
+            termsAndConditionsPage.assertCurrent();
         } finally {
-            model.setPriority(prevPriority);
-            realm.flows().updateRequiredAction(UserModel.RequiredAction.VERIFY_EMAIL.name(), model);
+            termsAndConditions.setPriority(prevPriority);
+            termsAndConditions.setEnabled(prevEnabled);
+            realm.flows().updateRequiredAction(TermsAndConditions.PROVIDER_ID, termsAndConditions);
         }
     }
 }

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/AppInitiatedActionVerifyEmailTest.java

@@ -0,0 +1,87 @@
+/*
+ * Copyright 2019 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.testsuite.actions;
+
+import org.jboss.arquillian.graphene.page.Page;
+import org.junit.Before;
+import org.junit.Test;
+import org.keycloak.models.UserModel;
+import org.keycloak.representations.idm.RealmRepresentation;
+import org.keycloak.representations.idm.UserRepresentation;
+import org.keycloak.testsuite.admin.ApiUtil;
+import org.keycloak.testsuite.pages.ErrorPage;
+import org.keycloak.testsuite.pages.VerifyEmailPage;
+import org.keycloak.testsuite.util.UserBuilder;
+
+/**
+ * Only covers basic use cases for App Initialized actions. Complete dynamic user profile behavior is tested in {@link RequiredActionUpdateProfileWithUserProfileTest} as it shares same code as the App initialized action.
+ *
+ * @author Stan Silvert
+ */
+public class AppInitiatedActionVerifyEmailTest extends AbstractAppInitiatedActionTest {
+
+    @Override
+    public String getAiaAction() {
+        return UserModel.RequiredAction.VERIFY_EMAIL.name();
+    }
+    
+    @Page
+    protected VerifyEmailPage verifyEmailPage;
+
+    @Page
+    protected ErrorPage errorPage;
+    
+    @Override
+    public void configureTestRealm(RealmRepresentation testRealm) {
+    }
+
+    @Before
+    public void beforeTest() {
+        ApiUtil.removeUserByUsername(testRealm(), "test-user@localhost");
+        UserRepresentation user = UserBuilder.create().enabled(true)
+                .username("test-user@localhost")
+                .email("test-user@localhost")
+                .firstName("Tom")
+                .lastName("Brady")
+                .build();
+        ApiUtil.createUserAndResetPasswordWithAdminClient(testRealm(), user, "password");
+    }
+  
+    @Test
+    public void sendVerifyEmail() {
+        doAIA();
+
+        loginPage.login("test-user@localhost", "password");
+        
+        verifyEmailPage.assertCurrent();
+
+    }
+    
+    @Test
+    public void cancelUpdateProfile() {
+        doAIA();
+
+        loginPage.login("test-user@localhost", "password");
+        
+        verifyEmailPage.assertCurrent();
+        verifyEmailPage.cancel();
+
+        assertKcActionStatus(CANCELLED);
+
+    }
+
+}

themes/src/main/resources/theme/base/login/login-verify-email.ftl

@@ -3,12 +3,34 @@
     <#if section = "header">
         ${msg("emailVerifyTitle")}
     <#elseif section = "form">
-        <p class="instruction">${msg("emailVerifyInstruction1",user.email)}</p> 
-    <#elseif section = "info">
         <p class="instruction">
-            ${msg("emailVerifyInstruction2")}
-            <br/>
-            <a href="${url.loginAction}">${msg("doClickHere")}</a> ${msg("emailVerifyInstruction3")}
+            <#if verifyEmail??>
+                ${msg("emailVerifyInstruction1",verifyEmail)}
+            <#else>
+                ${msg("emailVerifyInstruction4",user.email)}
+            </#if>
         </p>
+        <#if isAppInitiatedAction??>
+            <form id="kc-verify-email-form" class="${properties.kcFormClass!}" action="${url.loginAction}" method="post">
+                <div class="${properties.kcFormGroupClass!}">
+                    <div id="kc-form-buttons" class="${properties.kcFormButtonsClass!}">
+                        <#if verifyEmail??>
+                            <input class="${properties.kcButtonClass!} ${properties.kcButtonDefaultClass!} ${properties.kcButtonLargeClass!}" type="submit" value="${msg("emailVerifyResend")}" />
+                        <#else>
+                            <input class="${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!} ${properties.kcButtonLargeClass!}" type="submit" value="${msg("emailVerifySend")}" />
+                        </#if>
+                        <button class="${properties.kcButtonClass!} ${properties.kcButtonDefaultClass!} ${properties.kcButtonLargeClass!}" type="submit" name="cancel-aia" value="true" formnovalidate/>${msg("doCancel")}</button>
+                    </div>
+                </div>
+            </form>
+        </#if>
+    <#elseif section = "info">
+        <#if !isAppInitiatedAction??>
+            <p class="instruction">
+                ${msg("emailVerifyInstruction2")}
+                <br/>
+                <a href="${url.loginAction}">${msg("doClickHere")}</a> ${msg("emailVerifyInstruction3")}
+            </p>
+        </#if>
     </#if>
 </@layout.registrationLayout>

themes/src/main/resources/theme/base/login/messages/messages_en.properties

@@ -168,6 +168,9 @@ oauth2DeviceAuthorizationGrantDisabledMessage=Client is not allowed to initiate
 emailVerifyInstruction1=An email with instructions to verify your email address has been sent to your address {0}.
 emailVerifyInstruction2=Haven''t received a verification code in your email?
 emailVerifyInstruction3=to re-send the email.
+emailVerifyInstruction4=To verify your email address, we are about to send you email with instructions to the address {0}.
+emailVerifyResend=Re-send verification email
+emailVerifySend=Send verification email
 
 emailLinkIdpTitle=Link {0}
 emailLinkIdp1=An email with instructions to link {0} account {1} with your {2} account has been sent to you.

themes/src/main/resources/theme/keycloak.v2/login/resources/css/styles.css

@@ -79,6 +79,11 @@ div.kc-logo-text span {
     overflow-wrap: break-word
 }
 
+#kc-verify-email-form {
+    margin-top: 24px;
+    margin-bottom: 24px;
+}
+
 #kc-header-wrapper {
     font-size: 29px;
     text-transform: uppercase;