When I use the option:
oidc.groups.allowed=foo
and the user is not in the group, then an exception is logged and the user sees an "HTTP Status 500 – Internal Server Error" error message.
Exception:
2025-06-06T08:14:37+0200 server[1961672]:
org.xwiki.contrib.oidc.provider.internal.OIDCException: The user is not allowed to authenticate because it's not a member of the following groups: [foo]
2025-06-06T08:14:37+0200 server[1961672]: at org.xwiki.contrib.oidc.auth.internal.OIDCUserManager.checkAllowedGroups(OIDCUserManager.java:257)
2025-06-06T08:14:37+0200 server[1961672]: at org.xwiki.contrib.oidc.auth.internal.OIDCUserManager.updateUser(OIDCUserManager.java:331)
2025-06-06T08:14:37+0200 server[1961672]: at org.xwiki.contrib.oidc.auth.internal.endpoint.CallbackOIDCEndpoint.handle(CallbackOIDCEndpoint.java:249)
2025-06-06T08:14:37+0200 server[1961672]: at org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:138)
2025-06-06T08:14:37+0200 server[1961672]: at org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:110)
2025-06-06T08:14:37+0200 server[1961672]: at org.xwiki.resource.internal.DefaultResourceReferenceHandlerChain.handleNext(DefaultResourceReferenceHandlerChain.java:79)
2025-06-06T08:14:37+0200 server[1961672]: at org.xwiki.resource.internal.AbstractResourceReferenceHandlerManager.handle(AbstractResourceReferenceHandlerManager.java:82)
2025-06-06T08:14:37+0200 server[1961672]: at org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:159)
2025-06-06T08:14:37+0200 server[1961672]: at org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:87)
2025-06-06T08:14:37+0200 server[1961672]: at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154)
2025-06-06T08:14:37+0200 server[1961672]: at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:179)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:661)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:425)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:330)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:294)
2025-06-06T08:14:37+0200 server[1961672]: at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:145)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:179)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154)
2025-06-06T08:14:37+0200 server[1961672]: at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:179)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154)
2025-06-06T08:14:37+0200 server[1961672]: at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:117)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:179)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:424)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1786)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
2025-06-06T08:14:37+0200 server[1961672]: at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
2025-06-06T08:14:37+0200 server[1961672]: at java.base/java.lang.Thread.run(Thread.java:840)
I think it would be better if the user saw a normal error message.
But the second and security-relevant error is the fact that the session created on the IDP is not removed. So the user will be logged in to all applications in the realm (on Keycloak) or all applications (on Microsoft ADFS) without any notification. So there must be an option which can force a logout on the IDP in this case. (This must be an option, because not all scenarios require it.)
Thanks
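One way a relying party could handle this denial, as an added example (Python, written for this page; it is not XWiki's or the OIDC extension's code): the group check produces a 403 with a plain message instead of an unhandled exception, and an optional setting sends the browser to the IdP's end_session_endpoint (OpenID Connect RP-Initiated Logout) with id_token_hint so the IdP session is terminated as well. The discovery document, the option names, the URLs and the user/group data are all constructed for the example; the only things taken from the OIDC specs are the end_session_endpoint discovery key and the id_token_hint, post_logout_redirect_uri and state parameters.

```python
"""
Hypothetical relying-party (RP) callback handling for the failure mode in the
report above: the user authenticated at the IdP but is not in an allowed group.
Instead of letting the exception surface as HTTP 500, the RP answers 403 and,
if 'logout_idp_on_denied' is set, redirects to the IdP's end_session_endpoint
so the IdP session does not survive the denial.
"""
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed stand-in for the IdP's /.well-known/openid-configuration document.
DISCOVERY = {
    "issuer": "https://idp.example/realms/demo",
    "end_session_endpoint": "https://idp.example/realms/demo/protocol/openid-connect/logout",
}


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def check_allowed_groups(user_groups, allowed_groups):
    """True if no group restriction is configured or the user is in at least one allowed group."""
    if not allowed_groups:
        return True
    return bool(set(user_groups) & set(allowed_groups))


def build_end_session_url(discovery, id_token, post_logout_redirect_uri, state):
    """RP-initiated logout URL, or None if the IdP advertises no end_session_endpoint."""
    endpoint = discovery.get("end_session_endpoint")
    if not endpoint:
        return None
    params = {
        "id_token_hint": id_token,                       # tells the IdP which session to end
        "post_logout_redirect_uri": post_logout_redirect_uri,  # must be registered at the IdP
        "state": state,                                  # echoed back to correlate the return
    }
    return f"{endpoint}?{urlencode(params)}"


def handle_callback(user_groups, allowed_groups, id_token, config, discovery=DISCOVERY):
    """Decide what the RP returns after the IdP callback. 'config' is a hypothetical RP setting map."""
    if check_allowed_groups(user_groups, allowed_groups):
        return Response(200, "authenticated")

    # Generic denial for the browser; the allowed group names stay in the server log only.
    denial = "Access denied: your account is not a member of a group permitted to sign in here."
    if not config.get("logout_idp_on_denied", False):
        return Response(403, denial)

    url = build_end_session_url(
        discovery, id_token, config["post_logout_redirect_uri"], config["state"]
    )
    if url is None:
        # Cannot end the IdP session: say so instead of silently leaving it active.
        return Response(403, denial + " Note: the identity provider offers no logout endpoint, "
                                      "so its session is still active.")
    # 303 so the browser performs the logout; the denial text is shown on the
    # post_logout_redirect_uri page after the IdP returns.
    return Response(303, denial, {"Location": url})


def logout_params(url):
    """Helper for inspecting a built logout URL: path plus single-valued query parameters."""
    parsed = urlparse(url)
    return parsed.path, {k: v[0] for k, v in parse_qs(parsed.query).items()}


if __name__ == "__main__":
    cfg = {"logout_idp_on_denied": True,
           "post_logout_redirect_uri": "https://wiki.example/denied",
           "state": "c0ffee"}
    r = handle_callback(["bar"], ["foo"], "eyJ...idtoken", cfg)
    print(r.status, r.headers.get("Location"))
```

With logout_idp_on_denied unset the behaviour is the first half of the report's wish (a normal 403 instead of a 500); with it set, the denied user is also sent through the IdP logout so no SSO session for other applications in the realm remains behind.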