Use a new exception for IdP unconfirmed account

cas-server-support-osf/src/main/java/io/cos/cas/adaptors/postgres/handlers/OpenScienceFrameworkAuthenticationHandler.java

@@ -28,6 +28,7 @@
 import io.cos.cas.authentication.OneTimePasswordRequiredException;
 import io.cos.cas.authentication.OpenScienceFrameworkCredential;
 import io.cos.cas.authentication.ShouldNotHappenException;
+import io.cos.cas.authentication.exceptions.AccountNotConfirmedIdPLoginException;
 import io.cos.cas.authentication.oath.TotpUtils;
 
 import org.jasig.cas.authentication.AccountDisabledException;
@@ -187,9 +188,11 @@ protected final HandlerResult authenticateInternal(final OpenScienceFrameworkCre
         }
 
         // Check user's status, and only ACTIVE user can sign in
-        if (USER_NOT_CONFIRMED_OSF.equals(userStatus) || USER_NOT_CONFIRMED_IDP.equals(userStatus)) {
+        if (USER_NOT_CONFIRMED_OSF.equals(userStatus)) {
             throw new LoginNotAllowedException(username + " is registered but not confirmed");
-        } else if (USER_DISABLED.equals(userStatus)) {
+        } else if (USER_NOT_CONFIRMED_IDP.equals(userStatus)) {
+            throw new AccountNotConfirmedIdPLoginException(username + " is registered via external IdP but not confirmed ");
+        }  else if (USER_DISABLED.equals(userStatus)) {
             throw new AccountDisabledException(username + " is disabled");
         } else if (USER_NOT_CLAIMED.equals(userStatus)) {
             throw new ShouldNotHappenException(username + " is not claimed");

cas-server-support-osf/src/main/java/io/cos/cas/authentication/exceptions/AccountNotConfirmedIdPLoginException.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2020. Center for Open Science
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.cos.cas.authentication.exceptions;
+
+import javax.security.auth.login.AccountException;
+
+/**
+ * Describes an error condition where authentication occurs from an unconfirmed account created by external identity
+ * provider (IdP) login. This exception only applies to IdPs that require user email confirmation. Currently, there
+ * is only one: ORCiD. Institution IdPs do not require user email confirmation.
+ *
+ * @author Longze Chen
+ * @since 20.0.0
+ */
+public class AccountNotConfirmedIdPLoginException extends AccountException {
+
+    private static final long serialVersionUID = 2165106893184566462L;
+
+    /** Instantiates a new exception (default). */
+    public AccountNotConfirmedIdPLoginException() {
+        super();
+    }
+
+    /**
+     * Instantiates a new exception with a given message.
+     *
+     * @param message the message
+     */
+    public AccountNotConfirmedIdPLoginException(final String message) {
+        super(message);
+    }
+}

cas-server-support-osf/src/main/java/io/cos/cas/web/flow/OpenScienceFrameworkAuthenticationExceptionHandler.java

@@ -20,6 +20,7 @@
 import java.util.List;
 import java.util.Set;
 
+import io.cos.cas.authentication.exceptions.AccountNotConfirmedIdPLoginException;
 import io.cos.cas.authentication.exceptions.CasClientLoginException;
 import io.cos.cas.authentication.exceptions.DelegatedLoginException;
 import io.cos.cas.authentication.exceptions.OrcidClientLoginException;
@@ -81,6 +82,7 @@ public class OpenScienceFrameworkAuthenticationExceptionHandler extends Authenti
     static {
         DEFAULT_ERROR_LIST.add(InvalidVerificationKeyException.class);
         DEFAULT_ERROR_LIST.add(LoginNotAllowedException.class);
+        DEFAULT_ERROR_LIST.add(AccountNotConfirmedIdPLoginException.class);
         DEFAULT_ERROR_LIST.add(ShouldNotHappenException.class);
         DEFAULT_ERROR_LIST.add(RemoteUserFailedLoginException.class);
         DEFAULT_ERROR_LIST.add(OneTimePasswordFailedLoginException.class);

cas-server-webapp/src/main/resources/messages.properties

@@ -146,6 +146,8 @@ screen.badworkstation.message=Please contact <a style="white-space: nowrap" href
 # OSF Login Failure Pages
 screen.loginnotallowed.heading=Account not confirmed
 screen.loginnotallowed.message=The OSF account associated with the email has been registered but not confirmed.  Please check your email (and spam folder) or click the button below to resend your confirmation email.
+screen.accountnotconfirmed.idplogin.heading=Account not confirmed
+screen.accountnotconfirmed.idplogin.message=The OSF account associated with the email has been registered but not confirmed. Our records show that this account was created via ORCiD login. Please check your email (and spam folder) for the confirmation link. If you believe this should not happen, please contact <a style="white-space: nowrap" href="mailto:[email protected]">OSF Support</a>.
 screen.loginnotallowed.button.resendConfirmation=Resend confirmation email
 screen.accountdisabled.heading=Account disabled
 screen.accountdisabled.message=The OSF account associated with the email has been disabled.  Please contact <a style="white-space: nowrap" href="mailto:[email protected]">OSF Support</a> to regain access.

cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/default/ui/casAccountNotConfirmedIdPLoginView.jsp

@@ -0,0 +1,41 @@
+<%--
+
+    Copyright (c) 2020. Center for Open Science
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+--%>
+
+<%-- Login exception page: account created via external IdP login but not confirmed --%>
+
+<jsp:directive.include file="includes/top.jsp"/>
+
+<div id="msg" class="errors">
+    <h2><spring:message code="screen.accountnotconfirmed.idplogin.heading"/></h2>
+    <p><spring:message code="screen.accountnotconfirmed.idplogin.message"/></p>
+</div>
+
+<spring:message code="screen.osf.login.message.error" var="errorDescription"/>
+<script>
+    description = document.getElementById("description");
+    if (description != null) {
+        description.innerHTML = "<br><br>${errorDescription}";
+    }
+</script>
+
+<c:set var="linkSignIn" value="true"/>
+<c:set var="linkSignOut" value="false"/>
+<c:set var="linkCreateAccount" value="true"/>
+<c:set var="linkBackToOsf" value="true"/>
+
+<jsp:directive.include file="includes/bottom.jsp"/>

cas-server-webapp/src/main/webapp/WEB-INF/webflow/login/login-webflow.xml

@@ -205,6 +205,7 @@
         <!-- Customized exceptions for OSF -->
         <transition on="InvalidVerificationKeyException" to="casInvalidVerificationKeyView" />
         <transition on="LoginNotAllowedException" to="casLoginNotAllowedView" />
+        <transition on="AccountNotConfirmedIdPLoginException" to="casAccountNotConfirmedIdPLoginView" />
         <transition on="ShouldNotHappenException" to="casShouldNotHappenView" />
         <transition on="RemoteUserFailedLoginException" to="casRemoteUserFailedLoginView" />
         <transition on="OneTimePasswordRequiredException" to="casOtpLoginView"/>
@@ -283,6 +284,7 @@
     <end-state id="casBadHoursView" view="casBadHoursView"/>
     <end-state id="casBadWorkstationView" view="casBadWorkstationView"/>
     <end-state id="casLoginNotAllowedView" view="casLoginNotAllowedView" />
+    <end-state id="casAccountNotConfirmedIdPLoginView" view="casAccountNotConfirmedIdPLoginView" />
     <end-state id="casShouldNotHappenView" view="casShouldNotHappenView" />
     <end-state id="casRemoteUserFailedLoginView" view="casRemoteUserFailedLoginView" />
     <end-state id="casInvalidVerificationKeyView" view="casInvalidVerificationKeyView" />