diff --git a/services/src/main/java/org/keycloak/services/resources/account/LinkedAccountsResource.java b/services/src/main/java/org/keycloak/services/resources/account/LinkedAccountsResource.java index 81e419e96f..8ef6b37c7c 100644 --- a/services/src/main/java/org/keycloak/services/resources/account/LinkedAccountsResource.java +++ b/services/src/main/java/org/keycloak/services/resources/account/LinkedAccountsResource.java @@ -61,6 +61,8 @@ import org.keycloak.services.messages.Messages; import org.keycloak.services.resources.Cors; import org.keycloak.services.validation.Validation; +import static org.keycloak.models.Constants.ACCOUNT_CONSOLE_CLIENT_ID; + /** * API for linking/unlinking social login accounts * @@ -175,14 +177,16 @@ public class LinkedAccountsResource { try { String nonce = UUID.randomUUID().toString(); MessageDigest md = MessageDigest.getInstance("SHA-256"); - String input = nonce + auth.getSession().getId() + client.getClientId() + providerId; + String input = nonce + auth.getSession().getId() + ACCOUNT_CONSOLE_CLIENT_ID + providerId; byte[] check = md.digest(input.getBytes(StandardCharsets.UTF_8)); String hash = Base64Url.encode(check); URI linkUri = Urls.identityProviderLinkRequest(this.session.getContext().getUri().getBaseUri(), providerId, realm.getName()); linkUri = UriBuilder.fromUri(linkUri) .queryParam("nonce", nonce) .queryParam("hash", hash) - .queryParam("client_id", client.getClientId()) + // need to use "account-console" client because IdentityBrokerService authenticates user using cookies + // the regular "account" client is used only for REST calls therefore cookies authentication cannot be used + .queryParam("client_id", ACCOUNT_CONSOLE_CLIENT_ID) .queryParam("redirect_uri", redirectUri) .build(); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/LinkedAccountsRestServiceTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/LinkedAccountsRestServiceTest.java index e60e7f90eb..dbadbd668c 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/LinkedAccountsRestServiceTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/LinkedAccountsRestServiceTest.java @@ -42,7 +42,12 @@ import org.keycloak.representations.idm.FederatedIdentityRepresentation; import org.keycloak.representations.idm.UserRepresentation; import org.keycloak.testsuite.util.IdentityProviderBuilder; -import static org.junit.Assert.*; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertTrue; +import static org.keycloak.models.Constants.ACCOUNT_CONSOLE_CLIENT_ID; + import org.junit.FixMethodOrder; import org.junit.runners.MethodSorters; import org.keycloak.representations.account.AccountLinkUriRepresentation; @@ -162,7 +167,7 @@ public class LinkedAccountsRestServiceTest extends AbstractTestRealmKeycloakTest assertEquals(rep.getHash(), nvp.getValue()); break; } - case "client_id" : assertEquals("account", nvp.getValue()); break; + case "client_id" : assertEquals(ACCOUNT_CONSOLE_CLIENT_ID, nvp.getValue()); break; case "redirect_uri" : assertEquals("phonyUri", nvp.getValue()); } }