KEYCLOAK-12329 Fix linking accounts in the new Account Console

vmuzikar 2019-12-03 11:12:35 +01:00 committed by Bruno Oliveira da Silva
parent 73d1a26040
commit 072cd9f93f
2 changed files with 13 additions and 4 deletions


@ -61,6 +61,8 @@ import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.Cors; import org.keycloak.services.resources.Cors;
import org.keycloak.services.validation.Validation; import org.keycloak.services.validation.Validation;
import static org.keycloak.models.Constants.ACCOUNT_CONSOLE_CLIENT_ID;
/** /**
* API for linking/unlinking social login accounts * API for linking/unlinking social login accounts
* *
@ -175,14 +177,16 @@ public class LinkedAccountsResource {
try { try {
String nonce = UUID.randomUUID().toString(); String nonce = UUID.randomUUID().toString();
MessageDigest md = MessageDigest.getInstance("SHA-256"); MessageDigest md = MessageDigest.getInstance("SHA-256");
String input = nonce + auth.getSession().getId() + client.getClientId() + providerId; String input = nonce + auth.getSession().getId() + ACCOUNT_CONSOLE_CLIENT_ID + providerId;
byte[] check = md.digest(input.getBytes(StandardCharsets.UTF_8)); byte[] check = md.digest(input.getBytes(StandardCharsets.UTF_8));
String hash = Base64Url.encode(check); String hash = Base64Url.encode(check);
URI linkUri = Urls.identityProviderLinkRequest(this.session.getContext().getUri().getBaseUri(), providerId, realm.getName()); URI linkUri = Urls.identityProviderLinkRequest(this.session.getContext().getUri().getBaseUri(), providerId, realm.getName());
linkUri = UriBuilder.fromUri(linkUri) linkUri = UriBuilder.fromUri(linkUri)
.queryParam("nonce", nonce) .queryParam("nonce", nonce)
.queryParam("hash", hash) .queryParam("hash", hash)
.queryParam("client_id", client.getClientId()) // need to use "account-console" client because IdentityBrokerService authenticates user using cookies
// the regular "account" client is used only for REST calls therefore cookies authentication cannot be used
.queryParam("client_id", ACCOUNT_CONSOLE_CLIENT_ID)
.queryParam("redirect_uri", redirectUri) .queryParam("redirect_uri", redirectUri)
.build(); .build();
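Review bot: Nothing visible in this hunk checks that the realm still has an enabled client for `ACCOUNT_CONSOLE_CLIENT_ID`, which is now hard-coded in both the hash input and the `client_id` query parameter. If an administrator has removed or disabled that client, the REST call would presumably still return a link URI that fails only later at the broker endpoint. Consider resolving it up front with `ClientModel accountConsole = realm.getClientByClientId(ACCOUNT_CONSOLE_CLIENT_ID);` and returning an error when it is null or `!accountConsole.isEnabled()`. The caller-supplied `redirect_uri` is still forwarded unchanged, so confirm that the broker endpoint validates it against the account-console client's registered redirect URIs, not the `account` client's; that validation is outside this hunk. The enclosing method starts and ends outside the hunk.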


@ -42,7 +42,12 @@ import org.keycloak.representations.idm.FederatedIdentityRepresentation;
import org.keycloak.representations.idm.UserRepresentation; import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.testsuite.util.IdentityProviderBuilder; import org.keycloak.testsuite.util.IdentityProviderBuilder;
import static org.junit.Assert.*; import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
import static org.keycloak.models.Constants.ACCOUNT_CONSOLE_CLIENT_ID;
import org.junit.FixMethodOrder; import org.junit.FixMethodOrder;
import org.junit.runners.MethodSorters; import org.junit.runners.MethodSorters;
import org.keycloak.representations.account.AccountLinkUriRepresentation; import org.keycloak.representations.account.AccountLinkUriRepresentation;
@ -162,7 +167,7 @@ public class LinkedAccountsRestServiceTest extends AbstractTestRealmKeycloakTest
assertEquals(rep.getHash(), nvp.getValue()); assertEquals(rep.getHash(), nvp.getValue());
break; break;
} }
case "client_id" : assertEquals("account", nvp.getValue()); break; case "client_id" : assertEquals(ACCOUNT_CONSOLE_CLIENT_ID, nvp.getValue()); break;
case "redirect_uri" : assertEquals("phonyUri", nvp.getValue()); case "redirect_uri" : assertEquals("phonyUri", nvp.getValue());
} }
} }
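Review bot: The updated `client_id` assertion pins only the query parameter, while the hash check above it compares `rep.getHash()` with the `hash` parameter of the same server response. A regression that changed the client id in the URI but not in the hash input (or the reverse) would therefore still pass. If the test setup allows it, add a case that follows the returned link URI through the broker endpoint and asserts that the request is accepted, so the hash and `client_id` are verified together. The enclosing test method starts outside the hunk.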