KEYCLOAK-12329 Fix linking accounts in the new Account Console

2019-12-03 11:12:35 +01:00 · 2019-12-03 11:12:35 +01:00 · 072cd9f93f
commit 072cd9f93f
parent 73d1a26040
2 changed files with 13 additions and 4 deletions
--- a/services/src/main/java/org/keycloak/services/resources/account/LinkedAccountsResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/account/LinkedAccountsResource.java
@ -61,6 +61,8 @@ import org.keycloak.services.messages.Messages;
 import org.keycloak.services.resources.Cors;
 import org.keycloak.services.validation.Validation;

+import static org.keycloak.models.Constants.ACCOUNT_CONSOLE_CLIENT_ID;
+
 /**
 * API for linking/unlinking social login accounts
 *
@ -175,14 +177,16 @@ public class LinkedAccountsResource {
        try {
            String nonce = UUID.randomUUID().toString();
            MessageDigest md = MessageDigest.getInstance("SHA-256");
-            String input = nonce + auth.getSession().getId() +  client.getClientId() + providerId;
+            String input = nonce + auth.getSession().getId() +  ACCOUNT_CONSOLE_CLIENT_ID + providerId;
            byte[] check = md.digest(input.getBytes(StandardCharsets.UTF_8));
            String hash = Base64Url.encode(check);
            URI linkUri = Urls.identityProviderLinkRequest(this.session.getContext().getUri().getBaseUri(), providerId, realm.getName());
            linkUri = UriBuilder.fromUri(linkUri)
                    .queryParam("nonce", nonce)
                    .queryParam("hash", hash)
-                    .queryParam("client_id", client.getClientId())
+                    // need to use "account-console" client because IdentityBrokerService authenticates user using cookies
+                    // the regular "account" client is used only for REST calls therefore cookies authentication cannot be used
+                    .queryParam("client_id", ACCOUNT_CONSOLE_CLIENT_ID)
                    .queryParam("redirect_uri", redirectUri)
                    .build();
            
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/LinkedAccountsRestServiceTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/LinkedAccountsRestServiceTest.java
@ -42,7 +42,12 @@ import org.keycloak.representations.idm.FederatedIdentityRepresentation;
 import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.testsuite.util.IdentityProviderBuilder;

-import static org.junit.Assert.*;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.keycloak.models.Constants.ACCOUNT_CONSOLE_CLIENT_ID;
+
 import org.junit.FixMethodOrder;
 import org.junit.runners.MethodSorters;
 import org.keycloak.representations.account.AccountLinkUriRepresentation;
@ -162,7 +167,7 @@ public class LinkedAccountsRestServiceTest extends AbstractTestRealmKeycloakTest
                    assertEquals(rep.getHash(), nvp.getValue());
                    break;
                }
-                case "client_id" : assertEquals("account", nvp.getValue()); break;
+                case "client_id" : assertEquals(ACCOUNT_CONSOLE_CLIENT_ID, nvp.getValue()); break;
                case "redirect_uri" : assertEquals("phonyUri", nvp.getValue());
            }
        }