fix logout

Bill Burke 2014-08-12 10:06:19 -04:00
parent 100de5a55e
commit 114c1b95fa


@ -23,6 +23,7 @@ import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel; import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.Constants; import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OAuthClientModel;
import org.keycloak.models.RealmModel; import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredCredentialModel; import org.keycloak.models.RequiredCredentialModel;
import org.keycloak.models.UserCredentialModel; import org.keycloak.models.UserCredentialModel;
@ -1049,8 +1050,6 @@ public class TokenService {
@GET @GET
@NoCache @NoCache
public Response logout(final @QueryParam("redirect_uri") String redirectUri) { public Response logout(final @QueryParam("redirect_uri") String redirectUri) {
// todo do we care if anybody can trigger this?
audit.event(EventType.LOGOUT); audit.event(EventType.LOGOUT);
if (redirectUri != null) { if (redirectUri != null) {
audit.detail(Details.REDIRECT_URI, redirectUri); audit.detail(Details.REDIRECT_URI, redirectUri);
@ -1059,20 +1058,15 @@ public class TokenService {
AuthenticationManager.AuthResult authResult = authManager.authenticateIdentityCookie(session, realm, uriInfo, clientConnection, headers, false); AuthenticationManager.AuthResult authResult = authManager.authenticateIdentityCookie(session, realm, uriInfo, clientConnection, headers, false);
if (authResult != null) { if (authResult != null) {
logout(authResult.getSession()); logout(authResult.getSession());
} else {
audit.error(Errors.USER_NOT_LOGGED_IN);
OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager);
return oauth.forwardToSecurityFailure("Not logged in.");
} }
if (redirectUri != null) { if (redirectUri != null) {
// todo manage legal redirects String validatedRedirect = verifyRealmRedirectUri(uriInfo, redirectUri, realm);
if (redirectUri.startsWith("/")) { // handle relative uri if (validatedRedirect == null) {
UriBuilder builder = uriInfo.getAbsolutePathBuilder(); OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager);
builder.replacePath(redirectUri); return oauth.forwardToSecurityFailure("Invalid redirect uri.");
return Response.status(302).location(builder.build()).build();
} }
return Response.status(302).location(UriBuilder.fromUri(redirectUri).build()).build(); return Response.status(302).location(UriBuilder.fromUri(validatedRedirect).build()).build();
} else { } else {
return Response.ok().build(); return Response.ok().build();
} }
@ -1235,8 +1229,32 @@ public class TokenService {
return false; return false;
} }
public static Set<String> getValidateRedirectUris(RealmModel realm) {
Set<String> redirects = new HashSet<String>();
for (ApplicationModel client : realm.getApplications()) {
for (String redirect : client.getRedirectUris()) {
redirects.add(redirect);
}
}
for (OAuthClientModel client : realm.getOAuthClients()) {
for (String redirect : client.getRedirectUris()) {
redirects.add(redirect);
}
}
return redirects;
}
public static String verifyRealmRedirectUri(UriInfo uriInfo, String redirectUri, RealmModel realm) {
Set<String> validRedirects = getValidateRedirectUris(realm);
return verifyRedirectUri(uriInfo, redirectUri, realm, validRedirects);
}
public static String verifyRedirectUri(UriInfo uriInfo, String redirectUri, RealmModel realm, ClientModel client) { public static String verifyRedirectUri(UriInfo uriInfo, String redirectUri, RealmModel realm, ClientModel client) {
Set<String> validRedirects = client.getRedirectUris(); Set<String> validRedirects = client.getRedirectUris();
return verifyRedirectUri(uriInfo, redirectUri, realm, validRedirects);
}
public static String verifyRedirectUri(UriInfo uriInfo, String redirectUri, RealmModel realm, Set<String> validRedirects) {
if (redirectUri == null) { if (redirectUri == null) {
if (validRedirects.size() != 1) return null; if (validRedirects.size() != 1) return null;
String validRedirect = validRedirects.iterator().next(); String validRedirect = validRedirects.iterator().next();
@ -1246,7 +1264,7 @@ public class TokenService {
} }
redirectUri = validRedirect; redirectUri = validRedirect;
} else if (validRedirects.isEmpty()) { } else if (validRedirects.isEmpty()) {
logger.error("Redirect URI is required for client: " + client.getClientId()); logger.error("No Redirect URIs supplied");
redirectUri = null; redirectUri = null;
} else { } else {
String r = redirectUri.indexOf('?') != -1 ? redirectUri.substring(0, redirectUri.indexOf('?')) : redirectUri; String r = redirectUri.indexOf('?') != -1 ? redirectUri.substring(0, redirectUri.indexOf('?')) : redirectUri;
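Review bot: The redirect check that `logout` now performs (hunk at -1059, via `verifyRealmRedirectUri`) accepts a redirect URI registered by any application or OAuth client in the realm, because `getValidateRedirectUris` (hunk at -1235) pools `client.getRedirectUris()` across `realm.getApplications()` and `realm.getOAuthClients()`, so the logout redirect is only as tightly constrained as the loosest registration in the realm, which is weaker than the per-client `verifyRedirectUri(uriInfo, redirectUri, realm, ClientModel)` used elsewhere. That trade-off should be stated where the helper is introduced, e.g. a Javadoc on `getValidateRedirectUris` reading `/** Union of the redirect URIs registered by every application and OAuth client in the realm; used by logout, which has no single client to validate against. */`, and it is worth recording whether the session returned by `authResult.getSession()` could name the client(s) to validate against instead (its API is not visible here). Two smaller points: `getValidateRedirectUris` reads as a typo for `getValidRedirectUris`, and each inner loop can be replaced by `redirects.addAll(client.getRedirectUris());`; and the changed message at -1246, `logger.error("No Redirect URIs supplied");`, drops the client id the old message carried, so the realm-level path now logs nothing that identifies which realm was involved. The `Set`-taking `verifyRedirectUri` continues past the end of the last hunk.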