Merge pull request #399 from patriot1burke/master
don't allow bearer-only to login
This commit is contained in:
commit
26d3e48555
2 changed files with 10 additions and 4 deletions
|
@ -279,8 +279,10 @@ public class RealmManager {
|
|||
if (application == null) {
|
||||
application = new ApplicationManager(this).createApplication(realm, Constants.ACCOUNT_MANAGEMENT_APP);
|
||||
application.setEnabled(true);
|
||||
String redirectUri = contextPath + "/realms/" + realm.getName() + "/account/*";
|
||||
String base = contextPath + "/realms/" + realm.getName() + "/account";
|
||||
String redirectUri = base + "/*";
|
||||
application.addRedirectUri(redirectUri);
|
||||
application.setBaseUrl(base);
|
||||
|
||||
for (String role : AccountRoles.ALL) {
|
||||
application.addDefaultRole(role);
|
||||
|
|
|
@ -18,6 +18,7 @@ import org.keycloak.authentication.AuthenticationProviderException;
|
|||
import org.keycloak.authentication.AuthenticationProviderManager;
|
||||
import org.keycloak.jose.jws.JWSInput;
|
||||
import org.keycloak.jose.jws.crypto.RSAProvider;
|
||||
import org.keycloak.models.ApplicationModel;
|
||||
import org.keycloak.models.ClientModel;
|
||||
import org.keycloak.models.Constants;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
|
@ -221,10 +222,9 @@ public class TokenService {
|
|||
|
||||
ClientModel client = authorizeClient(authorizationHeader, form, audit);
|
||||
|
||||
if (client.isPublicClient()) {
|
||||
// we don't allow public clients to invoke grants/access to prevent phishing attacks
|
||||
if ( (client instanceof ApplicationModel) && ((ApplicationModel)client).isBearerOnly()) {
|
||||
audit.error(Errors.NOT_ALLOWED);
|
||||
throw new ForbiddenException("Public clients are not allowed to invoke grants/access");
|
||||
throw new ForbiddenException("Bearer-only applications are not allowed to invoke grants/access");
|
||||
}
|
||||
|
||||
if (!realm.isEnabled()) {
|
||||
|
@ -745,6 +745,10 @@ public class TokenService {
|
|||
audit.error(Errors.CLIENT_DISABLED);
|
||||
return oauth.forwardToSecurityFailure("Login requester not enabled.");
|
||||
}
|
||||
if ( (client instanceof ApplicationModel) && ((ApplicationModel)client).isBearerOnly()) {
|
||||
audit.error(Errors.NOT_ALLOWED);
|
||||
return oauth.forwardToSecurityFailure("Bearer-only applications are not allowed to initiate login");
|
||||
}
|
||||
redirect = verifyRedirectUri(uriInfo, redirect, client);
|
||||
if (redirect == null) {
|
||||
audit.error(Errors.INVALID_REDIRECT_URI);
|
||||
|
|
Loading…
Reference in a new issue