Merge pull request #399 from patriot1burke/master

don't allow bearer-only to login
This commit is contained in:
Bill Burke 2014-05-19 15:09:18 -04:00
commit 26d3e48555
2 changed files with 10 additions and 4 deletions

View file

@ -279,8 +279,10 @@ public class RealmManager {
if (application == null) {
application = new ApplicationManager(this).createApplication(realm, Constants.ACCOUNT_MANAGEMENT_APP);
application.setEnabled(true);
String redirectUri = contextPath + "/realms/" + realm.getName() + "/account/*";
String base = contextPath + "/realms/" + realm.getName() + "/account";
String redirectUri = base + "/*";
application.addRedirectUri(redirectUri);
application.setBaseUrl(base);
for (String role : AccountRoles.ALL) {
application.addDefaultRole(role);

View file

@ -18,6 +18,7 @@ import org.keycloak.authentication.AuthenticationProviderException;
import org.keycloak.authentication.AuthenticationProviderManager;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
@ -221,10 +222,9 @@ public class TokenService {
ClientModel client = authorizeClient(authorizationHeader, form, audit);
if (client.isPublicClient()) {
// we don't allow public clients to invoke grants/access to prevent phishing attacks
if ( (client instanceof ApplicationModel) && ((ApplicationModel)client).isBearerOnly()) {
audit.error(Errors.NOT_ALLOWED);
throw new ForbiddenException("Public clients are not allowed to invoke grants/access");
throw new ForbiddenException("Bearer-only applications are not allowed to invoke grants/access");
}
if (!realm.isEnabled()) {
@ -745,6 +745,10 @@ public class TokenService {
audit.error(Errors.CLIENT_DISABLED);
return oauth.forwardToSecurityFailure("Login requester not enabled.");
}
if ( (client instanceof ApplicationModel) && ((ApplicationModel)client).isBearerOnly()) {
audit.error(Errors.NOT_ALLOWED);
return oauth.forwardToSecurityFailure("Bearer-only applications are not allowed to initiate login");
}
redirect = verifyRedirectUri(uriInfo, redirect, client);
if (redirect == null) {
audit.error(Errors.INVALID_REDIRECT_URI);