From 2f489a41ebd06eb14197f8a66afae86ac1397f42 Mon Sep 17 00:00:00 2001 
From: Pedro Igor
Date: Wed, 4 Mar 2020 09:21:25 -0300
Subject: [PATCH] [KEYCLOAK-12192] - Missing Input Validation in IDP Authorization URLs
---
 .../org/keycloak/common/util/UriUtils.java | 28 ++++
 .../provider/IdentityProviderFactory.java | 10 ++
 .../models/utils/RepresentationToModel.java | 27 ++-
 .../models/IdentityProviderModel.java | 12 +-
 .../KeycloakOIDCIdentityProviderFactory.java | 7 +-
 .../oidc/OAuth2IdentityProviderConfig.java | 18 ++
 .../oidc/OIDCIdentityProviderConfig.java | 17 ++
 .../oidc/OIDCIdentityProviderFactory.java | 7 +-
 .../saml/SAMLIdentityProviderConfig.java | 12 ++
 .../saml/SAMLIdentityProviderFactory.java | 5 +
 .../IdentityProvidersPartialImport.java | 2 +-
 .../admin/IdentityProviderResource.java | 6 +-
 .../admin/IdentityProvidersResource.java | 4 +-
 .../BitbucketIdentityProviderFactory.java | 5 +
 .../FacebookIdentityProviderFactory.java | 5 +
 .../github/GitHubIdentityProviderFactory.java | 5 +
 .../gitlab/GitLabIdentityProviderFactory.java | 6 +-
 .../google/GoogleIdentityProviderConfig.java | 4 +
 .../google/GoogleIdentityProviderFactory.java | 6 +-
 .../InstagramIdentityProviderFactory.java | 5 +
 .../LinkedInIdentityProviderFactory.java | 5 +
 .../MicrosoftIdentityProviderFactory.java | 5 +
 .../OpenshiftV3IdentityProviderConfig.java | 4 +
 .../OpenshiftV3IdentityProviderFactory.java | 5 +
 .../OpenshiftV4IdentityProviderConfig.java | 3 +
 .../OpenshiftV4IdentityProviderFactory.java | 4 +
 .../paypal/PayPalIdentityProviderConfig.java | 4 +
 .../paypal/PayPalIdentityProviderFactory.java | 5 +
 .../StackOverflowIdentityProviderConfig.java | 6 +-
 .../StackoverflowIdentityProviderFactory.java | 5 +
 .../TwitterIdentityProviderFactory.java | 5 +
 .../testsuite/admin/IdentityProviderTest.java | 155 ++++++++++++++++++
 .../testsuite/admin/PermissionsTest.java | 4 +-
 .../keycloak/testsuite/admin/UserTest.java | 2 +-
 .../broker/KcOIDCBrokerWithSignatureTest.java | 2 +-
 .../broker/OIDCIdentityProviderConfigRep.java | 2 +-
 .../testsuite/cli/admin/KcAdmUpdateTest.java | 4 +-
 .../keycloak/testsuite/saml/BrokerTest.java | 12 +-
 .../testsuite/saml/IdpInitiatedLoginTest.java | 2 +-
 .../keycloak/testsuite/saml/LogoutTest.java | 6 +-
 .../test/resources/cli/idp-keycloak-9167.json | 4 +-
 41 files changed, 401 insertions(+), 34 deletions(-)
diff --git a/common/src/main/java/org/keycloak/common/util/UriUtils.java b/common/src/main/java/org/keycloak/common/util/UriUtils.java
index bbe718835b..43c263e7b9 100755
--- a/common/src/main/java/org/keycloak/common/util/UriUtils.java
+++ b/common/src/main/java/org/keycloak/common/util/UriUtils.java
@@ -18,10 +18,14 @@
 package org.keycloak.common.util;
 import java.io.UnsupportedEncodingException;
+import java.net.MalformedURLException;
 import java.net.URI;
+import java.net.URL;
 import java.net.URLDecoder;
 import java.util.regex.Pattern;
+import org.keycloak.common.enums.SslRequired;
+
 /**
 * @author Stian Thorgersen
 */
@@ -84,4 +88,28 @@ public class UriUtils {
 public static String stripQueryParam(String url, String name){
 return url.replaceFirst("[\\?&]"+name+"=[^&]*$|"+name+"=[^&]*&", "");
 }
+
+ public static void checkUrl(SslRequired sslRequired, String url, String name) throws IllegalArgumentException{
+ if (url == null) {
+ return;
+ }
+
+ URL parsed;
+
+ try {
+ parsed = new URL(url);
+ } catch (MalformedURLException e) {
+ throw new IllegalArgumentException("The url [" + name + "] is malformed", e);
+ }
+
+ String protocol = parsed.getProtocol().toLowerCase();
+
+ if (!("http".equalsIgnoreCase(protocol) || "https".equalsIgnoreCase(protocol))) {
+ throw new IllegalArgumentException("Invalid protocol/scheme for url [" + name + "]");
+ }
+
+ if (!"https".equals(protocol) && sslRequired.isRequired(url)) {
+ throw new IllegalArgumentException("The url [" + name + "] requires secure connections");
+ }
+ }
 }
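Review bot: `sslRequired.isRequired(url)` in the new `checkUrl` is handed the full URL string; if `SslRequired.isRequired` expects a host or address rather than a URL (its name suggests an address check — worth confirming against the enum), the local-host exemption of `EXTERNAL` can never match a value like `http://localhost:8080/...` and every plain-http URL is rejected under that policy, whereas `sslRequired.isRequired(parsed.getHost())` would hand it the same kind of value used elsewhere. `protocol` is already lower-cased on the line above, so the two `equalsIgnoreCase` calls can be plain `equals`, consistent with the later `"https".equals(protocol)`. The method is public and becomes the single validation point for every identity-provider URL, so it should carry Javadoc stating that `null` is accepted as "not configured" and `@throws IllegalArgumentException if the URL is malformed, uses a scheme other than http/https, or is plain http where the realm's SSL policy requires TLS`.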
diff --git a/server-spi-private/src/main/java/org/keycloak/broker/provider/IdentityProviderFactory.java b/server-spi-private/src/main/java/org/keycloak/broker/provider/IdentityProviderFactory.java index c189316288..ad3b840295 100755 --- a/server-spi-private/src/main/java/org/keycloak/broker/provider/IdentityProviderFactory.java +++ b/server-spi-private/src/main/java/org/keycloak/broker/provider/IdentityProviderFactory.java @@ -54,4 +54,14 @@ public interface IdentityProviderFactory extends Pro * @return */ Map parseConfig(KeycloakSession session, InputStream inputStream); + + /** + *

Creates a provider specific {@link IdentityProviderModel} instance. + * + *

Providers may want to implement their own {@link IdentityProviderModel} type so that validations + * can be performed when managing the provider configuration + * + * @return the provider specific instance + */ + C createConfig(); } \ No newline at end of file diff --git a/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java b/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java index 7b455e7da2..9982bbe091 100755 --- a/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java +++ b/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java @@ -49,6 +49,9 @@ import org.keycloak.authorization.store.ResourceServerStore; import org.keycloak.authorization.store.ResourceStore; import org.keycloak.authorization.store.ScopeStore; import org.keycloak.authorization.store.StoreFactory; +import org.keycloak.broker.provider.IdentityProvider; +import org.keycloak.broker.provider.IdentityProviderFactory; +import org.keycloak.broker.social.SocialIdentityProvider; import org.keycloak.common.enums.SslRequired; import org.keycloak.common.util.MultivaluedHashMap; import org.keycloak.common.util.UriUtils; @@ -285,7 +288,7 @@ public class RepresentationToModel { DefaultRequiredActions.addActions(newRealm); } - importIdentityProviders(rep, newRealm); + importIdentityProviders(rep, newRealm, session); importIdentityProviderMappers(rep, newRealm); Map clientScopes = new HashMap<>(); 
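Review bot: `createConfig()` is added to the public `IdentityProviderFactory` SPI as an abstract method, so any existing out-of-tree factory stops compiling and, if deployed without being rebuilt, would fail at runtime when `RepresentationToModel.toModel` calls it; if the SPI is meant to stay source-compatible a `default` implementation would be the conservative choice, and if the break is intended the Javadoc should say so with a `@since` tag. The Javadoc says validations "can be performed" but not when they run: a sentence such as `The returned instance is populated from the representation and then {@link IdentityProviderModel#validate(RealmModel)} is invoked on it before the provider is stored.` would tell implementors where their checks execute. The interface declaration itself starts outside the hunk.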
@@ -1856,10 +1859,10 @@ public class RepresentationToModel {
 }
 }
- private static void importIdentityProviders(RealmRepresentation rep, RealmModel newRealm) {
+ private static void importIdentityProviders(RealmRepresentation rep, RealmModel newRealm, KeycloakSession session) {
 if (rep.getIdentityProviders() != null) {
 for (IdentityProviderRepresentation representation : rep.getIdentityProviders()) {
- newRealm.addIdentityProvider(toModel(newRealm, representation));
+ newRealm.addIdentityProvider(toModel(newRealm, representation, session));
 }
 }
 }
@@ -1872,8 +1875,20 @@ public class RepresentationToModel {
 }
 }
- public static IdentityProviderModel toModel(RealmModel realm, IdentityProviderRepresentation representation) {
- IdentityProviderModel identityProviderModel = new IdentityProviderModel();
+ public static IdentityProviderModel toModel(RealmModel realm, IdentityProviderRepresentation representation, KeycloakSession session) {
+ IdentityProviderFactory providerFactory = (IdentityProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(
+ IdentityProvider.class, representation.getProviderId());
+
+ if (providerFactory == null) {
+ providerFactory = (IdentityProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(
+ SocialIdentityProvider.class, representation.getProviderId());
+ }
+
+ if (providerFactory == null) {
+ throw new IllegalArgumentException("Invalid identity provider id [" + representation.getProviderId() + "]");
+ }
+
+ IdentityProviderModel identityProviderModel = providerFactory.createConfig();
 identityProviderModel.setInternalId(representation.getInternalId());
 identityProviderModel.setAlias(representation.getAlias());
@@ -1908,6 +1923,8 @@ public class RepresentationToModel {
 }
 identityProviderModel.setPostBrokerLoginFlowId(flowModel.getId());
 }
+
+ identityProviderModel.validate(realm);
 return identityProviderModel;
 }
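Review bot: `toModel` now throws `IllegalArgumentException` for an unknown provider id and propagates whatever `validate(realm)` throws, which is new behaviour for a public static method, and neither is documented; add Javadoc with `@throws IllegalArgumentException if {@code representation.getProviderId()} matches no registered identity or social provider factory, or if the resulting configuration fails {@link IdentityProviderModel#validate(RealmModel)}`. `IdentityProviderModel.validate` is a no-op by default (see the base-class hunk in this commit), so a factory whose `createConfig()` returns a plain `IdentityProviderModel` silently gets no URL checks; that is presumably intended for providers without URL settings, but a comment at the `validate(realm)` call saying so would stop a reader from assuming every provider type is covered. The repeated lookup-and-cast against `IdentityProvider.class` and `SocialIdentityProvider.class` could be folded into a small private helper to keep `toModel` readable. The body of `toModel` continues between and after the hunks shown.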
diff --git a/server-spi/src/main/java/org/keycloak/models/IdentityProviderModel.java b/server-spi/src/main/java/org/keycloak/models/IdentityProviderModel.java index 6fb5c59679..846df4e75f 100755 --- a/server-spi/src/main/java/org/keycloak/models/IdentityProviderModel.java +++ b/server-spi/src/main/java/org/keycloak/models/IdentityProviderModel.java @@ -196,5 +196,15 @@ public class IdentityProviderModel implements Serializable { public void setDisplayName(String displayName) { this.displayName = displayName; } - + + /** + *

Validates this configuration. + * + *

Sub-classes can override this method in order to enforce provider specific validations. + * + * @param realm the realm + */ + public void validate(RealmModel realm) { + + } } diff --git a/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProviderFactory.java b/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProviderFactory.java index 87e7b73ab4..48bfd82547 100755 --- a/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProviderFactory.java +++ b/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProviderFactory.java @@ -48,7 +48,10 @@ public class KeycloakOIDCIdentityProviderFactory extends AbstractIdentityProvide @Override public Map parseConfig(KeycloakSession session, InputStream inputStream) { return OIDCIdentityProviderFactory.parseOIDCConfig(session, inputStream); - } - } + @Override + public OIDCIdentityProviderConfig createConfig() { + return new OIDCIdentityProviderConfig(); + } +} diff --git a/services/src/main/java/org/keycloak/broker/oidc/OAuth2IdentityProviderConfig.java b/services/src/main/java/org/keycloak/broker/oidc/OAuth2IdentityProviderConfig.java index af26468a4a..5838376f50 100644 --- a/services/src/main/java/org/keycloak/broker/oidc/OAuth2IdentityProviderConfig.java +++ b/services/src/main/java/org/keycloak/broker/oidc/OAuth2IdentityProviderConfig.java @@ -16,7 +16,12 @@ */ package org.keycloak.broker.oidc; +import static org.keycloak.common.util.UriUtils.checkUrl; + +import org.keycloak.common.enums.SslRequired; import org.keycloak.models.IdentityProviderModel; +import org.keycloak.models.KeycloakSession; +import org.keycloak.models.RealmModel; import org.keycloak.protocol.oidc.OIDCLoginProtocol; /** @@ -28,6 +33,10 @@ public class OAuth2IdentityProviderConfig extends IdentityProviderModel { super(model); } + public OAuth2IdentityProviderConfig() { + super(); + } + public String getAuthorizationUrl() { return getConfig().get("authorizationUrl"); } 
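Review bot: The Javadoc of the new `validate(RealmModel)` hook does not state how a failed validation is reported, although the overrides in this commit throw `IllegalArgumentException` via `UriUtils.checkUrl` and `RepresentationToModel.toModel` relies on that exception type; add `@throws IllegalArgumentException if the configuration is not valid for the given realm` so that third-party overrides follow the same contract. A one-line comment in the empty body, `// no-op by default: providers without URL-bearing settings need no checks`, would also make the intentional no-op explicit rather than looking like an unfinished method.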
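Review bot: `import org.keycloak.models.KeycloakSession;` is added to `OAuth2IdentityProviderConfig` but none of the new code in this file uses it — the new constructor and `validate(RealmModel)` only need `RealmModel` and `SslRequired` — so it is an unused import; the same unused `KeycloakSession` import is added to `OIDCIdentityProviderConfig` and `SAMLIdentityProviderConfig` in the hunks that follow. Dropping the three lines keeps the import blocks clean and avoids a needless dependency of the config classes on the session API.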
@@ -123,4 +132,13 @@ public class OAuth2IdentityProviderConfig extends IdentityProviderModel {
 public void setForwardParameters(String forwardParameters) {
 getConfig().put("forwardParameters", forwardParameters);
 }
+
+ @Override
+ public void validate(RealmModel realm) {
+ SslRequired sslRequired = realm.getSslRequired();
+
+ checkUrl(sslRequired, getAuthorizationUrl(), "authorization_url");
+ checkUrl(sslRequired, getTokenUrl(), "token_url");
+ checkUrl(sslRequired, getUserInfoUrl(), "userinfo_url");
+ }
 }
diff --git a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderConfig.java b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderConfig.java
index bb3d286f60..002848fec9 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderConfig.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderConfig.java
@@ -16,7 +16,12 @@
 */
 package org.keycloak.broker.oidc;
+import static org.keycloak.common.util.UriUtils.checkUrl;
+
+import org.keycloak.common.enums.SslRequired;
 import org.keycloak.models.IdentityProviderModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
 /**
 * @author Pedro Igor
@@ -33,6 +38,10 @@ public class OIDCIdentityProviderConfig extends OAuth2IdentityProviderConfig {
 super(identityProviderModel);
 }
+ public OIDCIdentityProviderConfig() {
+ super();
+ }
+
 public String getPrompt() {
 return getConfig().get("prompt");
 }
@@ -122,4 +131,12 @@ public class OIDCIdentityProviderConfig extends OAuth2IdentityProviderConfig {
 return 0;
 }
 }
+
+ @Override
+ public void validate(RealmModel realm) {
+ super.validate(realm);
+ SslRequired sslRequired = realm.getSslRequired();
+ checkUrl(sslRequired, getJwksUrl(), "jwks_url");
+ checkUrl(sslRequired, getLogoutUrl(), "logout_url");
+ }
 }
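Review bot: The `name` arguments `"authorization_url"`, `"token_url"`, `"userinfo_url"`, `"jwks_url"` and `"logout_url"` end up in the `IllegalArgumentException` message the admin sees, yet none of them is the key the admin actually sets — `getAuthorizationUrl()` reads `"authorizationUrl"` from the config map — while the SAML override in this commit passes the real key constants `SINGLE_LOGOUT_SERVICE_URL` and `SINGLE_SIGN_ON_SERVICE_URL`; using the config keys here too, e.g. `checkUrl(sslRequired, getAuthorizationUrl(), "authorizationUrl");`, keeps the error pointing at the field to fix and makes the two implementations consistent. Each `validate` override would also benefit from a one-line Javadoc naming the URLs it checks and noting that it throws `IllegalArgumentException` on the first failing one.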
diff --git a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java
index 346cf82da3..64a3ea2fb8 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java
@@ -43,6 +43,11 @@ public class OIDCIdentityProviderFactory extends AbstractIdentityProviderFactory
 return new OIDCIdentityProvider(session, new OIDCIdentityProviderConfig(model));
 }
+ @Override
+ public OIDCIdentityProviderConfig createConfig() {
+ return new OIDCIdentityProviderConfig();
+ }
+
 @Override
 public String getId() {
 return PROVIDER_ID;
@@ -60,7 +65,7 @@ public class OIDCIdentityProviderFactory extends AbstractIdentityProviderFactory
 } catch (IOException e) {
 throw new RuntimeException("failed to load openid connect metadata", e);
 }
- OIDCIdentityProviderConfig config = new OIDCIdentityProviderConfig(new IdentityProviderModel());
+ OIDCIdentityProviderConfig config = new OIDCIdentityProviderConfig();
 config.setIssuer(rep.getIssuer());
 config.setLogoutUrl(rep.getLogoutEndpoint());
 config.setAuthorizationUrl(rep.getAuthorizationEndpoint());
diff --git a/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderConfig.java b/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderConfig.java
index 37fa434c58..f80da3db00 100755
--- a/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderConfig.java
+++ b/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderConfig.java
@@ -16,8 +16,13 @@
 */
 package org.keycloak.broker.saml;
+import static org.keycloak.common.util.UriUtils.checkUrl;
+
+import org.keycloak.common.enums.SslRequired;
 import org.keycloak.models.IdentityProviderModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
 import org.keycloak.protocol.saml.SamlPrincipalType;
 import org.keycloak.saml.common.util.XmlKeyInfoKeyNameTransformer;
@@ -276,4 +281,11 @@ public class SAMLIdentityProviderConfig extends IdentityProviderModel {
 getConfig().put(PRINCIPAL_ATTRIBUTE, principalAttribute);
 }
+ @Override
+ public void validate(RealmModel realm) {
+ SslRequired sslRequired = realm.getSslRequired();
+
+ checkUrl(sslRequired, getSingleLogoutServiceUrl(), SINGLE_LOGOUT_SERVICE_URL);
+ checkUrl(sslRequired, getSingleSignOnServiceUrl(), SINGLE_SIGN_ON_SERVICE_URL);
+ }
 }
diff --git a/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderFactory.java b/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderFactory.java
index f538cc5ab0..e6cd566530 100755
--- a/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderFactory.java
+++ b/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderFactory.java
@@ -58,6 +58,11 @@ public class SAMLIdentityProviderFactory extends AbstractIdentityProviderFactory
 return new SAMLIdentityProvider(session, new SAMLIdentityProviderConfig(model), destinationValidator);
 }
+ @Override
+ public SAMLIdentityProviderConfig createConfig() {
+ return new SAMLIdentityProviderConfig();
+ }
+
 @Override
 public Map parseConfig(KeycloakSession session, InputStream inputStream) {
 try {
diff --git a/services/src/main/java/org/keycloak/partialimport/IdentityProvidersPartialImport.java b/services/src/main/java/org/keycloak/partialimport/IdentityProvidersPartialImport.java
index b68d116117..de3dbfd835 100644
--- a/services/src/main/java/org/keycloak/partialimport/IdentityProvidersPartialImport.java
+++ b/services/src/main/java/org/keycloak/partialimport/IdentityProvidersPartialImport.java @@ -72,7 +72,7 @@ public class IdentityProvidersPartialImport extends AbstractPartialImportStian Thorgersen @@ -102,6 +111,9 @@ public class IdentityProviderTest extends AbstractAdminTest { + "vOU8TyqfZF5jpv0IcrviLl/DoFrbjByeHR+pu/vClcAOjL/u7oQELuuTfNsBI4tpexUj5G8q/YbEz0gk7idf" + "LXrAUVcsR73oTngrhRfwUSmPrjjK0kjcRb6HL9V/+wh3R/6mEd59U08ExT8N38rhmn0CI3ehMdebReprP7U8="; + @Rule + public ExpectedException expectedException = ExpectedException.none(); + @Test public void testFindAll() { create(createRep("google", "google")); 
@@ -143,6 +155,71 @@ public class IdentityProviderTest extends AbstractAdminTest { assertEquals(ComponentRepresentation.SECRET_VALUE, rep.getConfig().get("clientSecret")); } + @Test + public void failCreateInvalidUrl() { + RealmRepresentation realmRep = realm.toRepresentation(); + + realmRep.setSslRequired(SslRequired.ALL.name()); + + try { + realm.update(realmRep); + + IdentityProviderRepresentation newIdentityProvider = createRep("new-identity-provider", "oidc"); + + newIdentityProvider.getConfig().put("clientId", "clientId"); + newIdentityProvider.getConfig().put("clientSecret", "some secret value"); + + OIDCIdentityProviderConfigRep oidcConfig = new OIDCIdentityProviderConfigRep(newIdentityProvider); + + oidcConfig.setAuthorizationUrl("invalid://test"); + + try (Response response = this.realm.identityProviders().create(newIdentityProvider)) { + assertEquals(AUTH_SERVER_SSL_REQUIRED ? Response.Status.BAD_REQUEST.getStatusCode() : + Response.Status.CREATED.getStatusCode(), response.getStatus()); + } + + oidcConfig.setAuthorizationUrl(null); + oidcConfig.setTokenUrl("http://test"); + + try (Response response = this.realm.identityProviders().create(newIdentityProvider)) { + assertEquals(AUTH_SERVER_SSL_REQUIRED ? Response.Status.BAD_REQUEST.getStatusCode() : + Response.Status.CREATED.getStatusCode(), response.getStatus()); + } + + oidcConfig.setAuthorizationUrl(null); + oidcConfig.setTokenUrl(null); + oidcConfig.setJwksUrl("http://test"); + + try (Response response = this.realm.identityProviders().create(newIdentityProvider)) { + assertEquals(AUTH_SERVER_SSL_REQUIRED ? Response.Status.BAD_REQUEST.getStatusCode() : + Response.Status.CREATED.getStatusCode(), response.getStatus()); + } + + oidcConfig.setAuthorizationUrl(null); + oidcConfig.setTokenUrl(null); + oidcConfig.setJwksUrl(null); + oidcConfig.setLogoutUrl("http://test"); + + try (Response response = this.realm.identityProviders().create(newIdentityProvider)) { + assertEquals(AUTH_SERVER_SSL_REQUIRED ? 
Response.Status.BAD_REQUEST.getStatusCode() : + Response.Status.CREATED.getStatusCode(), response.getStatus()); + } + + oidcConfig.setAuthorizationUrl(null); + oidcConfig.setTokenUrl(null); + oidcConfig.setJwksUrl(null); + oidcConfig.setLogoutUrl(null); + oidcConfig.setUserInfoUrl("http://test"); + + try (Response response = this.realm.identityProviders().create(newIdentityProvider)) { + assertEquals(AUTH_SERVER_SSL_REQUIRED ? Response.Status.BAD_REQUEST.getStatusCode() : + Response.Status.CREATED.getStatusCode(), response.getStatus()); + } + } finally { + realmRep.setSslRequired(SslRequired.NONE.name()); + realm.update(realmRep); + } + } @Test public void testCreateWithBasicAuth() { 
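Review bot: `failCreateInvalidUrl` creates the same alias `new-identity-provider` five times without deleting it in between, so in the `!AUTH_SERVER_SSL_REQUIRED` branch, where the first call is expected to return 201, the remaining four creates would find the alias already taken and could not return `CREATED` again (assuming a duplicate alias is rejected, which is worth confirming); either delete the provider after each successful create or use a fresh alias per case. Independently of that, `invalid://test` is refused by `checkUrl`'s scheme check regardless of `sslRequired`, so expecting `CREATED` for that first case when `AUTH_SERVER_SSL_REQUIRED` is false looks inconsistent unless the realm update to `ALL` is known not to take effect on a plain-http test server — a comment stating why the expectation is conditional would help the next reader. The repeated try-with-resources/assert pair could be a small helper `assertCreateStatus(newIdentityProvider, expectedStatus)` to shorten the method.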
@@ -258,6 +335,84 @@ public class IdentityProviderTest extends AbstractAdminTest { assertEquals("${vault.key}", testingClient.testing("admin-client-test").getIdentityProviderConfig("changed-alias").get("clientSecret")); } + @Test + public void failUpdateInvalidUrl() { + RealmRepresentation realmRep = realm.toRepresentation(); + + realmRep.setSslRequired(SslRequired.ALL.name()); + + try { + realm.update(realmRep); + + IdentityProviderRepresentation representation = createRep(UUID.randomUUID().toString(), "oidc"); + + representation.getConfig().put("clientId", "clientId"); + representation.getConfig().put("clientSecret", "some secret value"); + + try (Response response = realm.identityProviders().create(representation)) { + assertEquals(Response.Status.CREATED.getStatusCode(), response.getStatus()); + } + + IdentityProviderResource resource = this.realm.identityProviders().get(representation.getAlias()); + representation = resource.toRepresentation(); + + OIDCIdentityProviderConfigRep oidcConfig = new OIDCIdentityProviderConfigRep(representation); + + oidcConfig.setAuthorizationUrl("invalid://test"); + + this.expectedException.expect( + Matchers.allOf(Matchers.instanceOf(ClientErrorException.class), Matchers.hasProperty("response", + Matchers.hasProperty("status", Matchers.is( + Response.Status.BAD_REQUEST.getStatusCode()))))); + resource.update(representation); + + oidcConfig.setAuthorizationUrl(null); + oidcConfig.setTokenUrl("http://test"); + + this.expectedException.expect( + Matchers.allOf(Matchers.instanceOf(ClientErrorException.class), Matchers.hasProperty("response", + Matchers.hasProperty("status", Matchers.is( + Response.Status.BAD_REQUEST.getStatusCode()))))); + resource.update(representation); + + oidcConfig.setAuthorizationUrl(null); + oidcConfig.setTokenUrl(null); + oidcConfig.setJwksUrl("http://test"); + + this.expectedException.expect( + Matchers.allOf(Matchers.instanceOf(ClientErrorException.class), Matchers.hasProperty("response", + 
Matchers.hasProperty("status", Matchers.is( + Response.Status.BAD_REQUEST.getStatusCode()))))); + resource.update(representation); + + oidcConfig.setAuthorizationUrl(null); + oidcConfig.setTokenUrl(null); + oidcConfig.setJwksUrl(null); + oidcConfig.setLogoutUrl("http://test"); + + this.expectedException.expect( + Matchers.allOf(Matchers.instanceOf(ClientErrorException.class), Matchers.hasProperty("response", + Matchers.hasProperty("status", Matchers.is( + Response.Status.BAD_REQUEST.getStatusCode()))))); + resource.update(representation); + + oidcConfig.setAuthorizationUrl(null); + oidcConfig.setTokenUrl(null); + oidcConfig.setJwksUrl(null); + oidcConfig.setLogoutUrl(null); + oidcConfig.setUserInfoUrl("http://test"); + + this.expectedException.expect( + Matchers.allOf(Matchers.instanceOf(ClientErrorException.class), Matchers.hasProperty("response", + Matchers.hasProperty("status", Matchers.is( + Response.Status.BAD_REQUEST.getStatusCode()))))); + resource.update(representation); + } finally { + realmRep.setSslRequired(SslRequired.NONE.name()); + realm.update(realmRep); + } + } + @Test public void testRemove() { IdentityProviderRepresentation newIdentityProvider = createRep("remove-identity-provider", "saml"); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java index 732f73f54f..f628175db7 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java 
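Review bot: In `failUpdateInvalidUrl` the first `resource.update(representation)` is expected to throw, and with JUnit's `ExpectedException` rule the method ends at that throw, so the four later cases (`tokenUrl`, `jwksUrl`, `logoutUrl`, `userInfoUrl`) never execute and the test only covers the `invalid://test` scheme case; the repeated `expectedException.expect(...)` calls also just overwrite one another. A small helper that catches `ClientErrorException`, asserts the 400 status and fails when nothing is thrown lets every case run in sequence, and the `@Rule` added earlier in this file becomes unnecessary. The `finally` block still restores the realm's SSL setting and can stay as it is.
```java
        // … unchanged: realm sslRequired=ALL setup, provider creation and representation lookup …
        OIDCIdentityProviderConfigRep oidcConfig = new OIDCIdentityProviderConfigRep(representation);

        oidcConfig.setAuthorizationUrl("invalid://test");
        assertUpdateRejected(resource, representation);

        oidcConfig.setAuthorizationUrl(null);
        oidcConfig.setTokenUrl("http://test");
        assertUpdateRejected(resource, representation);
        // … unchanged: same pattern for jwksUrl, logoutUrl and userInfoUrl, then the finally block …

    // Expects the update to be refused with 400; fails if it is accepted or fails with another status.
    private static void assertUpdateRejected(IdentityProviderResource resource, IdentityProviderRepresentation representation) {
        try {
            resource.update(representation);
            throw new AssertionError("Update with an invalid URL was accepted");
        } catch (ClientErrorException e) {
            assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), e.getResponse().getStatus());
        }
    }
```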
@@ -1658,8 +1658,8 @@ public class PermissionsTest extends AbstractKeycloakTest { }, Resource.IDENTITY_PROVIDER, false); invoke(new InvocationWithResponse() { public void invoke(RealmResource realm, AtomicReference response) { - response.set(realm.identityProviders().create(IdentityProviderBuilder.create().providerId("nosuch") - .displayName("nosuch-foo").alias("foo").build())); + response.set(realm.identityProviders().create(IdentityProviderBuilder.create().providerId("oidc") + .displayName("nosuch-foo").alias("foo").setAttribute("clientId", "foo").setAttribute("clientSecret", "foo").build())); } }, Resource.IDENTITY_PROVIDER, true); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java index c8b06720df..6d45fb4fe8 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java @@ -708,7 +708,7 @@ public class UserTest extends AbstractAdminTest { IdentityProviderRepresentation rep = new IdentityProviderRepresentation(); rep.setAlias("social-provider-id"); - rep.setProviderId("social-provider-type"); + rep.setProviderId("oidc"); realm.identityProviders().create(rep); assertAdminEvents.assertEvent(realmId, OperationType.CREATE, AdminEventPaths.identityProviderPath(rep.getAlias()), rep, ResourceType.IDENTITY_PROVIDER); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOIDCBrokerWithSignatureTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOIDCBrokerWithSignatureTest.java index f98a5fc804..34292ee638 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOIDCBrokerWithSignatureTest.java 
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOIDCBrokerWithSignatureTest.java @@ -279,7 +279,7 @@ public class KcOIDCBrokerWithSignatureTest extends AbstractBaseBrokerTest { // Update identityProvider to some bad JWKS_URL OIDCIdentityProviderConfigRep cfg = new OIDCIdentityProviderConfigRep(idpRep); - cfg.setJwksUrl("http://localhost:43214/non-existent"); + cfg.setJwksUrl("https://localhost:43214/non-existent"); updateIdentityProvider(idpRep); // Check that key is not cached anymore diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/OIDCIdentityProviderConfigRep.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/OIDCIdentityProviderConfigRep.java index da8622fa38..8d95be7ff7 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/OIDCIdentityProviderConfigRep.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/OIDCIdentityProviderConfigRep.java @@ -27,7 +27,7 @@ import org.keycloak.representations.idm.IdentityProviderRepresentation; * * @author Marek Posolda */ -class OIDCIdentityProviderConfigRep extends OIDCIdentityProviderConfig { +public class OIDCIdentityProviderConfigRep extends OIDCIdentityProviderConfig { private final IdentityProviderRepresentation rep; diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cli/admin/KcAdmUpdateTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cli/admin/KcAdmUpdateTest.java index c1bebe062c..49ff78d1ad 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cli/admin/KcAdmUpdateTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cli/admin/KcAdmUpdateTest.java 
@@ -43,8 +43,8 @@ public class KcAdmUpdateTest extends AbstractAdmCliTest { .providerId(SAMLIdentityProviderFactory.PROVIDER_ID) .alias("idpAlias") .displayName("SAML") - .setAttribute(SAMLIdentityProviderConfig.SINGLE_SIGN_ON_SERVICE_URL, "http://saml.idp/saml") - .setAttribute(SAMLIdentityProviderConfig.SINGLE_LOGOUT_SERVICE_URL, "http://saml.idp/saml") + .setAttribute(SAMLIdentityProviderConfig.SINGLE_SIGN_ON_SERVICE_URL, "https://saml.idp/saml") + .setAttribute(SAMLIdentityProviderConfig.SINGLE_LOGOUT_SERVICE_URL, "https://saml.idp/saml") .setAttribute(SAMLIdentityProviderConfig.NAME_ID_POLICY_FORMAT, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress") .setAttribute(SAMLIdentityProviderConfig.POST_BINDING_RESPONSE, "false") .setAttribute(SAMLIdentityProviderConfig.POST_BINDING_AUTHN_REQUEST, "false") diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/BrokerTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/BrokerTest.java index 13ec90c7b9..954d3fc2d4 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/BrokerTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/BrokerTest.java @@ -91,7 +91,7 @@ public class BrokerTest extends AbstractSamlTest { final ResponseType res = new SAML2LoginResponseBuilder() .requestID(req.getID()) .destination(req.getAssertionConsumerServiceURL().toString()) - .issuer("http://saml.idp/saml") + .issuer("https://saml.idp/saml") .assertionExpiration(1000000) .subjectExpiration(1000000) .requestIssuer(getAuthServerRealmBase(REALM_NAME).toString()) 
@@ -118,7 +118,7 @@ public class BrokerTest extends AbstractSamlTest { AuthenticationExecutionInfoRepresentation reviewProfileAuthenticator = null; String firstBrokerLoginFlowAlias = null; - try (IdentityProviderCreator idp = new IdentityProviderCreator(realm, addIdentityProvider("http://saml.idp/saml"))) { + try (IdentityProviderCreator idp = new IdentityProviderCreator(realm, addIdentityProvider("https://saml.idp/saml"))) { IdentityProviderRepresentation idpRepresentation = idp.identityProvider().toRepresentation(); firstBrokerLoginFlowAlias = idpRepresentation.getFirstBrokerLoginFlowAlias(); List executions = realm.flows().getExecutions(firstBrokerLoginFlowAlias); @@ -168,7 +168,7 @@ public class BrokerTest extends AbstractSamlTest { public void testRedirectQueryParametersPreserved() throws IOException { final RealmResource realm = adminClient.realm(REALM_NAME); - try (IdentityProviderCreator idp = new IdentityProviderCreator(realm, addIdentityProvider("http://saml.idp/?service=name&serviceType=prod"))) { + try (IdentityProviderCreator idp = new IdentityProviderCreator(realm, addIdentityProvider("https://saml.idp/?service=name&serviceType=prod"))) { SAMLDocumentHolder samlResponse = new SamlClientBuilder() .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, POST).build() .login().idp(SAML_BROKER_ALIAS).build() 
@@ -178,7 +178,7 @@ public class BrokerTest extends AbstractSamlTest { assertThat(samlResponse.getSamlObject(), Matchers.instanceOf(AuthnRequestType.class)); AuthnRequestType ar = (AuthnRequestType) samlResponse.getSamlObject(); - assertThat(ar.getDestination(), Matchers.equalTo(URI.create("http://saml.idp/?service=name&serviceType=prod"))); + assertThat(ar.getDestination(), Matchers.equalTo(URI.create("https://saml.idp/?service=name&serviceType=prod"))); Header[] headers = new SamlClientBuilder() .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, POST).build() @@ -187,7 +187,7 @@ public class BrokerTest extends AbstractSamlTest { .executeAndTransform(resp -> resp.getHeaders(HttpHeaders.LOCATION)); assertThat(headers.length, Matchers.is(1)); - assertThat(headers[0].getValue(), Matchers.containsString("http://saml.idp/?service=name&serviceType=prod")); + assertThat(headers[0].getValue(), Matchers.containsString("https://saml.idp/?service=name&serviceType=prod")); assertThat(headers[0].getValue(), Matchers.containsString("SAMLRequest")); } } @@ -228,7 +228,7 @@ public class BrokerTest extends AbstractSamlTest { private void assertExpired(XMLGregorianCalendar notBefore, XMLGregorianCalendar notOnOrAfter, boolean shouldPass) throws Exception { Status expectedStatus = shouldPass ? Status.OK : Status.BAD_REQUEST; final RealmResource realm = adminClient.realm(REALM_NAME); - try (IdentityProviderCreator idp = new IdentityProviderCreator(realm, addIdentityProvider("http://saml.idp/"))) { + try (IdentityProviderCreator idp = new IdentityProviderCreator(realm, addIdentityProvider("https://saml.idp/"))) { new SamlClientBuilder() .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, POST).build() .login().idp(SAML_BROKER_ALIAS).build() 
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/IdpInitiatedLoginTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/IdpInitiatedLoginTest.java index 37f8ae3d15..cddd3a8a1a 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/IdpInitiatedLoginTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/IdpInitiatedLoginTest.java @@ -210,7 +210,7 @@ public class IdpInitiatedLoginTest extends AbstractSamlTest { IdentityProviderBuilder.create() .alias("saml-idp") .providerId("saml") - .setAttribute(SAMLIdentityProviderConfig.SINGLE_SIGN_ON_SERVICE_URL, "http://saml-idp-sso-service/") + .setAttribute(SAMLIdentityProviderConfig.SINGLE_SIGN_ON_SERVICE_URL, "https://saml-idp-sso-service/") .setAttribute(SAMLIdentityProviderConfig.POST_BINDING_AUTHN_REQUEST, "true") .build())) { new SamlClientBuilder() diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/LogoutTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/LogoutTest.java index e1fa36fc35..8dbae0fd8b 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/LogoutTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/LogoutTest.java 
@@ -75,9 +75,9 @@ public class LogoutTest extends AbstractSamlTest { private static final String SP_NAME_QUALIFIER = "spNameQualifier"; private static final String NAME_QUALIFIER = "nameQualifier"; - private static final String BROKER_SIGN_ON_SERVICE_URL = "http://saml.idp/saml"; - private static final String BROKER_LOGOUT_SERVICE_URL = "http://saml.idp/SLO/saml"; - private static final String BROKER_SERVICE_ID = "http://saml.idp/saml"; + private static final String BROKER_SIGN_ON_SERVICE_URL = "https://saml.idp/saml"; + private static final String BROKER_LOGOUT_SERVICE_URL = "https://saml.idp/SLO/saml"; + private static final String BROKER_SERVICE_ID = "https://saml.idp/saml"; private ClientRepresentation salesRep; private ClientRepresentation sales2Rep; diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/cli/idp-keycloak-9167.json b/testsuite/integration-arquillian/tests/base/src/test/resources/cli/idp-keycloak-9167.json index 58fd177e03..79c23c0982 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/resources/cli/idp-keycloak-9167.json +++ b/testsuite/integration-arquillian/tests/base/src/test/resources/cli/idp-keycloak-9167.json @@ -13,9 +13,9 @@ "config" : { "nameIDPolicyFormat" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "postBindingResponse" : "false", - "singleLogoutServiceUrl" : "http://saml.idp/saml", + "singleLogoutServiceUrl" : "https://saml.idp/saml", "postBindingAuthnRequest" : "false", - "singleSignOnServiceUrl" : "http://saml.idp/saml", + "singleSignOnServiceUrl" : "https://saml.idp/saml", "backchannelSupported" : "false" } }