Missing Cache-Control header when response_type parameter is missing in login request

closes #29866

Signed-off-by: mposolda <mposolda@gmail.com>
This commit is contained in:
mposolda 2024-07-17 18:26:30 +02:00 committed by Marek Posolda
parent 5ea3becef5
commit 3110bb8989
2 changed files with 25 additions and 1 deletions


@ -268,6 +268,8 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
}
private Response redirectErrorToClient(OIDCResponseMode responseMode, String error, String errorDescription) {
CacheControlUtil.noBackButtonCacheControlHeader(session);
OIDCRedirectUriBuilder errorResponseBuilder = OIDCRedirectUriBuilder.fromUri(redirectUri, responseMode, session, null)
.addParam(OAuth2Constants.ERROR, error);
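Review bot: The added `CacheControlUtil.noBackButtonCacheControlHeader(session);` call at the top of redirectErrorToClient carries no explanation of why an error redirect needs it, so a later cleanup could easily drop it as redundant. I would add above it: `// The error redirect carries the OAuth error parameters back to the browser; mark it uncacheable so a back button or shared cache cannot replay the error response (#29866).` Only the redirect-to-client path is covered by this hunk; if the endpoint also renders a local error page when the request has no usable redirect_uri, that path presumably needs the same header and is worth checking, though it is not visible here. The body of redirectErrorToClient continues past the end of the hunk.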


@ -16,6 +16,9 @@
*/
package org.keycloak.testsuite.oauth;
import jakarta.ws.rs.client.Client;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.Response;
import org.jboss.arquillian.graphene.page.Page;
import org.junit.Assert;
import org.junit.Before;
@ -37,6 +40,7 @@ import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.pages.ErrorPage;
import org.keycloak.testsuite.pages.InstalledAppRedirectPage;
import org.keycloak.testsuite.updaters.ClientAttributeUpdater;
import org.keycloak.testsuite.util.AdminClientUtil;
import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.WaitUtils;
@ -50,6 +54,10 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.is;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson;
@ -185,6 +193,20 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
events.expectLogin().error(Errors.INVALID_REQUEST).user((String) null).session((String) null).clearDetails().detail(Details.RESPONSE_TYPE, "tokenn").assertEvent();
}
// Issue 29866
@Test
public void authorizationRequestInvalidResponseType_testHeaders() throws IOException {
oauth.responseType("tokenn");
Client client = AdminClientUtil.createResteasyClient();
Response response = client.target(oauth.getLoginFormUrl()).request().get();
assertThat(response.getStatus(), is(equalTo(302)));
String cacheControl = response.getHeaderString(HttpHeaders.CACHE_CONTROL);
Assert.assertNotNull(cacheControl);
Assert.assertThat(cacheControl, containsString("no-store"));
Assert.assertThat(cacheControl, containsString("must-revalidate"));
}
@Test
public void authorizationRequestFormPostResponseModeInvalidResponseType() throws IOException {
oauth.responseMode(OIDCResponseMode.FORM_POST.value());
@ -395,5 +417,5 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
events.expectLogin().error(Errors.INVALID_REQUEST).user((String) null).session((String) null).client((String) null).clearDetails().assertEvent();
}
}
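Review bot: The `Client` and `Response` created in authorizationRequestInvalidResponseType_testHeaders are never closed, so every run leaks a Resteasy client and its open connection; wrap the call as `try (Response response = client.target(oauth.getLoginFormUrl()).request().get()) { ... } finally { client.close(); }` (jakarta.ws.rs.core.Response is AutoCloseable, and Client exposes close()). The same method mixes the statically imported `assertThat` with `Assert.assertThat`, which is deprecated in recent JUnit 4 releases; the two `Assert.assertThat(cacheControl, ...)` lines should use the `assertThat` static import this commit already adds. A comment naming the threat being regression-tested would also help a future reader, e.g. `// Regression for #29866: the error redirect must carry no-store/must-revalidate so a back button or intermediary cache cannot replay the authorization error response.` I cannot tell from this hunk whether AdminClientUtil.createResteasyClient() disables redirect following; the 302 assertion relies on it, so that assumption is worth a one-line comment too.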