Missing Cache-Control header when response_type parameter is missing in login request

closes #29866

Signed-off-by: mposolda <mposolda@gmail.com>
This commit is contained in:
mposolda 2024-07-17 18:26:30 +02:00 committed by Marek Posolda
parent 5ea3becef5
commit 3110bb8989
2 changed files with 25 additions and 1 deletions

View file

@ -268,6 +268,8 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
} }
private Response redirectErrorToClient(OIDCResponseMode responseMode, String error, String errorDescription) { private Response redirectErrorToClient(OIDCResponseMode responseMode, String error, String errorDescription) {
CacheControlUtil.noBackButtonCacheControlHeader(session);
OIDCRedirectUriBuilder errorResponseBuilder = OIDCRedirectUriBuilder.fromUri(redirectUri, responseMode, session, null) OIDCRedirectUriBuilder errorResponseBuilder = OIDCRedirectUriBuilder.fromUri(redirectUri, responseMode, session, null)
.addParam(OAuth2Constants.ERROR, error); .addParam(OAuth2Constants.ERROR, error);

View file

@ -16,6 +16,9 @@
*/ */
package org.keycloak.testsuite.oauth; package org.keycloak.testsuite.oauth;
import jakarta.ws.rs.client.Client;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.Response;
import org.jboss.arquillian.graphene.page.Page; import org.jboss.arquillian.graphene.page.Page;
import org.junit.Assert; import org.junit.Assert;
import org.junit.Before; import org.junit.Before;
@ -37,6 +40,7 @@ import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.pages.ErrorPage; import org.keycloak.testsuite.pages.ErrorPage;
import org.keycloak.testsuite.pages.InstalledAppRedirectPage; import org.keycloak.testsuite.pages.InstalledAppRedirectPage;
import org.keycloak.testsuite.updaters.ClientAttributeUpdater; import org.keycloak.testsuite.updaters.ClientAttributeUpdater;
import org.keycloak.testsuite.util.AdminClientUtil;
import org.keycloak.testsuite.util.ClientManager; import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.OAuthClient; import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.WaitUtils; import org.keycloak.testsuite.util.WaitUtils;
@ -50,6 +54,10 @@ import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.is;
import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue; import static org.junit.Assert.assertTrue;
import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson; import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson;
@ -185,6 +193,20 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
events.expectLogin().error(Errors.INVALID_REQUEST).user((String) null).session((String) null).clearDetails().detail(Details.RESPONSE_TYPE, "tokenn").assertEvent(); events.expectLogin().error(Errors.INVALID_REQUEST).user((String) null).session((String) null).clearDetails().detail(Details.RESPONSE_TYPE, "tokenn").assertEvent();
} }
// Issue 29866
@Test
public void authorizationRequestInvalidResponseType_testHeaders() throws IOException {
oauth.responseType("tokenn");
Client client = AdminClientUtil.createResteasyClient();
Response response = client.target(oauth.getLoginFormUrl()).request().get();
assertThat(response.getStatus(), is(equalTo(302)));
String cacheControl = response.getHeaderString(HttpHeaders.CACHE_CONTROL);
Assert.assertNotNull(cacheControl);
Assert.assertThat(cacheControl, containsString("no-store"));
Assert.assertThat(cacheControl, containsString("must-revalidate"));
}
@Test @Test
public void authorizationRequestFormPostResponseModeInvalidResponseType() throws IOException { public void authorizationRequestFormPostResponseModeInvalidResponseType() throws IOException {
oauth.responseMode(OIDCResponseMode.FORM_POST.value()); oauth.responseMode(OIDCResponseMode.FORM_POST.value());