fix: issuedFor added to token to get client id into the token also redirect uri added to token and then passed to info template for "back to application" functionality

test also added to check the availability of issueFor(azp) and redirect uri in Action Fixes #14860 Fixes #15136
2023-04-30 01:46:21 +02:00 · 2023-04-30 01:46:21 +02:00 · 31db84e924
commit 31db84e924
parent ace83231ee
3 changed files with 45 additions and 2 deletions
--- a/services/src/main/java/org/keycloak/authentication/actiontoken/updateemail/UpdateEmailActionToken.java
+++ b/services/src/main/java/org/keycloak/authentication/actiontoken/updateemail/UpdateEmailActionToken.java
@ -29,10 +29,11 @@ public class UpdateEmailActionToken extends DefaultActionToken {
 	@JsonProperty("newEmail")
 	private String newEmail;
-	public UpdateEmailActionToken(String userId, int absoluteExpirationInSecs, String oldEmail, String newEmail){
+	public UpdateEmailActionToken(String userId, int absoluteExpirationInSecs, String oldEmail, String newEmail, String clientId){
 		super(userId, TOKEN_TYPE, absoluteExpirationInSecs, null);
 		this.oldEmail = oldEmail;
 		this.newEmail = newEmail;
 		this.issuedFor = clientId;
 	}
 	private UpdateEmailActionToken(){
--- a/services/src/main/java/org/keycloak/authentication/requiredactions/UpdateEmail.java
+++ b/services/src/main/java/org/keycloak/authentication/requiredactions/UpdateEmail.java
@ -119,7 +119,7 @@ public class UpdateEmail implements RequiredActionProvider, RequiredActionFactor
        AuthenticationSessionModel authenticationSession = context.getAuthenticationSession();
        UpdateEmailActionToken actionToken = new UpdateEmailActionToken(user.getId(), Time.currentTime() + validityInSecs,
-                oldEmail, newEmail);
+                oldEmail, newEmail, authenticationSession.getClient().getClientId());
        String link = Urls
                .actionTokenBuilder(uriInfo.getBaseUri(), actionToken.serialize(session, realm, uriInfo),
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/AppInitiatedActionUpdateEmailWithVerificationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/AppInitiatedActionUpdateEmailWithVerificationTest.java
@ -16,6 +16,8 @@
 */
 package org.keycloak.testsuite.actions;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.endsWith;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
@ -24,18 +26,25 @@ import jakarta.mail.Address;
 import jakarta.mail.Message;
 import jakarta.mail.MessagingException;
 import jakarta.mail.internet.MimeMessage;
 import org.hamcrest.MatcherAssert;
 import org.hamcrest.Matchers;
 import org.jboss.arquillian.graphene.page.Page;
 import org.junit.Assert;
 import org.junit.Rule;
 import org.junit.Test;
 import org.keycloak.TokenVerifier;
 import org.keycloak.common.VerificationException;
 import org.keycloak.events.Details;
 import org.keycloak.events.EventType;
 import org.keycloak.representations.AccessToken;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.testsuite.pages.ErrorPage;
 import org.keycloak.testsuite.pages.InfoPage;
 import org.keycloak.testsuite.util.GreenMailRule;
 import org.keycloak.testsuite.util.MailUtils;
 import org.openqa.selenium.By;
 import org.openqa.selenium.WebElement;
 public class AppInitiatedActionUpdateEmailWithVerificationTest extends AbstractAppInitiatedActionUpdateEmailTest {
@ -140,4 +149,37 @@ public class AppInitiatedActionUpdateEmailWithVerificationTest extends AbstractA
 		return MailUtils.getPasswordResetEmailLink(message).trim();
 	}
 	@Test
 	public void updateEmailWithRedirect() throws Exception {
 		doAIA();
 		loginPage.login("test-user@localhost", "password");
 		emailUpdatePage.assertCurrent();
 		assertTrue(emailUpdatePage.isCancelDisplayed());
 		emailUpdatePage.changeEmail("new@localhost");
 		events.expect(EventType.SEND_VERIFY_EMAIL).detail(Details.EMAIL, "new@localhost").assertEvent();
 		Assert.assertEquals("test-user@localhost", ActionUtil.findUserWithAdminClient(adminClient, "test-user@localhost").getEmail());
 		String link = fetchEmailConfirmationLink("new@localhost");
 		String token = link.substring(link.indexOf("key=") + "key=".length()).split("&")[0];
 		try {
 			final AccessToken actionTokenVerifyEmail = TokenVerifier.create(token, AccessToken.class).getToken();
 			//Issue #14860
 			assertEquals("test-app", actionTokenVerifyEmail.getIssuedFor());
 		} catch (VerificationException e) {
 			throw new IOException(e);
 		}
 		driver.navigate().to(link);
 		infoPage.assertCurrent();
 		assertEquals(String.format("The account email has been successfully updated to %s.", "new@localhost"), infoPage.getInfo());
 		//Issue #15136
 		final WebElement backToApplicationLink = driver.findElement(By.linkText("« Back to Application"));
 		assertThat(backToApplicationLink.toString(), Matchers.containsString("/auth/realms/master/app/auth"));
 		events.expect(EventType.UPDATE_EMAIL)
 				.detail(Details.PREVIOUS_EMAIL, "test-user@localhost")
 				.detail(Details.UPDATED_EMAIL, "new@localhost");
 		Assert.assertEquals("new@localhost", ActionUtil.findUserWithAdminClient(adminClient, "test-user@localhost").getEmail());
 	}
 }