From 4acd1afa3b744aadcf1f66d53a902ebf39892a39 Mon Sep 17 00:00:00 2001
From: douph1 <45632394+douph1@users.noreply.github.com>
Date: Tue, 29 Nov 2022 09:50:57 +0100
Subject: [PATCH] Use org.keycloak.common.util.Base64Url to encode/decode clientID fix #15734 related #10227 #10231
---
 .../provider/util/IdentityBrokerState.java | 10 +++++-----
 .../util/IdentityBrokerStateTest.java | 19 +++++++++++++++++++
 2 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/server-spi-private/src/main/java/org/keycloak/broker/provider/util/IdentityBrokerState.java b/server-spi-private/src/main/java/org/keycloak/broker/provider/util/IdentityBrokerState.java
index 07af682231..524b45b48d 100644
--- a/server-spi-private/src/main/java/org/keycloak/broker/provider/util/IdentityBrokerState.java
+++ b/server-spi-private/src/main/java/org/keycloak/broker/provider/util/IdentityBrokerState.java
@@ -20,10 +20,10 @@ package org.keycloak.broker.provider.util;
 import org.keycloak.authorization.policy.evaluation.Realm;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.RealmModel;
+import org.keycloak.common.util.Base64Url;
 import java.nio.BufferUnderflowException;
 import java.nio.ByteBuffer;
-import java.util.Base64;
 import java.util.UUID;
 import java.util.regex.Pattern;
@@ -51,8 +51,8 @@ public class IdentityBrokerState {
 bb.putLong(clientDbUuid.getMostSignificantBits());
 bb.putLong(clientDbUuid.getLeastSignificantBits());
 byte[] clientUuidBytes = bb.array();
- clientIdEncoded = Base64.getEncoder().encodeToString(clientUuidBytes).replace("=", "");
- } catch (IllegalArgumentException e) {
+ clientIdEncoded = Base64Url.encode(clientUuidBytes);
+ } catch (RuntimeException e) {
 // Ignore...the clientid in the database was not in UUID format. Just use as is.
 }
 }
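Review bot: The `} catch (RuntimeException e) {` introduced in this hunk, and the same widening in the `@@ -83,7` hunk of the decode path, now swallow every unchecked exception raised inside the try block (a NullPointerException from the UUID parsing above this hunk, or any unexpected failure inside Base64Url) under a comment that says to ignore it, where before only the documented malformed-input exceptions were ignored. In this encode hunk nothing visible besides the UUID parsing appears to throw on bad input, so `} catch (IllegalArgumentException e) {` could stay as it was; if the decode side needs the wider catch because Base64Url reports malformed input as a plain RuntimeException (worth confirming against its source), catch that narrowly there and let everything else propagate. At minimum the swallowed exception should be recorded rather than dropped, e.g. `logger.debugf(e, "clientId is not an encoded UUID, using it as-is");` if the class has a logger available. The enclosing method starts before this hunk.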
@@ -73,7 +73,7 @@ public class IdentityBrokerState {
 try {
 // If this decoding succeeds it was the result of the encoding of a UUID client.id - if it fails we interpret it as client.clientId
 // in accordance to the method decoded above
- byte[] decodedClientId = Base64.getDecoder().decode(clientId);
+ byte[] decodedClientId = Base64Url.decode(clientId);
 ByteBuffer bb = ByteBuffer.wrap(decodedClientId);
 long first = bb.getLong();
 long second = bb.getLong();
@@ -83,7 +83,7 @@ public class IdentityBrokerState {
 if (clientModel != null) {
 clientId = clientModel.getClientId();
 }
- } catch (IllegalArgumentException | BufferUnderflowException e) {
+ } catch (RuntimeException e) {
 // Ignore...the clientid was not in encoded uuid format. Just use as it is.
 }
 }
diff --git a/server-spi-private/src/test/java/org/keycloak/broker/provider/util/IdentityBrokerStateTest.java b/server-spi-private/src/test/java/org/keycloak/broker/provider/util/IdentityBrokerStateTest.java
index 29adcf7437..282c4edd76 100644
--- a/server-spi-private/src/test/java/org/keycloak/broker/provider/util/IdentityBrokerStateTest.java
+++ b/server-spi-private/src/test/java/org/keycloak/broker/provider/util/IdentityBrokerStateTest.java
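Review bot: The try block whose catch is rewritten in the `@@ -83,7` hunk guards not only `Base64Url.decode(clientId)` and the two `getLong()` calls but also the client lookup whose result is tested by `if (clientModel != null)` (the lookup itself presumably sits in the lines between the two hunks), so with `catch (RuntimeException e)` a runtime failure from the model layer is now also treated as "not an encoded uuid" and the raw input is silently kept as the client id. Keeping only the decode and the UUID reconstruction inside the try, and doing the lookup after the catch on a successfully reconstructed UUID, limits the fallback to genuinely malformed input. Separately, `ByteBuffer.wrap(decodedClientId)` followed by two `getLong()` calls accepts any decoded input of 16 or more bytes and ignores the tail; `if (decodedClientId.length != 16) throw new IllegalArgumentException("decoded clientId is not a UUID");` before the wrap pins the expected shape. Since the previous encoder emitted the standard alphabet with padding stripped, it is also worth confirming that Base64Url.decode still accepts such values during a rolling upgrade, otherwise in-flight states would fall through to the literal-clientId branch. The enclosing method starts before the `@@ -73,7` hunk.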
@@ -45,6 +45,25 @@ public class IdentityBrokerStateTest {
 Assert.assertEquals("gNrGamIDGKpKSI9yOrcFzYTKoFGH779_WNCacAelkhk.vpISZLVDAc0.7UlEjBTPRx6oOgY9DcO8jA", encodedState.getEncoded());
 }
+ @Test
+ public void testDecodedWithClientIdAnActualUuidBASE64UriFriendly() {
+
+ // Given
+ String state = "gNrGamIDGKpKSI9yOrcFzYTKoFGH779_WNCacAelkhk";
+ String clientId = "c5ac1ea7-6c28-4be1-b7cd-d63a1ba57f78";
+ String clientClientId = "http://i.am.an.url";
+ String tabId = "vpISZLVDAc0";
+
+ // When
+ IdentityBrokerState encodedState = IdentityBrokerState.decoded(state, clientId, clientClientId, tabId);
+
+ // Then
+ Assert.assertNotNull(encodedState);
+ Assert.assertEquals(clientClientId, encodedState.getClientId());
+ Assert.assertEquals(tabId, encodedState.getTabId());
+ Assert.assertEquals("gNrGamIDGKpKSI9yOrcFzYTKoFGH779_WNCacAelkhk.vpISZLVDAc0.xawep2woS-G3zdY6G6V_eA", encodedState.getEncoded());
+ }
+
 @Test
 public void testEncodedWithClientIdUUid() {
 // Given
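Review bot: The new test only exercises the encoding direction through `IdentityBrokerState.decoded(...)`; nothing in the hunk checks that an encoded value containing `-` or `_` (such as the `xawep2woS-G3zdY6G6V_eA` suffix asserted here) is accepted by the decode path that the commit also changes. If the class already has a test driving the decode entry point with a RealmModel, adding a case with this URL-safe value pins the fix for #15734; otherwise a round-trip through it is the test that would have caught the original defect. Minor: `testDecodedWithClientIdAnActualUuidBASE64UriFriendly` mixes an all-caps acronym with "Uri" while the class under test uses `Base64Url`; `testDecodedWithClientIdAnActualUuidBase64UrlFriendly` reads consistently with the rest of the file.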