From 808d27be2de7618472a9a7323a79cb0eefa96acf Mon Sep 17 00:00:00 2001
From: Bill Burke
Date: Thu, 16 Jul 2015 08:48:07 -0400
Subject: [PATCH 1/2] idp initiated relaystate query param
---
 docbook/reference/en/en-US/modules/saml.xml | 3 ++-
 .../main/java/org/keycloak/protocol/saml/SamlService.java | 7 +++++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/docbook/reference/en/en-US/modules/saml.xml b/docbook/reference/en/en-US/modules/saml.xml
index 0ac20a6f0e..4f4ffb7b73 100755
--- a/docbook/reference/en/en-US/modules/saml.xml
+++ b/docbook/reference/en/en-US/modules/saml.xml
@@ -194,7 +194,8 @@ with no whitespace in it. After this you can reference your client at the following URL: root/auth/realms/{realm}/protocol/saml/clients/{url-name}
- If your client requires a special relay state, you can also configure this in the admin console.
+ If your client requires a special relay state, you can also configure this in the admin console. Alternatively, you can specify the relay state in a
+ RelayState query parameter, i.e. : root/auth/realms/{realm}/protocol/saml/clients/{url-name}?RelayState=thestate
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlService.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlService.java
index d418f0edfb..da2fc9e5dd 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlService.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlService.java
@@ -561,7 +561,8 @@ public class SamlService {
 @GET
 @Path("clients/{client}")
 @Produces(MediaType.TEXT_HTML)
- public Response idpInitiatedSSO(@PathParam("client") String clientUrlName) {
+ public Response idpInitiatedSSO(@PathParam("client") String clientUrlName,
+ @QueryParam("RelayState") String relayState) {
 event.event(EventType.LOGIN);
 ClientModel client = null;
 for (ClientModel c : realm.getClients()) {
@@ -609,7 +610,9 @@ public class SamlService {
 clientSession.setNote(SamlProtocol.SAML_IDP_INITIATED_LOGIN, "true");
 clientSession.setRedirectUri(redirect);
- String relayState = client.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_RELAY_STATE);
+ if (relayState == null) {
+ relayState = client.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_RELAY_STATE);
+ }
 if (relayState != null && !relayState.trim().equals("")) {
 clientSession.setNote(GeneralConstants.RELAY_STATE, relayState);
 }
From e825be1c799e78f70fc847219898c73145626ec0 Mon Sep 17 00:00:00 2001
From: Bill Burke
Date: Thu, 16 Jul 2015 10:17:44 -0400
Subject: [PATCH 2/2] nonce in tokens
---
 .../java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java | 1 +
 .../src/main/java/org/keycloak/protocol/oidc/TokenManager.java | 2 ++
 .../protocol/oidc/endpoints/AuthorizationEndpoint.java | 3 +++
 3 files changed, 6 insertions(+)
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
index c002335311..ded0fbb640 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
@@ -55,6 +55,7 @@ public class OIDCLoginProtocol implements LoginProtocol {
 public static final String GRANT_TYPE_PARAM = "grant_type";
 public static final String REDIRECT_URI_PARAM = "redirect_uri";
 public static final String CLIENT_ID_PARAM = "client_id";
+ public static final String NONCE_PARAM = "nonce";
 public static final String PROMPT_PARAM = "prompt";
 public static final String LOGIN_HINT_PARAM = "login_hint";
 public static final String LOGOUT_REDIRECT_URI = "OIDC_LOGOUT_REDIRECT_URI";
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
index 99528c8316..995175e980 100755
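Review bot: An empty query parameter (`?RelayState=`) arrives as `""` rather than `null`, so the new `if (relayState == null)` guard skips the fallback and the client's configured `SAML_IDP_INITIATED_SSO_RELAY_STATE` is then discarded by the blank check on the next line; the fallback should also trigger on blank input, `if (relayState == null || relayState.trim().isEmpty()) {`. The parameter introduced in the preceding @@ -561 hunk also lets an unauthenticated GET override the admin-configured value with no size or content check before it is stored in the client session and, presumably, forwarded to the SP; consider capping it (the SAML 2.0 Bindings spec limits RelayState to 80 bytes) or honoring the query parameter only when the client has no configured relay state. The enclosing idpInitiatedSSO method starts and ends outside the hunk.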
--- a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
@@ -324,6 +324,7 @@ public class TokenManager {
 token.issuedNow();
 token.issuedFor(client.getClientId());
 token.issuer(clientSession.getNote(OIDCLoginProtocol.ISSUER));
+ token.setNonce(clientSession.getNote(OIDCLoginProtocol.NONCE_PARAM));
 if (session != null) {
 token.setSessionState(session.getId());
 }
@@ -434,6 +435,7 @@ public class TokenManager {
 idToken.issuedNow();
 idToken.issuedFor(accessToken.getIssuedFor());
 idToken.issuer(accessToken.getIssuer());
+ idToken.setNonce(accessToken.getNonce());
 idToken.setSessionState(accessToken.getSessionState());
 if (realm.getAccessTokenLifespan() > 0) {
 idToken.expiration(Time.currentTime() + realm.getAccessTokenLifespan());
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java
index c2a42eb89a..603f3dd65f 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java
@@ -79,6 +79,7 @@ public class AuthorizationEndpoint {
 private String scope;
 private String loginHint;
 private String prompt;
+ private String nonce;
 private String idpHint;
 private String legacyResponseType;
@@ -102,6 +103,7 @@ public class AuthorizationEndpoint {
 loginHint = params.getFirst(OIDCLoginProtocol.LOGIN_HINT_PARAM);
 prompt = params.getFirst(OIDCLoginProtocol.PROMPT_PARAM);
 idpHint = params.getFirst(AdapterConstants.KC_IDP_HINT);
+ nonce = params.getFirst(OIDCLoginProtocol.NONCE_PARAM);
 checkSsl();
 checkRealm();
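Review bot: `nonce = params.getFirst(OIDCLoginProtocol.NONCE_PARAM)` in the @@ -102 hunk accepts the client-supplied value with no validation, and the two TokenManager hunks above copy it verbatim into both the access token and the ID token, so a string of arbitrary length chosen by the requester is embedded in every token minted for the session; a length cap with an invalid_request rejection at this point would keep token size bounded, and an empty string (which would pass a `nonce != null` test) should be treated the same as absent. OIDC Core makes nonce REQUIRED when response_type contains id_token; if this endpoint serves implicit or hybrid responses (the `legacyResponseType` field suggests more than one response type is handled — to be confirmed), a missing nonce should be rejected rather than silently producing an ID token without the claim. The enclosing method starts and ends outside the hunk.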
@@ -225,6 +227,7 @@ public class AuthorizationEndpoint {
 clientSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()));
 if (state != null) clientSession.setNote(OIDCLoginProtocol.STATE_PARAM, state);
+ if (nonce != null) clientSession.setNote(OIDCLoginProtocol.NONCE_PARAM, nonce);
 if (scope != null) clientSession.setNote(OIDCLoginProtocol.SCOPE_PARAM, scope);
 if (loginHint != null) clientSession.setNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, loginHint);
 if (prompt != null) clientSession.setNote(OIDCLoginProtocol.PROMPT_PARAM, prompt);