Allow requests from local IPv6 addresses

If the administrator selects EXTERNAL for the Require SSL setting, allow clear-text
HTTP requests when the client is coming from an IPv6 link-local or unique local
address (ULA).

Previously, only private IPv4 addresses were allowed and private IPv6 addresses
were rejected.

Closes #30678

Signed-off-by: Tero Saarni <tero.saarni@est.tech>
Tero Saarni 2024-08-05 17:38:55 +03:00 committed by GitHub
parent 7b316afc74
commit 62fd969fe1
GPG key ID: B5690EEEBB952194
2 changed files with 15 additions and 2 deletions
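Added example, not Keycloak's code: a stand-alone Java class that reproduces the isLocal() predicate as it stands after this commit and runs it over a constructed list of client addresses, so you can see exactly which clients are exempted from SSL under EXTERNAL. It goes a little beyond the commit message by also showing the java.net.InetAddress semantics the check inherits (for instance that isLinkLocalAddress() is true for IPv4 169.254.0.0/16 and isSiteLocalAddress() for IPv6 fec0::/10) and by adding a stricter variant that confines the link-local match to IPv6. The class name LocalAddressCheck, the method isLocalIpv6LinkLocalOnly and the sample address list are assumptions of this example.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.UnknownHostException;

/**
 * Stand-alone reproduction of the post-change isLocal() logic, for seeing
 * which remote addresses bypass the SSL requirement under SslRequired.EXTERNAL.
 * Example code only; the class and method names are hypothetical, the
 * InetAddress semantics relied on are the real ones from the JDK.
 */
public class LocalAddressCheck {

    /** Same predicate as the patched isLocal(): any / loopback / site-local / link-local / ULA. */
    static boolean isLocal(String remoteAddress) {
        try {
            InetAddress a = InetAddress.getByName(remoteAddress);
            return a.isAnyLocalAddress()          // 0.0.0.0 and ::
                || a.isLoopbackAddress()          // 127.0.0.0/8 and ::1
                || a.isSiteLocalAddress()         // IPv4 10/8, 172.16/12, 192.168/16; IPv6 fec0::/10 (deprecated site-local)
                || a.isLinkLocalAddress()         // IPv6 fe80::/10, but also IPv4 169.254.0.0/16
                || isUniqueLocal(a);              // IPv6 fc00::/7 (RFC 4193)
        } catch (UnknownHostException e) {
            return false;                         // unparsable input is treated as non-local, as in the patch
        }
    }

    /** fc00::/7: the top seven bits of the first byte are 1111110. The int-promotion of the byte makes casts unnecessary. */
    static boolean isUniqueLocal(InetAddress a) {
        if (!(a instanceof Inet6Address)) {
            return false;
        }
        return (a.getAddress()[0] & 0xFE) == 0xFC;
    }

    /**
     * Stricter variant (hypothetical, not in the patch): identical to isLocal()
     * except that the link-local branch only fires for IPv6, so IPv4 169.254/16
     * clients are still required to use SSL.
     */
    static boolean isLocalIpv6LinkLocalOnly(String remoteAddress) {
        try {
            InetAddress a = InetAddress.getByName(remoteAddress);
            boolean v6LinkLocal = a instanceof Inet6Address && a.isLinkLocalAddress();
            return a.isAnyLocalAddress()
                || a.isLoopbackAddress()
                || a.isSiteLocalAddress()
                || v6LinkLocal
                || isUniqueLocal(a);
        } catch (UnknownHostException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: IP literals only, so getByName() never does a DNS lookup.
        String[] samples = {
            "127.0.0.1", "::1",                        // loopback, both families
            "10.1.2.3", "192.168.1.1",                 // IPv4 private
            "172.31.255.1", "172.32.0.1",              // last address inside 172.16.0.0/12, first one outside it
            "169.254.10.20",                           // IPv4 link-local: accepted by isLocal(), not by the stricter variant
            "fe80::1",                                 // IPv6 link-local
            "fd12:3456:789a::1", "fc00::1",            // IPv6 ULA, both halves of fc00::/7
            "fec0::1",                                 // deprecated IPv6 site-local, already accepted before this commit
            "::ffff:10.0.0.5",                         // IPv4-mapped: the JDK returns an Inet4Address, so the IPv4 rules apply
            "2001:db8::1", "203.0.113.7"               // global addresses: SSL required
        };
        for (String s : samples) {
            System.out.printf("%-20s isLocal=%-5b ipv6LinkLocalOnly=%b%n",
                s, isLocal(s), isLocalIpv6LinkLocalOnly(s));
        }
    }
}
```

Run it with `java LocalAddressCheck.java` (JDK 11+ single-file launch). The two columns differ only for 169.254.10.20, which isLocal() exempts from SSL while the stricter variant does not. One caveat worth keeping in mind for the production code path as well: InetAddress.getByName() performs a DNS lookup for anything that is not an IP literal, so the value handed to isLocal() must always be the peer address, never a client-controlled host name.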


@ -51,10 +51,23 @@ public enum SslRequired {
private boolean isLocal(String remoteAddress) {
try {
InetAddress inetAddress = InetAddress.getByName(remoteAddress);
return inetAddress.isAnyLocalAddress() || inetAddress.isLoopbackAddress() || inetAddress.isSiteLocalAddress();
return inetAddress.isAnyLocalAddress() || inetAddress.isLoopbackAddress() || inetAddress.isSiteLocalAddress() || inetAddress.isLinkLocalAddress() || isUniqueLocal(inetAddress);
} catch (UnknownHostException e) {
return false;
}
}
/**
* Check if the address is within IPv6 unique local address (ULA) range RFC4193.
*/
private boolean isUniqueLocal(InetAddress address) {
if (address instanceof java.net.Inet6Address) {
byte[] addr = address.getAddress();
// Check if address is in unique local range fc00::/7
return ((byte) (addr[0] & 0b11111110)) == (byte) 0xFC;
}
return false;
}
}
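Review bot: the `isLinkLocalAddress()` added to the new return statement is not IPv6-specific: `InetAddress.isLinkLocalAddress()` also returns true for IPv4 169.254.0.0/16, so this hunk widens the clear-text allow-list for IPv4 clients too, which neither the commit message ("allow clear-text HTTP requests when client is coming from IPv6 link-local or unique local address") nor the documentation change mentions. If only fe80::/10 is intended, guard it the way `isUniqueLocal` already does, e.g. `(inetAddress instanceof java.net.Inet6Address && inetAddress.isLinkLocalAddress())`; otherwise the 169.254/16 case should be documented. Two smaller points: the casts in `return ((byte) (addr[0] & 0b11111110)) == (byte) 0xFC;` are unnecessary, since `addr[0] & 0xFE` is already an int in 0..254 and `(addr[0] & 0xFE) == 0xFC` reads more directly (the fully qualified `java.net.Inet6Address` could also be a plain import); and with only two files changed (source and docs) the new branches have no unit test, so a test over fe80::1, fd00::1, fc00::1, 169.254.1.1 and a global IPv6 address would pin down the intended behaviour.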


@ -17,7 +17,7 @@ image:images/general-tab.png[General Tab]
. Set *Require SSL* to one of the following SSL modes:
* *External requests*
Users can interact with {project_name} without SSL so long as they stick to private IP addresses such as `localhost`, `127.0.0.1`, `10.x.x.x`, `192.168.x.x`, and `172.16.x.x`.
Users can interact with {project_name} without SSL so long as they stick to private IPv4 addresses such as `localhost`, `127.0.0.1`, `10.x.x.x`, `192.168.x.x`, `172.16.x.x` or IPv6 link-local and unique-local addresses.
If you try to access {project_name} without SSL from a non-private IP address, you will get an error.
* *None*
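Review bot: the rewritten *External requests* text still does not describe the allow-list the code implements. `172.16.x.x` is only the first /16 of the private range `172.16.0.0/12` (172.16.0.0 through 172.31.255.255, all of which `isSiteLocalAddress()` accepts); `localhost` is a host name rather than a "private IPv4 address"; and the IPv6 loopback `::1`, which `isLoopbackAddress()` has always accepted, is not listed at all. Suggest spelling the ranges out as CIDRs, e.g. `127.0.0.0/8`, `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `::1`, `fe80::/10` and `fc00::/7`, so an operator can check a deployment against exactly what is exempted from SSL.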