KEYCLOAK-7707
This commit is contained in:
parent
a957e118e6
commit
6564cebc0f
3 changed files with 61 additions and 3 deletions
|
@ -55,7 +55,7 @@ public class RedirectUtils {
|
||||||
|
|
||||||
public static Set<String> resolveValidRedirects(UriInfo uriInfo, String rootUrl, Set<String> validRedirects) {
|
public static Set<String> resolveValidRedirects(UriInfo uriInfo, String rootUrl, Set<String> validRedirects) {
|
||||||
// If the valid redirect URI is relative (no scheme, host, port) then use the request's scheme, host, and port
|
// If the valid redirect URI is relative (no scheme, host, port) then use the request's scheme, host, and port
|
||||||
Set<String> resolveValidRedirects = new HashSet<String>();
|
Set<String> resolveValidRedirects = new HashSet<>();
|
||||||
for (String validRedirect : validRedirects) {
|
for (String validRedirect : validRedirects) {
|
||||||
resolveValidRedirects.add(validRedirect); // add even relative urls.
|
resolveValidRedirects.add(validRedirect); // add even relative urls.
|
||||||
if (validRedirect.startsWith("/")) {
|
if (validRedirect.startsWith("/")) {
|
||||||
|
@ -70,7 +70,9 @@ public class RedirectUtils {
|
||||||
private static Set<String> getValidateRedirectUris(UriInfo uriInfo, RealmModel realm) {
|
private static Set<String> getValidateRedirectUris(UriInfo uriInfo, RealmModel realm) {
|
||||||
Set<String> redirects = new HashSet<>();
|
Set<String> redirects = new HashSet<>();
|
||||||
for (ClientModel client : realm.getClients()) {
|
for (ClientModel client : realm.getClients()) {
|
||||||
redirects.addAll(resolveValidRedirects(uriInfo, client.getRootUrl(), client.getRedirectUris()));
|
if (client.isEnabled()) {
|
||||||
|
redirects.addAll(resolveValidRedirects(uriInfo, client.getRootUrl(), client.getRedirectUris()));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return redirects;
|
return redirects;
|
||||||
}
|
}
|
||||||
|
|
|
@ -36,7 +36,6 @@ import org.keycloak.representations.idm.UserRepresentation;
|
||||||
import org.keycloak.representations.idm.UserSessionRepresentation;
|
import org.keycloak.representations.idm.UserSessionRepresentation;
|
||||||
import org.keycloak.util.TokenUtil;
|
import org.keycloak.util.TokenUtil;
|
||||||
|
|
||||||
import javax.ws.rs.core.Response;
|
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
@ -150,6 +149,13 @@ public class AssertEvents implements TestRule {
|
||||||
.session(sessionId);
|
.session(sessionId);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public ExpectedEvent expectLogoutError(String error) {
|
||||||
|
return expect(EventType.LOGOUT_ERROR)
|
||||||
|
.error(error)
|
||||||
|
.client((String) null)
|
||||||
|
.user((String) null);
|
||||||
|
}
|
||||||
|
|
||||||
public ExpectedEvent expectRegister(String username, String email) {
|
public ExpectedEvent expectRegister(String username, String email) {
|
||||||
UserRepresentation user = username != null ? getUser(username) : null;
|
UserRepresentation user = username != null ? getUser(username) : null;
|
||||||
return expect(EventType.REGISTER)
|
return expect(EventType.REGISTER)
|
||||||
|
|
|
@ -18,23 +18,40 @@
|
||||||
package org.keycloak.testsuite.client;
|
package org.keycloak.testsuite.client;
|
||||||
|
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
|
import org.junit.Rule;
|
||||||
import org.keycloak.OAuth2Constants;
|
import org.keycloak.OAuth2Constants;
|
||||||
|
import org.keycloak.OAuthErrorException;
|
||||||
|
import org.keycloak.common.util.KeycloakUriBuilder;
|
||||||
|
import org.keycloak.constants.ServiceUrlConstants;
|
||||||
|
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
|
||||||
import org.keycloak.representations.idm.RealmRepresentation;
|
import org.keycloak.representations.idm.RealmRepresentation;
|
||||||
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
|
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
|
||||||
|
import org.keycloak.testsuite.AssertEvents;
|
||||||
|
import org.keycloak.testsuite.admin.ApiUtil;
|
||||||
import org.keycloak.testsuite.util.ClientBuilder;
|
import org.keycloak.testsuite.util.ClientBuilder;
|
||||||
import org.keycloak.testsuite.util.RealmBuilder;
|
import org.keycloak.testsuite.util.RealmBuilder;
|
||||||
|
|
||||||
|
import java.net.URI;
|
||||||
import javax.ws.rs.client.Client;
|
import javax.ws.rs.client.Client;
|
||||||
import javax.ws.rs.core.HttpHeaders;
|
import javax.ws.rs.core.HttpHeaders;
|
||||||
import javax.ws.rs.core.Response;
|
import javax.ws.rs.core.Response;
|
||||||
|
import javax.ws.rs.core.Response.Status;
|
||||||
|
|
||||||
|
import static org.hamcrest.Matchers.equalTo;
|
||||||
|
import static org.hamcrest.Matchers.is;
|
||||||
|
import static org.hamcrest.Matchers.not;
|
||||||
import static org.junit.Assert.assertEquals;
|
import static org.junit.Assert.assertEquals;
|
||||||
|
import static org.junit.Assert.assertThat;
|
||||||
|
import static org.keycloak.testsuite.util.Matchers.statusCodeIs;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:thomas.darimont@gmail.com">Thomas Darimont</a>
|
* @author <a href="mailto:thomas.darimont@gmail.com">Thomas Darimont</a>
|
||||||
*/
|
*/
|
||||||
public class ClientRedirectTest extends AbstractTestRealmKeycloakTest {
|
public class ClientRedirectTest extends AbstractTestRealmKeycloakTest {
|
||||||
|
|
||||||
|
@Rule
|
||||||
|
public AssertEvents events = new AssertEvents(this);
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void configureTestRealm(RealmRepresentation testRealm) {
|
public void configureTestRealm(RealmRepresentation testRealm) {
|
||||||
RealmBuilder.edit(testRealm)
|
RealmBuilder.edit(testRealm)
|
||||||
|
@ -73,4 +90,37 @@ public class ClientRedirectTest extends AbstractTestRealmKeycloakTest {
|
||||||
assertEquals(303, response.getStatus());
|
assertEquals(303, response.getStatus());
|
||||||
client.close();
|
client.close();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// KEYCLOAK-7707
|
||||||
|
@Test
|
||||||
|
public void testRedirectToDisabledClientRedirectURI() throws Exception {
|
||||||
|
log.debug("Creating disabled-client with redirect uri \"*\"");
|
||||||
|
String clientId;
|
||||||
|
try (Response create = adminClient.realm("test").clients().create(ClientBuilder.create().clientId("disabled-client").enabled(false).redirectUris("*").build())) {
|
||||||
|
clientId = ApiUtil.getCreatedId(create);
|
||||||
|
assertThat(create, statusCodeIs(Status.CREATED));
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
log.debug("log in");
|
||||||
|
oauth.doLogin("test-user@localhost", "password");
|
||||||
|
events.expectLogin().assertEvent();
|
||||||
|
|
||||||
|
URI logout = KeycloakUriBuilder.fromUri(suiteContext.getAuthServerInfo().getBrowserContextRoot().toURI())
|
||||||
|
.path("auth" + ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH)
|
||||||
|
.queryParam(OIDCLoginProtocol.REDIRECT_URI_PARAM, "http://example.org/redirected")
|
||||||
|
.build("test");
|
||||||
|
|
||||||
|
log.debug("log out using: " + logout.toURL());
|
||||||
|
driver.navigate().to(logout.toURL());
|
||||||
|
log.debug("Current URL: " + driver.getCurrentUrl());
|
||||||
|
|
||||||
|
log.debug("check logout_error");
|
||||||
|
events.expectLogoutError(OAuthErrorException.INVALID_REDIRECT_URI).assertEvent();
|
||||||
|
assertThat(driver.getCurrentUrl(), is(not(equalTo("http://example.org/redirected"))));
|
||||||
|
} finally {
|
||||||
|
log.debug("removing disabled-client");
|
||||||
|
adminClient.realm("test").clients().get(clientId).remove();
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue