KEYCLOAK-7356 Code to Token flow fails if initial redirect_uri contains a session_state parameter

This commit is contained in:
Jared Blashka 2018-05-16 15:15:01 -04:00 committed by Marek Posolda
parent f429469fc8
commit 65c39763eb
2 changed files with 34 additions and 1 deletions


@ -315,7 +315,7 @@ public class TokenEndpoint {
String redirectUriParam = formParams.getFirst(OAuth2Constants.REDIRECT_URI);
// KEYCLOAK-4478 Backwards compatibility with the adapters earlier than KC 3.4.2
if (redirectUriParam != null && redirectUriParam.contains("session_state=")) {
if (redirectUriParam != null && redirectUriParam.contains("session_state=") && !redirectUri.contains("session_state=")) {
redirectUriParam = KeycloakUriBuilder.fromUri(redirectUriParam)
.replaceQueryParam(OAuth2Constants.SESSION_STATE, null)
.build().toString();
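Review bot: The new condition dereferences `redirectUri` with no null check while `redirectUriParam` is guarded on the same line, so if the stored redirect URI can ever be absent for the client session this backwards-compatibility branch throws a NullPointerException before any later redirect_uri comparison runs; I would write `if (redirectUriParam != null && redirectUriParam.contains("session_state=") && redirectUri != null && !redirectUri.contains("session_state=")) {`. The hunk does not show where `redirectUri` is read from, so whether it can be null has to be confirmed against the lines above. Note also that both tests are plain substring matches over the whole URI, so a registered redirect URI carrying `session_state=` in its path or fragment, or a differently named parameter such as `x_session_state=`, also disables the stripping and would presumably make an older adapter's appended parameter fail the subsequent comparison; checking the actual query parameter through the URI builder would be more precise than `contains`. The enclosing method starts and ends outside the hunk.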


@ -90,6 +90,21 @@ public abstract class AbstractOIDCResponseTypeTest extends AbstractTestRealmKeyc
}
@Test
public void initialSessionStateUsedInRedirect() {
EventRepresentation loginEvent = loginUserWithRedirect("abcdef123456", OAuthClient.APP_ROOT + "/auth?session_state=foo");
OAuthClient.AuthorizationEndpointResponse authzResponse = new OAuthClient.AuthorizationEndpointResponse(oauth, isFragment());
Assert.assertNotNull(authzResponse.getSessionState());
List<IDToken> idTokens = testAuthzResponseAndRetrieveIDTokens(authzResponse, loginEvent);
for (IDToken idToken : idTokens) {
Assert.assertEquals(authzResponse.getSessionState(), idToken.getSessionState());
}
}
@Test
public void authorizationRequestMissingResponseType() throws IOException {
oauth.responseType(null);
@ -174,6 +189,24 @@ public abstract class AbstractOIDCResponseTypeTest extends AbstractTestRealmKeyc
return events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
}
protected EventRepresentation loginUserWithRedirect(String nonce, String redirectUri) {
if (nonce != null) {
oauth.nonce(nonce);
}
if (redirectUri != null) {
oauth.redirectUri(redirectUri);
}
driver.navigate().to(oauth.getLoginFormUrl());
loginPage.assertCurrent();
loginPage.login("test-user@localhost", "password");
Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
return events.expectLogin().detail(Details.REDIRECT_URI, redirectUri).detail(Details.USERNAME, "test-user@localhost").assertEvent();
}
protected abstract boolean isFragment();
protected abstract List<IDToken> testAuthzResponseAndRetrieveIDTokens(OAuthClient.AuthorizationEndpointResponse authzResponse, EventRepresentation loginEvent);
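Review bot: `loginUserWithRedirect` tolerates a null `redirectUri` (the guard before `oauth.redirectUri(redirectUri)`) but then unconditionally expects `Details.REDIRECT_URI` to equal that same null value, so a caller passing null would assert against a null detail while the login actually used whatever redirect URI the client defaulted to; either apply `.detail(Details.REDIRECT_URI, redirectUri)` only when the argument is non-null, or make the parameter mandatory with `Objects.requireNonNull(redirectUri, "redirectUri");` and drop the null branch. Whether any caller passes null cannot be seen from this hunk. In `initialSessionStateUsedInRedirect`, `Assert.assertNotNull(authzResponse.getSessionState())` also passes if the response parser picked up the placeholder `foo` from the original query string rather than the server-issued value; adding `Assert.assertNotEquals("foo", authzResponse.getSessionState());` states the intent directly, even though the later ID-token comparison would likely catch that case.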