FAPI 2.0 security profile - Reject Implicit Grant executor does not return an appropriate error

Closes #20622
Takashi Norimatsu 2023-05-29 12:02:19 +09:00 committed by Marek Posolda
parent 0832992e59
commit 6b42c2b4d0
2 changed files with 5 additions and 5 deletions


@ -108,7 +108,7 @@ public class RejectImplicitGrantExecutor implements ClientPolicyExecutorProvider
// Before client policies operation, Authorization Endpoint logic has already checked whether implicit/hybrid flow is activated for a client.
// This method rejects implicit grant regardless of client setting for allowing implicit grant.
if (parsedResponseType.isImplicitOrHybridFlow()) {
throw new ClientPolicyException(OAuthErrorException.INVALID_GRANT, "Implicit/Hybrid flow is prohibited.");
throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "Implicit/Hybrid flow is prohibited.");
}
}
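Review bot: The code chosen on the throw line is now one the authorization endpoint is allowed to return, but `unsupported_response_type` (RFC 6749 §4.1.2.1) is the code that specifically describes a rejected `response_type`, so `OAuthErrorException.UNSUPPORTED_RESPONSE_TYPE` would be a closer fit than `INVALID_REQUEST` — provided the FAPI 2.0 conformance checks behind #20622 accept it, which this page does not show. Whichever code stays, the reason for abandoning `invalid_grant` is not recorded anywhere in the hunk and will look like an arbitrary swap to the next reader; a one-line comment above the throw would fix that, e.g. `// invalid_grant is a token-endpoint error (RFC 6749 §5.2); an authorization-endpoint rejection must use a §4.1.2.1 code.` The method containing this check begins above the hunk, so its signature and any earlier validation of the response type were not reviewed here.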


@ -1196,16 +1196,16 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
oauth.clientId(clientId);
// implicit grant
testProhibitedImplicitOrHybridFlow(false, OIDCResponseType.TOKEN, null, OAuthErrorException.INVALID_GRANT, expectedErrorDescription);
testProhibitedImplicitOrHybridFlow(false, OIDCResponseType.TOKEN, null, OAuthErrorException.INVALID_REQUEST, expectedErrorDescription);
// hybrid grant
testProhibitedImplicitOrHybridFlow(true, OIDCResponseType.TOKEN + " " + OIDCResponseType.ID_TOKEN, "exsefweag", OAuthErrorException.INVALID_GRANT, expectedErrorDescription);
testProhibitedImplicitOrHybridFlow(true, OIDCResponseType.TOKEN + " " + OIDCResponseType.ID_TOKEN, "exsefweag", OAuthErrorException.INVALID_REQUEST, expectedErrorDescription);
// hybrid grant
testProhibitedImplicitOrHybridFlow(true, OIDCResponseType.TOKEN + " " + OIDCResponseType.CODE, "exsefweag", OAuthErrorException.INVALID_GRANT, expectedErrorDescription);
testProhibitedImplicitOrHybridFlow(true, OIDCResponseType.TOKEN + " " + OIDCResponseType.CODE, "exsefweag", OAuthErrorException.INVALID_REQUEST, expectedErrorDescription);
// hybrid grant
testProhibitedImplicitOrHybridFlow(true, OIDCResponseType.TOKEN + " " + OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN, "exsefweag", OAuthErrorException.INVALID_GRANT, expectedErrorDescription);
testProhibitedImplicitOrHybridFlow(true, OIDCResponseType.TOKEN + " " + OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN, "exsefweag", OAuthErrorException.INVALID_REQUEST, expectedErrorDescription);
} finally {
// revert test client instance settings the same as OAuthClient.init