libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

KEYCLOAK-17666 Client Policy - Executor : Limiting available period of Request Object

Browse source
This commit is contained in:
Takashi Norimatsu 2021-04-07 13:25:58 +09:00 committed by Marek Posolda
parent 42dec08f3c
commit 7b227ae47c
3 changed files with 44 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
services/src/main/java/org/keycloak/services/clientpolicy/executor/SecureRequestObjectExecutor.java
View file

@ -125,6 +125,25 @@ public class SecureRequestObjectExecutor implements ClientPolicyExecutorProvider
throw new ClientPolicyException(INVALID_REQUEST_OBJECT, "Request Expired");
}
// check whether "nbf" claim exists
if (requestObject.get("nbf") == null) {
logger.trace("nbf claim not incuded.");
throw new ClientPolicyException(INVALID_REQUEST_OBJECT, "Missing parameter : nbf");
}
// check whether request object not yet being processed
long nbf = requestObject.get("nbf").asLong();
if (Time.currentTime() < nbf) { // TODO: Time.currentTime() is int while nbf is long...
logger.trace("request object not yet being processed.");
throw new ClientPolicyException(INVALID_REQUEST_OBJECT, "Request not yet being processed");
}
// check whether request object's available period is short
if (exp - nbf > 3600) {
logger.trace("request object's available period is long.");
throw new ClientPolicyException(INVALID_REQUEST_OBJECT, "Request's available period is long");
}
// check whether "aud" claim exists
List<String> aud = new ArrayList<String>();
JsonNode audience = requestObject.get("aud");

2
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/AbstractClientPoliciesTest.java
View file

@ -520,7 +520,7 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest {
requestObject.id(KeycloakModelUtils.generateId());
requestObject.iat(Long.valueOf(Time.currentTime()));
requestObject.exp(requestObject.getIat() + Long.valueOf(300));
requestObject.nbf(Long.valueOf(0));
requestObject.nbf(requestObject.getIat());
requestObject.setClientId(clientId);
requestObject.setResponseType("code");
requestObject.setRedirectUriParam(oauth.getRedirectUri());

24
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientPoliciesTest.java
View file

@ -982,6 +982,30 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
assertEquals(SecureRequestObjectExecutor.INVALID_REQUEST_OBJECT, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
assertEquals("Request Expired", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
// check whether "nbf" claim exists
requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
requestObject.nbf(null);
registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
oauth.openLoginForm();
assertEquals(SecureRequestObjectExecutor.INVALID_REQUEST_OBJECT, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
assertEquals("Missing parameter : nbf", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
// check whether request object not yet being processed
requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
requestObject.nbf(requestObject.getNbf() + 600);
registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
oauth.openLoginForm();
assertEquals(SecureRequestObjectExecutor.INVALID_REQUEST_OBJECT, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
assertEquals("Request not yet being processed", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
// check whether request object's available period is short
requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
requestObject.exp(requestObject.getNbf() + 3601);
registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
oauth.openLoginForm();
assertEquals(SecureRequestObjectExecutor.INVALID_REQUEST_OBJECT, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
assertEquals("Request's available period is long", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
// check whether "aud" claim exists
requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
requestObject.audience((String)null);