KEYCLOAK-4748

2017-07-31 10:36:04 -04:00 · 2017-07-31 10:36:04 -04:00 · 8f542618f7
commit 8f542618f7
parent 486a0c9528
2 changed files with 29 additions and 15 deletions
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java
@ -595,10 +595,36 @@ public class TokenEndpoint {
        boolean allowed = false;
        UserModel serviceAccount = session.users().getServiceAccount(client);
        if (serviceAccount != null) {
-            RoleModel exchangeable = targetClient.getRole(OAuth2Constants.TOKEN_EXCHANGER);
-            RoleModel realmExchangeable = AdminPermissions.management(session, realm).getRealmManagementClient().getRole(OAuth2Constants.TOKEN_EXCHANGER);
-            allowed = (exchangeable != null && serviceAccount.hasRole(exchangeable)) || (realmExchangeable != null && serviceAccount.hasRole(realmExchangeable));
+            if (authResult.getToken().getAudience() == null) {
+                logger.debug("Client doesn't have service account");
+            }
+            boolean tokenAllowed = false;
+            for (String aud : authResult.getToken().getAudience()) {
+                ClientModel audClient = realm.getClientByClientId(aud);
+                if (audClient == null) continue;
+                if (audClient.equals(client)) {
+                    tokenAllowed = true;
+                    break;
+                }
+                RoleModel audExchanger = audClient.getRole(OAuth2Constants.TOKEN_EXCHANGER);
+                if (audExchanger != null && serviceAccount.hasRole(audExchanger)) {
+                    tokenAllowed = true;
+                    break;
+                }
+            }
+            if (!tokenAllowed) {
+                logger.debug("Client does not have exchange rights for audience of token");
+            } else {
+                RoleModel targetExchangable = targetClient.getRole(OAuth2Constants.TOKEN_EXCHANGER);
+                RoleModel realmExchangeable = AdminPermissions.management(session, realm).getRealmManagementClient().getRole(OAuth2Constants.TOKEN_EXCHANGER);
+                allowed = (targetExchangable != null && serviceAccount.hasRole(targetExchangable)) || (realmExchangeable != null && serviceAccount.hasRole(realmExchangeable));
+                if (!allowed) {
+                    logger.debug("Client does not have exchange rights for target audience");
+                }
+            }

+        } else {
+            logger.debug("Client doesn't have service account");
        }

        if (!allowed) {
--- a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
+++ b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
@ -221,18 +221,6 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal

        }

-        // only allow origins from client.  Not sure we need this as I don't believe cookies can be
-        // sent if CORS preflight requests can't execute.
-        String origin = headers.getRequestHeaders().getFirst("Origin");
-        if (origin != null) {
-            String redirectOrigin = UriUtils.getOrigin(redirectUri);
-            if (!redirectOrigin.equals(origin)) {
-                event.error(Errors.ILLEGAL_ORIGIN);
-                throw new ErrorPageException(session, Messages.INVALID_REQUEST);
-
-            }
-        }
-
        AuthenticationManager.AuthResult cookieResult = AuthenticationManager.authenticateIdentityCookie(session, realmModel, true);
        String errorParam = "link_error";
        if (cookieResult == null) {