Only process organization selection when the user is identified

Closes #33699

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
This commit is contained in:
Pedro Igor 2024-10-09 12:15:46 -03:00 committed by Alexander Schwartz
parent 316e00bb98
commit 9a3d81c23e
3 changed files with 27 additions and 3 deletions


@ -159,7 +159,7 @@ public class OrganizationAuthenticator extends IdentityProviderAuthenticator {
String rawScope = authSession.getClientNote(OAuth2Constants.SCOPE);
OrganizationScope scope = OrganizationScope.valueOfScope(rawScope);
if (!OrganizationScope.ANY.equals(scope)) {
if (!OrganizationScope.ANY.equals(scope) || user == null) {
return false;
}
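Review bot: The added `user == null` guard on the `if` carries no explanation of why an unidentified user makes the authenticator return false at this point, and the intent is not recoverable from the hunk because `user` is assigned outside it. A one-line comment above the condition would record what the commit title states, e.g. `// no identified user yet: organization selection is skipped here`. Both the start and the end of the enclosing method lie outside the hunk.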


@ -210,8 +210,8 @@ public class Organizations {
if (organizations.size() == 1) {
// single organization mapped from authentication session
return organizations.get(0);
} else if (scope != null) {
// organization scope requested but no single organization mapped from the scope
} else if (scope != null && user != null) {
// organization scope requested but no user and no single organization mapped from the scope
return null;
}
}
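Review bot: The new comment on the `else if` branch contradicts the condition it describes: the branch is entered only when `user != null`, yet the comment reads "no user". Suggest `// organization scope requested by an identified user, but no single organization mapped from the scope`. With this change a requested scope and a null user now falls through instead of returning null; what that fall-through reaches is outside the hunk, as is the start of the enclosing method, so a short comment on that case would also help the reader.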


@ -33,6 +33,7 @@ import static org.junit.Assert.assertTrue;
import java.net.MalformedURLException;
import java.net.URL;
import java.time.Duration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@ -47,6 +48,7 @@ import org.keycloak.admin.client.resource.ClientScopeResource;
import org.keycloak.admin.client.resource.OrganizationResource;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.common.util.UriUtils;
import org.keycloak.models.OrganizationModel;
import org.keycloak.organization.protocol.mappers.oidc.OrganizationMembershipMapper;
import org.keycloak.protocol.ProtocolMapperUtils;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
@ -57,6 +59,8 @@ import org.keycloak.representations.AccessToken;
import org.keycloak.representations.RefreshToken;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ClientScopeRepresentation;
import org.keycloak.representations.idm.FederatedIdentityRepresentation;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.representations.idm.MemberRepresentation;
import org.keycloak.representations.idm.OrganizationRepresentation;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
@ -540,6 +544,26 @@ public class OrganizationOIDCProtocolMapperTest extends AbstractOrganizationTest
assertEquals("invalid_scope", queryParams.getFirst("error"));
}
@Test
public void testAuthenticatingUsingBroker() {
driver.manage().timeouts().pageLoadTimeout(Duration.ofDays(1));
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
IdentityProviderRepresentation idp = organization.identityProviders().get(bc.getIDPAlias()).toRepresentation();
idp.getConfig().put(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE, "neworg.org");
testRealm().identityProviders().get(bc.getIDPAlias()).update(idp);
oauth.scope(OAuth2Constants.ORGANIZATION);
openIdentityFirstLoginPage(bc.getUserEmail(), true, idp.getAlias(), false, false);
loginOrgIdp(bc.getUserEmail(), bc.getUserEmail(),true, true);
assertIsMember(bc.getUserEmail(), organization);
UserRepresentation user = testRealm().users().search(bc.getUserEmail()).get(0);
List<FederatedIdentityRepresentation> federatedIdentities = testRealm().users().get(user.getId()).getFederatedIdentity();
assertEquals(1, federatedIdentities.size());
assertEquals(bc.getIDPAlias(), federatedIdentities.get(0).getIdentityProvider());
}
private ProtocolMapperRepresentation createGroupMapper() {
ProtocolMapperRepresentation groupMapper = new ProtocolMapperRepresentation();
groupMapper.setName("groups");