Only process organization selection when the user is identified

Closes #33699

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Pedro Igor 2024-10-09 12:15:46 -03:00 committed by Alexander Schwartz
parent 316e00bb98
commit 9a3d81c23e
3 changed files with 27 additions and 3 deletions


@ -159,7 +159,7 @@ public class OrganizationAuthenticator extends IdentityProviderAuthenticator {
String rawScope = authSession.getClientNote(OAuth2Constants.SCOPE); String rawScope = authSession.getClientNote(OAuth2Constants.SCOPE);
OrganizationScope scope = OrganizationScope.valueOfScope(rawScope); OrganizationScope scope = OrganizationScope.valueOfScope(rawScope);
if (!OrganizationScope.ANY.equals(scope)) { if (!OrganizationScope.ANY.equals(scope) || user == null) {
return false; return false;
} }
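Review bot: The new `|| user == null` appended to the scope check folds two unrelated conditions into one line, and nothing in the hunk says why an unidentified user must short-circuit here; whoever traces #33699 later will have to guess. A separate guard carrying the intent reads better: `if (user == null) { // organization selection needs an identified user (#33699)` followed by `return false; }`. Where `user` is assigned and what `false` means to the caller are both outside the hunk, so I cannot confirm from here that returning false is the right outcome for every flow that reaches this point without a user; a one-line comment either way would settle it. The enclosing method starts and ends outside this hunk.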


@ -210,8 +210,8 @@ public class Organizations {
if (organizations.size() == 1) { if (organizations.size() == 1) {
// single organization mapped from authentication session // single organization mapped from authentication session
return organizations.get(0); return organizations.get(0);
} else if (scope != null) { } else if (scope != null && user != null) {
// organization scope requested but no single organization mapped from the scope // organization scope requested but no user and no single organization mapped from the scope
return null; return null;
} }
} }
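Review bot: The rewritten comment on the `else if` branch contradicts the condition beneath it: the branch now runs only when `user != null`, yet the comment says "but no user". Suggest `// organization scope requested by an identified user but no single organization mapped from the scope`. With this change a null user no longer returns here and falls through to whatever follows the `if` block; that code is outside the hunk, so I cannot tell what it yields, but the fall-through deserves its own comment so the next reader knows it is intentional rather than a missed case. The enclosing method continues outside the hunk.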


@ -33,6 +33,7 @@ import static org.junit.Assert.assertTrue;
import java.net.MalformedURLException; import java.net.MalformedURLException;
import java.net.URL; import java.net.URL;
import java.time.Duration;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
@ -47,6 +48,7 @@ import org.keycloak.admin.client.resource.ClientScopeResource;
import org.keycloak.admin.client.resource.OrganizationResource; import org.keycloak.admin.client.resource.OrganizationResource;
import org.keycloak.common.util.MultivaluedHashMap; import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.common.util.UriUtils; import org.keycloak.common.util.UriUtils;
import org.keycloak.models.OrganizationModel;
import org.keycloak.organization.protocol.mappers.oidc.OrganizationMembershipMapper; import org.keycloak.organization.protocol.mappers.oidc.OrganizationMembershipMapper;
import org.keycloak.protocol.ProtocolMapperUtils; import org.keycloak.protocol.ProtocolMapperUtils;
import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.protocol.oidc.OIDCLoginProtocol;
@ -57,6 +59,8 @@ import org.keycloak.representations.AccessToken;
import org.keycloak.representations.RefreshToken; import org.keycloak.representations.RefreshToken;
import org.keycloak.representations.idm.ClientRepresentation; import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ClientScopeRepresentation; import org.keycloak.representations.idm.ClientScopeRepresentation;
import org.keycloak.representations.idm.FederatedIdentityRepresentation;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.representations.idm.MemberRepresentation; import org.keycloak.representations.idm.MemberRepresentation;
import org.keycloak.representations.idm.OrganizationRepresentation; import org.keycloak.representations.idm.OrganizationRepresentation;
import org.keycloak.representations.idm.ProtocolMapperRepresentation; import org.keycloak.representations.idm.ProtocolMapperRepresentation;
@ -540,6 +544,26 @@ public class OrganizationOIDCProtocolMapperTest extends AbstractOrganizationTest
assertEquals("invalid_scope", queryParams.getFirst("error")); assertEquals("invalid_scope", queryParams.getFirst("error"));
} }
@Test
public void testAuthenticatingUsingBroker() {
driver.manage().timeouts().pageLoadTimeout(Duration.ofDays(1));
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
IdentityProviderRepresentation idp = organization.identityProviders().get(bc.getIDPAlias()).toRepresentation();
idp.getConfig().put(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE, "neworg.org");
testRealm().identityProviders().get(bc.getIDPAlias()).update(idp);
oauth.scope(OAuth2Constants.ORGANIZATION);
openIdentityFirstLoginPage(bc.getUserEmail(), true, idp.getAlias(), false, false);
loginOrgIdp(bc.getUserEmail(), bc.getUserEmail(),true, true);
assertIsMember(bc.getUserEmail(), organization);
UserRepresentation user = testRealm().users().search(bc.getUserEmail()).get(0);
List<FederatedIdentityRepresentation> federatedIdentities = testRealm().users().get(user.getId()).getFederatedIdentity();
assertEquals(1, federatedIdentities.size());
assertEquals(bc.getIDPAlias(), federatedIdentities.get(0).getIdentityProvider());
}
private ProtocolMapperRepresentation createGroupMapper() { private ProtocolMapperRepresentation createGroupMapper() {
ProtocolMapperRepresentation groupMapper = new ProtocolMapperRepresentation(); ProtocolMapperRepresentation groupMapper = new ProtocolMapperRepresentation();
groupMapper.setName("groups"); groupMapper.setName("groups");
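Review bot: `driver.manage().timeouts().pageLoadTimeout(Duration.ofDays(1));` at the top of `testAuthenticatingUsingBroker` looks like a leftover debugging setting: it makes a hung page stall the suite for a day instead of failing, and it is set on the shared driver so it outlives this test. Drop that line together with the `java.time.Duration` import added above it. The test also rewrites the realm-level identity provider with domain `neworg.org` and never restores it; if other tests in this class rely on the broker configuration (the fixture setup is not visible here), the update should be undone in a teardown or applied to a copy scoped to this test. The assertions on membership and on exactly one federated identity are the right checks for #33699; the enclosing class continues outside this section.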