libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

[KEYCLOAK-18559] Fix SAML adapters so they allow unescaped characters in URIs

Browse source 
- Makes adapters bahavior consistent with containers that allow unescaped characters in URIs
This commit is contained in:
Stefan Guilhen 2021-06-27 23:31:12 -03:00 committed by Hynek Mlnařík
parent ff70e2e04b
commit 9e676fce7e
7 changed files with 23 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
View file

@ -151,7 +151,7 @@ public class OAuthRequestAuthenticator {
} }
KeycloakUriBuilder secureUrl = KeycloakUriBuilder.fromUri(url).scheme("https").port(-1); KeycloakUriBuilder secureUrl = KeycloakUriBuilder.fromUri(url).scheme("https").port(-1);
if (port != 443) secureUrl.port(port); if (port != 443) secureUrl.port(port);
url = secureUrl.build().toString(); url = secureUrl.buildAsString();
} }
String loginHint = getQueryParamValue("login_hint"); String loginHint = getQueryParamValue("login_hint");
@ -197,7 +197,7 @@ public class OAuthRequestAuthenticator {
scope = TokenUtil.attachOIDCScope(scope); scope = TokenUtil.attachOIDCScope(scope);
redirectUriBuilder.queryParam(OAuth2Constants.SCOPE, scope); redirectUriBuilder.queryParam(OAuth2Constants.SCOPE, scope);
return redirectUriBuilder.build().toString(); return redirectUriBuilder.buildAsString();
} }
protected int sslRedirectPort() { protected int sslRedirectPort() {
@ -385,7 +385,7 @@ public class OAuthRequestAuthenticator {
.replaceQueryParam(OAuth2Constants.CODE, null) .replaceQueryParam(OAuth2Constants.CODE, null)
.replaceQueryParam(OAuth2Constants.STATE, null) .replaceQueryParam(OAuth2Constants.STATE, null)
.replaceQueryParam(OAuth2Constants.SESSION_STATE, null); .replaceQueryParam(OAuth2Constants.SESSION_STATE, null);
return builder.build().toString(); return builder.buildAsString();
} }
private String rewrittenRedirectUri(String originalUri) { private String rewrittenRedirectUri(String originalUri) {

2
adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/ServerRequest.java
View file

@ -292,7 +292,7 @@ public class ServerRequest {
KeycloakUriBuilder builder = KeycloakUriBuilder.fromUri(uri) KeycloakUriBuilder builder = KeycloakUriBuilder.fromUri(uri)
.replaceQueryParam(OAuth2Constants.CODE, null) .replaceQueryParam(OAuth2Constants.CODE, null)
.replaceQueryParam(OAuth2Constants.STATE, null); .replaceQueryParam(OAuth2Constants.STATE, null);
return builder.build().toString(); return builder.buildAsString();
} }

2
adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/ServletSamlSessionStore.java
View file

@ -230,7 +230,7 @@ public class ServletSamlSessionStore implements SamlSessionStore {
KeycloakUriBuilder uriBuilder = KeycloakUriBuilder.fromUri(exchange.getRequestURI()) KeycloakUriBuilder uriBuilder = KeycloakUriBuilder.fromUri(exchange.getRequestURI())
.replaceQuery(exchange.getQueryString()); .replaceQuery(exchange.getQueryString());
if (!exchange.isHostIncludedInRequestURI()) uriBuilder.scheme(exchange.getRequestScheme()).host(exchange.getHostAndPort()); if (!exchange.isHostIncludedInRequestURI()) uriBuilder.scheme(exchange.getRequestScheme()).host(exchange.getHostAndPort());
String uri = uriBuilder.build().toString(); String uri = uriBuilder.buildAsString();
session.setAttribute(SAML_REDIRECT_URI, uri); session.setAttribute(SAML_REDIRECT_URI, uri);

6
adapters/saml/wildfly-elytron/src/main/java/org/keycloak/adapters/saml/elytron/ElytronSamlSessionStore.java
View file

@ -212,11 +212,7 @@ public class ElytronSamlSessionStore implements SamlSessionStore, ElytronTokeSto
if (!scope.exists()) { if (!scope.exists()) {
scope.create(); scope.create();
} }
scope.setAttachment(SAML_REDIRECT_URI, exchange.getRequest().getURI());
KeycloakUriBuilder uriBuilder = KeycloakUriBuilder.fromUri(exchange.getURI()).replaceQuery(exchange.getURI().getQuery());
String uri = uriBuilder.build().toString();
scope.setAttachment(SAML_REDIRECT_URI, uri);
} }
@Override @Override

2
adapters/spi/undertow-adapter-spi/src/main/java/org/keycloak/adapters/undertow/UndertowHttpFacade.java
View file

@ -96,7 +96,7 @@ public class UndertowHttpFacade implements HttpFacade {
KeycloakUriBuilder uriBuilder = KeycloakUriBuilder.fromUri(exchange.getRequestURI()) KeycloakUriBuilder uriBuilder = KeycloakUriBuilder.fromUri(exchange.getRequestURI())
.replaceQuery(exchange.getQueryString()); .replaceQuery(exchange.getQueryString());
if (!exchange.isHostIncludedInRequestURI()) uriBuilder.scheme(exchange.getRequestScheme()).host(exchange.getHostAndPort()); if (!exchange.isHostIncludedInRequestURI()) uriBuilder.scheme(exchange.getRequestScheme()).host(exchange.getHostAndPort());
return uriBuilder.build().toString(); return uriBuilder.buildAsString();
} }
@Override @Override

25
common/src/main/java/org/keycloak/common/util/KeycloakUriBuilder.java
View file

@ -571,28 +571,33 @@ public class KeycloakUriBuilder {
return buildFromValues(true, false, values); return buildFromValues(true, false, values);
} }
public String buildAsString(Object... values) throws IllegalArgumentException {
if (values == null) throw new IllegalArgumentException("values parameter is null");
return buildFromValuesAsString(true, false, values);
}
protected URI buildFromValues(boolean encodeSlash, boolean encoded, Object... values) { protected URI buildFromValues(boolean encodeSlash, boolean encoded, Object... values) {
String buf = buildFromValuesAsString(encodeSlash, encoded, values);
try {
return new URI(buf);
} catch (Exception e) {
throw new RuntimeException("Failed to create URI: " + buf, e);
}
}
protected String buildFromValuesAsString(boolean encodeSlash, boolean encoded, Object... values) {
List<String> params = getPathParamNamesInDeclarationOrder(); List<String> params = getPathParamNamesInDeclarationOrder();
if (values.length < params.size()) if (values.length < params.size())
throw new IllegalArgumentException("You did not supply enough values to fill path parameters"); throw new IllegalArgumentException("You did not supply enough values to fill path parameters");
Map<String, Object> pathParams = new HashMap<String, Object>(); Map<String, Object> pathParams = new HashMap<String, Object>();
for (int i = 0; i < params.size(); i++) { for (int i = 0; i < params.size(); i++) {
String pathParam = params.get(i); String pathParam = params.get(i);
Object val = values[i]; Object val = values[i];
if (val == null) throw new IllegalArgumentException("A value was null"); if (val == null) throw new IllegalArgumentException("A value was null");
pathParams.put(pathParam, val.toString()); pathParams.put(pathParam, val.toString());
} }
String buf = null; return buildString(pathParams, encoded, false, encodeSlash);
try {
buf = buildString(pathParams, encoded, false, encodeSlash);
return new URI(buf);
//return URI.create(buf);
} catch (Exception e) {
throw new RuntimeException("Failed to create URI: " + buf, e);
}
} }
public KeycloakUriBuilder matrixParam(String name, Object... values) throws IllegalArgumentException { public KeycloakUriBuilder matrixParam(String name, Object... values) throws IllegalArgumentException {

2
core/src/main/java/org/keycloak/AbstractOAuthClient.java
View file

@ -130,7 +130,7 @@ public class AbstractOAuthClient {
KeycloakUriBuilder builder = KeycloakUriBuilder.fromUri(uri) KeycloakUriBuilder builder = KeycloakUriBuilder.fromUri(uri)
.replaceQueryParam(OAuth2Constants.CODE, null) .replaceQueryParam(OAuth2Constants.CODE, null)
.replaceQueryParam(OAuth2Constants.STATE, null); .replaceQueryParam(OAuth2Constants.STATE, null);
return builder.build().toString(); return builder.buildAsString();
} }
} }