This commit is contained in:
Bill Burke 2014-05-19 15:08:38 -04:00
parent 11c23a7945
commit a53206995a
2 changed files with 10 additions and 4 deletions


@ -279,8 +279,10 @@ public class RealmManager {
if (application == null) { if (application == null) {
application = new ApplicationManager(this).createApplication(realm, Constants.ACCOUNT_MANAGEMENT_APP); application = new ApplicationManager(this).createApplication(realm, Constants.ACCOUNT_MANAGEMENT_APP);
application.setEnabled(true); application.setEnabled(true);
String redirectUri = contextPath + "/realms/" + realm.getName() + "/account/*"; String base = contextPath + "/realms/" + realm.getName() + "/account";
String redirectUri = base + "/*";
application.addRedirectUri(redirectUri); application.addRedirectUri(redirectUri);
application.setBaseUrl(base);
for (String role : AccountRoles.ALL) { for (String role : AccountRoles.ALL) {
application.addDefaultRole(role); application.addDefaultRole(role);


@ -18,6 +18,7 @@ import org.keycloak.authentication.AuthenticationProviderException;
import org.keycloak.authentication.AuthenticationProviderManager; import org.keycloak.authentication.AuthenticationProviderManager;
import org.keycloak.jose.jws.JWSInput; import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.crypto.RSAProvider; import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.ClientModel; import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants; import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
@ -221,10 +222,9 @@ public class TokenService {
ClientModel client = authorizeClient(authorizationHeader, form, audit); ClientModel client = authorizeClient(authorizationHeader, form, audit);
if (client.isPublicClient()) { if ( (client instanceof ApplicationModel) && ((ApplicationModel)client).isBearerOnly()) {
// we don't allow public clients to invoke grants/access to prevent phishing attacks
audit.error(Errors.NOT_ALLOWED); audit.error(Errors.NOT_ALLOWED);
throw new ForbiddenException("Public clients are not allowed to invoke grants/access"); throw new ForbiddenException("Bearer-only applications are not allowed to invoke grants/access");
} }
if (!realm.isEnabled()) { if (!realm.isEnabled()) {
@ -745,6 +745,10 @@ public class TokenService {
audit.error(Errors.CLIENT_DISABLED); audit.error(Errors.CLIENT_DISABLED);
return oauth.forwardToSecurityFailure("Login requester not enabled."); return oauth.forwardToSecurityFailure("Login requester not enabled.");
} }
if ( (client instanceof ApplicationModel) && ((ApplicationModel)client).isBearerOnly()) {
audit.error(Errors.NOT_ALLOWED);
return oauth.forwardToSecurityFailure("Bearer-only applications are not allowed to initiate login");
}
redirect = verifyRedirectUri(uriInfo, redirect, client); redirect = verifyRedirectUri(uriInfo, redirect, client);
if (redirect == null) { if (redirect == null) {
audit.error(Errors.INVALID_REDIRECT_URI); audit.error(Errors.INVALID_REDIRECT_URI);
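Review bot: In the grants/access hunk (`@ -221,10 +222,9`) the new bearer-only condition replaces, rather than supplements, the `client.isPublicClient()` rejection, so public clients can now reach that path; the removed comment described that restriction as a phishing mitigation and the commit message does not say why lifting it is safe. If allowing public clients here is intentional, the new condition deserves a comment recording that decision, e.g. `// TODO(review): confirm public clients are intentionally permitted here; the previous check rejected them`. The same `(client instanceof ApplicationModel) && ((ApplicationModel)client).isBearerOnly()` test is repeated in the login hunk (`@ -745,6 +745,10`); a helper such as `private static boolean isBearerOnly(ClientModel client) { return client instanceof ApplicationModel && ((ApplicationModel) client).isBearerOnly(); }` would keep the two sites consistent and give the rule one place to change. Both enclosing methods start and end outside their hunks.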