[KEYCLOAK-12794] - Missing id token checks in oidc broker

This commit is contained in:
Pedro Igor 2020-02-26 10:27:45 -03:00 committed by Stian Thorgersen
parent 8297c0c878
commit a830818a84
2 changed files with 49 additions and 0 deletions

View file

@ -542,6 +542,10 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
throw new IdentityBrokerException("Wrong audience from token.");
}
if (!ignoreAudience && (token.getIssuedFor() != null && !getConfig().getClientId().equals(token.getIssuedFor()))) {
throw new IdentityBrokerException("Token not issued for client [" + getConfig().getClientId() + "]");
}
String trustedIssuers = getConfig().getIssuer();
if (trustedIssuers != null && trustedIssuers.length() > 0) {

View file

@ -12,6 +12,7 @@ import java.util.List;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Lists;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.admin.client.resource.IdentityProviderResource;
import org.keycloak.admin.client.resource.RealmResource;
@ -21,9 +22,11 @@ import org.keycloak.broker.oidc.mappers.ExternalKeycloakRoleToRoleMapper;
import org.keycloak.broker.oidc.mappers.UserAttributeMapper;
import org.keycloak.crypto.Algorithm;
import org.keycloak.protocol.oidc.OIDCConfigAttributes;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.IdentityProviderMapperRepresentation;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.testsuite.Assert;
@ -279,6 +282,48 @@ public final class KcOidcBrokerTest extends AbstractAdvancedBrokerTest {
}
}
@Test
public void testInvalidIssuedFor() {
loginUser();
logoutFromRealm(bc.providerRealmName());
logoutFromRealm(bc.consumerRealmName());
log.debug("Clicking social " + bc.getIDPAlias());
loginPage.clickSocial(bc.getIDPAlias());
waitForPage(driver, "log in to", true);
RealmResource realm = adminClient.realm(bc.providerRealmName());
ClientRepresentation rep = realm.clients().findByClientId(BrokerTestConstants.CLIENT_ID).get(0);
ClientResource clientResource = realm.clients().get(rep.getId());
ProtocolMapperRepresentation hardCodedAzp = createHardcodedClaim("hard", "azp", "invalid-azp", ProviderConfigProperty.STRING_TYPE, true, true);
clientResource.getProtocolMappers().createMapper(hardCodedAzp);
log.debug("Logging in");
loginPage.login(bc.getUserLogin(), bc.getUserPassword());
errorPage.assertCurrent();
}
@Test
public void testInvalidAudience() {
loginUser();
logoutFromRealm(bc.providerRealmName());
logoutFromRealm(bc.consumerRealmName());
log.debug("Clicking social " + bc.getIDPAlias());
loginPage.clickSocial(bc.getIDPAlias());
waitForPage(driver, "log in to", true);
RealmResource realm = adminClient.realm(bc.providerRealmName());
ClientRepresentation rep = realm.clients().findByClientId(BrokerTestConstants.CLIENT_ID).get(0);
ClientResource clientResource = realm.clients().get(rep.getId());
ProtocolMapperRepresentation hardCodedAzp = createHardcodedClaim("hard", "aud", "invalid-aud", ProviderConfigProperty.LIST_TYPE, true, true);
clientResource.getProtocolMappers().createMapper(hardCodedAzp);
log.debug("Logging in");
loginPage.login(bc.getUserLogin(), bc.getUserPassword());
errorPage.assertCurrent();
}
private UserRepresentation getFederatedIdentity() {
List<UserRepresentation> users = realmsResouce().realm(bc.consumerRealmName()).users().search(bc.getUserLogin());