diff --git a/services/src/main/java/org/keycloak/protocol/oidc/OpenIDConnectService.java b/services/src/main/java/org/keycloak/protocol/oidc/OpenIDConnectService.java index 0781c0473d..c33ef91cab 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/OpenIDConnectService.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/OpenIDConnectService.java @@ -583,6 +583,7 @@ public class OpenIDConnectService { return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(res) .build(); } + ClientSessionModel clientSession = accessCode.getClientSession(); event.detail(Details.CODE_ID, clientSession.getId()); if (!accessCode.isValid(ClientSessionModel.Action.CODE_TO_TOKEN)) { @@ -601,6 +602,16 @@ public class OpenIDConnectService { ClientModel client = authorizeClient(authorizationHeader, formData, event); + String redirectUri = clientSession.getRedirectUri(); + if (redirectUri != null && !redirectUri.equals(formData.getFirst(OAuth2Constants.REDIRECT_URI))) { + Map res = new HashMap(); + res.put(OAuth2Constants.ERROR, "invalid_grant"); + res.put(OAuth2Constants.ERROR_DESCRIPTION, "Incorrect redirect_uri"); + event.error(Errors.INVALID_CODE); + return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(res) + .build(); + } + if (!client.getClientId().equals(clientSession.getClient().getClientId())) { Map res = new HashMap(); res.put(OAuth2Constants.ERROR, "invalid_grant"); diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java index f0e23394b0..ed4777498e 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java @@ -141,6 +141,25 @@ public class AccessTokenTest { expectedEvent.assertEvent(); } + @Test + public void accessTokenInvalidRedirectUri() throws Exception { + oauth.doLogin("test-user@localhost", "password"); + + Event loginEvent = events.expectLogin().assertEvent(); + String codeId = loginEvent.getDetails().get(Details.CODE_ID); + + String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE); + + oauth.redirectUri("http://invalid"); + + AccessTokenResponse response = oauth.doAccessTokenRequest(code, "password"); + Assert.assertEquals(400, response.getStatusCode()); + Assert.assertEquals("invalid_grant", response.getError()); + Assert.assertEquals("Incorrect redirect_uri", response.getErrorDescription()); + + events.expectCodeToToken(codeId, loginEvent.getSessionId()).error("invalid_code").removeDetail(Details.TOKEN_ID).removeDetail(Details.REFRESH_TOKEN_ID).assertEvent(); + } + @Test public void accessTokenUserSessionExpired() { oauth.doLogin("test-user@localhost", "password");