libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

KEYCLOAK-957 Access Token Request does not verify redirect_uri

Browse source
This commit is contained in:
Stian Thorgersen 2015-01-14 09:59:04 +01:00
parent 3be74cda30
commit abd5967be3
2 changed files with 30 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
services/src/main/java/org/keycloak/protocol/oidc/OpenIDConnectService.java
View file

@ -583,6 +583,7 @@ public class OpenIDConnectService {
return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(res) return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(res)
.build(); .build();
} }
ClientSessionModel clientSession = accessCode.getClientSession(); ClientSessionModel clientSession = accessCode.getClientSession();
event.detail(Details.CODE_ID, clientSession.getId()); event.detail(Details.CODE_ID, clientSession.getId());
if (!accessCode.isValid(ClientSessionModel.Action.CODE_TO_TOKEN)) { if (!accessCode.isValid(ClientSessionModel.Action.CODE_TO_TOKEN)) {
@ -601,6 +602,16 @@ public class OpenIDConnectService {
ClientModel client = authorizeClient(authorizationHeader, formData, event); ClientModel client = authorizeClient(authorizationHeader, formData, event);
String redirectUri = clientSession.getRedirectUri();
if (redirectUri != null && !redirectUri.equals(formData.getFirst(OAuth2Constants.REDIRECT_URI))) {
Map<String, String> res = new HashMap<String, String>();
res.put(OAuth2Constants.ERROR, "invalid_grant");
res.put(OAuth2Constants.ERROR_DESCRIPTION, "Incorrect redirect_uri");
event.error(Errors.INVALID_CODE);
return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(res)
.build();
}
if (!client.getClientId().equals(clientSession.getClient().getClientId())) { if (!client.getClientId().equals(clientSession.getClient().getClientId())) {
Map<String, String> res = new HashMap<String, String>(); Map<String, String> res = new HashMap<String, String>();
res.put(OAuth2Constants.ERROR, "invalid_grant"); res.put(OAuth2Constants.ERROR, "invalid_grant");

19
testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java
View file

@ -141,6 +141,25 @@ public class AccessTokenTest {
expectedEvent.assertEvent(); expectedEvent.assertEvent();
} }
@Test
public void accessTokenInvalidRedirectUri() throws Exception {
oauth.doLogin("test-user@localhost", "password");
Event loginEvent = events.expectLogin().assertEvent();
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
oauth.redirectUri("http://invalid");
AccessTokenResponse response = oauth.doAccessTokenRequest(code, "password");
Assert.assertEquals(400, response.getStatusCode());
Assert.assertEquals("invalid_grant", response.getError());
Assert.assertEquals("Incorrect redirect_uri", response.getErrorDescription());
events.expectCodeToToken(codeId, loginEvent.getSessionId()).error("invalid_code").removeDetail(Details.TOKEN_ID).removeDetail(Details.REFRESH_TOKEN_ID).assertEvent();
}
@Test @Test
public void accessTokenUserSessionExpired() { public void accessTokenUserSessionExpired() {
oauth.doLogin("test-user@localhost", "password"); oauth.doLogin("test-user@localhost", "password");