KEYCLOAK-19556 Avoid auto-creating invalid redirect URL for FAPI clients
This commit is contained in:
parent
c5432e71ad
commit
acd00a492b
2 changed files with 18 additions and 1 deletions
@ -62,7 +62,14 @@ public class SecureClientUrisExecutor implements ClientPolicyExecutorProvider<Cl
switch (context.getEvent()) {
case REGISTER:
if (context instanceof AdminClientRegisterContext || context instanceof DynamicClientRegisterContext) {
confirmSecureUris(((ClientCRUDContext)context).getProposedClientRepresentation());
ClientRepresentation clientRep = ((ClientCRUDContext)context).getProposedClientRepresentation();
confirmSecureUris(clientRep);
// Use rootUrl as default redirectUrl to avoid creation of redirectUris with wildcards, which is done at later stages during client creation
if (clientRep.getRootUrl() != null && (clientRep.getRedirectUris() == null || clientRep.getRedirectUris().isEmpty())) {
logger.debugf("Setup Redirect URI = %s for client %s", clientRep.getRootUrl(), clientRep.getClientId());
clientRep.setRedirectUris(Collections.singletonList(clientRep.getRootUrl()));
}
} else {
throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "not allowed input format.");
}
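Review bot: `confirmSecureUris(clientRep);` runs before the new block copies `rootUrl` into `redirectUris`, so the auto-created redirect URI is never itself passed through whatever redirect-URI checks that method performs; whether that matters depends on whether confirmSecureUris (outside this hunk) applies the same rules to `rootUrl` as to redirect URIs, which is not visible here. Moving the call to just after the closing `}` of the `if (clientRep.getRootUrl() != null ...)` block makes the representation that is validated the same one that is persisted, independent of which fields the check covers. The comment's statement that wildcard redirect URIs are added "at later stages during client creation" describes behaviour outside this file; naming that stage in the comment would help the next reader understand why the default has to be set here. The switch continues outside the hunk, so I cannot tell whether the UPDATE path needs the same defaulting when an update clears `redirectUris` while keeping `rootUrl`.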
@ -278,6 +278,16 @@ public class FAPI1Test extends AbstractClientPoliciesTest {
});
ClientRepresentation client = getClientByAdmin(clientUUID);
Assert.assertNames(client.getRedirectUris(), "https://hostname.com");
getCleanup().addClientUuid(clientUUID);
// Try to register client with valid root URL. Makes sure that there is not auto-created redirect URI with wildcard at the end (See KEYCLOAK-19556)
String clientUUID2 = createClientByAdmin("invalid2", (ClientRepresentation clientRep) -> {
clientRep.setRootUrl("https://hostname2.com");
clientRep.setRedirectUris(null);
});
ClientRepresentation client2 = getClientByAdmin(clientUUID2);
Assert.assertNames(client2.getRedirectUris(), "https://hostname2.com");
getCleanup().addClientUuid(clientUUID2);
}
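Review bot: The client id literal `"invalid2"` in the new `createClientByAdmin` call contradicts the comment directly above it, which says this client has a valid root URL and is expected to register successfully; a name such as `"valid-root-url"` would read correctly in assertion output. The new case only exercises `clientRep.setRedirectUris(null)`, while the executor under test also applies the default when the list is present but empty, so a second registration with `clientRep.setRedirectUris(Collections.emptyList())` (import permitting) followed by the same `Assert.assertNames(..., "https://hostname2.com")` check would pin that branch too. The enclosing test method starts outside the hunk.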