KEYCLOAK-19556 Avoid auto-creating invalid redirect URL for FAPI clients

mposolda 2021-10-15 09:40:30 +02:00 committed by Marek Posolda
parent c5432e71ad
commit acd00a492b
2 changed files with 18 additions and 1 deletions


@ -62,7 +62,14 @@ public class SecureClientUrisExecutor implements ClientPolicyExecutorProvider<Cl
switch (context.getEvent()) {
case REGISTER:
if (context instanceof AdminClientRegisterContext || context instanceof DynamicClientRegisterContext) {
confirmSecureUris(((ClientCRUDContext)context).getProposedClientRepresentation());
ClientRepresentation clientRep = ((ClientCRUDContext)context).getProposedClientRepresentation();
confirmSecureUris(clientRep);
// Use rootUrl as default redirectUrl to avoid creation of redirectUris with wildcards, which is done at later stages during client creation
if (clientRep.getRootUrl() != null && (clientRep.getRedirectUris() == null || clientRep.getRedirectUris().isEmpty())) {
logger.debugf("Setup Redirect URI = %s for client %s", clientRep.getRootUrl(), clientRep.getClientId());
clientRep.setRedirectUris(Collections.singletonList(clientRep.getRootUrl()));
}
} else {
throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "not allowed input format.");
}
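Review bot: The redirect URI derived from rootUrl on L21 is assigned after `confirmSecureUris(clientRep)` has already run on L17, so whatever redirect-URI-specific checks that method performs are never applied to the derived value; only its treatment of rootUrl covers it. If confirmSecureUris validates root URLs and redirect URIs differently (for example rejecting `*` or a fragment only in redirect URIs; its body is not visible here), a root URL that passes the root-URL rule lands verbatim in redirectUris without that check. Reordering the new lines so that the `if (clientRep.getRootUrl() != null && ...)` defaulting block comes first and `confirmSecureUris(clientRep);` is called last makes the derived value go through the same validation as a caller-supplied one. The UPDATE branch, outside this hunk, gets no equivalent defaulting; an update that clears redirectUris while keeping rootUrl would presumably reach the same later-stage wildcard creation, which is worth confirming. The enclosing switch and method continue past the end of the hunk.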


@ -278,6 +278,16 @@ public class FAPI1Test extends AbstractClientPoliciesTest {
});
ClientRepresentation client = getClientByAdmin(clientUUID);
Assert.assertNames(client.getRedirectUris(), "https://hostname.com");
getCleanup().addClientUuid(clientUUID);
// Try to register client with valid root URL. Makes sure that there is not auto-created redirect URI with wildcard at the end (See KEYCLOAK-19556)
String clientUUID2 = createClientByAdmin("invalid2", (ClientRepresentation clientRep) -> {
clientRep.setRootUrl("https://hostname2.com");
clientRep.setRedirectUris(null);
});
ClientRepresentation client2 = getClientByAdmin(clientUUID2);
Assert.assertNames(client2.getRedirectUris(), "https://hostname2.com");
getCleanup().addClientUuid(clientUUID2);
}
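Review bot: The new assertions on L35-L40 cover only the positive path; nothing pins that a root URL the policy should reject (an `http://` URL, or one containing `*`) is still refused when redirectUris is null, which is exactly the case the executor's new defaulting code could let through since it runs after the URI check. A third registration such as `clientRep.setRootUrl("http://hostname3.com"); clientRep.setRedirectUris(null);`, asserted to fail the way the earlier part of this test method asserts rejected registrations, would close that gap. The client id `"invalid2"` on L35 names a registration that the comment on L34 calls valid, which misleads the reader; `"valid-rooturl-only"` or similar would match the intent. The test method begins before the first line of this hunk.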