KEYCLOAK-19556 Avoid auto-creating invalid redirect URL for FAPI clients

2021-10-15 09:40:30 +02:00 · 2021-10-15 09:40:30 +02:00 · acd00a492b
commit acd00a492b
parent c5432e71ad
2 changed files with 18 additions and 1 deletions
--- a/services/src/main/java/org/keycloak/services/clientpolicy/executor/SecureClientUrisExecutor.java
+++ b/services/src/main/java/org/keycloak/services/clientpolicy/executor/SecureClientUrisExecutor.java
@ -62,7 +62,14 @@ public class SecureClientUrisExecutor implements ClientPolicyExecutorProvider<Cl
        switch (context.getEvent()) {
            case REGISTER:
                if (context instanceof AdminClientRegisterContext || context instanceof DynamicClientRegisterContext) {
-                    confirmSecureUris(((ClientCRUDContext)context).getProposedClientRepresentation());
+                    ClientRepresentation clientRep = ((ClientCRUDContext)context).getProposedClientRepresentation();
+                    confirmSecureUris(clientRep);
+
+                    // Use rootUrl as default redirectUrl to avoid creation of redirectUris with wildcards, which is done at later stages during client creation
+                    if (clientRep.getRootUrl() != null && (clientRep.getRedirectUris() == null || clientRep.getRedirectUris().isEmpty())) {
+                        logger.debugf("Setup Redirect URI = %s for client %s", clientRep.getRootUrl(), clientRep.getClientId());
+                        clientRep.setRedirectUris(Collections.singletonList(clientRep.getRootUrl()));
+                    }
                } else {
                    throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "not allowed input format.");
                }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPI1Test.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPI1Test.java
@ -278,6 +278,16 @@ public class FAPI1Test extends AbstractClientPoliciesTest {
        });
        ClientRepresentation client = getClientByAdmin(clientUUID);
        Assert.assertNames(client.getRedirectUris(), "https://hostname.com");
+        getCleanup().addClientUuid(clientUUID);
+
+        // Try to register client with valid root URL. Makes sure that there is not auto-created redirect URI with wildcard at the end (See KEYCLOAK-19556)
+        String clientUUID2 = createClientByAdmin("invalid2", (ClientRepresentation clientRep) -> {
+            clientRep.setRootUrl("https://hostname2.com");
+            clientRep.setRedirectUris(null);
+        });
+        ClientRepresentation client2 = getClientByAdmin(clientUUID2);
+        Assert.assertNames(client2.getRedirectUris(), "https://hostname2.com");
+        getCleanup().addClientUuid(clientUUID2);
    }