From acd00a492b990625fbfca95c1dd117bdd6e398ec Mon Sep 17 00:00:00 2001
From: mposolda <mposolda@gmail.com>
Date: Fri, 15 Oct 2021 09:40:30 +0200
Subject: [PATCH] KEYCLOAK-19556 Avoid auto-creating invalid redirect URL for
 FAPI clients

---
 .../executor/SecureClientUrisExecutor.java             |  9 ++++++++-
 .../java/org/keycloak/testsuite/client/FAPI1Test.java  | 10 ++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/services/src/main/java/org/keycloak/services/clientpolicy/executor/SecureClientUrisExecutor.java b/services/src/main/java/org/keycloak/services/clientpolicy/executor/SecureClientUrisExecutor.java
index 5ea44c5776..f0214f95d0 100644
--- a/services/src/main/java/org/keycloak/services/clientpolicy/executor/SecureClientUrisExecutor.java
+++ b/services/src/main/java/org/keycloak/services/clientpolicy/executor/SecureClientUrisExecutor.java
@@ -62,7 +62,14 @@ public class SecureClientUrisExecutor implements ClientPolicyExecutorProvider<Cl
         switch (context.getEvent()) {
             case REGISTER:
                 if (context instanceof AdminClientRegisterContext || context instanceof DynamicClientRegisterContext) {
-                    confirmSecureUris(((ClientCRUDContext)context).getProposedClientRepresentation());
+                    ClientRepresentation clientRep = ((ClientCRUDContext)context).getProposedClientRepresentation();
+                    confirmSecureUris(clientRep);
+
+                    // Use rootUrl as default redirectUrl to avoid creation of redirectUris with wildcards, which is done at later stages during client creation
+                    if (clientRep.getRootUrl() != null && (clientRep.getRedirectUris() == null || clientRep.getRedirectUris().isEmpty())) {
+                        logger.debugf("Setup Redirect URI = %s for client %s", clientRep.getRootUrl(), clientRep.getClientId());
+                        clientRep.setRedirectUris(Collections.singletonList(clientRep.getRootUrl()));
+                    }
                 } else {
                     throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "not allowed input format.");
                 }
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPI1Test.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPI1Test.java
index 2d2bdcb14a..95a1c94ea0 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPI1Test.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPI1Test.java
@@ -278,6 +278,16 @@ public class FAPI1Test extends AbstractClientPoliciesTest {
         });
         ClientRepresentation client = getClientByAdmin(clientUUID);
         Assert.assertNames(client.getRedirectUris(), "https://hostname.com");
+        getCleanup().addClientUuid(clientUUID);
+
+        // Try to register client with valid root URL. Makes sure that there is not auto-created redirect URI with wildcard at the end (See KEYCLOAK-19556)
+        String clientUUID2 = createClientByAdmin("invalid2", (ClientRepresentation clientRep) -> {
+            clientRep.setRootUrl("https://hostname2.com");
+            clientRep.setRedirectUris(null);
+        });
+        ClientRepresentation client2 = getClientByAdmin(clientUUID2);
+        Assert.assertNames(client2.getRedirectUris(), "https://hostname2.com");
+        getCleanup().addClientUuid(clientUUID2);
     }