fix(Closes #21236): Adding client-id to logout event
This commit is contained in:
Maria Arias de Reyna
Marek Posolda
parent
741f76887c
commit
c15753266f
12 changed files with 39 additions and 16 deletions
|
|
@ -384,6 +384,7 @@ public class OIDCLoginProtocol implements LoginProtocol {
|
|||
@Override
|
||||
public Response finishBrowserLogout(UserSessionModel userSession, AuthenticationSessionModel logoutSession) {
|
||||
event.event(EventType.LOGOUT);
|
||||
event.client(logoutSession.getClient());
|
||||
|
||||
String redirectUri = logoutSession.getAuthNote(OIDCLoginProtocol.LOGOUT_REDIRECT_URI);
|
||||
if (redirectUri != null) {
|
||||
|
|
|
|||
|
|
@ -232,6 +232,7 @@ public class LogoutEndpoint {
|
|||
}
|
||||
if (client != null) {
|
||||
session.getContext().setClient(client);
|
||||
event.client(client);
|
||||
}
|
||||
|
||||
String validatedRedirectUri = null;
|
||||
|
|
|
|||
|
|
@ -175,7 +175,7 @@ public class AssertEvents implements TestRule {
|
|||
}
|
||||
|
||||
public ExpectedEvent expectLogout(String sessionId) {
|
||||
return expect(EventType.LOGOUT).client((String) null)
|
||||
return expect(EventType.LOGOUT)
|
||||
.detail(Details.REDIRECT_URI, Matchers.equalTo(DEFAULT_REDIRECT_URI))
|
||||
.session(sessionId);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1100,6 +1100,7 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest {
|
|||
assertEvents.expectLogout(null)
|
||||
.realm(realm.getId())
|
||||
.user(userId)
|
||||
.client("account")
|
||||
.session(AssertEvents.isUUID())
|
||||
.removeDetail(Details.REDIRECT_URI)
|
||||
.assertEvent();
|
||||
|
|
|
|||
|
|
@ -119,7 +119,7 @@ public class ClientRedirectTest extends AbstractTestRealmKeycloakTest {
|
|||
log.debug("Current URL: " + driver.getCurrentUrl());
|
||||
|
||||
log.debug("check logout_error");
|
||||
events.expectLogoutError(OAuthErrorException.INVALID_REDIRECT_URI).assertEvent();
|
||||
events.expectLogoutError(OAuthErrorException.INVALID_REDIRECT_URI).client(AssertEvents.DEFAULT_CLIENT_ID).assertEvent();
|
||||
assertThat(driver.getCurrentUrl(), is(not(equalTo("http://example.org/redirected"))));
|
||||
} finally {
|
||||
log.debug("removing disabled-client");
|
||||
|
|
|
|||
|
|
@ -1293,7 +1293,11 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest {
|
|||
logoutConfirmPage.assertCurrent();
|
||||
logoutConfirmPage.confirmLogout();
|
||||
|
||||
events.expectLogout(sessionId).user(user.getId()).removeDetail(Details.REDIRECT_URI).assertEvent();
|
||||
events.expectLogout(sessionId)
|
||||
.client("account")
|
||||
.user(user.getId())
|
||||
.removeDetail(Details.REDIRECT_URI)
|
||||
.assertEvent();
|
||||
}
|
||||
|
||||
BrowserTabUtil util = BrowserTabUtil.getInstanceAndSetEnv(driver);
|
||||
|
|
|
|||
|
|
@ -144,7 +144,7 @@ public class LegacyLogoutTest extends AbstractTestRealmKeycloakTest {
|
|||
logoutConfirmPage.confirmLogout();
|
||||
|
||||
// Redirected back to the application with expected state
|
||||
events.expectLogout(sessionId).removeDetail(Details.REDIRECT_URI).assertEvent();
|
||||
events.expectLogout(sessionId).client("account").removeDetail(Details.REDIRECT_URI).assertEvent();
|
||||
assertThat(false, is(isSessionActive(sessionId)));
|
||||
assertCurrentUrlEquals(APP_REDIRECT_URI);
|
||||
}
|
||||
|
|
@ -165,7 +165,7 @@ public class LegacyLogoutTest extends AbstractTestRealmKeycloakTest {
|
|||
logoutConfirmPage.confirmLogout();
|
||||
|
||||
// Redirected back to the application with expected state
|
||||
events.expectLogout(sessionId).removeDetail(Details.REDIRECT_URI).assertEvent();
|
||||
events.expectLogout(sessionId).client("account").removeDetail(Details.REDIRECT_URI).assertEvent();
|
||||
assertThat(false, is(isSessionActive(sessionId)));
|
||||
assertCurrentUrlEquals(APP_REDIRECT_URI);
|
||||
}
|
||||
|
|
@ -230,7 +230,7 @@ public class LegacyLogoutTest extends AbstractTestRealmKeycloakTest {
|
|||
logoutConfirmPage.confirmLogout();
|
||||
|
||||
// Redirected back to the application with expected state
|
||||
events.expectLogout(sessionId).removeDetail(Details.REDIRECT_URI).assertEvent();
|
||||
events.expectLogout(sessionId).client("account").removeDetail(Details.REDIRECT_URI).assertEvent();
|
||||
MatcherAssert.assertThat(false, is(isSessionActive(sessionId)));
|
||||
assertCurrentUrlEquals(APP_REDIRECT_URI);
|
||||
}
|
||||
|
|
@ -248,7 +248,7 @@ public class LegacyLogoutTest extends AbstractTestRealmKeycloakTest {
|
|||
String logoutUrl = oauth.getLogoutUrl().postLogoutRedirectUri(APP_REDIRECT_URI).build();
|
||||
driver.navigate().to(logoutUrl);
|
||||
|
||||
events.expectLogout(sessionId).detail(Details.REDIRECT_URI, APP_REDIRECT_URI).assertEvent();
|
||||
events.expectLogout(sessionId).client("account").detail(Details.REDIRECT_URI, APP_REDIRECT_URI).assertEvent();
|
||||
assertThat(false, is(isSessionActive(sessionId)));
|
||||
assertCurrentUrlEquals(APP_REDIRECT_URI);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -293,7 +293,10 @@ public class LogoutTest extends AbstractKeycloakTest {
|
|||
}
|
||||
|
||||
// Assert logout event triggered for backchannel logout
|
||||
events.expectLogout(sessionId).detail(Details.REDIRECT_URI, oauth.APP_AUTH_ROOT).assertEvent();
|
||||
events.expectLogout(sessionId)
|
||||
.client(AssertEvents.DEFAULT_CLIENT_ID)
|
||||
.detail(Details.REDIRECT_URI, oauth.APP_AUTH_ROOT)
|
||||
.assertEvent();
|
||||
|
||||
assertNotNull(testingClient.testApp().getAdminLogoutAction());
|
||||
}
|
||||
|
|
|
|||
|
|
@ -360,7 +360,7 @@ public class OAuthGrantTest extends AbstractKeycloakTest {
|
|||
String logoutUrl = oauth.getLogoutUrl().idTokenHint(res.getIdToken()).build();
|
||||
driver.navigate().to(logoutUrl);
|
||||
|
||||
events.expectLogout(loginEvent.getSessionId()).removeDetail(Details.REDIRECT_URI).assertEvent();
|
||||
events.expectLogout(loginEvent.getSessionId()).client(THIRD_PARTY_APP).removeDetail(Details.REDIRECT_URI).assertEvent();
|
||||
|
||||
// login again to check whether the Dynamic scope and only the dynamic scope is requested again
|
||||
oauth.scope("foo-dynamic-scope:withparam");
|
||||
|
|
|
|||
|
|
@ -452,13 +452,19 @@ public class RPInitiatedLogoutTest extends AbstractTestRealmKeycloakTest {
|
|||
// Completely invalid redirect uri
|
||||
driver.navigate().to(oauth.getLogoutUrl().postLogoutRedirectUri("https://invalid").idTokenHint(idTokenString).build());
|
||||
errorPage.assertCurrent();
|
||||
events.expectLogoutError(OAuthErrorException.INVALID_REDIRECT_URI).detail(Details.REDIRECT_URI, "https://invalid").assertEvent();
|
||||
events.expectLogoutError(OAuthErrorException.INVALID_REDIRECT_URI)
|
||||
.client(AssertEvents.DEFAULT_CLIENT_ID)
|
||||
.detail(Details.REDIRECT_URI, "https://invalid")
|
||||
.assertEvent();
|
||||
|
||||
// Redirect uri of different client in the realm should fail as well
|
||||
String rootUrlClientRedirectUri = UriUtils.getOrigin(APP_REDIRECT_URI) + "/foo/bar";
|
||||
driver.navigate().to(oauth.getLogoutUrl().postLogoutRedirectUri(rootUrlClientRedirectUri).idTokenHint(idTokenString).build());
|
||||
errorPage.assertCurrent();
|
||||
events.expectLogoutError(OAuthErrorException.INVALID_REDIRECT_URI).detail(Details.REDIRECT_URI, rootUrlClientRedirectUri).assertEvent();
|
||||
events.expectLogoutError(OAuthErrorException.INVALID_REDIRECT_URI)
|
||||
.client(AssertEvents.DEFAULT_CLIENT_ID)
|
||||
.detail(Details.REDIRECT_URI, rootUrlClientRedirectUri)
|
||||
.assertEvent();
|
||||
|
||||
// Session still authenticated
|
||||
MatcherAssert.assertThat(true, is(isSessionActive(tokenResponse.getSessionState())));
|
||||
|
|
@ -510,7 +516,7 @@ public class RPInitiatedLogoutTest extends AbstractTestRealmKeycloakTest {
|
|||
// expected
|
||||
}
|
||||
|
||||
events.expectLogout(tokenResponse.getSessionState()).removeDetail(Details.REDIRECT_URI).assertEvent();
|
||||
events.expectLogout(tokenResponse.getSessionState()).client("account").removeDetail(Details.REDIRECT_URI).assertEvent();
|
||||
MatcherAssert.assertThat(false, is(isSessionActive(tokenResponse.getSessionState())));
|
||||
}
|
||||
|
||||
|
|
@ -600,7 +606,7 @@ public class RPInitiatedLogoutTest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// Logout confirmation page not shown as id_token_hint was included.
|
||||
// Redirected back to the application with expected "state"
|
||||
events.expectLogout(tokenResponse.getSessionState()).assertEvent();
|
||||
events.expectLogout(tokenResponse.getSessionState()).client("third-party").assertEvent();
|
||||
MatcherAssert.assertThat(false, is(isSessionActive(tokenResponse.getSessionState())));
|
||||
assertCurrentUrlEquals(APP_REDIRECT_URI + "?state=somethingg");
|
||||
|
||||
|
|
@ -762,7 +768,7 @@ public class RPInitiatedLogoutTest extends AbstractTestRealmKeycloakTest {
|
|||
// expected
|
||||
}
|
||||
|
||||
events.expectLogout(tokenResponse.getSessionState()).removeDetail(Details.REDIRECT_URI).assertEvent();
|
||||
events.expectLogout(tokenResponse.getSessionState()).client("account").removeDetail(Details.REDIRECT_URI).assertEvent();
|
||||
MatcherAssert.assertThat(false, is(isSessionActive(tokenResponse.getSessionState())));
|
||||
}
|
||||
|
||||
|
|
@ -837,7 +843,7 @@ public class RPInitiatedLogoutTest extends AbstractTestRealmKeycloakTest {
|
|||
Assert.assertEquals("Deutsch", logoutConfirmPage.getLanguageDropdownText());
|
||||
logoutConfirmPage.confirmLogout();
|
||||
WaitUtils.waitForPageToLoad();
|
||||
events.expectLogout(tokenResponse.getSessionState()).removeDetail(Details.REDIRECT_URI).assertEvent();
|
||||
events.expectLogout(tokenResponse.getSessionState()).client("account").removeDetail(Details.REDIRECT_URI).assertEvent();
|
||||
|
||||
// Remove ui_locales from logout request. Default locale should be set
|
||||
tokenResponse = loginUser();
|
||||
|
|
@ -846,7 +852,7 @@ public class RPInitiatedLogoutTest extends AbstractTestRealmKeycloakTest {
|
|||
Assert.assertEquals("English", logoutConfirmPage.getLanguageDropdownText());
|
||||
logoutConfirmPage.confirmLogout();
|
||||
WaitUtils.waitForPageToLoad();
|
||||
events.expectLogout(tokenResponse.getSessionState()).removeDetail(Details.REDIRECT_URI).assertEvent();
|
||||
events.expectLogout(tokenResponse.getSessionState()).client("account").removeDetail(Details.REDIRECT_URI).assertEvent();
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -248,6 +248,7 @@ public class WebAuthnIdlessTest extends AbstractWebAuthnVirtualTest {
|
|||
events.expectLogout(sessionId)
|
||||
.removeDetail(Details.REDIRECT_URI)
|
||||
.user(userId)
|
||||
.client("account")
|
||||
.assertEvent();
|
||||
return credentialId;
|
||||
}
|
||||
|
|
@ -304,6 +305,7 @@ public class WebAuthnIdlessTest extends AbstractWebAuthnVirtualTest {
|
|||
events.expectLogout(sessionId)
|
||||
.removeDetail(Details.REDIRECT_URI)
|
||||
.user(userId)
|
||||
.client("account")
|
||||
.assertEvent();
|
||||
}
|
||||
|
||||
|
|
@ -334,6 +336,7 @@ public class WebAuthnIdlessTest extends AbstractWebAuthnVirtualTest {
|
|||
events.expectLogout(sessionId)
|
||||
.removeDetail(Details.REDIRECT_URI)
|
||||
.user(userId)
|
||||
.client("account")
|
||||
.assertEvent();
|
||||
}
|
||||
|
||||
|
|
@ -367,6 +370,7 @@ public class WebAuthnIdlessTest extends AbstractWebAuthnVirtualTest {
|
|||
events.expectLogout(sessionId)
|
||||
.removeDetail(Details.REDIRECT_URI)
|
||||
.user(userId)
|
||||
.client("account")
|
||||
.assertEvent();
|
||||
}
|
||||
else {
|
||||
|
|
|
|||
|
|
@ -151,6 +151,7 @@ public class WebAuthnRegisterAndLoginTest extends AbstractWebAuthnVirtualTest {
|
|||
events.expectLogout(sessionId)
|
||||
.removeDetail(Details.REDIRECT_URI)
|
||||
.user(userId)
|
||||
.client("account")
|
||||
.assertEvent();
|
||||
|
||||
// login by user
|
||||
|
|
@ -183,6 +184,7 @@ public class WebAuthnRegisterAndLoginTest extends AbstractWebAuthnVirtualTest {
|
|||
// confirm logout event
|
||||
events.expectLogout(sessionId)
|
||||
.removeDetail(Details.REDIRECT_URI)
|
||||
.client("account")
|
||||
.user(userId)
|
||||
.assertEvent();
|
||||
} finally {
|
||||
|
|
@ -257,6 +259,7 @@ public class WebAuthnRegisterAndLoginTest extends AbstractWebAuthnVirtualTest {
|
|||
events.expectLogout(sessionID)
|
||||
.removeDetail(Details.REDIRECT_URI)
|
||||
.user(userId)
|
||||
.client("account")
|
||||
.assertEvent();
|
||||
|
||||
// Password + WebAuthn security key
|
||||
|
|
|
|||
Loading…
Reference in a new issue