KEYCLOAK_SESSION not working for some user federation setups when user ID has special chars (#14560)

closes #14354
This commit is contained in:
Marek Posolda 2022-10-05 08:59:30 +02:00 committed by GitHub
parent 7ae1fa4833
commit c59660ca86
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 79 additions and 3 deletions

View file

@ -570,4 +570,25 @@ public class Encode
}
}
/**
* @param string
* @return URL encoded input
*/
public static String urlEncode(String string) {
try {
return URLEncoder.encode(string, UTF_8);
} catch (UnsupportedEncodingException e) {
throw new RuntimeException(e);
}
}
/**
* @param string
* @return URL decoded input
*/
public static String urlDecode(String string) {
return decode(string);
}
}

View file

@ -0,0 +1,26 @@
package org.keycloak.common.util;
import org.junit.Assert;
import org.junit.Test;
/**
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/
public class URLEncodingTest {
@Test
public void testUrlEncoding() {
Assert.assertEquals("some", Encode.urlEncode("some"));
Assert.assertEquals("330cbb52-c3eb-4c4a-9f23-77a8094cd969", Encode.urlEncode("330cbb52-c3eb-4c4a-9f23-77a8094cd969"));
Assert.assertEquals("sp%C3%A9cial.char", Encode.urlEncode("spécial.char"));
Assert.assertEquals("sp%C3%A9cial.ch%2Far.%C5%BE%C3%BD%C3%A1%C3%A1", Encode.urlEncode("spécial.ch/ar.žýáá"));
}
@Test
public void testUrlDecoding() {
Assert.assertEquals("some", Encode.urlDecode("some"));
Assert.assertEquals("330cbb52-c3eb-4c4a-9f23-77a8094cd969", Encode.urlDecode("330cbb52-c3eb-4c4a-9f23-77a8094cd969"));
Assert.assertEquals("spécial.char", Encode.urlDecode("sp%C3%A9cial.char"));
Assert.assertEquals("spécial.ch/ar.žýáá", Encode.urlDecode("sp%C3%A9cial.ch%2Far.%C5%BE%C3%BD%C3%A1%C3%A1"));
}
}

View file

@ -37,6 +37,7 @@ import org.keycloak.common.ClientConnection;
import org.keycloak.common.Profile;
import org.keycloak.common.VerificationException;
import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.Encode;
import org.keycloak.common.util.SecretGenerator;
import org.keycloak.common.util.Time;
import org.keycloak.crypto.SignatureProvider;
@ -784,7 +785,8 @@ public class AuthenticationManager {
CookieHelper.addCookie(KEYCLOAK_IDENTITY_COOKIE, encoded, cookiePath, null, null, maxAge, secureOnly, true, SameSiteAttributeValue.NONE);
//builder.cookie(new NewCookie(cookieName, encoded, cookiePath, null, null, maxAge, secureOnly));// todo httponly , true);
String sessionCookieValue = realm.getName() + "/" + user.getId();
// With user-storage providers, user ID can contain special characters, which need to be encoded
String sessionCookieValue = realm.getName() + "/" + Encode.urlEncode(user.getId());
if (session != null) {
sessionCookieValue += "/" + session.getId();
}

View file

@ -50,6 +50,7 @@ import org.keycloak.testsuite.pages.VerifyEmailPage;
import org.keycloak.testsuite.updaters.RealmAttributeUpdater;
import org.keycloak.testsuite.util.GreenMailRule;
import org.keycloak.testsuite.util.TestCleanup;
import org.openqa.selenium.Cookie;
import javax.mail.internet.MimeMessage;
import javax.ws.rs.NotFoundException;
@ -72,14 +73,18 @@ import java.util.stream.Stream;
import static java.util.Calendar.DAY_OF_WEEK;
import static java.util.Calendar.HOUR_OF_DAY;
import static java.util.Calendar.MINUTE;
import static org.hamcrest.Matchers.contains;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.hasSize;
import static org.hamcrest.Matchers.is;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertThat;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.keycloak.models.UserModel.RequiredAction.UPDATE_PROFILE;
import static org.keycloak.services.managers.AuthenticationManager.KEYCLOAK_SESSION_COOKIE;
import static org.keycloak.services.util.CookieHelper.LEGACY_COOKIE;
import static org.keycloak.storage.UserStorageProviderModel.CACHE_POLICY;
import static org.keycloak.storage.UserStorageProviderModel.EVICTION_DAY;
import static org.keycloak.storage.UserStorageProviderModel.EVICTION_HOUR;
@ -242,6 +247,26 @@ public class UserStorageTest extends AbstractAuthTest {
loginBadPassword("tbrady");
}
@Test
public void testLoginSuccessWithSpecialCharacter() {
testRealmAccountPage.navigateTo();
testRealmLoginPage.form().login("spécial", "pw");
assertCurrentUrlStartsWith(testRealmAccountPage);
Cookie sameSiteSessionCookie = driver.manage().getCookieNamed(KEYCLOAK_SESSION_COOKIE);
Cookie legacySessionCookie = driver.manage().getCookieNamed(KEYCLOAK_SESSION_COOKIE + LEGACY_COOKIE);
String cookieValue = sameSiteSessionCookie.getValue();
Assert.assertThat(cookieValue.contains("spécial"), is(false));
Assert.assertThat(cookieValue.contains("sp%C3%A9cial"), is(true));
String legacyCookieValue = legacySessionCookie.getValue();
Assert.assertThat(legacyCookieValue.contains("spécial"), is(false));
Assert.assertThat(legacyCookieValue.contains("sp%C3%A9cial"), is(true));
testRealmAccountPage.logOut();
}
@Test
public void testUpdate() {
UserRepresentation thor = ApiUtil.findUserByUsername(testRealmResource(), "thor");
@ -419,11 +444,12 @@ public class UserStorageTest extends AbstractAuthTest {
usernames.add(user.getUsername());
log.info(user.getUsername());
}
Assert.assertEquals(8, queried.size());
Assert.assertEquals(9, queried.size());
Assert.assertTrue(usernames.contains("thor"));
Assert.assertTrue(usernames.contains("zeus"));
Assert.assertTrue(usernames.contains("apollo"));
Assert.assertTrue(usernames.contains("perseus"));
Assert.assertTrue(usernames.contains("spécial"));
Assert.assertTrue(usernames.contains("tbrady"));
Assert.assertTrue(usernames.contains("rob"));
Assert.assertTrue(usernames.contains("jules"));

View file

@ -2,3 +2,4 @@ thor=hammer
zeus=pw
apollo=pw
perseus=pw
spécial=pw