fix relative uri problem

docbook/reference/en/en-US/modules/jboss-adapter.xml

@@ -1,4 +1,4 @@
-<section>
+<section id="jboss-adapter">
     <title>JBoss/Wildfly Adapter</title>
     <para>
         To be able to secure WAR apps deployed on JBoss AS 7.1.1, JBoss EAP 6.x, or Wildfly, you must install and
@@ -7,7 +7,7 @@
         to crack open your WARs at all and can apply Keycloak via the Keycloak Subsystem configuration in standalone.xml.
         Both methods are described in this section.
     </para>
-    <section>
+    <section id="jboss-adapter-installation">
         <title>Adapter Installation</title>
     <para>
         This is a adapter zip file for AS7, EAP, and Wildfly in the <literal>adapters/</literal> directory in the Keycloak

docbook/reference/en/en-US/modules/server-installation.xml

@@ -106,6 +106,11 @@ keycloak-war-dist-all-1.0-rc-1-SNAPSHOT/
     $ cp -r configuration $JBOSS_HOME/standalone
 </programlisting>
         </para>
+        <para>
+            After these steps you should also <link linkend='jboss-adapter-installation'>install the client adapter</link>
+            as this may contain modules the server needs (like Bouncycastle).  You will also need to install the adapter
+            to run the examples on the same server.
+        </para>
         <para>
             After booting up the JBoss or Wildfly distro, you can then make sure it is installed properly
             by logging into the admin console at<ulink

services/src/main/java/org/keycloak/services/resources/TokenService.java

@@ -1288,6 +1288,9 @@ public class TokenService {
 
                 valid = matchesRedirects(resolveValidRedirects, r);
             }
+            if (valid && redirectUri.startsWith("/")) {
+                redirectUri = relativeToAbsoluteURI(uriInfo, redirectUri);
+            }
             redirectUri = valid ? redirectUri : null;
         }
 
@@ -1302,18 +1305,24 @@ public class TokenService {
         // If the valid redirect URI is relative (no scheme, host, port) then use the request's scheme, host, and port
         Set<String> resolveValidRedirects = new HashSet<String>();
         for (String validRedirect : validRedirects) {
+            resolveValidRedirects.add(validRedirect); // add even relative urls.
             if (validRedirect.startsWith("/")) {
+                validRedirect = relativeToAbsoluteURI(uriInfo, validRedirect);
+                logger.debugv("replacing relative valid redirect with: {0}", validRedirect);
+                resolveValidRedirects.add(validRedirect);
+            }
+        }
+        return resolveValidRedirects;
+    }
+
+    public static String relativeToAbsoluteURI(UriInfo uriInfo, String relative) {
         URI baseUri = uriInfo.getBaseUri();
         String uri = baseUri.getScheme() + "://" + baseUri.getHost();
         if (baseUri.getPort() != -1) {
             uri += ":" + baseUri.getPort();
         }
-                validRedirect = uri + validRedirect;
-                logger.debugv("replacing relative valid redirect with: {0}", validRedirect);
-            }
-            resolveValidRedirects.add(validRedirect);
-        }
-        return resolveValidRedirects;
+        relative = uri + relative;
+        return relative;
     }
 
     private boolean checkSsl() {

testsuite/integration/src/test/java/org/keycloak/testsuite/adapter/RelativeUriAdapterTest.java

@@ -149,7 +149,7 @@ public class RelativeUriAdapterTest {
         // test logout
 
         String logoutUri = TokenService.logoutUrl(UriBuilder.fromUri("http://localhost:8081/auth"))
-                .queryParam(OAuth2Constants.REDIRECT_URI, "http://localhost:8081/customer-portal").build("demo").toString();
+                .queryParam(OAuth2Constants.REDIRECT_URI, "/customer-portal").build("demo").toString();
         driver.navigate().to(logoutUri);
         Assert.assertTrue(driver.getCurrentUrl().startsWith(LOGIN_URL));
         driver.navigate().to("http://localhost:8081/product-portal");