Ensure 'iss' is returned when 'prompt=none' and user is not authenticated, per RFC9207
Closes keycloak/keycloak#25584 Signed-off-by: Joshua Sorah <jsorah@redhat.com>
parent
57cbb391f3
commit
d411eafc42
2 changed files with 11 additions and 0 deletions
|
@ -50,6 +50,7 @@ import org.keycloak.representations.AccessTokenResponse;
|
|||
import org.keycloak.representations.adapters.action.PushNotBeforeAction;
|
||||
import org.keycloak.services.CorsErrorResponseException;
|
||||
import org.keycloak.services.ServicesLogger;
|
||||
import org.keycloak.services.Urls;
|
||||
import org.keycloak.services.clientpolicy.ClientPolicyException;
|
||||
import org.keycloak.services.clientpolicy.context.ImplicitHybridTokenResponse;
|
||||
import org.keycloak.services.clientpolicy.context.TokenRefreshContext;
|
||||
|
@ -333,6 +334,12 @@ public class OIDCLoginProtocol implements LoginProtocol {
|
|||
redirectUri.addParam(OAuth2Constants.STATE, state);
|
||||
}
|
||||
|
||||
// RFC 9207 support + compatibility flag
|
||||
OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientModel(session.getContext().getClient());
|
||||
if (!clientConfig.isExcludeIssuerFromAuthResponse()) {
|
||||
redirectUri.addParam(OAuth2Constants.ISSUER, Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName()));
|
||||
}
|
||||
|
||||
// Remove authenticationSession from current tab
|
||||
new AuthenticationSessionManager(session).removeTabIdInAuthenticationSession(realm, authSession);
|
||||
|
||||
|
|
|
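Review bot: The client used to decide whether `iss` is appended is read from `session.getContext().getClient()` on the `clientConfig` line, while the rest of this block works from `authSession` (see the `removeTabIdInAuthenticationSession(realm, authSession)` call); if this error path can be reached before the request context has its client set, `fromClientModel` would dereference null. Binding the decision to the session the redirect is built from, `OIDCAdvancedConfigWrapper.fromClientModel(authSession.getClient())`, avoids that dependency, assuming that getter is non-null here — confirm against the caller. The same RFC 9207 block presumably already exists on the success path of this class, so a small private helper used by both paths would keep the exclusion flag applied identically and stop the two copies from drifting. The `// RFC 9207 support + compatibility flag` comment could state the why rather than the what: `// RFC 9207 §2: error responses from the authorization endpoint must carry iss too (mix-up mitigation); legacy clients can opt out via the exclude flag`. The enclosing method begins and ends outside this hunk.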
@ -263,6 +263,9 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
|
|||
|
||||
@Test
|
||||
public void promptNoneNotLogged() {
|
||||
|
||||
String expectedIssuer = oauth.doWellKnownRequest(oauth.getRealm()).getIssuer();
|
||||
|
||||
// Send request with prompt=none
|
||||
driver.navigate().to(oauth.getLoginFormUrl() + "&prompt=none");
|
||||
|
||||
|
@ -273,6 +276,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
|
|||
|
||||
// Assert error response was sent because not logged in
|
||||
OAuthClient.AuthorizationEndpointResponse resp = new OAuthClient.AuthorizationEndpointResponse(oauth);
|
||||
Assert.assertEquals(expectedIssuer, resp.getIssuer());
|
||||
Assert.assertNull(resp.getCode());
|
||||
Assert.assertEquals(OAuthErrorException.LOGIN_REQUIRED, resp.getError());
|
||||
|
||||
|
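Review bot: The new `Assert.assertEquals(expectedIssuer, resp.getIssuer())` pins only the default client configuration; the compatibility flag introduced alongside it (excluding `iss` from the auth response) has no counterpart on this prompt=none error path, so a regression that ignored the flag in the error branch would still pass. A second test that enables the exclusion on the test client, repeats the prompt=none navigation and asserts `Assert.assertNull(resp.getIssuer())` on the same login_required response would close that gap. It would also be worth a one-line comment above the issuer assertion naming the reason, e.g. `// RFC 9207: iss must be present on error responses as well, so clients can detect mix-up`. promptNoneNotLogged opens in the previous hunk and ends outside this one.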
|