Ensure 'iss' is returned when 'prompt=none' and user is not authenticated, per RFC9207
Closes keycloak/keycloak#25584 Signed-off-by: Joshua Sorah <jsorah@redhat.com>
parent
57cbb391f3
commit
d411eafc42
2 changed files with 11 additions and 0 deletions
|
@ -50,6 +50,7 @@ import org.keycloak.representations.AccessTokenResponse;
|
||||||
import org.keycloak.representations.adapters.action.PushNotBeforeAction;
|
import org.keycloak.representations.adapters.action.PushNotBeforeAction;
|
||||||
import org.keycloak.services.CorsErrorResponseException;
|
import org.keycloak.services.CorsErrorResponseException;
|
||||||
import org.keycloak.services.ServicesLogger;
|
import org.keycloak.services.ServicesLogger;
|
||||||
|
import org.keycloak.services.Urls;
|
||||||
import org.keycloak.services.clientpolicy.ClientPolicyException;
|
import org.keycloak.services.clientpolicy.ClientPolicyException;
|
||||||
import org.keycloak.services.clientpolicy.context.ImplicitHybridTokenResponse;
|
import org.keycloak.services.clientpolicy.context.ImplicitHybridTokenResponse;
|
||||||
import org.keycloak.services.clientpolicy.context.TokenRefreshContext;
|
import org.keycloak.services.clientpolicy.context.TokenRefreshContext;
|
||||||
|
@ -333,6 +334,12 @@ public class OIDCLoginProtocol implements LoginProtocol {
|
||||||
redirectUri.addParam(OAuth2Constants.STATE, state);
|
redirectUri.addParam(OAuth2Constants.STATE, state);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// RFC 9207 support + compatibility flag
|
||||||
|
OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientModel(session.getContext().getClient());
|
||||||
|
if (!clientConfig.isExcludeIssuerFromAuthResponse()) {
|
||||||
|
redirectUri.addParam(OAuth2Constants.ISSUER, Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName()));
|
||||||
|
}
|
||||||
|
|
||||||
// Remove authenticationSession from current tab
|
// Remove authenticationSession from current tab
|
||||||
new AuthenticationSessionManager(session).removeTabIdInAuthenticationSession(realm, authSession);
|
new AuthenticationSessionManager(session).removeTabIdInAuthenticationSession(realm, authSession);
|
||||||
|
|
||||||
|
|
|
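Review bot: The exclusion flag in the new block is read from the ambient request client, `OIDCAdvancedConfigWrapper.fromClientModel(session.getContext().getClient())`, while the response being built belongs to `authSession` (visible in the `removeTabIdInAuthenticationSession(realm, authSession)` call just below). If `authSession` is the session model here, `OIDCAdvancedConfigWrapper.fromClientModel(authSession.getClient())` binds the compatibility flag to the client that actually issued the request, and it cannot differ from, or be absent from, whatever the context happens to hold at the time this error path runs; I cannot see from the hunk whether the context client is guaranteed to be set for every caller of this method, so this is an inferred risk. The enclosing method starts and ends outside the hunk. A one-line comment above the check, `// iss is required on error responses too (RFC 9207 §2), unless the client opts out`, would also record why this sits in the error path rather than only in the success path.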
@ -263,6 +263,9 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void promptNoneNotLogged() {
|
public void promptNoneNotLogged() {
|
||||||
|
|
||||||
|
String expectedIssuer = oauth.doWellKnownRequest(oauth.getRealm()).getIssuer();
|
||||||
|
|
||||||
// Send request with prompt=none
|
// Send request with prompt=none
|
||||||
driver.navigate().to(oauth.getLoginFormUrl() + "&prompt=none");
|
driver.navigate().to(oauth.getLoginFormUrl() + "&prompt=none");
|
||||||
|
|
||||||
|
@ -273,6 +276,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
|
||||||
|
|
||||||
// Assert error response was sent because not logged in
|
// Assert error response was sent because not logged in
|
||||||
OAuthClient.AuthorizationEndpointResponse resp = new OAuthClient.AuthorizationEndpointResponse(oauth);
|
OAuthClient.AuthorizationEndpointResponse resp = new OAuthClient.AuthorizationEndpointResponse(oauth);
|
||||||
|
Assert.assertEquals(expectedIssuer, resp.getIssuer());
|
||||||
Assert.assertNull(resp.getCode());
|
Assert.assertNull(resp.getCode());
|
||||||
Assert.assertEquals(OAuthErrorException.LOGIN_REQUIRED, resp.getError());
|
Assert.assertEquals(OAuthErrorException.LOGIN_REQUIRED, resp.getError());
|
||||||
|
|
||||||
|
|
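Review bot: The new assertion `Assert.assertEquals(expectedIssuer, resp.getIssuer())` covers only the default path of the feature it tests; nothing in this file section exercises the opt-out branch (`isExcludeIssuerFromAuthResponse()` true) for the prompt=none error response, so a regression that leaks or drops `iss` in that branch would go unnoticed. A sibling test that enables the client's exclude-issuer setting, repeats the `&prompt=none` navigation, and asserts the issuer is absent from the error response while `OAuthErrorException.LOGIN_REQUIRED` is still returned would pin both halves of the behaviour. `promptNoneNotLogged()` continues outside the hunk.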