Ensure 'iss' is returned when 'prompt=none' and user is not authenticated, per RFC9207

Closes keycloak/keycloak#25584

Signed-off-by: Joshua Sorah <jsorah@redhat.com>
This commit is contained in:
Joshua Sorah 2023-12-14 14:34:07 -05:00 committed by Marek Posolda
parent 57cbb391f3
commit d411eafc42
2 changed files with 11 additions and 0 deletions

View file

@ -50,6 +50,7 @@ import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.adapters.action.PushNotBeforeAction; import org.keycloak.representations.adapters.action.PushNotBeforeAction;
import org.keycloak.services.CorsErrorResponseException; import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.ServicesLogger; import org.keycloak.services.ServicesLogger;
import org.keycloak.services.Urls;
import org.keycloak.services.clientpolicy.ClientPolicyException; import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.ImplicitHybridTokenResponse; import org.keycloak.services.clientpolicy.context.ImplicitHybridTokenResponse;
import org.keycloak.services.clientpolicy.context.TokenRefreshContext; import org.keycloak.services.clientpolicy.context.TokenRefreshContext;
@ -333,6 +334,12 @@ public class OIDCLoginProtocol implements LoginProtocol {
redirectUri.addParam(OAuth2Constants.STATE, state); redirectUri.addParam(OAuth2Constants.STATE, state);
} }
// RFC 9207 support + compatibility flag
OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientModel(session.getContext().getClient());
if (!clientConfig.isExcludeIssuerFromAuthResponse()) {
redirectUri.addParam(OAuth2Constants.ISSUER, Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName()));
}
// Remove authenticationSession from current tab // Remove authenticationSession from current tab
new AuthenticationSessionManager(session).removeTabIdInAuthenticationSession(realm, authSession); new AuthenticationSessionManager(session).removeTabIdInAuthenticationSession(realm, authSession);

View file

@ -263,6 +263,9 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
@Test @Test
public void promptNoneNotLogged() { public void promptNoneNotLogged() {
String expectedIssuer = oauth.doWellKnownRequest(oauth.getRealm()).getIssuer();
// Send request with prompt=none // Send request with prompt=none
driver.navigate().to(oauth.getLoginFormUrl() + "&prompt=none"); driver.navigate().to(oauth.getLoginFormUrl() + "&prompt=none");
@ -273,6 +276,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Assert error response was sent because not logged in // Assert error response was sent because not logged in
OAuthClient.AuthorizationEndpointResponse resp = new OAuthClient.AuthorizationEndpointResponse(oauth); OAuthClient.AuthorizationEndpointResponse resp = new OAuthClient.AuthorizationEndpointResponse(oauth);
Assert.assertEquals(expectedIssuer, resp.getIssuer());
Assert.assertNull(resp.getCode()); Assert.assertNull(resp.getCode());
Assert.assertEquals(OAuthErrorException.LOGIN_REQUIRED, resp.getError()); Assert.assertEquals(OAuthErrorException.LOGIN_REQUIRED, resp.getError());