libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

Fix for Issue# 32622 (https://github.com/keycloak/keycloak/issues/32622)

Browse source 
The expected Destination Path needs to properly point to the client that is created for IDP-initiated SSO flow. This is especially an issue when Keycloak is behind a reverse proxy that terminates TLS.

Signed-off-by: Manish Mehta <ManishMehta@users.noreply.github.com>
This commit is contained in:
Manish Mehta 2024-09-18 18:47:01 -07:00 committed by Marek Posolda
parent 1d23c3c720
commit d57050656e
2 changed files with 9 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
services/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java
View file

@ -814,7 +814,7 @@ public class SAMLEndpoint {
private String getExpectedDestination(String providerAlias, String clientId) {
if(clientId != null) {
return session.getContext().getUri().getAbsolutePath().toString();
return Urls.identityProviderAuthnResponse(session.getContext().getUri().getBaseUri(), providerAlias, realm.getName(), clientId).toString();
}
return Urls.identityProviderAuthnResponse(session.getContext().getUri().getBaseUri(), providerAlias, realm.getName()).toString();
}

8
services/src/main/java/org/keycloak/services/Urls.java
View file

@ -18,6 +18,7 @@ package org.keycloak.services;
import org.keycloak.common.Version;
import org.keycloak.models.Constants;
import org.keycloak.broker.saml.SAMLEndpoint;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.protocol.oidc.endpoints.LogoutEndpoint;
@ -53,6 +54,13 @@ public class Urls {
.build(realmName, providerAlias);
}
public static URI identityProviderAuthnResponse(URI baseUri, String providerAlias, String realmName, String client_id) {
return realmBase(baseUri).path(RealmsResource.class, "getBrokerService")
.path(IdentityBrokerService.class, "getEndpoint")
.path(SAMLEndpoint.class, "redirectBindingIdpInitiated")
.build(realmName, providerAlias, client_id);
}
public static URI identityProviderAuthnRequest(URI baseUri, String providerAlias, String realmName, String accessCode, String clientId, String tabId, String clientData, String loginHint) {
UriBuilder uriBuilder = realmBase(baseUri).path(RealmsResource.class, "getBrokerService")
.path(IdentityBrokerService.class, "performLogin");