[KEYCLOAK-13005] Make sure the master URL is used if the consumer POST or REDIRECT URL is an empty string

- Fixes issue where admin console sets an empty string when the consumer POST or REDIRECT URL is deleted
Stefan Guilhen 2020-04-05 23:26:40 -03:00 committed by Hynek Mlnařík
parent db8cb63565
commit da1138a8d2
3 changed files with 28 additions and 5 deletions


@ -307,7 +307,7 @@ public class SamlService extends AuthorizationEndpointBase {
} else { } else {
redirect = client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE); redirect = client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE);
} }
if (redirect == null) { if (redirect == null || redirect.trim().isEmpty()) {
redirect = client.getManagementUrl(); redirect = client.getManagementUrl();
} }
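Review bot: After the fallback guarded by the new `if (redirect == null || redirect.trim().isEmpty())` line, `redirect` can still be null or blank when `client.getManagementUrl()` is itself unset or has been cleared to an empty string, and this value decides where the SAML response is sent. The enclosing method continues outside the hunk, so any later guard is not visible; if it tests only `redirect == null`, it should use the same null-or-blank condition so that an empty destination is rejected with an error rather than used. A configured value with surrounding whitespace also passes through untrimmed; consider `redirect = redirect.trim();` once the value is known to be non-blank.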


@ -56,10 +56,10 @@ public class SamlSPDescriptorClientInstallation implements ClientInstallationPro
logoutUrl = client.getAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE); logoutUrl = client.getAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE);
binding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get(); binding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();
} }
if (assertionUrl == null || assertionUrl.isEmpty()) assertionUrl = client.getManagementUrl(); if (assertionUrl == null || assertionUrl.trim().isEmpty()) assertionUrl = client.getManagementUrl();
if (assertionUrl == null || assertionUrl.isEmpty()) assertionUrl = FALLBACK_ERROR_URL_STRING; if (assertionUrl == null || assertionUrl.trim().isEmpty()) assertionUrl = FALLBACK_ERROR_URL_STRING;
if (logoutUrl == null || assertionUrl.isEmpty()) logoutUrl = client.getManagementUrl(); if (logoutUrl == null || logoutUrl.trim().isEmpty()) logoutUrl = client.getManagementUrl();
if (logoutUrl == null || assertionUrl.isEmpty()) logoutUrl = FALLBACK_ERROR_URL_STRING; if (logoutUrl == null || logoutUrl.trim().isEmpty()) logoutUrl = FALLBACK_ERROR_URL_STRING;
String nameIdFormat = samlClient.getNameIDFormat(); String nameIdFormat = samlClient.getNameIDFormat();
if (nameIdFormat == null) nameIdFormat = SamlProtocol.SAML_DEFAULT_NAMEID_FORMAT; if (nameIdFormat == null) nameIdFormat = SamlProtocol.SAML_DEFAULT_NAMEID_FORMAT;
String spCertificate = SPMetadataDescriptor.xmlKeyInfo(" ", null, samlClient.getClientSigningCertificate(), KeyTypes.SIGNING.value(), true); String spCertificate = SPMetadataDescriptor.xmlKeyInfo(" ", null, samlClient.getClientSigningCertificate(), KeyTypes.SIGNING.value(), true);
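Review bot: The null-or-blank test is now written out four times on consecutive lines, and the two `logoutUrl` lines corrected here were a copy-paste slip of exactly that pattern (they tested `assertionUrl.isEmpty()`). A small private helper such as `private static boolean isBlank(String s) { return s == null || s.trim().isEmpty(); }` would reduce each fallback line to a single variable name and make a repeat of the slip harder. The test added in this commit covers only the login flow, so nothing visible here exercises the descriptor output with an empty logout URL. The method body starts and ends outside the hunk.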


@ -816,6 +816,29 @@ public class SAMLServletAdapterTest extends AbstractSAMLServletAdapterTest {
testSuccessfulAndUnauthorizedLogin(salesPostServletPage, testRealmSAMLPostLoginPage); testSuccessfulAndUnauthorizedLogin(salesPostServletPage, testRealmSAMLPostLoginPage);
} }
/**
* KEYCLOAK-13005: setting the Consumer Service POST Binding URL in the admin console and then deleting it (i.e. erase
* the field contents) leads to failure to properly redirect back to the app after a successful login. It happens because
* the admin console sets the value of a field that was previously configured to an empty string instead of null, so the
* code must verify if the configured URL is not null and non-empty.
*
* This test verifies the fix for the issue works by mimicking the behavior of the admin console - i.e. setting an empty
* string in the {@code saml_assertion_consumer_url_post} attribute. It is expected that in this situation the master
* URL is picked and redirection to the app works after a successful login.
*
* @throws Exception if an error occurs while running the test.
*/
@Test
public void salesPostEmptyConsumerPostURL() throws Exception {
try (Closeable client = ClientAttributeUpdater.forClient(adminClient, testRealmPage.getAuthRealm(), SalesPostServlet.CLIENT_NAME)
.setAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE, "")
.update()) {
testSuccessfulAndUnauthorizedLogin(salesPostServletPage, testRealmSAMLPostLoginPage);
} finally {
salesPostEncServletPage.logout();
}
}
@Test @Test
public void salesPostEncTest() { public void salesPostEncTest() {
testSuccessfulAndUnauthorizedLogin(salesPostEncServletPage, testRealmSAMLPostLoginPage); testSuccessfulAndUnauthorizedLogin(salesPostEncServletPage, testRealmSAMLPostLoginPage);
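Review bot: The `finally` block calls `salesPostEncServletPage.logout()` although the test logs in through `salesPostServletPage`. Unless the shared helper already ends that session, this looks like a copy-paste slip and should probably read `salesPostServletPage.logout();`, otherwise a leftover session could affect later tests. The test also sets only `SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE` to `""`, so the REDIRECT attribute branch and the whitespace-only case that the new `trim()` handles are not exercised.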