[KEYCLOAK-13005] Make sure the master URL is used if the consumer POST or REDIRECT URL is an empty string
- Fixes an issue where the admin console sets an empty string when the consumer POST or REDIRECT URL is deleted
parent
db8cb63565
commit
da1138a8d2
3 changed files with 28 additions and 5 deletions
|
@ -307,7 +307,7 @@ public class SamlService extends AuthorizationEndpointBase {
|
|||
} else {
|
||||
redirect = client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE);
|
||||
}
|
||||
if (redirect == null) {
|
||||
if (redirect == null || redirect.trim().isEmpty()) {
|
||||
redirect = client.getManagementUrl();
|
||||
}
|
||||
|
||||
|
|
|
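Review bot: The fallback on the line after the new check, `redirect = client.getManagementUrl();`, can itself yield null or an empty string when the client has no management URL configured, and this hunk shows no second fallback; SamlSPDescriptorClientInstallation in the same commit chains a `FALLBACK_ERROR_URL_STRING` fallback for that case, so the two code paths now disagree on what a fully unconfigured client produces. How a null `redirect` is handled afterwards lies outside the hunk, so it may already be covered further down. The reason for trimming deserves a comment, since a reader will wonder why the null check alone was not enough: `// the admin console stores a cleared field as "" rather than null (KEYCLOAK-13005), so treat blank as unset`. The enclosing method begins and ends outside the hunk.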
@ -56,10 +56,10 @@ public class SamlSPDescriptorClientInstallation implements ClientInstallationPro
|
|||
logoutUrl = client.getAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE);
|
||||
binding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();
|
||||
}
|
||||
if (assertionUrl == null || assertionUrl.isEmpty()) assertionUrl = client.getManagementUrl();
|
||||
if (assertionUrl == null || assertionUrl.isEmpty()) assertionUrl = FALLBACK_ERROR_URL_STRING;
|
||||
if (logoutUrl == null || assertionUrl.isEmpty()) logoutUrl = client.getManagementUrl();
|
||||
if (logoutUrl == null || assertionUrl.isEmpty()) logoutUrl = FALLBACK_ERROR_URL_STRING;
|
||||
if (assertionUrl == null || assertionUrl.trim().isEmpty()) assertionUrl = client.getManagementUrl();
|
||||
if (assertionUrl == null || assertionUrl.trim().isEmpty()) assertionUrl = FALLBACK_ERROR_URL_STRING;
|
||||
if (logoutUrl == null || logoutUrl.trim().isEmpty()) logoutUrl = client.getManagementUrl();
|
||||
if (logoutUrl == null || logoutUrl.trim().isEmpty()) logoutUrl = FALLBACK_ERROR_URL_STRING;
|
||||
String nameIdFormat = samlClient.getNameIDFormat();
|
||||
if (nameIdFormat == null) nameIdFormat = SamlProtocol.SAML_DEFAULT_NAMEID_FORMAT;
|
||||
String spCertificate = SPMetadataDescriptor.xmlKeyInfo(" ", null, samlClient.getClientSigningCertificate(), KeyTypes.SIGNING.value(), true);
|
||||
|
|
|
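Review bot: The four single-line `if` statements at the top of the new side repeat the same null-or-blank test twice per URL, and the removed lines show how easily the variable gets mistyped in that repetition (the old `logoutUrl` lines tested `assertionUrl`). Folding the test into a small private helper turns each fallback chain into one expression and leaves a single place to change if blank-handling is revisited again; the lines below replace the four `if`s, and the helper is added as a member of the class. The enclosing method begins and ends outside the hunk.
```java
// … unchanged: binding selection …
assertionUrl = firstNonBlank(firstNonBlank(assertionUrl, client.getManagementUrl()), FALLBACK_ERROR_URL_STRING);
logoutUrl = firstNonBlank(firstNonBlank(logoutUrl, client.getManagementUrl()), FALLBACK_ERROR_URL_STRING);
// … unchanged: nameIdFormat and spCertificate …

// new private helper, placed with the other members of the class
private static String firstNonBlank(String value, String fallback) {
    return (value == null || value.trim().isEmpty()) ? fallback : value;
}
```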
@ -816,6 +816,29 @@ public class SAMLServletAdapterTest extends AbstractSAMLServletAdapterTest {
|
|||
testSuccessfulAndUnauthorizedLogin(salesPostServletPage, testRealmSAMLPostLoginPage);
|
||||
}
|
||||
|
||||
/**
|
||||
* KEYCLOAK-13005: setting the Consumer Service POST Binding URL in the admin console and then deleting it (i.e. erase
|
||||
* the field contents) leads to failure to properly redirect back to the app after a successful login. It happens because
|
||||
* the admin console sets the value of a field that was previously configured to an empty string instead of null, so the
|
||||
* code must verify if the configured URL is not null and non-empty.
|
||||
*
|
||||
* This test verifies the fix for the issue works by mimicking the behavior of the admin console - i.e. setting an empty
|
||||
* string in the {@code saml_assertion_consumer_url_post} attribute. It is expected that in this situation the master
|
||||
* URL is picked and redirection to the app works after a successful login.
|
||||
*
|
||||
* @throws Exception if an error occurs while running the test.
|
||||
*/
|
||||
@Test
|
||||
public void salesPostEmptyConsumerPostURL() throws Exception {
|
||||
try (Closeable client = ClientAttributeUpdater.forClient(adminClient, testRealmPage.getAuthRealm(), SalesPostServlet.CLIENT_NAME)
|
||||
.setAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE, "")
|
||||
.update()) {
|
||||
testSuccessfulAndUnauthorizedLogin(salesPostServletPage, testRealmSAMLPostLoginPage);
|
||||
} finally {
|
||||
salesPostEncServletPage.logout();
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void salesPostEncTest() {
|
||||
testSuccessfulAndUnauthorizedLogin(salesPostEncServletPage, testRealmSAMLPostLoginPage);
|
||||
|
|
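Review bot: The `finally` block of the new `salesPostEmptyConsumerPostURL` test logs out `salesPostEncServletPage`, while the login it exercises two lines earlier runs against `salesPostServletPage`; unless the shared browser session makes this intentional, the cleanup should be `salesPostServletPage.logout();`, otherwise the logged-in session can leak into the next test. The commit title covers both the POST and the REDIRECT consumer URL, but only `SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE` is set to `""` here, so the redirect-binding branch changed in SamlService has no test of its own; a sibling test setting `SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE` to `""` against a redirect-binding client would close that gap. The class continues outside the hunk.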