libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

KEYCLOAK-2259

Browse source 
Redirect URIs and token domains are matched case-sensitively
This commit is contained in:
Stian Thorgersen 2016-01-08 15:37:34 +01:00
parent a90d7e54d4
commit ddd99c2411
2 changed files with 39 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java
View file

@ -63,6 +63,8 @@ public class RedirectUtils {
logger.debug("No Redirect URIs supplied"); logger.debug("No Redirect URIs supplied");
redirectUri = null; redirectUri = null;
} else { } else {
redirectUri = lowerCaseHostname(redirectUri);
String r = redirectUri.indexOf('?') != -1 ? redirectUri.substring(0, redirectUri.indexOf('?')) : redirectUri; String r = redirectUri.indexOf('?') != -1 ? redirectUri.substring(0, redirectUri.indexOf('?')) : redirectUri;
Set<String> resolveValidRedirects = resolveValidRedirects(uriInfo, rootUrl, validRedirects); Set<String> resolveValidRedirects = resolveValidRedirects(uriInfo, rootUrl, validRedirects);
@ -96,6 +98,15 @@ public class RedirectUtils {
} }
} }
private static String lowerCaseHostname(String redirectUri) {
int n = redirectUri.indexOf('/', 7);
if (n == -1) {
return redirectUri.toLowerCase();
} else {
return redirectUri.substring(0, n).toLowerCase() + redirectUri.substring(n);
}
}
private static String relativeToAbsoluteURI(UriInfo uriInfo, String rootUrl, String relative) { private static String relativeToAbsoluteURI(UriInfo uriInfo, String rootUrl, String relative) {
if (rootUrl == null) { if (rootUrl == null) {
URI baseUri = uriInfo.getBaseUri(); URI baseUri = uriInfo.getBaseUri();

28
testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/OAuthRedirectUriTest.java
View file

@ -65,8 +65,15 @@ public class OAuthRedirectUriTest {
ClientModel installedApp3 = KeycloakModelUtils.createClient(appRealm, "test-wildcard"); ClientModel installedApp3 = KeycloakModelUtils.createClient(appRealm, "test-wildcard");
installedApp3.setEnabled(true); installedApp3.setEnabled(true);
installedApp3.addRedirectUri("http://example.com/foo/*"); installedApp3.addRedirectUri("http://example.com/foo/*");
installedApp3.addRedirectUri("http://with-dash.example.com/foo/*");
installedApp3.addRedirectUri("http://localhost:8081/foo/*"); installedApp3.addRedirectUri("http://localhost:8081/foo/*");
installedApp3.setSecret("password"); installedApp3.setSecret("password");
ClientModel installedApp4 = KeycloakModelUtils.createClient(appRealm, "test-dash");
installedApp4.setEnabled(true);
installedApp4.addRedirectUri("http://with-dash.example.com");
installedApp4.addRedirectUri("http://with-dash.example.com/foo");
installedApp4.setSecret("password");
} }
}); });
@ -216,6 +223,27 @@ public class OAuthRedirectUriTest {
checkRedirectUri("http://localhost:8081/foobar", false, true); checkRedirectUri("http://localhost:8081/foobar", false, true);
} }
@Test
public void testDash() throws IOException {
oauth.clientId("test-dash");
checkRedirectUri("http://with-dash.example.com/foo", true);
}
@Test
public void testDifferentCaseInHostname() throws IOException {
oauth.clientId("test-dash");
checkRedirectUri("http://with-dash.example.com", true);
checkRedirectUri("http://wiTh-dAsh.example.com", true);
checkRedirectUri("http://with-dash.example.com/foo", true);
checkRedirectUri("http://wiTh-dAsh.example.com/foo", true);
checkRedirectUri("http://with-dash.eXampLe.com/foo", true);
checkRedirectUri("http://wiTh-dAsh.eXampLe.com/foo", true);
checkRedirectUri("http://wiTh-dAsh.eXampLe.com/Foo", false);
checkRedirectUri("http://wiTh-dAsh.eXampLe.com/foO", false);
}
@Test @Test
public void testLocalhost() throws IOException { public void testLocalhost() throws IOException {
oauth.clientId("test-installed"); oauth.clientId("test-installed");