From 731d75c756b94d0aeb9db9d325f803c2f897ea70 Mon Sep 17 00:00:00 2001 From: Bill Burke Date: Mon, 4 Aug 2014 16:04:10 -0400 Subject: [PATCH 1/3] app full scope by default --- .../idm/ApplicationRepresentation.java | 9 ++++++++ .../idm/OAuthClientRepresentation.java | 10 +++++++++ dependencies/server-all/pom.xml | 7 ++++++- examples/demo-template/testrealm.json | 21 ------------------- .../resources/js/controllers/applications.js | 18 +++++++++++++++- .../resources/js/controllers/oauth-clients.js | 16 +++++++++++++- .../partials/application-scope-mappings.html | 13 +++++++++++- .../partials/oauth-client-scope-mappings.html | 12 ++++++++++- .../java/org/keycloak/models/ClientModel.java | 3 +++ .../models/entities/ClientEntity.java | 9 ++++++++ .../models/utils/KeycloakModelUtils.java | 1 + .../models/utils/ModelToRepresentation.java | 2 ++ .../models/utils/RepresentationToModel.java | 4 ++++ .../keycloak/models/cache/ClientAdapter.java | 15 ++++++++++++- .../models/cache/entities/CachedClient.java | 6 ++++++ .../keycloak/models/jpa/ClientAdapter.java | 11 ++++++++++ .../models/jpa/entities/ClientEntity.java | 10 +++++++++ .../keycloak/adapters/ClientAdapter.java | 13 ++++++++++++ .../services/managers/RealmManager.java | 3 +++ .../services/managers/TokenManager.java | 2 ++ .../testsuite/admin/AdminAPITest.java | 1 + .../composites/CompositeRoleTest.java | 4 ++++ .../test/resources/model/testcomposites.json | 4 ++++ .../src/test/resources/testcomposite.json | 4 ++++ 24 files changed, 171 insertions(+), 27 deletions(-) mode change 100644 => 100755 model/api/src/main/java/org/keycloak/models/entities/ClientEntity.java diff --git a/core/src/main/java/org/keycloak/representations/idm/ApplicationRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/ApplicationRepresentation.java index 509f00b4d7..3580e3924f 100755 --- a/core/src/main/java/org/keycloak/representations/idm/ApplicationRepresentation.java 
+++ b/core/src/main/java/org/keycloak/representations/idm/ApplicationRepresentation.java @@ -21,6 +21,7 @@ public class ApplicationRepresentation { protected Integer notBefore; protected Boolean bearerOnly; protected Boolean publicClient; + protected Boolean fullScopeAllowed; public String getId() { @@ -134,4 +135,12 @@ public class ApplicationRepresentation { public void setPublicClient(Boolean publicClient) { this.publicClient = publicClient; } + + public Boolean isFullScopeAllowed() { + return fullScopeAllowed; + } + + public void setFullScopeAllowed(Boolean fullScopeAllowed) { + this.fullScopeAllowed = fullScopeAllowed; + } } diff --git a/core/src/main/java/org/keycloak/representations/idm/OAuthClientRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/OAuthClientRepresentation.java index 7511de6f20..4c2193d49d 100755 --- a/core/src/main/java/org/keycloak/representations/idm/OAuthClientRepresentation.java +++ b/core/src/main/java/org/keycloak/representations/idm/OAuthClientRepresentation.java @@ -17,6 +17,7 @@ public class OAuthClientRepresentation { protected Integer notBefore; protected Boolean publicClient; protected Boolean directGrantsOnly; + protected Boolean fullScopeAllowed; public String getId() { @@ -98,4 +99,13 @@ public class OAuthClientRepresentation { public void setDirectGrantsOnly(Boolean directGrantsOnly) { this.directGrantsOnly = directGrantsOnly; } + + public Boolean isFullScopeAllowed() { + return fullScopeAllowed; + } + + public void setFullScopeAllowed(Boolean fullScopeAllowed) { + this.fullScopeAllowed = fullScopeAllowed; + } + } diff --git a/dependencies/server-all/pom.xml b/dependencies/server-all/pom.xml index 92f6df07b8..b385cfcb49 100755 --- a/dependencies/server-all/pom.xml +++ b/dependencies/server-all/pom.xml @@ -88,7 +88,12 @@ ${project.version} - + + + org.keycloak + keycloak-ldap-federation + ${project.version} + org.picketlink picketlink-common 
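Review bot: The `keycloak-ldap-federation` dependency added to `dependencies/server-all/pom.xml` is unrelated to the full-scope change the subject line describes, so a new artifact enters the server-all distribution without its own review trail. Naming it in the subject, or splitting it into its own commit, keeps the dependency change visible to anyone later auditing what server-all pulls in. The surrounding `<dependency>` elements were stripped by extraction, so the exact placement cannot be checked here; the representation hunks on this line only add a `Boolean` property in the style of their neighbours and raise nothing.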
diff --git a/examples/demo-template/testrealm.json b/examples/demo-template/testrealm.json index 816afd2756..3f0e20a358 100755 --- a/examples/demo-template/testrealm.json +++ b/examples/demo-template/testrealm.json @@ -92,28 +92,7 @@ { "client": "third-party", "roles": ["user"] - }, - { - "client": "customer-portal", - "roles": ["user", "admin" ] - }, - { - "client": "customer-portal-js", - "roles": ["user"] - }, - { - "client": "customer-portal-cli", - "roles": ["user"] - }, - { - "client": "angular-product", - "roles": ["user"] - }, - { - "client": "product-portal", - "roles": ["user", "admin" ] } - ], "applications": [ { diff --git a/forms/common-themes/src/main/resources/theme/admin/base/resources/js/controllers/applications.js b/forms/common-themes/src/main/resources/theme/admin/base/resources/js/controllers/applications.js index 60560f3e30..6c77ae700c 100755 --- a/forms/common-themes/src/main/resources/theme/admin/base/resources/js/controllers/applications.js +++ b/forms/common-themes/src/main/resources/theme/admin/base/resources/js/controllers/applications.js @@ -348,11 +348,12 @@ module.controller('ApplicationDetailCtrl', function($scope, realm, application, }); module.controller('ApplicationScopeMappingCtrl', function($scope, $http, realm, application, applications, + Application, ApplicationRealmScopeMapping, ApplicationApplicationScopeMapping, ApplicationRole, ApplicationAvailableRealmScopeMapping, ApplicationAvailableApplicationScopeMapping, ApplicationCompositeRealmScopeMapping, ApplicationCompositeApplicationScopeMapping) { $scope.realm = realm; - $scope.application = application; + $scope.application = angular.copy(application); $scope.selectedRealmRoles = []; $scope.selectedRealmMappings = []; $scope.realmMappings = []; 
@@ -364,6 +365,21 @@ module.controller('ApplicationScopeMappingCtrl', function($scope, $http, realm, $scope.applicationMappings = []; $scope.dummymodel = []; + + $scope.changeFullScopeAllowed = function() { + console.log('change full scope'); + Application.update({ + realm : realm.realm, + application : application.name + }, $scope.application, function() { + $scope.changed = false; + application = angular.copy($scope.application); + updateRealmRoles(); + }); + } + + + function updateRealmRoles() { $scope.realmRoles = ApplicationAvailableRealmScopeMapping.query({realm : realm.realm, application : application.name}); $scope.realmMappings = ApplicationRealmScopeMapping.query({realm : realm.realm, application : application.name}); diff --git a/forms/common-themes/src/main/resources/theme/admin/base/resources/js/controllers/oauth-clients.js b/forms/common-themes/src/main/resources/theme/admin/base/resources/js/controllers/oauth-clients.js index 511efe69f6..3f6c1546a7 100755 --- a/forms/common-themes/src/main/resources/theme/admin/base/resources/js/controllers/oauth-clients.js +++ b/forms/common-themes/src/main/resources/theme/admin/base/resources/js/controllers/oauth-clients.js @@ -183,11 +183,12 @@ module.controller('OAuthClientDetailCtrl', function($scope, realm, oauth, OAuthC }); module.controller('OAuthClientScopeMappingCtrl', function($scope, $http, realm, oauth, applications, + OAuthClient, OAuthClientRealmScopeMapping, OAuthClientApplicationScopeMapping, ApplicationRole, OAuthClientAvailableRealmScopeMapping, OAuthClientAvailableApplicationScopeMapping, OAuthClientCompositeRealmScopeMapping, OAuthClientCompositeApplicationScopeMapping) { $scope.realm = realm; - $scope.oauth = oauth; + $scope.oauth = angular.copy(oauth); $scope.selectedRealmRoles = []; $scope.selectedRealmMappings = []; $scope.realmMappings = []; 
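Review bot: `$scope.changeFullScopeAllowed` in the second applications.js hunk leaves a debugging statement, `console.log('change full scope');`, in the shipped admin console, and passes no error callback to `Application.update`, so a rejected update (for example a permission error for the calling admin) leaves the checkbox showing the new value while the server still holds the old one. The same shape appears in the oauth-clients.js hunk on the next line, whose success callback additionally does not call `updateRealmRoles()` the way the application version does; if that page also lists available roles, they stay stale until reload. Drop the log line and add an error handler that restores the scope copy, `$scope.application = angular.copy(application);`, so the UI reflects the persisted state.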
@@ -199,6 +200,19 @@ module.controller('OAuthClientScopeMappingCtrl', function($scope, $http, realm, $scope.applicationMappings = []; $scope.dummymodel = []; + $scope.changeFullScopeAllowed = function() { + console.log('change full scope'); + OAuthClient.update({ + realm : realm.realm, + oauth : oauth.name + }, $scope.oauth, function() { + $scope.changed = false; + oauth = angular.copy($scope.oauth); + }); + + } + + function updateRealmRoles() { $scope.realmRoles = OAuthClientAvailableRealmScopeMapping.query({realm : realm.realm, oauth : oauth.name}); $scope.realmMappings = OAuthClientRealmScopeMapping.query({realm : realm.realm, oauth : oauth.name}); diff --git a/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/application-scope-mappings.html b/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/application-scope-mappings.html index ba1f809535..1f26565eaf 100755 --- a/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/application-scope-mappings.html +++ b/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/application-scope-mappings.html @@ -21,7 +21,18 @@

{{application.name}} Scope Mappings

-
+ +
+
+ +
+ +
+
+
+
+ +
Realm Roles
diff --git a/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/oauth-client-scope-mappings.html b/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/oauth-client-scope-mappings.html index f74ca47163..a53b63221c 100755 --- a/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/oauth-client-scope-mappings.html +++ b/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/oauth-client-scope-mappings.html @@ -19,7 +19,17 @@

{{oauth.name}} Scope Mappings

- + +
+
+ +
+ +
+
+
+ +
Realm Roles
diff --git a/model/api/src/main/java/org/keycloak/models/ClientModel.java b/model/api/src/main/java/org/keycloak/models/ClientModel.java index 33ee8e27f3..9ca5a70fd7 100755 --- a/model/api/src/main/java/org/keycloak/models/ClientModel.java +++ b/model/api/src/main/java/org/keycloak/models/ClientModel.java @@ -50,6 +50,9 @@ public interface ClientModel { String getSecret(); public void setSecret(String secret); + boolean isFullScopeAllowed(); + void setFullScopeAllowed(boolean value); + boolean isPublicClient(); void setPublicClient(boolean flag); diff --git a/model/api/src/main/java/org/keycloak/models/entities/ClientEntity.java b/model/api/src/main/java/org/keycloak/models/entities/ClientEntity.java old mode 100644 new mode 100755 index e7439fc523..0d23c35fb6 --- a/model/api/src/main/java/org/keycloak/models/entities/ClientEntity.java +++ b/model/api/src/main/java/org/keycloak/models/entities/ClientEntity.java @@ -14,6 +14,7 @@ public class ClientEntity extends AbstractIdentifiableEntity { private long allowedClaimsMask; private int notBefore; private boolean publicClient; + private boolean fullScopeAllowed; private String realmId; @@ -100,4 +101,12 @@ public class ClientEntity extends AbstractIdentifiableEntity { public void setScopeIds(List scopeIds) { this.scopeIds = scopeIds; } + + public boolean isFullScopeAllowed() { + return fullScopeAllowed; + } + + public void setFullScopeAllowed(boolean fullScopeAllowed) { + this.fullScopeAllowed = fullScopeAllowed; + } } diff --git a/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java b/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java index 4a00ff9a6d..c36dd10849 100755 --- a/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java +++ b/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java 
@@ -91,6 +91,7 @@ public final class KeycloakModelUtils { public static ApplicationModel createApplication(RealmModel realm, String name) { ApplicationModel app = realm.addApplication(name); generateSecret(app); + app.setFullScopeAllowed(true); return app; } diff --git a/model/api/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java b/model/api/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java index c201a77cff..9e19b75ce6 100755 --- a/model/api/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java +++ b/model/api/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java @@ -214,6 +214,7 @@ public class ModelToRepresentation { rep.setEnabled(applicationModel.isEnabled()); rep.setAdminUrl(applicationModel.getManagementUrl()); rep.setPublicClient(applicationModel.isPublicClient()); + rep.setFullScopeAllowed(applicationModel.isFullScopeAllowed()); rep.setBearerOnly(applicationModel.isBearerOnly()); rep.setSurrogateAuthRequired(applicationModel.isSurrogateAuthRequired()); rep.setBaseUrl(applicationModel.getBaseUrl()); @@ -242,6 +243,7 @@ public class ModelToRepresentation { rep.setName(model.getClientId()); rep.setEnabled(model.isEnabled()); rep.setPublicClient(model.isPublicClient()); + rep.setFullScopeAllowed(model.isFullScopeAllowed()); rep.setDirectGrantsOnly(model.isDirectGrantsOnly()); Set redirectUris = model.getRedirectUris(); if (redirectUris != null) { diff --git a/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java b/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java index ca22cf0ba5..35a4acb32d 100755 --- a/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java +++ b/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java 
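Review bot: `app.setFullScopeAllowed(true)` in `createApplication` makes the permissive setting the default for every application created through this helper, and the RealmManager hunks in this patch then have to reset it to `false` for the admin console, realm-admin and account applications one by one. A why-comment on the line, such as `// new applications get every role of the user by default; built-in apps (see RealmManager) opt out`, tells the next maintainer that the per-application opt-out is deliberate rather than an oversight. The ModelToRepresentation hunks on this line only copy the flag and raise nothing.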
@@ -353,6 +353,8 @@ public class RepresentationToModel { applicationModel.setBaseUrl(resourceRep.getBaseUrl()); if (resourceRep.isBearerOnly() != null) applicationModel.setBearerOnly(resourceRep.isBearerOnly()); if (resourceRep.isPublicClient() != null) applicationModel.setPublicClient(resourceRep.isPublicClient()); + if (resourceRep.isFullScopeAllowed() != null) applicationModel.setFullScopeAllowed(resourceRep.isFullScopeAllowed()); + else applicationModel.setFullScopeAllowed(true); applicationModel.updateApplication(); if (resourceRep.getNotBefore() != null) { @@ -415,6 +417,7 @@ public class RepresentationToModel { if (rep.isEnabled() != null) resource.setEnabled(rep.isEnabled()); if (rep.isBearerOnly() != null) resource.setBearerOnly(rep.isBearerOnly()); if (rep.isPublicClient() != null) resource.setPublicClient(rep.isPublicClient()); + if (rep.isFullScopeAllowed() != null) resource.setFullScopeAllowed(rep.isFullScopeAllowed()); if (rep.getAdminUrl() != null) resource.setManagementUrl(rep.getAdminUrl()); if (rep.getBaseUrl() != null) resource.setBaseUrl(rep.getBaseUrl()); if (rep.isSurrogateAuthRequired() != null) resource.setSurrogateAuthRequired(rep.isSurrogateAuthRequired()); @@ -521,6 +524,7 @@ public class RepresentationToModel { if (rep.getName() != null) model.setClientId(rep.getName()); if (rep.isEnabled() != null) model.setEnabled(rep.isEnabled()); if (rep.isPublicClient() != null) model.setPublicClient(rep.isPublicClient()); + if (rep.isFullScopeAllowed() != null) model.setFullScopeAllowed(rep.isFullScopeAllowed()); if (rep.isDirectGrantsOnly() != null) model.setDirectGrantsOnly(rep.isDirectGrantsOnly()); if (rep.getClaims() != null) { setClaims(model, rep.getClaims()); diff --git a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/ClientAdapter.java b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/ClientAdapter.java index ae913a112c..1565e4358b 100755 
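Review bot: In the first RepresentationToModel hunk the `else applicationModel.setFullScopeAllowed(true);` branch means a realm export written before this field existed comes back with every application upgraded to full scope, silently widening the roles its tokens carry beyond the scope mappings the export relied on; the OAuth-client branch in the third hunk has no such default and leaves the primitive's `false`, so the two client types import differently. Whichever default is intended, it should be explicit in both places and called out in the migration note, which currently mentions only newly created applications. If the application path has already gone through `createApplication`, which sets `true` in this patch, the `else` is redundant and can be dropped so the default has a single source. The enclosing methods start and end outside the hunk.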
--- a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/ClientAdapter.java +++ b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/ClientAdapter.java @@ -123,6 +123,19 @@ public abstract class ClientAdapter implements ClientModel { updatedClient.setPublicClient(flag); } + @Override + public boolean isFullScopeAllowed() { + if (updatedClient != null) return updatedClient.isFullScopeAllowed(); + return cachedClient.isFullScopeAllowed(); + } + + @Override + public void setFullScopeAllowed(boolean value) { + getDelegateForUpdate(); + updatedClient.setFullScopeAllowed(value); + + } + public boolean isDirectGrantsOnly() { if (updatedClient != null) return updatedClient.isDirectGrantsOnly(); return cachedClient.isDirectGrantsOnly(); @@ -171,7 +184,7 @@ public abstract class ClientAdapter implements ClientModel { public boolean hasScope(RoleModel role) { if (updatedClient != null) return updatedClient.hasScope(role); - if (cachedClient.getScope().contains(role.getId())) return true; + if (cachedClient.isFullScopeAllowed() || cachedClient.getScope().contains(role.getId())) return true; Set roles = getScopeMappings(); diff --git a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedClient.java b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedClient.java index 8e4b0081a8..a48b104c73 100755 --- a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedClient.java +++ b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedClient.java @@ -22,6 +22,7 @@ public class CachedClient { protected boolean enabled; protected String secret; protected boolean publicClient; + protected boolean fullScopeAllowed; protected boolean directGrantsOnly; protected int notBefore; protected Set scope = new HashSet(); 
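Review bot: `setFullScopeAllowed` in the cache ClientAdapter ends with a stray blank line before its closing brace, and the Mongo adapter's `setFullScopeAllowed` in a later hunk has the same; both should close directly after the last statement, `updatedClient.setFullScopeAllowed(value); }`. The `hasScope` change in the second hunk is correct in checking the cached flag before the cached scope ids, matching the JPA and Mongo adapters. The enclosing class continues outside the hunks.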
@@ -37,6 +38,7 @@ public class CachedClient { directGrantsOnly = model.isDirectGrantsOnly(); publicClient = model.isPublicClient(); allowedClaimsMask = model.getAllowedClaimsMask(); + fullScopeAllowed = model.isFullScopeAllowed(); redirectUris.addAll(model.getRedirectUris()); webOrigins.addAll(model.getWebOrigins()); for (RoleModel role : model.getScopeMappings()) { @@ -92,4 +94,8 @@ public class CachedClient { public Set getWebOrigins() { return webOrigins; } + + public boolean isFullScopeAllowed() { + return fullScopeAllowed; + } } diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/ClientAdapter.java b/model/jpa/src/main/java/org/keycloak/models/jpa/ClientAdapter.java index 6a07b5ea09..16a370e4d2 100755 --- a/model/jpa/src/main/java/org/keycloak/models/jpa/ClientAdapter.java +++ b/model/jpa/src/main/java/org/keycloak/models/jpa/ClientAdapter.java @@ -78,6 +78,16 @@ public abstract class ClientAdapter implements ClientModel { entity.setPublicClient(flag); } + @Override + public boolean isFullScopeAllowed() { + return entity.isFullScopeAllowed(); + } + + @Override + public void setFullScopeAllowed(boolean value) { + entity.setFullScopeAllowed(value); + } + @Override public Set getWebOrigins() { Set result = new HashSet(); @@ -214,6 +224,7 @@ public abstract class ClientAdapter implements ClientModel { @Override public boolean hasScope(RoleModel role) { + if (isFullScopeAllowed()) return true; Set roles = getScopeMappings(); if (roles.contains(role)) return true; diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/ClientEntity.java b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/ClientEntity.java index 2f8625b0f3..7bc66c39b4 100755 --- a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/ClientEntity.java +++ b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/ClientEntity.java 
@@ -38,6 +38,8 @@ public abstract class ClientEntity { private int notBefore; @Column(name="PUBLIC_CLIENT") private boolean publicClient; + @Column(name="FULL_SCOPE_ALLOWED") + private boolean fullScopeAllowed; @ManyToOne(fetch = FetchType.LAZY) @JoinColumn(name = "REALM_ID") @@ -132,4 +134,12 @@ public abstract class ClientEntity { public void setPublicClient(boolean publicClient) { this.publicClient = publicClient; } + + public boolean isFullScopeAllowed() { + return fullScopeAllowed; + } + + public void setFullScopeAllowed(boolean fullScopeAllowed) { + this.fullScopeAllowed = fullScopeAllowed; + } } diff --git a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ClientAdapter.java b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ClientAdapter.java index 1e468bcd6d..d172ea5c73 100755 --- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ClientAdapter.java +++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ClientAdapter.java @@ -157,6 +157,18 @@ public abstract class ClientAdapter extends A updateMongoEntity(); } + @Override + public boolean isFullScopeAllowed() { + return getMongoEntityAsClient().isFullScopeAllowed(); + } + + @Override + public void setFullScopeAllowed(boolean value) { + getMongoEntityAsClient().setFullScopeAllowed(value); + updateMongoEntity(); + + } + @Override public RealmModel getRealm() { return realm; @@ -207,6 +219,7 @@ public abstract class ClientAdapter extends A @Override public boolean hasScope(RoleModel role) { + if (isFullScopeAllowed()) return true; Set roles = getScopeMappings(); if (roles.contains(role)) return true; diff --git a/services/src/main/java/org/keycloak/services/managers/RealmManager.java b/services/src/main/java/org/keycloak/services/managers/RealmManager.java index c82a803aac..6456d9ed97 100755 --- a/services/src/main/java/org/keycloak/services/managers/RealmManager.java 
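Review bot: The new `@Column(name="FULL_SCOPE_ALLOWED")` on a primitive `boolean` in the JPA `ClientEntity` declares no `nullable = false`, and no schema migration is part of the diffstat, so after the "DB Schema has changed again" step the value existing CLIENT rows carry depends on whatever DDL the deployer runs: a NULL cannot be loaded into a primitive by the usual JPA providers, and a `false` default silently leaves pre-existing applications on scope-mapping semantics while new ones get full scope. Declaring the intent, `@Column(name="FULL_SCOPE_ALLOWED", nullable = false)`, and documenting the value existing rows receive would make the upgrade outcome predictable. The Mongo adapter hunk on this line reads the same flag via `getMongoEntityAsClient()` and presumably has the equivalent question for documents persisted before the field existed; the Mongo entity mapping is outside SOURCE.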
+++ b/services/src/main/java/org/keycloak/services/managers/RealmManager.java @@ -95,6 +95,7 @@ public class RealmManager { adminConsole.setEnabled(true); adminConsole.setPublicClient(true); adminConsole.addRedirectUri(baseUrl + "/*"); + adminConsole.setFullScopeAllowed(false); RoleModel adminRole; if (realm.getName().equals(Config.getAdminRealm())) { @@ -163,6 +164,7 @@ public class RealmManager { } RoleModel adminRole = realmAdminApp.addRole(AdminRoles.REALM_ADMIN); realmAdminApp.setBearerOnly(true); + realmAdminApp.setFullScopeAllowed(false); for (String r : AdminRoles.ALL_REALM_ROLES) { RoleModel role = realmAdminApp.addRole(r); @@ -176,6 +178,7 @@ public class RealmManager { if (application == null) { application = new ApplicationManager(this).createApplication(realm, Constants.ACCOUNT_MANAGEMENT_APP); application.setEnabled(true); + application.setFullScopeAllowed(false); String base = contextPath + "/realms/" + realm.getName() + "/account"; String redirectUri = base + "/*"; application.addRedirectUri(redirectUri); diff --git a/services/src/main/java/org/keycloak/services/managers/TokenManager.java b/services/src/main/java/org/keycloak/services/managers/TokenManager.java index 7fa008e757..0971a07dc3 100755 --- a/services/src/main/java/org/keycloak/services/managers/TokenManager.java +++ b/services/src/main/java/org/keycloak/services/managers/TokenManager.java @@ -135,6 +135,8 @@ public class TokenManager { Set requestedRoles = new HashSet(); Set roleMappings = user.getRoleMappings(); + if (client.isFullScopeAllowed()) return roleMappings; + Set scopeMappings = client.getScopeMappings(); if (client instanceof ApplicationModel) { scopeMappings.addAll(((ApplicationModel) client).getRoles()); diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/AdminAPITest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/AdminAPITest.java index d2656b7d07..e22c9d1f26 100755 
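Review bot: The early return `if (client.isFullScopeAllowed()) return roleMappings;` hands the caller the very set obtained from `user.getRoleMappings()` two lines above rather than the `requestedRoles` set the method is building, so whatever the rest of the method does for scoped clients (composite expansion or filtering — it lies outside the hunk) is skipped for full-scope clients, and a caller that mutates the returned set may be mutating model state. Since this path now decides the role content of tokens for every application created with the new default, a defensive copy, `if (client.isFullScopeAllowed()) return new HashSet<RoleModel>(roleMappings);`, plus a comment stating that full scope deliberately returns every role mapping of the user regardless of scope mappings, would make the intent explicit. The enclosing method starts and ends outside the hunk; the RealmManager hunks on this line raise nothing.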
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/AdminAPITest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/AdminAPITest.java @@ -166,6 +166,7 @@ public class AdminAPITest { if (appRep.isEnabled() != null) Assert.assertEquals(appRep.isEnabled(), storedApp.isEnabled()); if (appRep.isBearerOnly() != null) Assert.assertEquals(appRep.isBearerOnly(), storedApp.isBearerOnly()); if (appRep.isPublicClient() != null) Assert.assertEquals(appRep.isPublicClient(), storedApp.isPublicClient()); + if (appRep.isFullScopeAllowed() != null) Assert.assertEquals(appRep.isFullScopeAllowed(), storedApp.isFullScopeAllowed()); if (appRep.getAdminUrl() != null) Assert.assertEquals(appRep.getAdminUrl(), storedApp.getAdminUrl()); if (appRep.getBaseUrl() != null) Assert.assertEquals(appRep.getBaseUrl(), storedApp.getBaseUrl()); if (appRep.isSurrogateAuthRequired() != null) Assert.assertEquals(appRep.isSurrogateAuthRequired(), storedApp.isSurrogateAuthRequired()); diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/composites/CompositeRoleTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/composites/CompositeRoleTest.java index 3a6acd1002..6aaf0682af 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/composites/CompositeRoleTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/composites/CompositeRoleTest.java @@ -86,6 +86,7 @@ public class CompositeRoleTest { realmRole1User.grantRole(realmRole1); final ApplicationModel realmComposite1Application = new ApplicationManager(manager).createApplication(realm, "REALM_COMPOSITE_1_APPLICATION"); + realmComposite1Application.setFullScopeAllowed(false); realmComposite1Application.setEnabled(true); realmComposite1Application.addScopeMapping(realmComposite1); realmComposite1Application.addRedirectUri("http://localhost:8081/app/*"); 
@@ -94,6 +95,7 @@ public class CompositeRoleTest { realmComposite1Application.setSecret("password"); final ApplicationModel realmRole1Application = new ApplicationManager(manager).createApplication(realm, "REALM_ROLE_1_APPLICATION"); + realmRole1Application.setFullScopeAllowed(false); realmRole1Application.setEnabled(true); realmRole1Application.addScopeMapping(realmRole1); realmRole1Application.addRedirectUri("http://localhost:8081/app/*"); @@ -103,6 +105,7 @@ public class CompositeRoleTest { final ApplicationModel appRoleApplication = new ApplicationManager(manager).createApplication(realm, "APP_ROLE_APPLICATION"); + appRoleApplication.setFullScopeAllowed(false); appRoleApplication.setEnabled(true); appRoleApplication.addRedirectUri("http://localhost:8081/app/*"); appRoleApplication.setBaseUrl("http://localhost:8081/app"); @@ -125,6 +128,7 @@ public class CompositeRoleTest { realmAppRoleUser.grantRole(appRole2); final ApplicationModel appCompositeApplication = new ApplicationManager(manager).createApplication(realm, "APP_COMPOSITE_APPLICATION"); + appCompositeApplication.setFullScopeAllowed(false); appCompositeApplication.setEnabled(true); appCompositeApplication.addRedirectUri("http://localhost:8081/app/*"); appCompositeApplication.setBaseUrl("http://localhost:8081/app"); diff --git a/testsuite/integration/src/test/resources/model/testcomposites.json b/testsuite/integration/src/test/resources/model/testcomposites.json index ef4f999a03..45a2f30de8 100755 --- a/testsuite/integration/src/test/resources/model/testcomposites.json +++ b/testsuite/integration/src/test/resources/model/testcomposites.json @@ -88,6 +88,7 @@ "applications": [ { "name": "REALM_COMPOSITE_1_APPLICATION", + "fullScopeAllowed": false, "enabled": true, "baseUrl": "http://localhost:8081/app", "adminUrl": "http://localhost:8081/app/logout", 
@@ -95,6 +96,7 @@ }, { "name": "REALM_ROLE_1_APPLICATION", + "fullScopeAllowed": false, "enabled": true, "baseUrl": "http://localhost:8081/app", "adminUrl": "http://localhost:8081/app/logout", @@ -102,6 +104,7 @@ }, { "name": "APP_ROLE_APPLICATION", + "fullScopeAllowed": false, "enabled": true, "baseUrl": "http://localhost:8081/app", "adminUrl": "http://localhost:8081/app/logout", @@ -109,6 +112,7 @@ }, { "name": "APP_COMPOSITE_APPLICATION", + "fullScopeAllowed": false, "enabled": true, "baseUrl": "http://localhost:8081/app", "adminUrl": "http://localhost:8081/app/logout", diff --git a/testsuite/integration/src/test/resources/testcomposite.json b/testsuite/integration/src/test/resources/testcomposite.json index 65e615b2a8..8f3f76fd95 100755 --- a/testsuite/integration/src/test/resources/testcomposite.json +++ b/testsuite/integration/src/test/resources/testcomposite.json @@ -89,6 +89,7 @@ { "name": "REALM_COMPOSITE_1_APPLICATION", "enabled": true, + "fullScopeAllowed": false, "baseUrl": "http://localhost:8081/app", "adminUrl": "http://localhost:8081/app/logout", "redirectUris": [ @@ -98,6 +99,7 @@ }, { "name": "REALM_ROLE_1_APPLICATION", + "fullScopeAllowed": false, "enabled": true, "baseUrl": "http://localhost:8081/app", "adminUrl": "http://localhost:8081/app/logout", @@ -108,6 +110,7 @@ }, { "name": "APP_ROLE_APPLICATION", + "fullScopeAllowed": false, "enabled": true, "baseUrl": "http://localhost:8081/app", "adminUrl": "http://localhost:8081/app/logout", @@ -118,6 +121,7 @@ }, { "name": "APP_COMPOSITE_APPLICATION", + "fullScopeAllowed": false, "enabled": true, "baseUrl": "http://localhost:8081/app", "adminUrl": "http://localhost:8081/app/logout", From a497c697585df9933d10c4a5b08155a636ad0b8e Mon Sep 17 00:00:00 2001 From: Bill Burke Date: Mon, 4 Aug 2014 16:17:35 -0400 Subject: [PATCH 2/3] relative logout --- .../java/org/keycloak/services/resources/TokenService.java | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/services/src/main/java/org/keycloak/services/resources/TokenService.java b/services/src/main/java/org/keycloak/services/resources/TokenService.java index db6df781d7..67d29bbb5f 100755 --- a/services/src/main/java/org/keycloak/services/resources/TokenService.java +++ b/services/src/main/java/org/keycloak/services/resources/TokenService.java @@ -1069,6 +1069,11 @@ public class TokenService { if (redirectUri != null) { // todo manage legal redirects + if (redirectUri.startsWith("/")) { // handle relative uri + UriBuilder builder = uriInfo.getAbsolutePathBuilder(); + builder.replacePath(redirectUri); + return Response.status(302).location(builder.build()).build(); + } return Response.status(302).location(UriBuilder.fromUri(redirectUri).build()).build(); } else { return Response.ok().build(); From 3746bf28a16e9a0ac2479d5156266999155ac038 Mon Sep 17 00:00:00 2001 From: Bill Burke Date: Mon, 4 Aug 2014 16:26:13 -0400 Subject: [PATCH 3/3] migration doc --- .../en/en-US/modules/MigrationFromOlderVersions.xml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/docbook/reference/en/en-US/modules/MigrationFromOlderVersions.xml b/docbook/reference/en/en-US/modules/MigrationFromOlderVersions.xml index 1a8a574aeb..6e30bc925f 100755 --- a/docbook/reference/en/en-US/modules/MigrationFromOlderVersions.xml +++ b/docbook/reference/en/en-US/modules/MigrationFromOlderVersions.xml @@ -11,14 +11,18 @@ Authentication SPI has been removed and rewritten. The new SPI is UserFederationProvider and is more flexible. - - DB Schema has changed again. - ssl-not-required property in adapter config has been removed. Replaced with ssl-required, valid values are all (require SSL for all requests), external (require SSL only for external request) and none (SSL not required). + + DB Schema has changed again. + + + Created applications now have a full scope by default. This means that you don't have to configure + the scope of an application if you don't want to. +
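Review bot: The new relative-redirect branch builds the `Location` header from `uriInfo.getAbsolutePathBuilder()` with `builder.replacePath(redirectUri)` without checking the value against the client's registered redirect URIs, so the open-redirect risk the pre-existing `// todo manage legal redirects` comment records for the absolute form applies to the relative form as well. A value beginning with `//` also satisfies `startsWith("/")`, and whether `replacePath` keeps such a value on the current host depends on how the JAX-RS implementation treats a path that starts with `//` — worth pinning with a test rather than assuming. At minimum tighten the guard to `if (redirectUri.startsWith("/") && !redirectUri.startsWith("//")) { // handle relative uri` and resolve the todo by validating the final URI against the registered redirect URIs before issuing the 302. The enclosing method starts and ends outside the hunk.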