The redirect URI cannot be verified during logout in the case when client was removed

closes #15866
2022-12-06 14:50:07 +01:00 · 2022-12-06 14:50:07 +01:00 · f4e91a5312
commit f4e91a5312
parent 264c5a6cdb
2 changed files with 30 additions and 3 deletions
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java
@ -238,10 +238,9 @@ public class LogoutEndpoint {
                OIDCAdvancedConfigWrapper wrapper = OIDCAdvancedConfigWrapper.fromClientModel(client);
                Set<String> postLogoutRedirectUris = wrapper.getPostLogoutRedirectUris() != null ? new HashSet(wrapper.getPostLogoutRedirectUris()) : new HashSet<>();
                validatedRedirectUri = RedirectUtils.verifyRedirectUri(session, client.getRootUrl(), redirectUri, postLogoutRedirectUris, true);
-            } else if (clientId == null) {
+            } else if (clientId == null && providerConfig.isLegacyLogoutRedirectUri()) {
                /*
-                 * Only call verifyRealmRedirectUri, in case both clientId and client are null - otherwise
-                 * the logout uri contains a non-existing client, and we should show an INVALID_REDIRECT_URI error
+                 * Only call verifyRealmRedirectUri against all in the realm, in case when "Legacy" switch is enabled and when we don't have a client - usually due both clientId and client are null
                 */
                validatedRedirectUri = RedirectUtils.verifyRealmRedirectUri(session, redirectUri);
            }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RPInitiatedLogoutTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RPInitiatedLogoutTest.java
@ -83,6 +83,7 @@ import org.keycloak.testsuite.pages.PageUtils;
 import org.keycloak.testsuite.updaters.ClientAttributeUpdater;
 import org.keycloak.testsuite.updaters.RealmAttributeUpdater;
 import org.keycloak.testsuite.updaters.UserAttributeUpdater;
+import org.keycloak.testsuite.util.ClientBuilder;
 import org.keycloak.testsuite.util.ClientManager;
 import org.keycloak.testsuite.util.InfinispanTestTimeServiceRule;
 import org.keycloak.testsuite.util.Matchers;
@ -1068,6 +1069,33 @@ public class RPInitiatedLogoutTest extends AbstractTestRealmKeycloakTest {
        }
    }

+    @Test
+    public void logoutWithIdTokenAndRemovedClient() throws Exception {
+        ClientRepresentation clientRep = ClientBuilder.create()
+                .clientId("my-foo-client")
+                .enabled(true)
+                .baseUrl("https://foo/bar")
+                .addRedirectUri(APP_REDIRECT_URI)
+                .secret("password")
+                .build();
+        try (Response response = testRealm().clients().create(clientRep)) {
+            String uuid = ApiUtil.getCreatedId(response);
+            oauth.clientId("my-foo-client");
+
+            OAuthClient.AccessTokenResponse tokenResponse = loginUser();
+
+            // Remove client after login of user
+            testRealm().clients().get(uuid).remove();
+
+            String logoutUrl = oauth.getLogoutUrl().postLogoutRedirectUri(APP_REDIRECT_URI).idTokenHint(tokenResponse.getIdToken()).build();
+            driver.navigate().to(logoutUrl);
+
+            // Invalid redirect URI page is shown. It was not possible to verify post_logout_redirect_uri due the client was removed
+            errorPage.assertCurrent();
+            events.expectLogoutError(OAuthErrorException.INVALID_REDIRECT_URI).detail(Details.REDIRECT_URI, APP_REDIRECT_URI).assertEvent();
+        }
+    }
+
    // SUPPORT METHODS
    private OAuthClient.AccessTokenResponse loginUser() {
        return loginUser(false);