diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java
index da7e14b982..14a2941c5b 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java
@@ -238,10 +238,9 @@ public class LogoutEndpoint {
 OIDCAdvancedConfigWrapper wrapper = OIDCAdvancedConfigWrapper.fromClientModel(client);
 Set postLogoutRedirectUris = wrapper.getPostLogoutRedirectUris() != null ? new HashSet(wrapper.getPostLogoutRedirectUris()) : new HashSet<>();
 validatedRedirectUri = RedirectUtils.verifyRedirectUri(session, client.getRootUrl(), redirectUri, postLogoutRedirectUris, true);
- } else if (clientId == null) {
+ } else if (clientId == null && providerConfig.isLegacyLogoutRedirectUri()) {
 /*
- * Only call verifyRealmRedirectUri, in case both clientId and client are null - otherwise
- * the logout uri contains a non-existing client, and we should show an INVALID_REDIRECT_URI error
+ * Only call verifyRealmRedirectUri against all in the realm, in case when "Legacy" switch is enabled and when we don't have a client - usually due both clientId and client are null
 */
 validatedRedirectUri = RedirectUtils.verifyRealmRedirectUri(session, redirectUri);
 }
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RPInitiatedLogoutTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RPInitiatedLogoutTest.java
index 9b2a45b307..a2f2112e79 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RPInitiatedLogoutTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RPInitiatedLogoutTest.java
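Review bot: The rewritten comment above `verifyRealmRedirectUri` says when the legacy branch runs but not what it costs: with the switch on, `post_logout_redirect_uri` is accepted if it matches the registered URIs of any client in the realm, so the check is only as strong as the loosest client registration in that realm (and, where dynamic client registration is enabled, a URI a caller registered themselves). I would make that explicit, e.g. `// Legacy fallback: no client could be resolved, so verify post_logout_redirect_uri against every client in the realm. Weaker than per-client verification — any URI registered by any client is accepted — kept only for backwards compatibility behind the realm-level switch.` Note also that a supplied `client_id` matching no client still reaches neither branch and leaves `validatedRedirectUri` null; the removed comment suggested this surfaces as INVALID_REDIRECT_URI, which is presumably handled further down, outside this hunk, and deserves a one-line comment here so the intentional fall-through is not "fixed" later. The enclosing method starts and ends outside the hunk.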
@@ -83,6 +83,7 @@ import org.keycloak.testsuite.pages.PageUtils;
 import org.keycloak.testsuite.updaters.ClientAttributeUpdater;
 import org.keycloak.testsuite.updaters.RealmAttributeUpdater;
 import org.keycloak.testsuite.updaters.UserAttributeUpdater;
+import org.keycloak.testsuite.util.ClientBuilder;
 import org.keycloak.testsuite.util.ClientManager;
 import org.keycloak.testsuite.util.InfinispanTestTimeServiceRule;
 import org.keycloak.testsuite.util.Matchers;
@@ -1068,6 +1069,33 @@ public class RPInitiatedLogoutTest extends AbstractTestRealmKeycloakTest {
 }
 }
 
+ @Test
+ public void logoutWithIdTokenAndRemovedClient() throws Exception {
+ ClientRepresentation clientRep = ClientBuilder.create()
+ .clientId("my-foo-client")
+ .enabled(true)
+ .baseUrl("https://foo/bar")
+ .addRedirectUri(APP_REDIRECT_URI)
+ .secret("password")
+ .build();
+ try (Response response = testRealm().clients().create(clientRep)) {
+ String uuid = ApiUtil.getCreatedId(response);
+ oauth.clientId("my-foo-client");
+
+ OAuthClient.AccessTokenResponse tokenResponse = loginUser();
+
+ // Remove client after login of user
+ testRealm().clients().get(uuid).remove();
+
+ String logoutUrl = oauth.getLogoutUrl().postLogoutRedirectUri(APP_REDIRECT_URI).idTokenHint(tokenResponse.getIdToken()).build();
+ driver.navigate().to(logoutUrl);
+
+ // Invalid redirect URI page is shown. It was not possible to verify post_logout_redirect_uri due the client was removed
+ errorPage.assertCurrent();
+ events.expectLogoutError(OAuthErrorException.INVALID_REDIRECT_URI).detail(Details.REDIRECT_URI, APP_REDIRECT_URI).assertEvent();
+ }
+ }
+
 // SUPPORT METHODS
 private OAuthClient.AccessTokenResponse loginUser() {
 return loginUser(false);
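Review bot: If `loginUser()` throws, `my-foo-client` is left behind in the shared test realm, because the only removal in `logoutWithIdTokenAndRemovedClient` sits in the middle of the happy path; later tests in this class would then run against a realm containing an extra confidential client whose registered redirect URI is `APP_REDIRECT_URI`, which is exactly the kind of state that masks redirect-URI regressions. Wrapping the login-to-assert section in a `try`/`finally` that removes the client by clientId if it still exists makes the cleanup unconditional, as sketched below (`findByClientId` is the admin-client lookup I believe this suite uses elsewhere — confirm). The `oauth.clientId("my-foo-client")` change to the shared fixture is presumably reset by the class's per-test setup; worth confirming as well. Since this test only pins the default (non-legacy) behaviour, a companion test with the legacy switch enabled would pin the realm-wide fallback the main change keeps, so it is not silently lost later.
```java
try (Response response = testRealm().clients().create(clientRep)) {
    String uuid = ApiUtil.getCreatedId(response);
    oauth.clientId("my-foo-client");
    try {
        OAuthClient.AccessTokenResponse tokenResponse = loginUser();
        // … unchanged: remove client, build and open logout URL, assert error page and event …
    } finally {
        // Unconditional cleanup: a failure before the explicit remove() above must not leave
        // my-foo-client (redirect URI = APP_REDIRECT_URI) in the shared realm for later tests.
        for (ClientRepresentation leftover : testRealm().clients().findByClientId("my-foo-client")) {
            testRealm().clients().get(leftover.getId()).remove();
        }
    }
}
```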