Conversation

@rmartinc
Contributor

Closes #25219

This PR modifies the whoami endpoint to return forbidden/403 in two situations: the azp or issuedFor is not security-admin-console (we are ensuring this endpoint is just used for the admin console); the user mapped to the token has no permissions/access to the requested realm (previously it returned a response with empty realm access). This is what was decided when the issue #25219 was discussed inside the team.

Besides, the test AdminConsolePermissionsCalculatedTest was removed because it makes no sense since the whoami endpoint was changed to just return the access for one realm (#21553). I have added some tests in the class AdminConsoleWhoAmILocaleTest. Maybe we can rename that class because now it's testing more than just the locale part, but I finally didn't do it. If you prefer to call it AdminConsoleWhoAmITest or similar just let me know.
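The two checks described in this PR, modelled as an added example (not code from the PR or from Keycloak, whose endpoint is Java): a token's azp claim must name security-admin-console, and the user must hold some access in the requested realm, otherwise the endpoint answers 403 instead of the old 200 with an empty realm access map. The helper names (make_token, decode_payload, whoami, realm_roles) and the response body layout are assumptions for illustration; signature verification is assumed to have happened before this point.

```python
import base64
import json

# The only client whose tokens may call the admin console's whoami endpoint.
ADMIN_CONSOLE_CLIENT_ID = "security-admin-console"


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for the example only."""
    return f"{_b64url({'alg': 'none'})}.{_b64url(claims)}.sig"


def decode_payload(token: str) -> dict:
    """Parse the claims segment of a JWT (padding is restored before decoding)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def whoami(claims: dict, realm_roles: dict, requested_realm: str, strict: bool = True):
    """Hypothetical model of the whoami decision.

    claims       -- already-verified token claims; azp is the client the token was issued for
    realm_roles  -- constructed map: realm name -> admin roles the token's user holds there
    strict       -- True applies the PR's two 403 checks; False models the previous
                    behaviour (200 with an empty realm access map)
    Returns (http_status, body).
    """
    if strict and claims.get("azp") != ADMIN_CONSOLE_CLIENT_ID:
        return 403, None  # token was not issued for the admin console client
    roles = realm_roles.get(requested_realm, [])
    if strict and not roles:
        return 403, None  # user has no access to the requested realm
    realm_access = {requested_realm: roles} if roles else {}
    return 200, {"realm": requested_realm, "realm_access": realm_access}
```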


@keycloak-github-bot keycloak-github-bot bot left a comment

Unreported flaky test detected, please review

@keycloak-github-bot

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.account.AccountRestServiceTest#updateConsentForClientWithPut

Keycloak CI - Java Distribution IT (windows-latest - temurin - 19)

java.lang.AssertionError
	at org.junit.Assert.fail(Assert.java:87)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.junit.Assert.assertTrue(Assert.java:53)
	at org.keycloak.testsuite.account.AccountRestServiceTest.updateConsentForClientWithPut(AccountRestServiceTest.java:1465)
...

org.keycloak.testsuite.account.AccountRestServiceTest#createConsentForClientWithPut

Keycloak CI - Java Distribution IT (windows-latest - temurin - 19)

java.lang.AssertionError: 
type
Expected: is "GRANT_CONSENT"
     but: was "UPDATE_CONSENT"
	at org.hamcrest.MatcherAssert.assertThat(MatcherAssert.java:20)
...

org.keycloak.testsuite.account.AccountRestServiceTest#createConsentForClient

Keycloak CI - Java Distribution IT (windows-latest - temurin - 19)

java.lang.AssertionError: 
type
Expected: is "GRANT_CONSENT"
     but: was "UPDATE_CONSENT"
	at org.hamcrest.MatcherAssert.assertThat(MatcherAssert.java:20)
...

@mposolda mposolda self-assigned this Apr 22, 2024
Contributor

@graziang graziang left a comment

LGTM!

Contributor

@mposolda mposolda left a comment

@rmartinc @graziang Thanks for the fix and review!

Successfully merging this pull request may close these issues.

Restrict the access to 'whoami' endpoint for tokens issued for the admin console client