Expand Up @@ -266,17 +266,30 @@ private Response redirectToLogin(String path) {
UriBuilder uriBuilder = UriBuilder.fromUri(OIDCLoginProtocolService.authUrl(session.getContext().getUri()).build(realm.getName()).toString())
.queryParam(OAuth2Constants.CLIENT_ID, Constants.ACCOUNT_CONSOLE_CLIENT_ID)
.queryParam(OAuth2Constants.REDIRECT_URI, targetUri)
// dummy state param to make it usable with secure-session client policy.
// Once bootstrapped the account-console frontend will send the actual state with the authorize request.
.queryParam(OAuth2Constants.STATE, UUID.randomUUID().toString())
.queryParam(OAuth2Constants.RESPONSE_TYPE, OAuth2Constants.CODE)
.queryParam(OAuth2Constants.CODE_CHALLENGE, pkceChallenge)
.queryParam(OAuth2Constants.CODE_CHALLENGE_METHOD, OAuth2Constants.PKCE_METHOD_S256);

if (!queryParameters.isEmpty()) {
String error = queryParameters.getFirst(OAuth2Constants.ERROR);
if (error != null) {
try {
return renderAccountConsole();
} catch (IOException | FreeMarkerException e) {
throw new ServerErrorException(Status.INTERNAL_SERVER_ERROR);
String state = queryParameters.getFirst(OAuth2Constants.STATE);
if (state != null) {
// Omit the "state" parameter to make sure that account console displays the error (it may not be shown due the keycloak.js, which will not be able to find the "callback data" in the browser callbackStorage)
URI url = session.getContext().getUri(UrlType.FRONTEND)
.getRequestUriBuilder()
.replaceQueryParam(OAuth2Constants.STATE, null)
.build();
return Response.status(302).location(url).build();
} else {
try {
return renderAccountConsole();
} catch (IOException | FreeMarkerException e) {
throw new ServerErrorException(Status.INTERNAL_SERVER_ERROR);
}
}
}
String scope = queryParameters.getFirst(OIDCLoginProtocol.SCOPE_PARAM);
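Review bot: The `state` generated at the `.queryParam(OAuth2Constants.STATE, UUID.randomUUID().toString())` line is never stored or compared on the way back, so it satisfies the secure-session executor without giving this redirect any CSRF binding — and the new error branch actually discards an incoming `state` before re-rendering; the comment should say this explicitly so nobody later treats the value as validated. I would extend the existing comment with `// NOTE: this value is NOT validated on the callback; CSRF protection comes from the state keycloak.js generates, not from this one.` and, above `replaceQueryParam(OAuth2Constants.STATE, null)`, add `// Only "state" is removed; error/error_description stay in the URL so the console can render them.` The 302 target is rebuilt from the frontend request URI rather than from caller input, so it cannot be steered to a foreign host, but the reflected `error`/`error_description` values are untrusted query input and the rendering path (outside this hunk) must escape them. redirectToLogin starts before the hunk and continues past it.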
Expand Up @@ -102,6 +102,7 @@
import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
import org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource;
import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.pages.ErrorPage;
import org.keycloak.testsuite.pages.LogoutConfirmPage;
import org.keycloak.testsuite.pages.OAuth2DeviceVerificationPage;
Expand Down Expand Up @@ -135,6 +136,9 @@ public class ClientPoliciesExecutorTest extends AbstractClientPoliciesTest {
@Page
protected OAuthGrantPage grantPage;

@Page
protected AppPage appPage;

@Page
protected ErrorPage errorPage;

Expand Down Expand Up @@ -917,6 +921,33 @@ public void testSecureSessionEnforceExecutor() throws Exception {
successfulLoginAndLogout(clientBetaId, clientBetaSecret, "somenonce", "somestate");
}

// GH issue 37447
@Test
public void testSecureSessionEnforceExecutorWithAccountConsole() throws Exception {
// register profiles
String json = (new ClientProfilesBuilder()).addProfile(
(new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forste Profilen")
.addExecutor(SecureSessionEnforceExecutorFactory.PROVIDER_ID, null)
.toRepresentation()
).toString();
updateProfiles(json);

// register policies
json = (new ClientPoliciesBuilder()).addPolicy(
(new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Den Forste Politikken", Boolean.TRUE)
.addCondition(AnyClientConditionFactory.PROVIDER_ID,
createAnyClientConditionConfig())
.addProfile(PROFILE_NAME)
.toRepresentation()
).toString();
updatePolicies(json);

// Test account-console is loaded successfully when "secure-session-enforce" executor is present
appPage.open();
appPage.openAccount();
loginPage.assertCurrent();
}

@Test
public void testSecureSigningAlgorithmEnforceExecutor() throws Exception {
// register profiles
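Review bot: The new test only drives the happy path — `appPage.openAccount()` landing on the login page shows the dummy `state` gets past the secure-session executor — while the other half of the fix, the `error` + `state` branch that strips `state` and re-renders the console, is not exercised at all. Consider a second step that opens the account console URL with `?error=access_denied&state=x`, follows the 302, and asserts the final URL carries no `state` parameter and the error is displayed; without it a regression in that branch (for example a redirect loop if `state` were ever not removed) would go unnoticed. The profile/policy names and `Boolean.TRUE` enabled flag mirror the sibling tests, so nothing to raise there. ClientPoliciesExecutorTest continues outside the hunk.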