keycloak-memoizeit

stuff

5/19/2014 4:08:38 PM


diff --git a/services/src/main/java/org/keycloak/services/managers/RealmManager.java b/services/src/main/java/org/keycloak/services/managers/RealmManager.java
index 6ea351a..15648c8 100755
--- a/services/src/main/java/org/keycloak/services/managers/RealmManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/RealmManager.java
@@ -279,8 +279,10 @@ public class RealmManager {
         if (application == null) {
             application = new ApplicationManager(this).createApplication(realm, Constants.ACCOUNT_MANAGEMENT_APP);
             application.setEnabled(true);
-            String redirectUri = contextPath + "/realms/" + realm.getName() + "/account/*";
+            String base = contextPath + "/realms/" + realm.getName() + "/account";
+            String redirectUri = base + "/*";
             application.addRedirectUri(redirectUri);
+            application.setBaseUrl(base);
 
             for (String role : AccountRoles.ALL) {
                 application.addDefaultRole(role);
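Review bot: The realm name is concatenated into `base` unencoded, and that string now feeds both the registered redirect-URI pattern and the new `setBaseUrl(base)`; if realm names are not constrained elsewhere, a name containing `/`, `?` or `#` would change the path the wildcard pattern matches, so it is worth confirming where realm names are validated and noting it here. A short comment would also make the coupling explicit: `// base URL and redirect pattern must share this prefix so the account console's own redirects match the registered "/account/*"`. The enclosing method of RealmManager starts and ends outside the hunk.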
diff --git a/services/src/main/java/org/keycloak/services/resources/TokenService.java b/services/src/main/java/org/keycloak/services/resources/TokenService.java
index 9b47de5..1d92234 100755
--- a/services/src/main/java/org/keycloak/services/resources/TokenService.java
+++ b/services/src/main/java/org/keycloak/services/resources/TokenService.java
@@ -18,6 +18,7 @@ import org.keycloak.authentication.AuthenticationProviderException;
 import org.keycloak.authentication.AuthenticationProviderManager;
 import org.keycloak.jose.jws.JWSInput;
 import org.keycloak.jose.jws.crypto.RSAProvider;
+import org.keycloak.models.ApplicationModel;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.Constants;
 import org.keycloak.models.KeycloakSession;
@@ -221,10 +222,9 @@ public class TokenService {
 
         ClientModel client = authorizeClient(authorizationHeader, form, audit);
 
-        if (client.isPublicClient()) {
-            // we don't allow public clients to invoke grants/access to prevent phishing attacks
+        if ( (client instanceof ApplicationModel) && ((ApplicationModel)client).isBearerOnly()) {
             audit.error(Errors.NOT_ALLOWED);
-            throw new ForbiddenException("Public clients are not allowed to invoke grants/access");
+            throw new ForbiddenException("Bearer-only applications are not allowed to invoke grants/access");
         }
 
         if (!realm.isEnabled()) {
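Review bot: The rewritten condition drops the public-client guard entirely rather than adding the bearer-only case to it, so a client with no secret can now reach grants/access, and the comment that recorded why that was refused ("to prevent phishing attacks") is removed with it. If allowing public clients on the direct grant is intended, that decision deserves a comment at this point stating the accepted trade-off; if not, keep both checks: `if (client.isPublicClient() || (client instanceof ApplicationModel && ((ApplicationModel) client).isBearerOnly()))` with the error message covering both cases. The enclosing method starts and continues outside the hunk.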
@@ -745,6 +745,10 @@ public class TokenService {
             audit.error(Errors.CLIENT_DISABLED);
             return oauth.forwardToSecurityFailure("Login requester not enabled.");
         }
+        if ( (client instanceof ApplicationModel) && ((ApplicationModel)client).isBearerOnly()) {
+            audit.error(Errors.NOT_ALLOWED);
+            return oauth.forwardToSecurityFailure("Bearer-only applications are not allowed to initiate login");
+        }
         redirect = verifyRedirectUri(uriInfo, redirect, client);
         if (redirect == null) {
             audit.error(Errors.INVALID_REDIRECT_URI);
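Review bot: The new bearer-only predicate here repeats the one added to the grants/access path verbatim, which invites the two drifting apart when the client model changes; a private helper such as `private static boolean isBearerOnly(ClientModel client) { return client instanceof ApplicationModel && ((ApplicationModel) client).isBearerOnly(); }` would let both call sites read `if (isBearerOnly(client))`. Placing the check before `verifyRedirectUri` looks right, since a bearer-only application has no reason to hold a valid redirect, but a one-line comment saying so would help the next reader. The enclosing method starts and ends outside the hunk.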