diff --git a/adapters/oidc/js/src/main/resources/keycloak.js b/adapters/oidc/js/src/main/resources/keycloak.js
index 01f0523..e6af130 100755
--- a/adapters/oidc/js/src/main/resources/keycloak.js
+++ b/adapters/oidc/js/src/main/resources/keycloak.js
@@ -210,11 +210,18 @@
var nonce = createUUID();
var redirectUri = adapter.redirectUri(options);
+
+ var callbackState = {
+ state: state,
+ nonce: nonce,
+ redirectUri: encodeURIComponent(redirectUri),
+ }
+
if (options && options.prompt) {
- redirectUri += (redirectUri.indexOf('?') == -1 ? '?' : '&') + 'prompt=' + options.prompt;
+ callbackState.prompt = options.prompt;
}
- callbackStorage.add({ state: state, nonce: nonce, redirectUri: encodeURIComponent(redirectUri) });
+ callbackStorage.add(callbackState);
var action = 'auth';
if (options && options.action == 'register') {
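Review bot: The `callbackState` object literal is closed with a bare `}` and no semicolon, while every neighbouring statement in the hunk is terminated; end it with `};` so the file does not rely on automatic semicolon insertion. Keeping `prompt` in the persisted callback state instead of appending it to `redirectUri` also means it is no longer carried through the server's redirect, which is a sound change; a one-line comment above the literal, `// prompt is kept client-side and restored from callbackStorage on return`, would make that intent visible to the next reader. The enclosing function starts and ends outside this hunk.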
@@ -747,6 +754,7 @@
if (oauthState && (oauth.code || oauth.error || oauth.access_token || oauth.id_token)) {
oauth.redirectUri = oauthState.redirectUri;
oauth.storedNonce = oauthState.nonce;
+ oauth.prompt = oauthState.prompt;
if (oauth.fragment) {
oauth.newUrl += '#' + oauth.fragment;
@@ -1218,9 +1226,6 @@
case 'redirect_fragment':
oauth.fragment = queryParams[param];
break;
- case 'prompt':
- oauth.prompt = queryParams[param];
- break;
default:
if (responseMode != 'query' || !handleQueryParam(param, queryParams[param], oauth)) {
oauth.newUrl += (oauth.newUrl.indexOf('?') == -1 ? '?' : '&') + param + '=' + queryParams[param];
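Review bot: With the `'prompt'` case removed, a `prompt` parameter that still arrives on the callback URL now falls through to `default` and, unless `handleQueryParam` claims it (its body is not visible here), is re-appended to `oauth.newUrl` instead of being consumed as before. That is presumably intended now that the adapter no longer adds `prompt` to the redirect URI, but it is a behaviour change worth one comment at the `default:` label, e.g. `// prompt is restored from stored callback state, not from the callback URL`. The enclosing switch and function extend beyond this hunk.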
diff --git a/adapters/oidc/js/src/main/resources/login-status-iframe.html b/adapters/oidc/js/src/main/resources/login-status-iframe.html
index 9bc8fd9..6bea92a 100755
--- a/adapters/oidc/js/src/main/resources/login-status-iframe.html
+++ b/adapters/oidc/js/src/main/resources/login-status-iframe.html
@@ -21,13 +21,16 @@
var init;
function checkState(clientId, origin, sessionState, callback) {
- if (!init) {
+ var cookie = getCookie();
+
+ if (!cookie) {
+ callback('changed');
+ } else if (!init) {
var req = new XMLHttpRequest();
var url = location.href + "/init";
url += "?client_id=" + encodeURIComponent(clientId);
url += "&origin=" + encodeURIComponent(origin);
- url += "&session_state=" + encodeURIComponent(sessionState);
req.open('GET', url, true);
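Review bot: `callback('changed')` is now reached on the `!cookie` branch before the `/init` request has validated `clientId` and `origin`, whereas previously every result was produced only inside the `else` path that runs after `init` is populated. If the callback posts its result to the requesting origin (that part of the function is outside this hunk), an arbitrary embedding page can learn that the session cookie is absent without ever passing the origin check that `/init` exists to enforce. Consider ordering the branches so the origin is validated first in every case, `if (!init) { ... } else if (!cookie) { callback('changed'); } else { ... }`, which keeps the new shortcut but only after `init` is known. `checkState` continues past the end of this hunk.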
@@ -50,7 +53,6 @@
req.send();
} else {
if (clientId == init.clientId && origin == init.origin) {
- var cookie = getCookie();
if (sessionState == cookie) {
callback('unchanged');
} else {
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java
index c46ba10..5d2d054 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java
@@ -68,27 +68,19 @@ public class LoginStatusIframeEndpoint {
@GET
@Path("init")
- public Response preCheck(@QueryParam("client_id") String clientId, @QueryParam("origin") String origin, @QueryParam("session_state") String sessionState) {
+ public Response preCheck(@QueryParam("client_id") String clientId, @QueryParam("origin") String origin) {
try {
RealmModel realm = session.getContext().getRealm();
- String sessionId = sessionState.split("/")[2];
- UserSessionModel userSession = session.sessions().getUserSession(realm, sessionId);
- if (userSession == null) {
- return Response.status(Response.Status.NOT_FOUND).build();
- }
-
ClientModel client = session.realms().getClientByClientId(clientId, realm);
if (client != null) {
Set<String> validWebOrigins = WebOriginsUtils.resolveValidWebOrigins(uriInfo, client);
validWebOrigins.add(UriUtils.getOrigin(uriInfo.getRequestUri()));
-
if (validWebOrigins.contains(origin)) {
return Response.noContent().build();
}
}
} catch (Throwable t) {
}
-
return Response.status(Response.Status.FORBIDDEN).build();
}
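Review bot: `preCheck` has no Javadoc although its contract changed: `init` now only verifies that `client_id` resolves to a client whose valid web origins, plus the request's own origin, contain `origin`, and it no longer consults user sessions at all. A header such as `/** Pre-check for the login-status iframe: 204 when client_id and origin are acceptable, 403 otherwise; does not look up sessions. */` would record that for callers of the JS adapter. The `catch (Throwable t) {}` left at the end of the method still collapses every failure, including a missing realm or a lookup exception, into the same 403 as a rejected origin; emitting a debug-level log there through whatever logger the class already has would keep the response unchanged while making misconfiguration diagnosable.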
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/LoginStatusIframeEndpointTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/LoginStatusIframeEndpointTest.java
index 2d0a269..4bb437c 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/LoginStatusIframeEndpointTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/LoginStatusIframeEndpointTest.java
@@ -133,7 +133,6 @@ public class LoginStatusIframeEndpointTest extends AbstractKeycloakTest {
get = new HttpGet(suiteContext.getAuthServerInfo().getContextRoot() + "/auth/realms/master/protocol/openid-connect/login-status-iframe.html/init?"
+ "client_id=invalid"
- + "&session_state=" + sessionCookie.getValue()
+ "&origin=" + suiteContext.getAuthServerInfo().getContextRoot()
);
response = client.execute(get);
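Review bot: After dropping `session_state` from these requests, nothing asserts how `/init` treats the parameter when an adapter built against the previous version still sends it; a request that adds `&session_state=` with an arbitrary value and expects the same status as the request without it would pin that the endpoint now ignores it rather than rejecting it. The 403 and 404 cases removed in the second and third `@@` hunks of this file covered only the old session lookup, so no replacement case is needed for them beyond that. The enclosing test method starts and ends outside this hunk.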
@@ -142,16 +141,6 @@ public class LoginStatusIframeEndpointTest extends AbstractKeycloakTest {
get = new HttpGet(suiteContext.getAuthServerInfo().getContextRoot() + "/auth/realms/master/protocol/openid-connect/login-status-iframe.html/init?"
+ "client_id=" + Constants.ADMIN_CONSOLE_CLIENT_ID
- + "&session_state=invalid"
- + "&origin=" + suiteContext.getAuthServerInfo().getContextRoot()
- );
- response = client.execute(get);
- assertEquals(403, response.getStatusLine().getStatusCode());
- response.close();
-
- get = new HttpGet(suiteContext.getAuthServerInfo().getContextRoot() + "/auth/realms/master/protocol/openid-connect/login-status-iframe.html/init?"
- + "client_id=" + Constants.ADMIN_CONSOLE_CLIENT_ID
- + "&session_state=" + sessionCookie.getValue()
+ "&origin=http://invalid"
);
response = client.execute(get);
@@ -160,16 +149,6 @@ public class LoginStatusIframeEndpointTest extends AbstractKeycloakTest {
get = new HttpGet(suiteContext.getAuthServerInfo().getContextRoot() + "/auth/realms/master/protocol/openid-connect/login-status-iframe.html/init?"
+ "client_id=" + Constants.ADMIN_CONSOLE_CLIENT_ID
- + "&session_state=master/random/random"
- + "&origin=" + suiteContext.getAuthServerInfo().getContextRoot()
- );
- response = client.execute(get);
- assertEquals(404, response.getStatusLine().getStatusCode());
- response.close();
-
- get = new HttpGet(suiteContext.getAuthServerInfo().getContextRoot() + "/auth/realms/master/protocol/openid-connect/login-status-iframe.html/init?"
- + "client_id=" + Constants.ADMIN_CONSOLE_CLIENT_ID
- + "&session_state=" + sessionCookie.getValue()
+ "&origin=" + suiteContext.getAuthServerInfo().getContextRoot()
);
response = client.execute(get);