diff --git a/broker/oidc/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.java b/broker/oidc/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.java
index 479422e..3c59a96 100755
--- a/broker/oidc/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.java
+++ b/broker/oidc/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.java
@@ -70,7 +70,10 @@ public class KeycloakOIDCIdentityProvider extends OIDCIdentityProvider {
for (String sessionId : action.getKeycloakSessionIds()) {
String brokerSessionId = getConfig().getAlias() + "." + sessionId;
UserSessionModel userSession = session.sessions().getUserSessionByBrokerSessionId(realm, brokerSessionId);
- if (userSession != null) {
+ if (userSession != null
+ && userSession.getState() != UserSessionModel.State.LOGGING_OUT
+ && userSession.getState() != UserSessionModel.State.LOGGED_OUT
+ ) {
AuthenticationManager.backchannelLogout(session, realm, userSession, uriInfo, clientConnection, headers);
}
}
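Review bot: `userSession.getState()` is read twice in the new condition; a single local, `UserSessionModel.State state = userSession.getState();`, compared against `LOGGING_OUT` and `LOGGED_OUT` gives one consistent read and a natural place to explain the intent. A short comment such as `// skip sessions already being torn down so a backchannel logout does not re-enter logout` would record why these two states are excluded, which the condition alone does not say. The check is still a check-then-act against session state, so a concurrent logout of the same session could presumably still interleave; whether that matters depends on how backchannelLogout itself behaves, which is not visible here. The enclosing method starts outside the hunk.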
diff --git a/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java b/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
index 72c39f1..b840f37 100755
--- a/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
+++ b/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
@@ -139,7 +139,8 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
.path(OIDCEndpoint.class, "logoutResponse")
.build(realm.getName(), getConfig().getAlias()).toString();
logoutUri.queryParam("post_logout_redirect_uri", redirect);
- return Response.status(302).location(logoutUri.build()).build();
+ Response response = Response.status(302).location(logoutUri.build()).build();
+ return response;
}
@Override
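Review bot: The new `Response response = Response.status(302).location(logoutUri.build()).build(); return response;` only introduces a local that is returned on the very next line; unless it is meant as a breakpoint hook, the original single `return Response.status(302).location(logoutUri.build()).build();` is the clearer form. `redirect` and `logoutUri` are constructed before the hunk, so how the `post_logout_redirect_uri` value is derived is not visible here.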
diff --git a/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java b/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java
index 7c3335e..6c57274 100755
--- a/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java
+++ b/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java
@@ -21,6 +21,7 @@ import org.keycloak.broker.oidc.util.SimpleHttp;
import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.jose.jwk.JWKParser;
+import org.keycloak.jose.jws.Algorithm;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.representations.JSONWebKeySet;
@@ -80,7 +81,7 @@ public class OIDCIdentityProviderFactory extends AbstractIdentityProviderFactory
JSONWebKeySet keySet = JsonSerialization.readValue(keySetString, JSONWebKeySet.class);
for (JWK jwk : keySet.getKeys()) {
JWKParser parse = JWKParser.create(jwk);
- if (parse.getJwk().getPublicKeyUse().equals(JWK.SIG_USE)) {
+ if (parse.getJwk().getPublicKeyUse().equals(JWK.SIG_USE) && keyTypeSupported(jwk.getKeyType())) {
PublicKey key = parse.toPublicKey();
config.setPublicKeySignatureVerifier(KeycloakModelUtils.getPemFromKey(key));
config.setValidateSignature(true);
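Review bot: `parse.getJwk().getPublicKeyUse().equals(JWK.SIG_USE)` dereferences the key's `use` member before the new `keyTypeSupported` check runs, so a key set entry that omits `use` (an optional JWK member) fails the whole import with a NullPointerException rather than being skipped. Reversing the comparison, `if (JWK.SIG_USE.equals(parse.getJwk().getPublicKeyUse()) && keyTypeSupported(jwk.getKeyType())) {`, makes the filter null-safe. Whether the loop stops after the first matching key or lets a later key overwrite the verifier is outside the hunk.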
@@ -95,4 +96,8 @@ public class OIDCIdentityProviderFactory extends AbstractIdentityProviderFactory
}
return config.getConfig();
}
+
+ protected static boolean keyTypeSupported(String type) {
+ return type != null && type.equals("RSA");
+ }
}
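Review bot: `keyTypeSupported` does not document why only `"RSA"` is accepted; a Javadoc line such as `/** Only RSA keys are converted to the PEM signature verifier; keys of any other type are skipped. */` would record the constraint for whoever later adds support for another algorithm. The body can also fold the null guard into one expression, `return "RSA".equals(type);`. The `import org.keycloak.jose.jws.Algorithm` added in the first hunk of this file is not referenced by any visible line; if nothing else in the file uses it, it should be dropped.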
diff --git a/model/api/src/main/java/org/keycloak/models/UserSessionModel.java b/model/api/src/main/java/org/keycloak/models/UserSessionModel.java
index d75e780..1db82b6 100755
--- a/model/api/src/main/java/org/keycloak/models/UserSessionModel.java
+++ b/model/api/src/main/java/org/keycloak/models/UserSessionModel.java
@@ -1,53 +1,53 @@
-package org.keycloak.models;
-
-import java.util.List;
-
-/**
- * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
- */
-public interface UserSessionModel {
-
- String getId();
-
- /**
- * If created via a broker external login, this is an identifier that can be
- * used to match external broker backchannel logout requests to a UserSession
- *
- * @return
- */
- String getBrokerSessionId();
- String getBrokerUserId();
-
- UserModel getUser();
-
- String getLoginUsername();
-
- String getIpAddress();
-
- String getAuthMethod();
-
- boolean isRememberMe();
-
- int getStarted();
-
- int getLastSessionRefresh();
-
- void setLastSessionRefresh(int seconds);
-
- List<ClientSessionModel> getClientSessions();
-
- public String getNote(String name);
- public void setNote(String name, String value);
- public void removeNote(String name);
-
- State getState();
- void setState(State state);
-
- public static enum State {
- LOGGING_IN,
- LOGGED_IN,
- LOGGING_OUT,
- LOGGED_OUT
- }
-
-}
+package org.keycloak.models;
+
+import java.util.List;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+public interface UserSessionModel {
+
+ String getId();
+
+ /**
+ * If created via a broker external login, this is an identifier that can be
+ * used to match external broker backchannel logout requests to a UserSession
+ *
+ * @return
+ */
+ String getBrokerSessionId();
+ String getBrokerUserId();
+
+ UserModel getUser();
+
+ String getLoginUsername();
+
+ String getIpAddress();
+
+ String getAuthMethod();
+
+ boolean isRememberMe();
+
+ int getStarted();
+
+ int getLastSessionRefresh();
+
+ void setLastSessionRefresh(int seconds);
+
+ List<ClientSessionModel> getClientSessions();
+
+ public String getNote(String name);
+ public void setNote(String name, String value);
+ public void removeNote(String name);
+
+ State getState();
+ void setState(State state);
+
+ public static enum State {
+ LOGGING_IN,
+ LOGGED_IN,
+ LOGGING_OUT,
+ LOGGED_OUT
+ }
+
+}
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/AdminAuth.java b/services/src/main/java/org/keycloak/services/resources/admin/AdminAuth.java
index 3dd1123..25ee060 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/AdminAuth.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/AdminAuth.java
@@ -44,6 +44,7 @@ public class AdminAuth {
public boolean hasRealmRole(String role) {
if (client instanceof ClientModel) {
RoleModel roleModel = realm.getRole(role);
+ if (roleModel == null) return false;
return user.hasRole(roleModel) && client.hasScope(roleModel);
} else {
AccessToken.Access access = token.getRealmAccess();
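Review bot: The added `if (roleModel == null) return false;` makes an unknown role name indistinguishable from a genuine denial, which is the right fail-closed default, but nothing in the code says that is deliberate; a comment such as `// role does not exist in this realm: treat as not granted rather than fail` would stop a later maintainer from turning it into an exception. The same applies to the identical guard in hasAppRole in the next hunk. In the else branch, `token.getRealmAccess()` (and `token.getResourceAccess(app.getClientId())` in the next hunk) may return null when the token carries no such access entry; whether that case is guarded is outside the hunk. The project style elsewhere in these methods uses braced blocks, so `if (roleModel == null) { return false; }` would match.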
@@ -63,6 +64,7 @@ public class AdminAuth {
public boolean hasAppRole(ClientModel app, String role) {
if (client instanceof ClientModel) {
RoleModel roleModel = app.getRole(role);
+ if (roleModel == null) return false;
return user.hasRole(roleModel) && client.hasScope(roleModel);
} else {
AccessToken.Access access = token.getResourceAccess(app.getClientId());
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java b/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
index bdde097..34e8272 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
@@ -218,12 +218,12 @@ public class AdminRoot {
}
protected boolean isAdmin(AdminAuth auth) {
- if (auth.hasOneOfRealmRole(AdminRoles.ADMIN, AdminRoles.CREATE_REALM)) {
- return true;
- }
RealmManager realmManager = new RealmManager(session);
if (auth.getRealm().equals(realmManager.getKeycloakAdminstrationRealm())) {
+ if (auth.hasOneOfRealmRole(AdminRoles.ADMIN, AdminRoles.CREATE_REALM)) {
+ return true;
+ }
for (RealmModel realm : session.realms().getRealms()) {
ClientModel client = realm.getMasterAdminClient();
if (auth.hasOneOfAppRole(client, AdminRoles.ALL_REALM_ROLES)) {
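Review bot: Moving the `hasOneOfRealmRole(AdminRoles.ADMIN, AdminRoles.CREATE_REALM)` check inside the administration-realm branch means realm-level admin roles are now honoured only when issued by that realm, which is a deliberate tightening, but the code gives no hint that the placement matters. A comment above the inner check, `// realm-level admin roles are only trusted when issued by the administration realm; do not hoist`, would keep the next refactor from restoring the old behaviour. `auth.getRealm().equals(realmManager.getKeycloakAdminstrationRealm())` relies on RealmModel equality semantics that are not visible here. The enclosing for loop and method continue past the hunk.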