Prosoft Git

keycloak-uncached

KEYCLOAK-957 Access Token Request does not verify redirect_uri

1/14/2015 6:59:04 AM
Stian Thorgersen

Stian Thorgersen

Commit: d0b614f

Tree: b874bef

Parents: c325b9f

Changes

services/src/main/java/org/keycloak/protocol/oidc/OpenIDConnectService.java 11(+11 -0)

testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java 19(+19 -0)

Details

services/src/main/java/org/keycloak/protocol/oidc/OpenIDConnectService.java 11(+11 -0) 

diff --git a/services/src/main/java/org/keycloak/protocol/oidc/OpenIDConnectService.java b/services/src/main/java/org/keycloak/protocol/oidc/OpenIDConnectService.java
index 0781c04..c33ef91 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/OpenIDConnectService.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/OpenIDConnectService.java
@@ -583,6 +583,7 @@ public class OpenIDConnectService {
             return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(res)
                     .build();
         }
+
         ClientSessionModel clientSession = accessCode.getClientSession();
         event.detail(Details.CODE_ID, clientSession.getId());
         if (!accessCode.isValid(ClientSessionModel.Action.CODE_TO_TOKEN)) {
@@ -601,6 +602,16 @@ public class OpenIDConnectService {
 
         ClientModel client = authorizeClient(authorizationHeader, formData, event);
 
+        String redirectUri = clientSession.getRedirectUri();
+        if (redirectUri != null && !redirectUri.equals(formData.getFirst(OAuth2Constants.REDIRECT_URI))) {
+            Map<String, String> res = new HashMap<String, String>();
+            res.put(OAuth2Constants.ERROR, "invalid_grant");
+            res.put(OAuth2Constants.ERROR_DESCRIPTION, "Incorrect redirect_uri");
+            event.error(Errors.INVALID_CODE);
+            return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(res)
+                    .build();
+        }
+
         if (!client.getClientId().equals(clientSession.getClient().getClientId())) {
             Map<String, String> res = new HashMap<String, String>();
             res.put(OAuth2Constants.ERROR, "invalid_grant");

testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java 19(+19 -0) 

diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java
index f0e2339..ed47774 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java
@@ -142,6 +142,25 @@ public class AccessTokenTest {
     }
 
     @Test
+    public void accessTokenInvalidRedirectUri() throws Exception {
+        oauth.doLogin("test-user@localhost", "password");
+
+        Event loginEvent = events.expectLogin().assertEvent();
+        String codeId = loginEvent.getDetails().get(Details.CODE_ID);
+
+        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
+
+        oauth.redirectUri("http://invalid");
+
+        AccessTokenResponse response = oauth.doAccessTokenRequest(code, "password");
+        Assert.assertEquals(400, response.getStatusCode());
+        Assert.assertEquals("invalid_grant", response.getError());
+        Assert.assertEquals("Incorrect redirect_uri", response.getErrorDescription());
+
+        events.expectCodeToToken(codeId, loginEvent.getSessionId()).error("invalid_code").removeDetail(Details.TOKEN_ID).removeDetail(Details.REFRESH_TOKEN_ID).assertEvent();
+    }
+
+    @Test
     public void accessTokenUserSessionExpired() {
         oauth.doLogin("test-user@localhost", "password");

Bonobo Git Server (6.3.0.632) © 2015 Jakub Chodounský · Official Page · Github