From 37099f317734b5ed5b19fa38cbb07a67ced96bae Mon Sep 17 00:00:00 2001
From: Stian Thorgersen
Date: Thu, 22 May 2014 17:51:51 +0100
Subject: [PATCH] KEYCLOAK-494 Session state iframe uses first redirect uri for a client
---
 integration/js/src/main/resources/keycloak.js | 2 +-
 .../services/resources/RealmsResource.java | 42 ++++++++++---------
 2 files changed, 24 insertions(+), 20 deletions(-)
diff --git a/integration/js/src/main/resources/keycloak.js b/integration/js/src/main/resources/keycloak.js
index 84ae29c09a1..1cfba8100ac 100755
--- a/integration/js/src/main/resources/keycloak.js
+++ b/integration/js/src/main/resources/keycloak.js
@@ -538,7 +538,7 @@ var Keycloak = function (config) {
 loginIframe.iframe = iframe;
 }
- var src = getRealmUrl() + '/login-status-iframe.html?client_id=' + encodeURIComponent(kc.clientId);
+ var src = getRealmUrl() + '/login-status-iframe.html?client_id=' + encodeURIComponent(kc.clientId) + '&origin=' + window.location.origin;
 iframe.setAttribute('src', src );
 iframe.style.display = 'none';
 document.body.appendChild(iframe);
diff --git a/services/src/main/java/org/keycloak/services/resources/RealmsResource.java b/services/src/main/java/org/keycloak/services/resources/RealmsResource.java
index 18c6caa5217..23359d5e398 100755
--- a/services/src/main/java/org/keycloak/services/resources/RealmsResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/RealmsResource.java
@@ -2,6 +2,7 @@ package org.keycloak.services.resources;
 import org.jboss.logging.Logger;
 import org.jboss.resteasy.annotations.cache.NoCache;
+import org.jboss.resteasy.spi.BadRequestException;
 import org.jboss.resteasy.spi.NotFoundException;
 import org.jboss.resteasy.spi.ResteasyProviderFactory;
 import org.jboss.resteasy.spi.UnauthorizedException;
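Review bot: The new `'&origin=' + window.location.origin` is concatenated raw while `client_id` on the same line goes through `encodeURIComponent`; the new query value should be encoded the same way, `'&origin=' + encodeURIComponent(window.location.origin)`, so the query string cannot be broken by an unexpected origin value. `window.location.origin` is also undefined in some older browsers still in use at the time of this patch (IE before 11, as far as I recall) and is the literal string "null" for opaque origins, in both of which cases the server-side check in RealmsResource will reject the iframe request; a fallback of `location.protocol + '//' + location.host` covers the undefined case. The enclosing function continues outside the hunk.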
@@ -98,7 +99,8 @@ public class RealmsResource {
 @Produces(MediaType.TEXT_HTML)
 @NoCache
 public String getLoginStatusIframe(final @PathParam("realm") String name,
- @QueryParam("client_id") String client_id) {
+ @QueryParam("client_id") String client_id,
+ @QueryParam("origin") String origin) {
 logger.info("getLoginStatusIframe");
 AuthenticationManager auth = new AuthenticationManager(providers);
@@ -116,31 +118,33 @@ public class RealmsResource {
 InputStream is = getClass().getClassLoader().getResourceAsStream("login-status-iframe.html");
 if (is == null) throw new NotFoundException("Could not find login-status-iframe.html ");
- Set redirectUris = TokenService.resolveValidRedirects(uriInfo, client.getRedirectUris());
- String origin = null;
- for (String redirect : redirectUris) {
- int index = redirect.indexOf("://");
- if (index == -1) continue;
- index = redirect.indexOf('/', index + 3);
- if (index == -1) {
- origin = redirect;
- } else {
- origin = redirect.substring(0, index);
+ boolean valid = false;
+ for (String o : client.getWebOrigins()) {
+ if (o.equals("*") || o.equals(origin)) {
+ valid = true;
+ break;
 }
- break;
- }
- String file = null;
+
+ for (String r : TokenService.resolveValidRedirects(uriInfo, client.getRedirectUris())) {
+ r = r.substring(0, r.indexOf('/', 8));
+ if (r.equals(origin)) {
+ valid = true;
+ break;
+ }
+ }
+
+ if (!valid) {
+ throw new BadRequestException("Invalid origin");
+ }
+
 try {
- file = StreamUtil.readString(is);
+ String file = StreamUtil.readString(is);
+ return file.replace("ORIGIN", origin);
 } catch (IOException e) {
 throw new RuntimeException(e);
 }
- file = file.replace("ORIGIN", origin);
- //System.out.println(file);
- return file;
-
 }
 @Path("{realm}/tokens")
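Review bot: `r = r.substring(0, r.indexOf('/', 8));` in the new redirect-URI loop throws StringIndexOutOfBoundsException whenever a resolved redirect URI has no path after its authority (`indexOf` returns -1), a case the removed code handled explicitly with its `index == -1` branch, so a single such registered redirect turns every status-iframe load for that client into a 500; the hard-coded offset 8 also assumes a scheme at least as long as `https://`. Separately, when a client's web origins contain `*` the first loop accepts any value of `origin`, including null when the new query parameter (added in the -98 hunk above) is absent, and `file.replace("ORIGIN", origin)` then throws a NullPointerException. Because with `*` the caller-supplied string is substituted into the served HTML without further checks, it should at least be required to look like an origin (scheme and authority, no path) before substitution; I cannot see login-status-iframe.html here, so how that placeholder is used is inferred. The rewrite below adds that guard and restores the -1 handling; the rest of the method is unchanged.
```java
        // Reject a missing or malformed origin before it can reach the template,
        // even when the client lists "*" as a web origin.
        int originSchemeEnd = origin == null ? -1 : origin.indexOf("://");
        if (originSchemeEnd == -1 || origin.indexOf('/', originSchemeEnd + 3) != -1) {
            throw new BadRequestException("Invalid origin");
        }

        // … unchanged: boolean valid = false; loop over client.getWebOrigins() …

        for (String r : TokenService.resolveValidRedirects(uriInfo, client.getRedirectUris())) {
            int schemeEnd = r.indexOf("://");
            if (schemeEnd == -1) continue;
            int pathStart = r.indexOf('/', schemeEnd + 3);
            // A redirect URI with no path is already just an origin.
            String redirectOrigin = pathStart == -1 ? r : r.substring(0, pathStart);
            if (redirectOrigin.equals(origin)) {
                valid = true;
                break;
            }
        }

        // … unchanged: if (!valid) throw …; try { readString / replace } …
```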