Skip secure redirect validation if redirect URI-dependent flows are n…

…ot used closes keycloak#33734 Signed-off-by: Takashi Norimatsu <[email protected]>
tnorimat · Nov 13, 2024 · 140923b · 140923b
1 parent 88a3d1c
commit 140923b
Showing 1 changed file with 56 additions and 0 deletions.
diff --git a/...t/java/org/keycloak/testsuite/client/policies/SecureRedirectUrisEnforcerExecutorTest.java b/...t/java/org/keycloak/testsuite/client/policies/SecureRedirectUrisEnforcerExecutorTest.java
@@ -51,6 +51,62 @@ public void addTestRealms(List<RealmRepresentation> testRealms) {
         testRealms.add(realm);
     }
 
+    @Test
+    public void testNotRedirectBasedFlowClient_normalUri() throws Exception {
+        // register profiles
+        String json = (new ClientPoliciesUtil.ClientProfilesBuilder()).addProfile(
+                (new ClientPoliciesUtil.ClientProfileBuilder()).createProfile(PROFILE_NAME, "Le Premier Profil")
+                        .addExecutor(SecureRedirectUrisEnforcerExecutorFactory.PROVIDER_ID,
+                                createSecureRedirectUrisEnforcerExecutorConfig(it->{}))
+                        .toRepresentation()
+        ).toString();
+        updateProfiles(json);
+
+        // register policies
+        json = (new ClientPoliciesUtil.ClientPoliciesBuilder()).addPolicy(
+                (new ClientPoliciesUtil.ClientPolicyBuilder()).createPolicy(POLICY_NAME, "La Premiere Politique", Boolean.TRUE)
+                        .addCondition(AnyClientConditionFactory.PROVIDER_ID,
+                                createAnyClientConditionConfig())
+                        .addProfile(PROFILE_NAME)
+                        .toRepresentation()
+        ).toString();
+        updatePolicies(json);
+
+        // The executor's check logic is not executed to an auth code flow or implicit flow disabled client.
+
+        // Registration
+        // Success - even if not setting a valid redirect uri
+        String clientId = null;
+        String cId = null;
+        try {
+            clientId = generateSuffixedName(CLIENT_NAME);
+            cId = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
+                clientRep.setSecret("secret");
+                clientRep.setRedirectUris(List.of("http://oauth.redirect/some")); // normally, a redirect url with http scheme is not allowed.
+                clientRep.setStandardFlowEnabled(false);
+                clientRep.setImplicitFlowEnabled(false);
+                clientRep.setServiceAccountsEnabled(true);
+            });
+            ClientRepresentation cRep = getClientByAdmin(cId);
+            assertEquals(new HashSet<>(List.of("http://oauth.redirect/some")), new HashSet<>(cRep.getRedirectUris()));
+        } catch (ClientPolicyException cpe) {
+            fail();
+        }
+
+        // Update
+        // Success - even if not setting a valid redirect uri
+        try {
+            updateClientByAdmin(cId, (ClientRepresentation clientRep) -> {
+                clientRep.setAttributes(new HashMap<>());
+                clientRep.setRedirectUris(List.of("")); // nomally, vacant redirect uri is not allowed.
+            });
+            ClientRepresentation cRep = getClientByAdmin(cId);
+            assertEquals(new HashSet<>(List.of("")), new HashSet<>(cRep.getRedirectUris()));
+        } catch (ClientPolicyException cpe) {
+            fail();
+        }
+    }
+
     @Test
     public void testSecureRedirectUrisEnforcerExecutor_normalUri() throws Exception {
         // register profiles