- Bug
- Resolution: Done
- Major
`OidcRequestAuthenticator.resolveCode(String code)` handles getting a token from the code it receives after the user authenticates. Part of that is rewriting the url to remove OAuth parameters for code, state, and session_state, and running a rewrite rule to possibly adjust the redirect_url.
If you enter a rewrite rule that never matches, the behavior is not the same as having no rewrite rules.
For example, the url that the browser goes to after authenticating might be:
`http://localhost:8080/debug?code=Qs7fBTc1J63o3KBR_SYLRjBqP48&iss=https%3A%2F%2Fmy.keycloak.server.url%3A443%2Fsso%2Foauth2&state=0fe4f722-74e2-4b17-a705-6cbdbfa7bd30&client_id=myclient-449550`
With no rewrite rule, the stripped url that results is:
`http://localhost:8080/debug?iss=https%3A%2F%2Fmy.keycloak.server.url%3A443%2Fsso%2Foauth2&client_id=myclient-449550`
But if I add a rewrite rule like `"will-not-match": "foobar"` that doesn't even match anything, the stripped url is:
`http://localhost:8080/debug`
The stripped url is then used as the redirect_url to convert the code into a token. A redirect_url with unexpected query parameters will not match the pre-approved redirect urls in the auth server's client configuration, causing an error instead of successfully obtaining a valid token.
The stripped url should be the same if the rewrite rule makes no changes vs if there is no rewrite rule at all. `OidcRequestAuthenticator.rewrittenRedirectUri` simply returns its input if there's no rewrite rule, so any query parameters left after stripping [code, state, session_state] are retained. But if there's a rewrite rule, the url is rebuilt and the query is omitted from the rebuilt url.
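The following is an added example, not Elytron's code: it models the two steps the report describes, stripping the OAuth response parameters and then applying a hypothetical "regex -> replacement" path rewrite rule, once in the shape that drops the query (the reported behaviour) and once carrying the query through, so a rule that never matches gives the same redirect_url as having no rule. The class and method names and the rule format are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Map;
import java.util.Set;
import java.util.StringJoiner;

// Added example, not Elytron's code: models the strip step and a hypothetical
// path rewrite rule, with the query either dropped (the reported bug) or kept.
public class RedirectUriRewrite {
    private static final Set<String> OAUTH_RESPONSE_PARAMS = Set.of("code", "state", "session_state");

    // Drop only code/state/session_state; other parameters (iss, client_id) stay in order.
    static String stripOAuthParams(String url) throws URISyntaxException {
        URI uri = new URI(url);
        if (uri.getRawQuery() == null) return url;
        StringJoiner kept = new StringJoiner("&");
        for (String pair : uri.getRawQuery().split("&")) {
            if (!OAUTH_RESPONSE_PARAMS.contains(pair.split("=", 2)[0])) kept.add(pair);
        }
        return rebuild(uri, uri.getRawPath(), kept.length() == 0 ? null : kept.toString());
    }

    // Apply "regex -> replacement" rules to the path and rebuild the URL.
    // keepQuery=false reproduces the bug: any rule, matching or not, loses the
    // query. keepQuery=true makes a non-matching rule equivalent to no rule.
    static String rewrite(String url, Map<String, String> rules, boolean keepQuery) throws URISyntaxException {
        if (rules.isEmpty()) return url;
        URI uri = new URI(url);
        String path = uri.getRawPath();
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            path = path.replaceAll(rule.getKey(), rule.getValue());
        }
        return rebuild(uri, path, keepQuery ? uri.getRawQuery() : null);
    }

    private static String rebuild(URI uri, String path, String rawQuery) {
        String base = uri.getScheme() + "://" + uri.getRawAuthority() + path;
        return rawQuery == null ? base : base + "?" + rawQuery;
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed callback URL in the shape of the report's example.
        String callback = "http://localhost:8080/debug?code=abc&iss=https%3A%2F%2Fidp.example%2Fsso&state=123&client_id=myclient";
        String stripped = stripOAuthParams(callback);
        Map<String, String> rule = Map.of("will-not-match", "foobar");
        System.out.println(stripped);
        System.out.println(rewrite(stripped, rule, false)); // buggy shape: query dropped
        System.out.println(rewrite(stripped, rule, true));  // fixed shape: query carried through
    }
}
```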
- clones: ELY-2242 OidcRequestAuthenticator.rewrittenRedirectUri retains url query when there's no rewrite rule, but removes it when there's a rewrite rule (Resolved)
- is incorporated by: JBEAP-22973 (7.4.z) Upgrade Elytron from 1.15.9.Final-redhat-00001 to 1.15.11.Final-redhat-00002 (Closed)