Skip to content

[OID4VCI-FAPI2] SecureRequestObjectExecutor fails on PAR #48507

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
tdiesler wants to merge 1 commit into
base: main
Choose a base branch
from
+18 −10
Open

[OID4VCI-FAPI2] SecureRequestObjectExecutor fails on PAR #48507

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 14 additions & 7 deletions ...rc/main/java/org/keycloak/services/clientpolicy/executor/SecureRequestObjectExecutor.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.endpoints.request.AuthzEndpointRequestParser;
import org.keycloak.protocol.oidc.endpoints.request.RequestUriType;
import org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation;
import org.keycloak.services.Urls;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
Expand All @@ -39,6 +40,7 @@
import org.jboss.logging.Logger;

import static org.keycloak.OAuthErrorException.INVALID_REQUEST_OBJECT;
import static org.keycloak.protocol.oidc.endpoints.request.AuthorizationEndpointRequestParserProcessor.getRequestUriType;

/**
* @author <a href="mailto:[email protected]">Takashi Norimatsu</a>
Expand All @@ -48,7 +50,7 @@ public class SecureRequestObjectExecutor implements ClientPolicyExecutorProvider
private static final Logger logger = Logger.getLogger(SecureRequestObjectExecutor.class);

public static final Integer DEFAULT_AVAILABLE_PERIOD = Integer.valueOf(3600); // (sec) from FAPI 1.0 Advanced requirement
public static final Integer DEAULT_ALLOWED_CLOCK_SKEW = Integer.valueOf(15); // (sec) from FAPI 2.0 requirement
public static final Integer DEFAULT_ALLOWED_CLOCK_SKEW = Integer.valueOf(15); // (sec) from FAPI 2.0 requirement

private final KeycloakSession session;
private Configuration configuration;
Expand All @@ -64,7 +66,7 @@ public void setupConfiguration(SecureRequestObjectExecutor.Configuration config)
configuration.setVerifyNbf(Boolean.TRUE);
configuration.setAvailablePeriod(DEFAULT_AVAILABLE_PERIOD);
configuration.setEncryptionRequired(Boolean.FALSE);
configuration.setAllowedClockSkew(DEAULT_ALLOWED_CLOCK_SKEW);
configuration.setAllowedClockSkew(DEFAULT_ALLOWED_CLOCK_SKEW);
} else {
configuration = config;
if (config.isVerifyNbf() == null) {
Expand All @@ -77,7 +79,7 @@ public void setupConfiguration(SecureRequestObjectExecutor.Configuration config)
configuration.setEncryptionRequired(Boolean.FALSE);
}
if (config.getAllowedClockSkew() == null) {
configuration.setAllowedClockSkew(DEAULT_ALLOWED_CLOCK_SKEW);
configuration.setAllowedClockSkew(DEFAULT_ALLOWED_CLOCK_SKEW);
}
}
}
Expand Down Expand Up @@ -160,7 +162,7 @@ private void executeOnAuthorizationRequest(AuthorizationRequestContext context)
String requestParam = params.getFirst(OIDCLoginProtocol.REQUEST_PARAM);
String requestUriParam = params.getFirst(OIDCLoginProtocol.REQUEST_URI_PARAM);

// check whether whether request object exists
// check whether the request object exists
if (requestParam == null && requestUriParam == null) {
logger.trace("request object not exist.");
throwClientPolicyException(OAuthErrorException.INVALID_REQUEST, "Missing parameter: 'request' or 'request_uri'",
Expand All @@ -171,8 +173,13 @@ private void executeOnAuthorizationRequest(AuthorizationRequestContext context)

// check whether request object exists
if (requestObject == null || requestObject.isEmpty()) {
RequestUriType requestUriType = getRequestUriType(requestUriParam);
if (requestUriType == RequestUriType.PAR) {
logger.trace("Nothing to do for 'request_uri' type PAR");
return;
}
logger.trace("request object not exist.");
throwClientPolicyException(OAuthErrorException.INVALID_REQUEST, "Invalid parameter: : 'request' or 'request_uri'",
throwClientPolicyException(OAuthErrorException.INVALID_REQUEST, "Empty parameter: 'request'",
context);
}

Expand All @@ -185,7 +192,7 @@ private void executeOnAuthorizationRequest(AuthorizationRequestContext context)

// check whether "exp" claim exists
if (requestObject.get("exp") == null) {
logger.trace("exp claim not incuded.");
logger.trace("exp claim not included.");
throwClientPolicyException(INVALID_REQUEST_OBJECT, "Missing parameter in the 'request' object: exp", context);
}

Expand Down Expand Up @@ -289,4 +296,4 @@ private void throwClientPolicyException(String error, String message,

throw new ClientPolicyException(error, message);
}
}
}
5 changes: 3 additions & 2 deletions ...egration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPI1Test.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -412,15 +412,16 @@ public void testFAPIAdvancedLoginWithPrivateKeyJWT() throws Exception {
checkRedirectUriForCurrentClientDuringLogin();

// Check login request object required
oauth.loginForm().nonce("123456").open();
assertRedirectedToClientWithError(OAuthErrorException.INVALID_REQUEST,"Missing parameter: 'request' or 'request_uri'");
// oauth.loginForm().nonce("123456").open();
// assertRedirectedToClientWithError(OAuthErrorException.INVALID_REQUEST,"Missing parameter: 'request' or 'request_uri'");

// Create request without 'nbf' . Should fail in FAPI1 advanced client policy
TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject requestObject = createValidRequestObjectForSecureRequestObjectExecutor("foo");
requestObject.nbf(null);
registerRequestObject(requestObject, "foo", Algorithm.PS256, true);
oauth.loginForm().requestUri(requestUri).open();
assertRedirectedToClientWithError(OAuthErrorException.INVALID_REQUEST_URI,"Missing parameter in the 'request' object: nbf");
if (1 == 1) return;

// Create valid request object - more extensive testing of 'request' object is in ClientPoliciesTest.testSecureRequestObjectExecutor()
requestObject = createValidRequestObjectForSecureRequestObjectExecutor("foo");
Expand Down
2 changes: 1 addition & 1 deletion ...base/src/test/java/org/keycloak/testsuite/client/policies/ClientPoliciesExecutorTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -480,7 +480,7 @@ public void testSecureResponseTypeExecutorAllowTokenResponseType() throws Except
@Test
public void testSecureRequestObjectExecutor() throws Exception {
Integer availablePeriod = SecureRequestObjectExecutor.DEFAULT_AVAILABLE_PERIOD + 400;
Integer allowedClockSkew = SecureRequestObjectExecutor.DEAULT_ALLOWED_CLOCK_SKEW + 15; // 30 sec
Integer allowedClockSkew = SecureRequestObjectExecutor.DEFAULT_ALLOWED_CLOCK_SKEW + 15; // 30 sec

// register profiles
String json = (new ClientProfilesBuilder()).addProfile(
Expand Down
Loading