diff --git a/services/src/main/java/org/keycloak/services/clientpolicy/executor/SecureRedirectUrisEnforcerExecutor.java b/services/src/main/java/org/keycloak/services/clientpolicy/executor/SecureRedirectUrisEnforcerExecutor.java
index 9fcf368cef12..298644d8f570 100644
--- a/services/src/main/java/org/keycloak/services/clientpolicy/executor/SecureRedirectUrisEnforcerExecutor.java
+++ b/services/src/main/java/org/keycloak/services/clientpolicy/executor/SecureRedirectUrisEnforcerExecutor.java
@@ -142,7 +142,7 @@ public void setAllowWildcardContextPath(boolean allowWildcardContextPath) {
 public List getAllowPermittedDomains() {
 return allowPermittedDomains;
 }
-
+
 public void setAllowPermittedDomains(List permittedDomains) {
 this.allowPermittedDomains = permittedDomains;
 }
@@ -173,26 +173,14 @@ public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyExcep
 switch (context.getEvent()) {
 case REGISTER:
 if (context instanceof AdminClientRegisterContext || context instanceof DynamicClientRegisterContext) {
- ClientRepresentation client = ((ClientCRUDContext)context).getProposedClientRepresentation();
- List redirectUris = client.getRedirectUris();
- if (redirectUris == null || redirectUris.isEmpty()) {
- throw invalidRedirectUri(ERR_GENERAL);
- }
- verifyRedirectUris(client.getRootUrl(), redirectUris);
- verifyPostLogoutRedirectUriUpdate(client);
+ verifyRedirectUris((ClientCRUDContext) context);
 } else {
 throw invalidRedirectUri(ERR_GENERAL);
 }
 return;
 case UPDATE:
 if (context instanceof AdminClientUpdateContext || context instanceof DynamicClientUpdateContext) {
- ClientRepresentation client = ((ClientCRUDContext)context).getProposedClientRepresentation();
- List redirectUris = client.getRedirectUris();
- if (redirectUris == null || redirectUris.isEmpty()) {
- return;
- }
- verifyRedirectUris(client.getRootUrl(), redirectUris);
- verifyPostLogoutRedirectUriUpdate(client);
+ verifyRedirectUris((ClientCRUDContext) context);
 } else {
 throw invalidRedirectUri(ERR_GENERAL);
 }
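Review bot: The UPDATE branch changes behaviour beyond the refactor: the removed lines returned silently when the proposed representation carried no redirectUris, whereas the new `verifyRedirectUris((ClientCRUDContext) context)` (defined in a later hunk of this diff) throws ERR_GENERAL in that case whenever the representation has standard or implicit flow enabled. If admin updates may be partial representations that leave redirectUris untouched, those updates are now rejected by this policy; if that is intended, say so above the call, e.g. `// An update must carry the full redirect URI list; a missing list is rejected, not treated as "unchanged".`. Otherwise the helper needs an update-specific path that skips the emptiness check, as the old code did. executeOnEvent starts and ends outside this hunk.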
@@ -205,12 +193,34 @@ public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyExcep
 if (client == null) {
 throw invalidRedirectUri("Invalid parameter: clientId");
 }
- verifyRedirectUri(redirectUriParam, true);
+ if (isAuthFlowWithRedirectEnabled(client)) {
+ verifyRedirectUri(redirectUriParam, true);
+ }
 return;
 default:
 }
 }
 
+ private void verifyRedirectUris(ClientCRUDContext context) throws ClientPolicyException {
+ ClientRepresentation client = context.getProposedClientRepresentation();
+ if (isAuthFlowWithRedirectEnabled(client)) {
+ List redirectUris = client.getRedirectUris();
+ if (redirectUris == null || redirectUris.isEmpty()) {
+ throw invalidRedirectUri(ERR_GENERAL);
+ }
+ verifyRedirectUris(client.getRootUrl(), redirectUris);
+ verifyPostLogoutRedirectUriUpdate(client);
+ }
+ }
+
+ private boolean isAuthFlowWithRedirectEnabled(ClientModel client) {
+ return client.isStandardFlowEnabled() || client.isImplicitFlowEnabled();
+ }
+
+ private static boolean isAuthFlowWithRedirectEnabled(ClientRepresentation client) {
+ return client.isStandardFlowEnabled() || client.isImplicitFlowEnabled();
+ }
+
 private void verifyPostLogoutRedirectUriUpdate(ClientRepresentation client) throws ClientPolicyException {
 List postLogoutRedirectUris = OIDCAdvancedConfigWrapper.fromClientRepresentation(client).getPostLogoutRedirectUris();
 if (postLogoutRedirectUris == null || postLogoutRedirectUris.isEmpty()) {
@@ -240,7 +250,7 @@ void verifyRedirectUri(String redirectUri, boolean isRedirectUriParam) throws Cl
 logger.debugv("URISyntaxException - input = {0}, errMessage = {1], errReason = {2}, redirectUri = {3}", e.getInput(), e.getMessage(), e.getReason(), redirectUri);
 throw invalidRedirectUri(ERR_GENERAL);
 }
-
+
 validation.validate();
 }
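Review bot: `isAuthFlowWithRedirectEnabled(ClientRepresentation)` decides from the proposed representation alone, which is fragile on the UPDATE path that now reaches `verifyRedirectUris(ClientCRUDContext)`: if the representation's flow getters return boxed `Boolean` (common for representation classes — verify against ClientRepresentation), an update that omits them unboxes null and throws NullPointerException, and if they default to false instead, an update that only changes redirectUris skips validation entirely, which is the bypass this executor exists to prevent. The null-safe form is `return Boolean.TRUE.equals(client.isStandardFlowEnabled()) || Boolean.TRUE.equals(client.isImplicitFlowEnabled());`, but for updates the helper should also consult the stored client's flow settings (the context's target ClientModel, if the context exposes it) so a flag omitted from the representation falls back to what the client currently has rather than to false. The two new `isAuthFlowWithRedirectEnabled` overloads also differ in being instance vs. static for no visible reason; making both static and heading them with `// Redirect URIs only matter for clients that use a redirect-based flow (authorization code or implicit).` would help the next reader. The switch case at the top of the hunk and executeOnEvent itself begin outside it.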