Base64Url encode the issuer when binding the session and subject for …
…brokered users

Signed-off-by: Pedro Igor <[email protected]>
pedroigor committed Sep 2, 2024
1 parent 028732a commit a696e5e
Showing 2 changed files with 9 additions and 5 deletions.
Expand Up @@ -531,7 +531,7 @@ protected BrokeredIdentityContext extractIdentity(AccessTokenResponse tokenRespo

identity.setEmail(email);

identity.setBrokerUserId(issuer + "." + id);
identity.setBrokerUserId(Base64Url.encode(issuer.getBytes(StandardCharsets.UTF_8)) + "." + id);

if (preferredUsername == null) {
preferredUsername = email;
Expand All @@ -543,7 +543,7 @@ protected BrokeredIdentityContext extractIdentity(AccessTokenResponse tokenRespo

identity.setUsername(preferredUsername);
if (tokenResponse != null && tokenResponse.getSessionState() != null) {
identity.setBrokerSessionId(issuer + "." + tokenResponse.getSessionState());
identity.setBrokerSessionId(Base64Url.encode(issuer.getBytes(StandardCharsets.UTF_8)) + "." + tokenResponse.getSessionState());
}
if (tokenResponse != null) identity.getContextData().put(FEDERATED_ACCESS_TOKEN_RESPONSE, tokenResponse);
if (tokenResponse != null) processAccessTokenResponse(identity, tokenResponse);
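Review bot: The new `Base64Url.encode(issuer.getBytes(StandardCharsets.UTF_8))` is spelled out twice in this method and a third time as `issuerBase64` in backchannelLogout, and nothing in the hunk records why the issuer is encoded at all; because the back-channel logout lookup only matches while the producing and consuming sides encode identically, one helper on the provider should own the expression, e.g. `private static String encodeIssuer(String issuer) { return Base64Url.encode(issuer.getBytes(StandardCharsets.UTF_8)); }`, with the comment `// issuer is normally a URL and so contains '.', the delimiter of the composite broker id; the base64url alphabet has no '.', so the first '.' now splits issuer from subject/session id unambiguously`. Presumably user sessions created before this change still carry the broker notes in the old `issuer.id` form, so a logout token arriving after the upgrade would not match them until they expire; if so, that is worth a sentence in the commit message. extractIdentity starts and ends outside the hunk.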
Expand Up @@ -23,6 +23,7 @@

import org.jboss.logging.Logger;
import org.jboss.resteasy.reactive.NoCache;
import org.keycloak.common.util.Base64Url;
import org.keycloak.http.HttpRequest;
import org.keycloak.OAuth2Constants;
import org.keycloak.OAuthErrorException;
Expand Down Expand Up @@ -74,6 +75,7 @@
import org.keycloak.sessions.RootAuthenticationSessionModel;
import org.keycloak.util.TokenUtil;

import java.nio.charset.StandardCharsets;
import java.util.concurrent.atomic.AtomicReference;
import java.util.stream.Collectors;
import java.util.stream.Stream;
Expand Down Expand Up @@ -569,11 +571,13 @@ public Response backchannelLogout() {

BackchannelLogoutResponse backchannelLogoutResponse;

String issuerBase64 = Base64Url.encode(logoutToken.getIssuer().getBytes(StandardCharsets.UTF_8));

if (logoutToken.getSid() != null) {
backchannelLogoutResponse = backchannelLogoutWithSessionId(logoutToken.getIssuer() + "." + logoutToken.getSid(),
logoutOfflineSessions, logoutToken.getIssuer() + "." + logoutToken.getSubject());
backchannelLogoutResponse = backchannelLogoutWithSessionId(issuerBase64 + "." + logoutToken.getSid(),
logoutOfflineSessions, issuerBase64 + "." + logoutToken.getSubject());
} else {
backchannelLogoutResponse = backchannelLogoutFederatedUserId(logoutToken.getIssuer() + "." + logoutToken.getSubject(),
backchannelLogoutResponse = backchannelLogoutFederatedUserId(issuerBase64 + "." + logoutToken.getSubject(),
logoutOfflineSessions);
}

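Review bot: `logoutToken.getIssuer().getBytes(StandardCharsets.UTF_8)` on the new `issuerBase64` line dereferences the issuer unconditionally, where the replaced concatenations would have turned a missing `iss` into the string `null.` and simply found no session; it is now a NullPointerException, i.e. an unhandled 500 instead of a clean rejection of the logout token. If the token has already been checked against the provider's configured issuer earlier in backchannelLogout (its start is outside the hunk), that cannot happen and a comment such as `// issuer already validated against the configured issuer above` would make the dereference obviously safe; otherwise reject the token with the same error response that validation uses before computing `issuerBase64`.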
