KEYCLOAK-5234 (#4585)

services/src/main/java/org/keycloak/forms/account/freemarker/model/AccountFederatedIdentityBean.java

@@ -46,7 +46,6 @@ public class AccountFederatedIdentityBean {
 
     public AccountFederatedIdentityBean(KeycloakSession session, RealmModel realm, UserModel user, URI baseUri, String stateChecker) {
         this.session = session;
-        URI accountIdentityUpdateUri = Urls.accountFederatedIdentityUpdate(baseUri, realm.getName());
 
         List<IdentityProviderModel> identityProviders = realm.getIdentityProviders();
         Set<FederatedIdentityModel> identities = session.users().getFederatedIdentities(user, realm);
@@ -63,15 +62,8 @@ public AccountFederatedIdentityBean(KeycloakSession session, RealmModel realm, U
                     availableIdentities++;
                 }
 
-                String action = identity != null ? "remove" : "add";
-                String actionUrl = UriBuilder.fromUri(accountIdentityUpdateUri)
-                        .queryParam("action", action)
-                        .queryParam("provider_id", providerId)
-                        .queryParam("stateChecker", stateChecker)
-                        .build().toString();
-
                 String displayName = KeycloakModelUtils.getIdentityProviderDisplayName(session, provider);
-                FederatedIdentityEntry entry = new FederatedIdentityEntry(identity, displayName, provider.getAlias(), provider.getAlias(), actionUrl,
+                FederatedIdentityEntry entry = new FederatedIdentityEntry(identity, displayName, provider.getAlias(), provider.getAlias(),
                 		  															provider.getConfig() != null ? provider.getConfig().get("guiOrder") : null);
                 orderedSet.add(entry);
             }
@@ -105,17 +97,15 @@ public class FederatedIdentityEntry {
         private FederatedIdentityModel federatedIdentityModel;
         private final String providerId;
 		private final String providerName;
-        private final String actionUrl;
         private final String guiOrder;
         private final String displayName;
 
         public FederatedIdentityEntry(FederatedIdentityModel federatedIdentityModel, String displayName, String providerId,
-                                      String providerName, String actionUrl, String guiOrder) {
+                                      String providerName, String guiOrder) {
             this.federatedIdentityModel = federatedIdentityModel;
             this.displayName = displayName;
             this.providerId = providerId;
             this.providerName = providerName;
-            this.actionUrl = actionUrl;
             this.guiOrder = guiOrder;
         }
 
@@ -139,10 +129,6 @@ public boolean isConnected() {
             return federatedIdentityModel != null;
         }
 
-        public String getActionUrl() {
-            return actionUrl;
-        }
-
         public String getGuiOrder() {
             return guiOrder;
         }
@@ -186,4 +172,4 @@ private int parseOrder(FederatedIdentityEntry ip) {
 			return 10000;
 		}
 	}
-}
+}

services/src/main/java/org/keycloak/forms/account/freemarker/model/UrlBean.java

@@ -33,15 +33,13 @@ public class UrlBean {
     private URI baseURI;
     private URI baseQueryURI;
     private URI currentURI;
-    private String stateChecker;
 
     public UrlBean(RealmModel realm, Theme theme, URI baseURI, URI baseQueryURI, URI currentURI, String stateChecker) {
         this.realm = realm.getName();
         this.theme = theme;
         this.baseURI = baseURI;
         this.baseQueryURI = baseQueryURI;
         this.currentURI = currentURI;
-        this.stateChecker = stateChecker;
     }
 
     public String getApplicationsUrl() {
@@ -73,15 +71,15 @@ public String getSessionsUrl() {
     }
 
     public String getSessionsLogoutUrl() {
-        return Urls.accountSessionsLogoutPage(baseQueryURI, realm, stateChecker).toString();
+        return Urls.accountSessionsLogoutPage(baseQueryURI, realm).toString();
     }
 
     public String getRevokeClientUrl() {
         return Urls.accountRevokeClientPage(baseQueryURI, realm).toString();
     }
 
     public String getTotpRemoveUrl() {
-        return Urls.accountTotpRemove(baseQueryURI, realm, stateChecker).toString();
+        return Urls.accountTotpRemove(baseQueryURI, realm).toString();
     }
 
     public String getLogoutUrl() {

services/src/main/java/org/keycloak/services/Urls.java

@@ -126,9 +126,8 @@ public static URI accountTotpPage(URI baseUri, String realmName) {
         return accountBase(baseUri).path(AccountFormService.class, "totpPage").build(realmName);
     }
 
-    public static URI accountTotpRemove(URI baseUri, String realmName, String stateChecker) {
+    public static URI accountTotpRemove(URI baseUri, String realmName) {
         return accountBase(baseUri).path(AccountFormService.class, "processTotpRemove")
-                .queryParam("stateChecker", stateChecker)
                 .build(realmName);
     }
 
@@ -140,9 +139,8 @@ public static URI accountSessionsPage(URI baseUri, String realmName) {
         return accountBase(baseUri).path(AccountFormService.class, "sessionsPage").build(realmName);
     }
 
-    public static URI accountSessionsLogoutPage(URI baseUri, String realmName, String stateChecker) {
+    public static URI accountSessionsLogoutPage(URI baseUri, String realmName) {
         return accountBase(baseUri).path(AccountFormService.class, "processSessionsLogout")
-                .queryParam("stateChecker", stateChecker)
                 .build(realmName);
     }
 

services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java

@@ -572,6 +572,11 @@ public static String getRealmCookiePath(RealmModel realm, UriInfo uriInfo) {
         return uri.getRawPath();
     }
 
+    public static String getAccountCookiePath(RealmModel realm, UriInfo uriInfo) {
+        URI uri = RealmsResource.accountUrl(uriInfo.getBaseUriBuilder()).build(realm.getName());
+        return uri.getRawPath();
+    }
+
     public static void expireCookie(RealmModel realm, String cookieName, String path, boolean httpOnly, ClientConnection connection) {
         logger.debugv("Expiring cookie: {0} path: {1}", cookieName, path);
         boolean secureOnly = realm.getSslRequired().isRequired(connection);;

services/src/main/java/org/keycloak/services/resources/AbstractSecuredLocalService.java

@@ -24,14 +24,12 @@
 import org.keycloak.common.ClientConnection;
 import org.keycloak.common.util.Base64Url;
 import org.keycloak.common.util.KeycloakUriBuilder;
-import org.keycloak.common.util.UriUtils;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
 import org.keycloak.services.ForbiddenException;
-import org.keycloak.services.managers.AppAuthManager;
 import org.keycloak.services.managers.Auth;
 import org.keycloak.services.managers.AuthenticationManager;
 import org.keycloak.services.util.CookieHelper;
@@ -130,14 +128,20 @@ public Response loginRedirect(@QueryParam("code") String code,
     }
 
     protected void updateCsrfChecks() {
-        Cookie cookie = headers.getCookies().get(KEYCLOAK_STATE_CHECKER);
-        if (cookie != null) {
-            stateChecker = cookie.getValue();
-        } else {
+        stateChecker = getStateChecker();
+        if (stateChecker == null) {
             stateChecker = Base64Url.encode(KeycloakModelUtils.generateSecret());
-            String cookiePath = AuthenticationManager.getRealmCookiePath(realm, uriInfo);
+
+            StringBuilder sb = new StringBuilder();
+            sb.append(auth.getSession().getId());
+            sb.append("/");
+            sb.append(stateChecker);
+
+            String sessionCookieValue = sb.toString();
+
+            String cookiePath = AuthenticationManager.getAccountCookiePath(realm, uriInfo);
             boolean secureOnly = realm.getSslRequired().isRequired(clientConnection);
-            CookieHelper.addCookie(KEYCLOAK_STATE_CHECKER, stateChecker, cookiePath, null, null, -1, secureOnly, true);
+            CookieHelper.addCookie(KEYCLOAK_STATE_CHECKER, sessionCookieValue, cookiePath, null, null, -1, secureOnly, true);
         }
     }
 
@@ -149,25 +153,27 @@ protected void updateCsrfChecks() {
      * @param formData
      */
     protected void csrfCheck(final MultivaluedMap<String, String> formData) {
-        if (!auth.isCookieAuthenticated()) return;
         String stateChecker = formData.getFirst("stateChecker");
-        if (!this.stateChecker.equals(stateChecker)) {
+        if (stateChecker == null || !stateChecker.equals(getStateChecker())) {
             throw new ForbiddenException();
         }
-
     }
 
-    /**
-     * Check to see if form post has sessionId hidden field and match it against the session id.
-     *
-     */
-    protected void csrfCheck(String stateChecker) {
-        if (!auth.isCookieAuthenticated()) return;
-        if (auth.getSession() == null) return;
-        if (!this.stateChecker.equals(stateChecker)) {
-            throw new ForbiddenException();
+    protected String getStateChecker() {
+        Cookie cookie = headers.getCookies().get(KEYCLOAK_STATE_CHECKER);
+        if (cookie != null) {
+            stateChecker = cookie.getValue();
+            String[] s = stateChecker.split("/");
+            if (s.length == 2) {
+                String sessionId = s[0];
+                String stateChecker = s[1];
+
+                if (auth.getSession().getId().equals(sessionId)) {
+                    return stateChecker;
+                }
+            }
         }
-
+        return null;
     }
 
     protected abstract URI getBaseRedirectUri();

services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java

@@ -44,6 +44,7 @@
 import org.keycloak.models.UserSessionModel;
 import org.keycloak.models.utils.CredentialValidation;
 import org.keycloak.models.utils.FormMessage;
+import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.protocol.oidc.utils.RedirectUtils;
 import org.keycloak.services.ForbiddenException;
 import org.keycloak.services.ServicesLogger;
@@ -343,15 +344,15 @@ public Response processAccountUpdate(final MultivaluedMap<String, String> formDa
     }
 
     @Path("totp-remove")
-    @GET
-    public Response processTotpRemove(@QueryParam("stateChecker") String stateChecker) {
+    @POST
+    public Response processTotpRemove(final MultivaluedMap<String, String> formData) {
         if (auth == null) {
             return login("totp");
         }
 
         auth.require(AccountRoles.MANAGE_ACCOUNT);
 
-        csrfCheck(stateChecker);
+        csrfCheck(formData);
 
         UserModel user = auth.getUser();
         session.userCredentialManager().disableCredentialType(realm, user, CredentialModel.OTP);
@@ -364,14 +365,14 @@ public Response processTotpRemove(@QueryParam("stateChecker") String stateChecke
 
 
     @Path("sessions-logout")
-    @GET
-    public Response processSessionsLogout(@QueryParam("stateChecker") String stateChecker) {
+    @POST
+    public Response processSessionsLogout(final MultivaluedMap<String, String> formData) {
         if (auth == null) {
             return login("sessions");
         }
 
         auth.require(AccountRoles.MANAGE_ACCOUNT);
-        csrfCheck(stateChecker);
+        csrfCheck(formData);
 
         UserModel user = auth.getUser();
 
@@ -588,19 +589,21 @@ public Response processPasswordUpdate(final MultivaluedMap<String, String> formD
         return account.setPasswordSet(true).setSuccess(Messages.ACCOUNT_PASSWORD_UPDATED).createResponse(AccountPages.PASSWORD);
     }
 
-    @Path("federated-identity-update")
-    @GET
-    public Response processFederatedIdentityUpdate(@QueryParam("action") String action,
-                                                   @QueryParam("provider_id") String providerId,
-                                                   @QueryParam("stateChecker") String stateChecker) {
+    @Path("identity")
+    @POST
+    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
+    public Response processFederatedIdentityUpdate(final MultivaluedMap<String, String> formData) {
         if (auth == null) {
             return login("identity");
         }
 
         auth.require(AccountRoles.MANAGE_ACCOUNT);
-        csrfCheck(stateChecker);
+        csrfCheck(formData);
         UserModel user = auth.getUser();
 
+        String action = formData.getFirst("action");
+        String providerId = formData.getFirst("providerId");
+
         if (Validation.isEmpty(providerId)) {
             setReferrerOnPage();
             return account.setError(Messages.MISSING_IDENTITY_PROVIDER).createResponse(AccountPages.FEDERATED_IDENTITY);

testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/AccountFederatedIdentityPage.java

@@ -22,6 +22,9 @@
 import org.openqa.selenium.WebElement;
 import org.openqa.selenium.support.FindBy;
 
+import java.util.LinkedList;
+import java.util.List;
+
 /**
  * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
  */
@@ -50,26 +53,72 @@ public String getPath() {
     public boolean isCurrent() {
         return driver.getTitle().contains("Account Management") && driver.getPageSource().contains("Federated Identities");
     }
-
-    public WebElement findAddProviderButton(String alias) {
-        return driver.findElement(By.id("add-" + alias));
+
+    public List<FederatedIdentity> getIdentities() {
+        List<FederatedIdentity> identities = new LinkedList<>();
+        WebElement identitiesElement = driver.findElement(By.id("federated-identities"));
+        for (WebElement i : identitiesElement.findElements(By.className("row"))) {
+
+            String providerId = i.findElement(By.tagName("label")).getText();
+            String subject = i.findElement(By.tagName("input")).getAttribute("value");
+            WebElement button = i.findElement(By.tagName("button"));
+
+            identities.add(new FederatedIdentity(providerId, subject, button));
+        }
+        return identities;
     }
-    
-    public WebElement findRemoveProviderButton(String alias) {
-        return driver.findElement(By.id("remove-" + alias));
+
+    public WebElement findAddProvider(String providerId) {
+        return driver.findElement(By.id("add-link-" + providerId));
     }
 
-    public void clickAddProvider(String alias) {
-        WebElement addButton = findAddProviderButton(alias);
-        addButton.click();
+    public void clickAddProvider(String providerId) {
+        findAddProvider(providerId).click();
     }
 
-    public void clickRemoveProvider(String alias) {
-        WebElement addButton = findRemoveProviderButton(alias);
-        addButton.click();
+    public void clickRemoveProvider(String providerId) {
+        driver.findElement(By.id("remove-link-" + providerId)).click();
     }
 
     public String getError() {
         return errorMessage.getText();
     }
+
+    public static class FederatedIdentity {
+
+        private String providerId;
+        private String subject;
+        private WebElement action;
+
+        public FederatedIdentity(String providerId, String subject, WebElement action) {
+            this.providerId = providerId;
+            this.subject = subject;
+            this.action = action;
+        }
+
+        public String getProvider() {
+            return providerId;
+        }
+
+        public void setProviderId(String providerId) {
+            this.providerId = providerId;
+        }
+
+        public String getSubject() {
+            return subject;
+        }
+
+        public void setSubject(String subject) {
+            this.subject = subject;
+        }
+
+        public WebElement getAction() {
+            return action;
+        }
+
+        public void setAction(WebElement action) {
+            this.action = action;
+        }
+    }
+
 }