Strip 'iss' query param from the redirect URL for Keycloak auth flow (#…

…3859) (cherry picked from commit a27c8f0) (cherry picked from commit 68cf3a3)
3scale · Aug 28, 2024 · 5749f2d · 5749f2d
1 parent 240ab50
commit 5749f2d
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 7 deletions.
diff --git a/app/lib/three_scale/oauth2/keycloak_client.rb b/app/lib/three_scale/oauth2/keycloak_client.rb
@@ -51,7 +51,7 @@ def scopes
 
       class RedirectUri
 
-        NOT_ALLOWED_PARAMS = %w[code].freeze
+        NOT_ALLOWED_PARAMS = %w[code iss].freeze
 
         def self.call(request)
           new(request).call

diff --git a/app/lib/three_scale/oauth2/redhat_customer_portal_client.rb b/app/lib/three_scale/oauth2/redhat_customer_portal_client.rb
@@ -66,7 +66,7 @@ def access_token_error_data
 
       class RedirectUri < ThreeScale::OAuth2::ClientBase::CallbackUrl
 
-        PARAMS_NOT_ALLOWED = %i[code action controller].freeze
+        PARAMS_NOT_ALLOWED = %i[code action controller iss].freeze
 
         def self.call(client, request)
           new(client, request).call

diff --git a/test/unit/three_scale/oauth2/keycloak_client_test.rb b/test/unit/three_scale/oauth2/keycloak_client_test.rb
@@ -25,13 +25,14 @@ class ThreeScale::OAuth2::KeycloakClientTest < ActiveSupport::TestCase
   end
 
   test '#authenticate_options' do
+    query_string = 'foo=bar&code=123456&iss=http%3A%2F%2Fkeycloak.example.com%2Frealms%2Ftest'
     env = {
       'HTTP_HOST' => 'example.net',
-      'QUERY_STRING' => 'foo=bar&code=123456',
+      'QUERY_STRING' => query_string,
       'PATH_INFO' => '/path'
     }
     request = ActionDispatch::TestRequest.create env
-    request.request_uri = 'http://example.net/path?foo=bar&code=123456'
+    request.request_uri = "http://example.net/path?#{query_string}"
 
     options = @oauth2.authenticate_options(request)
 

diff --git a/test/unit/three_scale/oauth2/redhat_customer_portal_client_test.rb b/test/unit/three_scale/oauth2/redhat_customer_portal_client_test.rb
@@ -4,6 +4,7 @@
 
 class ThreeScale::OAuth2::RedhatCustomerPortalClientTest < ActiveSupport::TestCase
   setup do
+    @master_account = FactoryBot.create(:master_account)
     @authentication_provider = FactoryBot.build_stubbed(:authentication_provider)
     @authentication = ThreeScale::OAuth2::Client.build_authentication(@authentication_provider)
     @oauth2 = ThreeScale::OAuth2::RedhatCustomerPortalClient.new(@authentication)
@@ -25,9 +26,19 @@ class ThreeScale::OAuth2::RedhatCustomerPortalClientTest < ActiveSupport::TestCa
   end
 
   test '#authenticate_options' do
-    request = ActionDispatch::TestRequest.create
-    ThreeScale::OAuth2::RedhatCustomerPortalClient::RedirectUri.expects(:call).with(@oauth2, request)
-    @oauth2.authenticate_options(request)
+    domain = 'example.net'
+    query_string = 'session_state=foobar&code=123456&iss=http%3A%2F%2Fkeycloak.example.com%2Frealms%2Ftest'
+    env = {
+      'HTTP_HOST' => domain,
+      'QUERY_STRING' => query_string,
+      'PATH_INFO' => '/path'
+    }
+    request = ActionDispatch::TestRequest.create env
+    request.request_uri = "http://example.net/path?#{query_string}"
+
+    options = @oauth2.authenticate_options(request)
+
+    assert_equal({ redirect_uri: "http://#{@master_account.self_domain}/auth/#{@authentication_provider.system_name}/callback?self_domain=#{domain}&session_state=foobar" }, options)
   end
 
   test '#user_data' do