[OID4VCI-FAPI2] Pass fapi2-security-profile-final-par-ensure-reused-request-uri-prior-to-auth-completion-succeeds#50126
Open
tdiesler wants to merge 1 commit into
Conversation
…equest-uri-prior-to-auth-completion-succeeds closes keycloak#48072 Signed-off-by: Thomas Diesler <tdiesler@proton.me>
Contributor
Pull request overview
Adjusts Keycloak’s PAR (request_uri) handling to align with FAPI2 Security Profile guidance that one-time use of request_uri should be enforced at authorization completion (not merely on visiting the authorization endpoint), enabling conformance test fapi2-security-profile-final-par-ensure-reused-request-uri-prior-to-auth-completion-succeeds.
Changes:
- Stop consuming/removing PAR request objects when first parsing `request_uri` at the authorization endpoint; defer removal until authentication/authorization completes.
- Persist the `request_uri` in the authentication session so it can be consumed later.
- Add a new `Details.REQUEST_URI` constant for reuse as an auth-note key.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| services/src/main/java/org/keycloak/protocol/oidc/par/endpoints/request/AuthzEndpointParParser.java | Switches PAR request retrieval from “remove on read” to “get on read”; adjusts removal API. |
| services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java | Stores request_uri as an auth note for later post-auth consumption. |
| services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java | Removes PAR request object at authentication completion (authorization-time). |
| server-spi-private/src/main/java/org/keycloak/events/Details.java | Adds REQUEST_URI constant. |
Comment on lines +1253 to +1257
| Response response = AuthenticationManager.finishedRequiredActions(session, authenticationSession, userSession, connection, request, uriInfo, event); | ||
|
|
||
| // Authorization servers that enforce one-time use of request_uri values do so at the point of authorization, | ||
| // not at the point of visiting the authorization endpoint | ||
| String requestUri = authenticationSession.getAuthNote(Details.REQUEST_URI); |
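Review bot: the `Details.REQUEST_URI` auth note is read unconditionally after `finishedRequiredActions`, so every login flow reaches this point, including ones that never carried a `request_uri`; the removal that follows must guard on `requestUri != null` before calling the PAR removal, and once the object has been consumed the note should be cleared with `authenticationSession.removeAuthNote(Details.REQUEST_URI)` so that re-entering this path does not attempt a second removal.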
Comment on lines +116 to 119
| public static void removeRequestObject(KeycloakSession session, String requestUri) { | ||
| String key = getRequestObjectKey(requestUri); | ||
| return session.singleUseObjects().remove(CACHE_KEY_PREFIX + key); | ||
| session.singleUseObjects().remove(CACHE_KEY_PREFIX + key); | ||
| } |
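Review bot: making `removeRequestObject` return `void` discards the result of `session.singleUseObjects().remove(...)`, which is the only signal that the request object was still present when authorization completed. Now that removal is deferred, that result is what distinguishes a first-time consumption from a `request_uri` whose object is already gone, so keep returning it to the caller (or at least log when the object is absent) instead of swallowing it.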
Comment on lines 401 to 406
| this.event.event(EventType.LOGIN); | ||
| authenticationSession.setAuthNote(Details.AUTH_TYPE, CODE_AUTH_TYPE); | ||
| authenticationSession.setAuthNote(Details.REQUEST_URI, requestUriParam); | ||
|
|
||
| RequestUriType requestUriType = Optional.ofNullable(requestUriParam) | ||
| .map(AuthorizationEndpointRequestParserProcessor::getRequestUriType) |
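Review bot: `setAuthNote(Details.REQUEST_URI, requestUriParam)` runs before `requestUriType` is derived, so the note is written for every request, including those with no `request_uri` (null value) and those whose `request_uri` resolves to a non-PAR type. Move the `setAuthNote` call after the `RequestUriType` check and store the value only when the type is PAR, so that the completion-time removal is attempted only for objects that actually live in the PAR single-use store.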
Comment on lines 1248 to +1250
| if (nextRequiredAction != null) { | ||
| return AuthenticationManager.redirectToRequiredActions(session, realm, authenticationSession, uriInfo, nextRequiredAction); | ||
| Response response = AuthenticationManager.redirectToRequiredActions(session, realm, authenticationSession, uriInfo, nextRequiredAction); | ||
| return response; |
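Review bot: introducing `Response response` here and returning it on the next line is a no-op as shown, since nothing touches the variable between the assignment and the return; keep the original direct `return` unless something is meant to happen to the response first. Note that this path exits at line 1250, before the `request_uri` consumption at lines 1253 onwards, which is consistent with the deferred-removal intent (a pending required action means authorization is not yet complete) but deserves a comment if that is deliberate.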
closes #48072