Fix account console for usage with secure-session client-policy (#37447)

Fixes #37447 Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com> (cherry picked from commit a4654167328842a4a5659468e2659c8478101b59) Co-authored-by: mposolda <mposolda@gmail.com>
2026-01-10 15:32:05 -03:30 · 2025-03-27 00:26:36 +01:00 · 2025-03-27 00:26:36 +01:00 · 917bc694ed
commit 917bc694ed
parent 6007dc959b
3 changed files with 35 additions and 7 deletions
--- a/services/src/main/java/org/keycloak/services/resources/account/AccountConsole.java
+++ b/services/src/main/java/org/keycloak/services/resources/account/AccountConsole.java
@ -266,6 +266,9 @@ public class AccountConsole implements AccountResourceProvider {
        UriBuilder uriBuilder = UriBuilder.fromUri(OIDCLoginProtocolService.authUrl(session.getContext().getUri()).build(realm.getName()).toString())
                .queryParam(OAuth2Constants.CLIENT_ID, Constants.ACCOUNT_CONSOLE_CLIENT_ID)
                .queryParam(OAuth2Constants.REDIRECT_URI, targetUri)
+                // dummy state param to make it usable with secure-session client policy.
+                // Once bootstrapped the account-console frontend will send the actual state with the authorize request.
+                .queryParam(OAuth2Constants.STATE, UUID.randomUUID().toString())
                .queryParam(OAuth2Constants.RESPONSE_TYPE, OAuth2Constants.CODE)
                .queryParam(OAuth2Constants.CODE_CHALLENGE, pkceChallenge)
                .queryParam(OAuth2Constants.CODE_CHALLENGE_METHOD, OAuth2Constants.PKCE_METHOD_S256);
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/TermsAndConditionsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/TermsAndConditionsTest.java
@ -186,14 +186,8 @@ public class TermsAndConditionsTest extends AbstractChangeImportedUserPasswordsT
            assertNull("expected null for terms acceptance user attribute " + TermsAndConditions.USER_ATTRIBUTE,
                    attributes.get(TermsAndConditions.USER_ATTRIBUTE));
        }
-        assertThat(DroneUtils.getCurrentDriver().getTitle(), equalTo("Account Management"));
-        Assert.assertTrue(DroneUtils.getCurrentDriver().getPageSource().contains("You need to accept the Terms and Conditions to continue"));
-        Assert.assertFalse(DroneUtils.getCurrentDriver().getPageSource().contains("An unexpected error occurred"));
-
-        WebElement tryAgainButton = DroneUtils.getCurrentDriver().findElement(By.tagName("button"));
-        assertThat(tryAgainButton.getText(), equalTo("Try again"));
-        UIUtils.click(tryAgainButton);

+        // Redirect error to account-console, which starts authentication again
        loginPage.assertCurrent();
    }

--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/ClientPoliciesExecutorTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/ClientPoliciesExecutorTest.java
@ -102,6 +102,7 @@ import org.keycloak.testsuite.admin.ApiUtil;
 import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
 import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
 import org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource;
+import org.keycloak.testsuite.pages.AppPage;
 import org.keycloak.testsuite.pages.ErrorPage;
 import org.keycloak.testsuite.pages.LogoutConfirmPage;
 import org.keycloak.testsuite.pages.OAuth2DeviceVerificationPage;
@ -135,6 +136,9 @@ public class ClientPoliciesExecutorTest extends AbstractClientPoliciesTest {
    @Page
    protected OAuthGrantPage grantPage;

+    @Page
+    protected AppPage appPage;
+
    @Page
    protected ErrorPage errorPage;

@ -917,6 +921,33 @@ public class ClientPoliciesExecutorTest extends AbstractClientPoliciesTest {
        successfulLoginAndLogout(clientBetaId, clientBetaSecret, "somenonce", "somestate");
    }

+    // GH issue 37447
+    @Test
+    public void testSecureSessionEnforceExecutorWithAccountConsole() throws Exception {
+        // register profiles
+        String json = (new ClientProfilesBuilder()).addProfile(
+                (new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forste Profilen")
+                        .addExecutor(SecureSessionEnforceExecutorFactory.PROVIDER_ID, null)
+                        .toRepresentation()
+        ).toString();
+        updateProfiles(json);
+
+        // register policies
+        json = (new ClientPoliciesBuilder()).addPolicy(
+                (new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Den Forste Politikken", Boolean.TRUE)
+                        .addCondition(AnyClientConditionFactory.PROVIDER_ID,
+                                createAnyClientConditionConfig())
+                        .addProfile(PROFILE_NAME)
+                        .toRepresentation()
+        ).toString();
+        updatePolicies(json);
+
+        // Test account-console is loaded successfully when "secure-session-enforce" executor is present
+        appPage.open();
+        appPage.openAccount();
+        loginPage.assertCurrent();
+    }
+
    @Test
    public void testSecureSigningAlgorithmEnforceExecutor() throws Exception {
        // register profiles