KEYCLOAK-12329 Fix linking accounts in the new Account Console

tnorimat · Dec 3, 2019 · 072cd9f · 072cd9f
1 parent 73d1a26
commit 072cd9f
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 4 deletions.
diff --git a/services/src/main/java/org/keycloak/services/resources/account/LinkedAccountsResource.java b/services/src/main/java/org/keycloak/services/resources/account/LinkedAccountsResource.java
@@ -61,6 +61,8 @@
 import org.keycloak.services.resources.Cors;
 import org.keycloak.services.validation.Validation;
 
+import static org.keycloak.models.Constants.ACCOUNT_CONSOLE_CLIENT_ID;
+
 /**
  * API for linking/unlinking social login accounts
  *
@@ -175,14 +177,16 @@ public Response buildLinkedAccountURI(@PathParam("providerId") String providerId
         try {
             String nonce = UUID.randomUUID().toString();
             MessageDigest md = MessageDigest.getInstance("SHA-256");
-            String input = nonce + auth.getSession().getId() +  client.getClientId() + providerId;
+            String input = nonce + auth.getSession().getId() +  ACCOUNT_CONSOLE_CLIENT_ID + providerId;
             byte[] check = md.digest(input.getBytes(StandardCharsets.UTF_8));
             String hash = Base64Url.encode(check);
             URI linkUri = Urls.identityProviderLinkRequest(this.session.getContext().getUri().getBaseUri(), providerId, realm.getName());
             linkUri = UriBuilder.fromUri(linkUri)
                     .queryParam("nonce", nonce)
                     .queryParam("hash", hash)
-                    .queryParam("client_id", client.getClientId())
+                    // need to use "account-console" client because IdentityBrokerService authenticates user using cookies
+                    // the regular "account" client is used only for REST calls therefore cookies authentication cannot be used
+                    .queryParam("client_id", ACCOUNT_CONSOLE_CLIENT_ID)
                     .queryParam("redirect_uri", redirectUri)
                     .build();
 

diff --git a/...ests/base/src/test/java/org/keycloak/testsuite/account/LinkedAccountsRestServiceTest.java b/...ests/base/src/test/java/org/keycloak/testsuite/account/LinkedAccountsRestServiceTest.java
@@ -42,7 +42,12 @@
 import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.testsuite.util.IdentityProviderBuilder;
 
-import static org.junit.Assert.*;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.keycloak.models.Constants.ACCOUNT_CONSOLE_CLIENT_ID;
+
 import org.junit.FixMethodOrder;
 import org.junit.runners.MethodSorters;
 import org.keycloak.representations.account.AccountLinkUriRepresentation;
@@ -162,7 +167,7 @@ public void testBuildLinkedAccountUri() throws IOException {
                     assertEquals(rep.getHash(), nvp.getValue());
                     break;
                 }
-                case "client_id" : assertEquals("account", nvp.getValue()); break;
+                case "client_id" : assertEquals(ACCOUNT_CONSOLE_CLIENT_ID, nvp.getValue()); break;
                 case "redirect_uri" : assertEquals("phonyUri", nvp.getValue());
             }
         }