Prevent frontend endpoint redirect to admin endpoint (keycloak#38464)

vmuzikar · web-flow · commit 2a0ce464719c · 2025-03-28T18:44:43.000+01:00
Closes keycloak#38463 Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java b/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
@@ -27,6 +27,7 @@
 import org.keycloak.jose.jws.JWSInput;
 import org.keycloak.jose.jws.JWSInputException;
 import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakUriInfo;
 import org.keycloak.models.RealmModel;
 import org.keycloak.protocol.oidc.TokenManager;
 import org.keycloak.representations.AccessToken;
@@ -93,14 +94,18 @@ public static UriBuilder adminBaseUrl(UriBuilder base) {
     @GET
     @Operation(hidden = true)
     public Response masterRealmAdminConsoleRedirect() {
+        String requestUrl = session.getContext().getUri().getRequestUri().toString();
+        KeycloakUriInfo adminUriInfo = session.getContext().getUri(UrlType.ADMIN);
+        String adminUrl = adminUriInfo.getBaseUri().toString();
+        String localAdminUrl = session.getContext().getUri(UrlType.LOCAL_ADMIN).getBaseUri().toString();
 
-        if (!isAdminConsoleEnabled()) {
+        if (!isAdminConsoleEnabled() || (!requestUrl.startsWith(adminUrl) && !requestUrl.startsWith(localAdminUrl))) {
             return Response.status(Response.Status.NOT_FOUND).build();
         }
 
         RealmModel master = new RealmManager(session).getKeycloakAdminstrationRealm();
         return Response.status(302).location(
-                session.getContext().getUri(UrlType.ADMIN).getBaseUriBuilder().path(AdminRoot.class).path(AdminRoot.class, "getAdminConsole").path("/").build(master.getName())
+                adminUriInfo.getBaseUriBuilder().path(AdminRoot.class).path(AdminRoot.class, "getAdminConsole").path("/").build(master.getName())
         ).build();
     }
 
diff --git a/test-framework/core/src/main/java/org/keycloak/testframework/annotations/InjectHttpClient.java b/test-framework/core/src/main/java/org/keycloak/testframework/annotations/InjectHttpClient.java
@@ -8,5 +8,5 @@
 @Retention(RetentionPolicy.RUNTIME)
 @Target(ElementType.FIELD)
 public @interface InjectHttpClient {
-
+    boolean followRedirects() default true;
 }
diff --git a/test-framework/core/src/main/java/org/keycloak/testframework/http/HttpClientSupplier.java b/test-framework/core/src/main/java/org/keycloak/testframework/http/HttpClientSupplier.java
@@ -5,7 +5,6 @@
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.keycloak.testframework.annotations.InjectHttpClient;
 import org.keycloak.testframework.injection.InstanceContext;
-import org.keycloak.testframework.injection.LifeCycle;
 import org.keycloak.testframework.injection.RequestedInstance;
 import org.keycloak.testframework.injection.Supplier;
 
@@ -15,7 +14,13 @@ public class HttpClientSupplier implements Supplier<HttpClient, InjectHttpClient
 
     @Override
     public HttpClient getValue(InstanceContext<HttpClient, InjectHttpClient> instanceContext) {
-        return HttpClientBuilder.create().build();
+        HttpClientBuilder builder = HttpClientBuilder.create();
+
+        if (!instanceContext.getAnnotation().followRedirects()) {
+            builder.disableRedirectHandling();
+        }
+
+        return builder.build();
     }
 
     @Override
@@ -27,11 +32,6 @@ public void close(InstanceContext<HttpClient, InjectHttpClient> instanceContext)
         }
     }
 
-    @Override
-    public LifeCycle getDefaultLifecycle() {
-        return LifeCycle.GLOBAL;
-    }
-
     @Override
     public boolean compatible(InstanceContext<HttpClient, InjectHttpClient> a, RequestedInstance<HttpClient, InjectHttpClient> b) {
         return true;
diff --git a/tests/base/src/test/java/org/keycloak/tests/admin/AdminRootTest.java b/tests/base/src/test/java/org/keycloak/tests/admin/AdminRootTest.java
@@ -0,0 +1,84 @@
+/*
+ * Copyright 2025 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.tests.admin;
+
+import org.apache.http.HttpResponse;
+import org.apache.http.client.HttpClient;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.util.EntityUtils;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+import org.keycloak.testframework.annotations.InjectHttpClient;
+import org.keycloak.testframework.annotations.KeycloakIntegrationTest;
+import org.keycloak.testframework.server.KeycloakServerConfig;
+import org.keycloak.testframework.server.KeycloakServerConfigBuilder;
+
+import java.util.Arrays;
+import java.util.Map;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.not;
+import static org.hamcrest.Matchers.startsWith;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+
+/**
+ * @author Vaclav Muzikar <vmuzikar@redhat.com>
+ */
+@KeycloakIntegrationTest(config = AdminRootTest.AdminUrlConfig.class)
+public class AdminRootTest {
+    // This might not be robust enough. If something made KC on a different port, this would fail.
+    private static final String HOSTNAME = "http://127.0.0.1.nip.io:8080";
+    private static final String HOSTNAME_ADMIN = "http://admin.127.0.0.1.nip.io:8080";
+    private static final String HOSTNAME_LOCAL_ADMIN = "http://localhost:8080";
+
+    @InjectHttpClient(followRedirects = false)
+    private HttpClient client;
+
+    @ParameterizedTest
+    @ValueSource(strings = {HOSTNAME_ADMIN, HOSTNAME_LOCAL_ADMIN})
+    public void testRedirect(String hostname) throws Exception {
+        HttpResponse response = client.execute(new HttpGet(hostname + "/admin"));
+
+        assertEquals(302, response.getStatusLine().getStatusCode());
+        assertThat(response.getFirstHeader("Location").getValue(), startsWith(HOSTNAME_ADMIN + "/admin/master/console"));
+    }
+
+    @Test
+    public void testNoRedirectWithFrontendUrl() throws Exception {
+        HttpResponse response = client.execute(new HttpGet(HOSTNAME + "/admin"));
+
+        assertEquals(404, response.getStatusLine().getStatusCode());
+
+        // Check for leaks of hostname-admin in headers and body
+        assertFalse(Arrays.stream(response.getAllHeaders()).anyMatch(header -> header.getValue().contains(HOSTNAME_ADMIN)));
+        assertThat(EntityUtils.toString(response.getEntity()), not(containsString(HOSTNAME_ADMIN))); // just in case of a JS redirect
+    }
+
+    public static class AdminUrlConfig implements KeycloakServerConfig {
+        @Override
+        public KeycloakServerConfigBuilder configure(KeycloakServerConfigBuilder config) {
+            return config.options(Map.of(
+                    "hostname", HOSTNAME,
+                    "hostname-admin", HOSTNAME_ADMIN
+            ));
+        }
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -8,5 +8,5 @@`
`8`	`8`	`@Retention(RetentionPolicy.RUNTIME)`
`9`	`9`	`@Target(ElementType.FIELD)`
`10`	`10`	`public @interface InjectHttpClient {`
`11`		`-`
	`11`	`+ boolean followRedirects() default true;`
`12`	`12`	`}`