Skip to content

move phishing check#48495

Merged
vmuzikar merged 2 commits intokeycloak:mainfrom
edewit:phishing-check
May 5, 2026
Merged

move phishing check#48495
vmuzikar merged 2 commits intokeycloak:mainfrom
edewit:phishing-check

Conversation

@edewit
Copy link
Copy Markdown
Contributor

@edewit edewit commented Apr 27, 2026

fixes: #48010
Signed-off-by: Erik Jan de Wit erikjan.dewit@gmail.com

@edewit edewit requested review from a team as code owners April 27, 2026 09:38
@vmuzikar
Copy link
Copy Markdown
Contributor

vmuzikar commented Apr 27, 2026

Spotless is failing.

@mabartos
Copy link
Copy Markdown
Member

mabartos commented Apr 27, 2026

@edewit JFYI - you should rebase this PR as there's no NewClientService anymore.

@shawkins
Copy link
Copy Markdown
Contributor

shawkins commented Apr 27, 2026

@edewit JFYI - you should rebase this PR as there's no NewClientService anymore.

I think it still exists unfortunately - it just needs to now be deleted.

@mabartos
Copy link
Copy Markdown
Member

mabartos commented Apr 27, 2026
edited
Loading

Oops.. it supposed to be done here:

I thought it was already done. Ok

@vmuzikar
Copy link
Copy Markdown
Contributor

vmuzikar commented Apr 27, 2026

I thought it was already done.

Me too... I was even pointing that out there in some comment but then I missed it somehow. :D

@keycloak-github-bot keycloak-github-bot Bot mentioned this pull request Apr 28, 2026
Closed
@vmuzikar
Copy link
Copy Markdown
Contributor

vmuzikar commented Apr 28, 2026

@edewit Tests seem to be failing.

shawkins
shawkins reviewed Apr 29, 2026
View reviewed changes
Comment thread rest/admin-v2/services/src/main/java/org/keycloak/rest/admin/api/client/DefaultClientApi.java Outdated
@GET
@Override
public BaseClientRepresentation getClient() {
enforceAntiPhishingIfClientMissing();
Copy link
Copy Markdown
Contributor

@shawkins shawkins Apr 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The intent of the issue was to move the check in DefaultClientsApi prior to creating DefaultClientApi - that aligns with admin api v1. We should not worry yet about the case of hitting a 403 on a PUT that performs a create as we'll eventually have direction from #47804 to address that.

This was just to be a simplification over currently having the permission check in the service layer. If / when we want to promote more general usage of the service layer and we have resolution on #47804 we could move the phishing check back.

shawkins
shawkins reviewed Apr 29, 2026
View reviewed changes
Comment thread rest/admin-v2/services/src/main/java/org/keycloak/rest/admin/api/client/DefaultClientsApi.java Outdated
@Path("{id}")
@Override
public ClientApi client(@PathParam("id") String clientId) {
if (!HttpMethod.PUT.equals(session.getContext().getHttpRequest().getHttpMethod())) {
Copy link
Copy Markdown
Contributor

@shawkins shawkins Apr 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No check for PUT is needed.

@edewit edewit force-pushed the phishing-check branch from f95a687 to 9c32453 Compare May 4, 2026 13:38
@edewit edewit force-pushed the phishing-check branch 3 times, most recently from 3fa4711 to bf7fdf1 Compare May 5, 2026 06:27
@vmuzikar vmuzikar requested a review from shawkins May 5, 2026 11:03
shawkins
shawkins approved these changes May 5, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@shawkins shawkins left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We no longer need the changes to DefaultClientApi, but that's not a blocker.

vmuzikar
vmuzikar reviewed May 5, 2026
View reviewed changes
Comment thread rest/admin-v2/services/src/main/java/org/keycloak/rest/admin/api/client/DefaultClientsApi.java
@Path("{id}")
@Override
public ClientApi client(@PathParam("id") String clientId) {
enforceAntiPhishingIfClientMissing(clientId);
Copy link
Copy Markdown
Contributor

@vmuzikar vmuzikar May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This enforces the check also for PUT which would mean PUT can't create without list permissions, right? That's not correct, AFAICT.

Copy link
Copy Markdown
Contributor

@shawkins shawkins May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See #48495 (comment)

Copy link
Copy Markdown
Contributor

@vmuzikar vmuzikar May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, it will get resolved later by #47804. It's not ideal but I agree we don't need to create workarounds for that, especially when v1 has the same issue.

LGTM then.

@vmuzikar vmuzikar enabled auto-merge (squash) May 5, 2026 11:22
edewit and others added 2 commits May 5, 2026 13:23
@edewit @vmuzikar
move phishing check
972678d 
fixes: keycloak#48010
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
@shawkins @vmuzikar
Apply suggestion from @shawkins
8d722b5 
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
@vmuzikar vmuzikar merged commit bebdaee into keycloak:main May 5, 2026
85 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@shawkins shawkins shawkins approved these changes

@vmuzikar vmuzikar vmuzikar approved these changes

Assignees

No one assigned

Labels

flaky-test team/cloud-native

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Move the phishing check to the REST layer

4 participants

@edewit @vmuzikar @mabartos @shawkins