From e86bf1f0b231e112e11aa75e4ba2c2189e1fb60d Mon Sep 17 00:00:00 2001
From: Jon Koops
Date: Tue, 19 Sep 2023 11:49:40 +0200
Subject: [PATCH] Remove `P3P` header from authentication flow

Closes #23348
---
 .../protocol/oidc/endpoints/IframeUtil.java | 2 --
 .../managers/AuthenticationManager.java | 2 --
 .../org/keycloak/services/util/P3PHelper.java | 35 -------------------
 .../oauth/LoginStatusIframeEndpointTest.java | 3 --
 4 files changed, 42 deletions(-)
 delete mode 100644 services/src/main/java/org/keycloak/services/util/P3PHelper.java

diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/IframeUtil.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/IframeUtil.java
index 93755270f99..e38fc94cc47 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/IframeUtil.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/IframeUtil.java
@@ -21,7 +21,6 @@ import org.keycloak.common.Version;
 import org.keycloak.headers.SecurityHeadersProvider;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.services.util.CacheControlUtil;
-import org.keycloak.services.util.P3PHelper;
 
 import jakarta.ws.rs.core.CacheControl;
 import jakarta.ws.rs.core.Response;
@@ -41,7 +40,6 @@ public class IframeUtil {
 InputStream resource = IframeUtil.class.getResourceAsStream(fileName);
 
 if (resource != null) {
- P3PHelper.addP3PHeader(session);
 session.getProvider(SecurityHeadersProvider.class).options().allowAnyFrameAncestor();
 return Response.ok(resource).cacheControl(cacheControl).build();
 } else {
diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
index 126da54103a..91a7569c986 100755
--- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
@@ -84,7 +84,6 @@ import org.keycloak.services.resources.LoginActionsService;
 import org.keycloak.services.resources.RealmsResource;
 import org.keycloak.services.util.AuthorizationContextUtil;
 import org.keycloak.services.util.CookieHelper;
-import org.keycloak.services.util.P3PHelper;
 import org.keycloak.sessions.AuthenticationSessionModel;
 import org.keycloak.sessions.CommonClientSessionModel;
 import org.keycloak.sessions.RootAuthenticationSessionModel;
@@ -800,7 +799,6 @@ public class AuthenticationManager {
 // Max age should be set to the max lifespan of the session as it's used to invalidate old-sessions on re-login
 int sessionCookieMaxAge = session.isRememberMe() && realm.getSsoSessionMaxLifespanRememberMe() > 0 ? realm.getSsoSessionMaxLifespanRememberMe() : realm.getSsoSessionMaxLifespan();
 CookieHelper.addCookie(KEYCLOAK_SESSION_COOKIE, sessionCookieValue, cookiePath, null, null, sessionCookieMaxAge, secureOnly, false, SameSiteAttributeValue.NONE, keycloakSession);
- P3PHelper.addP3PHeader(keycloakSession);
 }
 
 public static void createRememberMeCookie(String username, UriInfo uriInfo, KeycloakSession session) {
diff --git a/services/src/main/java/org/keycloak/services/util/P3PHelper.java b/services/src/main/java/org/keycloak/services/util/P3PHelper.java
deleted file mode 100644
index 9a978d52232..00000000000
--- a/services/src/main/java/org/keycloak/services/util/P3PHelper.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright 2016 Red Hat, Inc. and/or its affiliates
- * and other contributors as indicated by the @author tags.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.keycloak.services.util;
-
-import org.keycloak.http.HttpResponse;
-import org.keycloak.models.KeycloakSession;
-
-/**
- * IE requires P3P header to allow loading cookies from iframes when domain differs from main page (see KEYCLOAK-2828 for more details)
- *
- * @author Stian Thorgersen
- */
-public class P3PHelper {
-
- public static void addP3PHeader(KeycloakSession session) {
- HttpResponse response = session.getContext().getHttpResponse();
- response.setHeader("P3P", "CP=\"This is not a P3P policy!\"");
- }
-
-}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/LoginStatusIframeEndpointTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/LoginStatusIframeEndpointTest.java
index 82cb2942b8b..86298bee50c 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/LoginStatusIframeEndpointTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/LoginStatusIframeEndpointTest.java
@@ -88,8 +88,6 @@ public class LoginStatusIframeEndpointTest extends AbstractKeycloakTest {
 
 response = client.execute(post);
 
- assertEquals("CP=\"This is not a P3P policy!\"", response.getFirstHeader("P3P").getValue());
-
 Header setIdentityCookieHeader = null;
 Header setSessionCookieHeader = null;
 for (Header h : response.getAllHeaders()) {
@@ -123,7 +121,6 @@ public class LoginStatusIframeEndpointTest extends AbstractKeycloakTest {
 
 response = client.execute(get);
 assertEquals(200, response.getStatusLine().getStatusCode());
- assertEquals("CP=\"This is not a P3P policy!\"", response.getFirstHeader("P3P").getValue());
 assertNull(response.getFirstHeader(BrowserSecurityHeaders.X_FRAME_OPTIONS.getHeaderName()));
 assertEquals("frame-src 'self'; object-src 'none';", response.getFirstHeader(BrowserSecurityHeaders.CONTENT_SECURITY_POLICY.getHeaderName()).getValue());
 assertEquals("none", response.getFirstHeader(BrowserSecurityHeaders.X_ROBOTS_TAG.getHeaderName()).getValue());
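Review bot: The deleted P3P assertions are not replaced by a check that the header is now absent, so nothing in this test pins the outcome of the commit; a later change that emits `P3P` again (on the cookie-setting path exercised by the POST, or on the iframe resource path exercised by the GET) would pass unnoticed. In the second hunk, beside the existing `assertNull` for X-Frame-Options, add `assertNull(response.getFirstHeader("P3P"));`, and add the same line after `response = client.execute(post);` in the first hunk. The enclosing test method starts before the first hunk and continues past the second. The remaining assertions already cover the CSP `frame-src 'self'` policy and the absence of X-Frame-Options on the iframe response, so the header set is otherwise still under test.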