From 77a991fba1994a0ac8dfba7fdb60d41e7bd60104 Mon Sep 17 00:00:00 2001
From: p53
Date: Thu, 4 Apr 2024 22:26:46 +0200
Subject: [PATCH] Uma, idpsession check, noredirects config check (#442)
---
 e2e/e2e_uma_test.go | 3 ---
 pkg/apperrors/apperrors.go | 2 +-
 pkg/keycloak/config/config.go | 2 +-
 3 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/e2e/e2e_uma_test.go b/e2e/e2e_uma_test.go
index b9ae58fe..72338438 100644
--- a/e2e/e2e_uma_test.go
+++ b/e2e/e2e_uma_test.go
@@ -40,7 +40,6 @@ var _ = Describe("UMA Code Flow authorization", func() {
 "--skip-access-token-issuer-check=true",
 "--openid-provider-retry-count=30",
 "--secure-cookie=false",
- "--enable-idp-session-check=false",
 }
 osArgs = append(osArgs, proxyArgs...)
@@ -137,7 +136,6 @@ var _ = Describe("UMA Code Flow authorization with method scope", func() {
 "--secure-cookie=false",
 "--verbose=true",
 "--enable-logging=true",
- "--enable-idp-session-check=false",
 }
 osArgs = append(osArgs, proxyArgs...)
@@ -377,7 +375,6 @@ var _ = Describe("UMA Code Flow, NOPROXY authorization with method scope", func(
 "--secure-cookie=false",
 "--verbose=true",
 "--enable-logging=true",
- "--enable-idp-session-check=false",
 }
 osArgs = append(osArgs, proxyArgs...)
diff --git a/pkg/apperrors/apperrors.go b/pkg/apperrors/apperrors.go
index 17544653..72817543 100644
--- a/pkg/apperrors/apperrors.go
+++ b/pkg/apperrors/apperrors.go
@@ -140,7 +140,7 @@ var (
 "only one type of external authz can be enabled at once",
 )
 ErrMissingClientCredsWithUMA = errors.New("enable uma requires client credentials")
- ErrEnableUmaIdpSessionCheckConflict = errors.New("you cannot have enable uma together with enable idp session check")
+ ErrEnableUmaIdpSessionCheckConflict = errors.New("you cannot have enable uma together with enable idp session check and noredirects")
 ErrTooManyDefaultDenyOpts = errors.New(
 "only one of enable-default-deny/enable-default-deny-strict can be true",
 )
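Review bot: The new text of ErrEnableUmaIdpSessionCheckConflict is hard to act on, because "enable uma together with enable idp session check and noredirects" does not say which options must change and spells none of them as an operator would type them. The neighbouring ErrTooManyDefaultDenyOpts names its options in flag form, so the same convention would read `errors.New("enable-uma cannot be combined with enable-idp-session-check when no-redirects is set")`. The variable name also still describes a two-way conflict; a short comment above it noting that the conflict now applies only in no-redirects mode would stop a later reader from assuming the old rule.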
diff --git a/pkg/keycloak/config/config.go b/pkg/keycloak/config/config.go
index e7198d96..e7f5c71a 100644
--- a/pkg/keycloak/config/config.go
+++ b/pkg/keycloak/config/config.go
@@ -888,7 +888,7 @@ func (r *Config) isExternalAuthzValid() error {
 if r.ClientID == "" || r.ClientSecret == "" {
 return apperrors.ErrMissingClientCredsWithUMA
 }
- if r.EnableIDPSessionCheck {
+ if r.EnableIDPSessionCheck && r.NoRedirects {
 return apperrors.ErrEnableUmaIdpSessionCheckConflict
 }
 } else if r.EnableOpa {
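Review bot: The relaxed guard `if r.EnableIDPSessionCheck && r.NoRedirects {` loosens a startup validation rule for an authorization mode, and the patch adds no test that pins either side of it; the only test change is dropping `--enable-idp-session-check=false` from the e2e UMA specs. A config-validation case for isExternalAuthzValid in this branch (presumably the UMA one, judging by the error names) would cover it: EnableIDPSessionCheck with NoRedirects true should return ErrEnableUmaIdpSessionCheckConflict, and with NoRedirects false should return nil. The hunk also does not say why the combination is invalid only without redirects, so a comment on the condition would help, e.g. `// UMA with the IdP session check is rejected only in no-redirects mode: <reason>`. isExternalAuthzValid begins and ends outside the hunk, so the enclosing condition is not visible here.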