modules/keycloak-protocol-cas

			@@ -95,7 +95,7 @@
			throw new CASValidationException(CASErrorCode.INVALID_TICKET_SPEC, "Malformed service ticket", Response.Status.BAD_REQUEST);
			}

			Boolean isreuse = ticket.startsWith(CASLoginProtocol.PROXY_GRANTING_TICKET_PREFIX);
			boolean isReuse = ticket.startsWith(CASLoginProtocol.PROXY_GRANTING_TICKET_PREFIX);

			String[] parsed = DOT.split(ticket.substring(prefix.length()), 3);
			if (parsed.length != 3) {
			@@ -103,20 +103,12 @@
			throw new CASValidationException(CASErrorCode.INVALID_TICKET_SPEC, "Invalid format of the code", Response.Status.BAD_REQUEST);
			}

			String codeUUID = parsed[0];
			String userSessionId = parsed[1];
			String clientUUID = parsed[2];

			event.detail(Details.CODE_ID, userSessionId);
			event.session(userSessionId);

			// Parse UUID
			String codeUUID;
			try {
			codeUUID = parsed[0];
			} catch (IllegalArgumentException re) {
			event.error(Errors.INVALID_CODE);
			throw new CASValidationException(CASErrorCode.INVALID_TICKET_SPEC, "Invalid format of the UUID in the code", Response.Status.BAD_REQUEST);
			}

			// Retrieve UserSession
			UserSessionModel userSession = new UserSessionCrossDCManager(session).getUserSessionWithClient(realm, userSessionId, clientUUID);
			@@ -125,28 +117,31 @@
			userSession = session.sessions().getUserSession(realm, userSessionId);
			if (userSession == null) {
			event.error(Errors.USER_SESSION_NOT_FOUND);
			throw new CASValidationException(CASErrorCode.INVALID_TICKET, "User session not found", Response.Status.BAD_REQUEST);
			throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);
			}
			}

			clientSession = userSession.getAuthenticatedClientSessionByClient(clientUUID);
			if (clientSession == null) {
			event.error(Errors.INVALID_CODE);
			throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);
			}

			SingleUseObjectProvider codeStore = session.singleUseObjects();
			Map<String, String> codeDataSerialized = isreuse? codeStore.get(prefix + codeUUID) : codeStore.remove(prefix + codeUUID);
			Map<String, String> codeDataSerialized = isReuse ? codeStore.get(prefix + codeUUID) : codeStore.remove(prefix + codeUUID);

			// Either code not available
			if (codeDataSerialized == null) {
			throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code already used", Response.Status.BAD_REQUEST);
			event.error(Errors.INVALID_CODE);
			throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);
			}

			OAuth2Code codeData = OAuth2Code.deserializeCode(codeDataSerialized);

			String persistedUserSessionId = codeData.getUserSessionId();
			if (!userSessionId.equals(persistedUserSessionId)) {
			throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code "+codeUUID+"' is bound to a different session", Response.Status.BAD_REQUEST);
			event.error(Errors.INVALID_CODE);
			throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST);
			}

			// Finally doublecheck if code is not expired
			@@ -181,7 +176,7 @@
			} else {
			if (!client.getClientId().equals(clientSession.getClient().getClientId())) {
			event.error(Errors.INVALID_CODE);
			throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Auth error", Response.Status.BAD_REQUEST);
			throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Invalid service", Response.Status.BAD_REQUEST);
			}
			}

			@@ -213,7 +208,7 @@
			this.pgtIou = pgtIou;
			} catch (Exception e) {
			event.error(Errors.INVALID_REQUEST);
			throw new CASValidationException(CASErrorCode.PROXY_CALLBACK_ERROR, "Proxy callback return with error", Response.Status.BAD_REQUEST);
			throw new CASValidationException(CASErrorCode.PROXY_CALLBACK_ERROR, "Proxy callback returned an error", Response.Status.BAD_REQUEST);
			}
			}