CIMD - Performance: Eliminate double URI parsing in ClientIdUriSchemeCondition.applyPolicy()

tnorimat · tnorimat · commit 236bd35ce0bb · 2026-03-02T16:03:57.000+09:00
closes keycloak#46703 Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
diff --git a/services/src/main/java/org/keycloak/protocol/oauth2/cimd/clientpolicy/condition/ClientIdUriSchemeCondition.java b/services/src/main/java/org/keycloak/protocol/oauth2/cimd/clientpolicy/condition/ClientIdUriSchemeCondition.java
@@ -72,47 +72,38 @@ public ClientPolicyVote applyPolicy(ClientPolicyContext context) throws ClientPo
         switch (context.getEvent()) {
             case PRE_AUTHORIZATION_REQUEST:
                 PreAuthorizationRequestContext paContext = (PreAuthorizationRequestContext) context;
-                String clientId = ((PreAuthorizationRequestContext) context).getRequestParameters().getFirst(OAuth2Constants.CLIENT_ID);
-                if (isUriSchemeMatched(clientId) && isTrustedDomainMatched(clientId)) return ClientPolicyVote.YES;
+                String clientId = paContext.getRequestParameters().getFirst(OAuth2Constants.CLIENT_ID);
+                if (clientId == null || configuration.getClientIdUriSchemes() == null || configuration.getClientIdUriSchemes().isEmpty()) {
+                    return ClientPolicyVote.NO;
+                }
+                final URI uri;
+                try {
+                    uri = new URI(clientId);
+                } catch (URISyntaxException e) {
+                    logger.debugv("not URL: clientId = {0}", clientId);
+                    return ClientPolicyVote.NO;
+                }
+                if (isUriSchemeMatched(uri) && isTrustedDomainMatched(uri)) return ClientPolicyVote.YES;
+
                 return ClientPolicyVote.NO;
             default:
                 return ClientPolicyVote.ABSTAIN;
         }
     }
 
-    private boolean isUriSchemeMatched(String clientId) {
-        if (clientId == null || configuration.getClientIdUriSchemes() == null || configuration.getClientIdUriSchemes().isEmpty()) {
-            return false;
-        }
-
-        final URI uri;
-        try {
-            uri = new URI(clientId);
-        } catch (URISyntaxException e) {
-            logger.debugv("not URL: clientId = {0}", clientId);
-            return false;
-        }
-
+    private boolean isUriSchemeMatched(URI uri) {
         return configuration.getClientIdUriSchemes().stream().anyMatch(i->i.equals(uri.getScheme()));
     }
 
-    private boolean isTrustedDomainMatched(String clientId) {
+    private boolean isTrustedDomainMatched(URI uri) {
         List<String> trustedDomains = convertContentFilledList(configuration.getTrustedDomains());
-        if (trustedDomains == null || trustedDomains.isEmpty()) {
+        if (trustedDomains.isEmpty()) {
             logger.debug("trusted domain list is vacant.");
             return false;
         }
 
-        final URI uri;
-        try {
-            uri = new URI(clientId);
-        } catch (URISyntaxException e) {
-            logger.warnv("Malformed URL: {0}", clientId);
-            return false;
-        }
-
         if (uri.getHost() == null) {
-            logger.warnv("not trusted domain: host = {0}", uri.getHost());
+            logger.warn("not trusted domain: host = null");
             return false;
         }
 
@@ -124,6 +115,7 @@ private boolean isTrustedDomainMatched(String clientId) {
         return true;
     }
 
+    // return a list with non-null, non-blank, and distinct values. If the input list is null, return an empty list.
     private List<String> convertContentFilledList(List<String> list) {
         if (list == null) {
             return Collections.emptyList();
