Use of org.keycloak.adapters.rotation.JWKPublicKeyLocator in project keycloak by keycloak: class AdapterActionsFilter, method doFilter.
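/**
 * Test-support filter that either adjusts the adapter's clock offset, resets the deployment's
 * rotation/notBefore state, or passes the request down the chain, depending on which request
 * parameter is present.
 *
 * <p>Both parameters are read straight from the request, without any authentication, and act on
 * process-wide state ({@link Time#setOffset} and the shared {@link KeycloakDeployment}); the filter
 * is therefore only suitable for the test deployments it ships with.
 *
 * @param request  incoming request; {@code TIME_OFFSET_PARAM} and {@code RESET_DEPLOYMENT_PARAM} are read from it
 * @param response response the action result (or an error status) is written to
 * @param chain    continued only when neither action parameter is present and non-empty
 * @throws IOException      from the chain or from writing the response
 * @throws ServletException from the chain
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest servletReq = (HttpServletRequest) request;
    HttpServletResponse servletResp = (HttpServletResponse) response;

    // Accept timeOffset as argument to enforce timeouts
    String timeOffsetParam = request.getParameter(TIME_OFFSET_PARAM);
    String resetDeploymentParam = request.getParameter(RESET_DEPLOYMENT_PARAM);

    if (timeOffsetParam != null && !timeOffsetParam.isEmpty()) {
        int timeOffset;
        try {
            timeOffset = Integer.parseInt(timeOffsetParam);
        } catch (NumberFormatException e) {
            // A non-numeric value previously escaped as an unhandled exception (HTTP 500) and
            // left the caller guessing; report it as a client error and keep the current offset.
            // The raw value is deliberately not echoed back into the response body.
            servletResp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Parameter " + TIME_OFFSET_PARAM + " must be an integer");
            return;
        }
        log.infof("Time offset updated to %d for application %s", timeOffset, servletReq.getRequestURI());
        Time.setOffset(timeOffset);
        writeResponse(servletResp, "Offset set successfully");
    } else if (resetDeploymentParam != null && !resetDeploymentParam.isEmpty()) {
        AdapterDeploymentContext deploymentContext =
                (AdapterDeploymentContext) request.getServletContext().getAttribute(AdapterDeploymentContext.class.getName());
        if (deploymentContext == null) {
            // Without the context attribute the reflective read below would fail with an NPE;
            // surface the misconfiguration explicitly instead.
            servletResp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "AdapterDeploymentContext is not registered in the servlet context");
            return;
        }

        // The deployment is read reflectively (presumably no accessor exposes it on the context).
        Field field = Reflections.findDeclaredField(AdapterDeploymentContext.class, "deployment");
        Reflections.setAccessible(field);
        KeycloakDeployment deployment = (KeycloakDeployment) Reflections.getFieldValue(field, deploymentContext);

        Time.setOffset(0);
        deployment.setNotBefore(0);
        // Only a JWK-based locator is replaced; a fresh instance starts without cached keys
        // (assumption — verify against JWKPublicKeyLocator). Hard-coded locators are kept.
        if (deployment.getPublicKeyLocator() instanceof JWKPublicKeyLocator) {
            deployment.setPublicKeyLocator(new JWKPublicKeyLocator());
        }

        log.infof("Restarted PublicKeyLocator, notBefore and timeOffset for application %s", servletReq.getRequestURI());
        writeResponse(servletResp, "Restarted PublicKeyLocator, notBefore and timeOffset successfully");
    } else {
        // Continue request
        chain.doFilter(request, response);
    }
}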
Use of org.keycloak.adapters.rotation.JWKPublicKeyLocator in project keycloak by keycloak: class KeycloakDeploymentBuilder, method internalBuild.
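/**
 * Populates the builder's {@code deployment} from the adapter configuration and returns it.
 *
 * <p>Validation is deliberately front-loaded: {@code realm} and {@code resource} are mandatory,
 * and {@code auth-server-url} is mandatory unless the deployment is bearer-only with a
 * hard-coded {@code realm-public-key} (the only case in which no JWKS endpoint is needed).
 *
 * @param adapterConfig parsed adapter configuration (e.g. keycloak.json)
 * @return the configured deployment held by this builder
 * @throws RuntimeException         if {@code realm}, {@code resource} or {@code auth-server-url} is
 *                                  missing, or the realm public key cannot be decoded
 * @throws IllegalArgumentException for a bearer-only deployment with neither a realm key nor an
 *                                  auth-server-url, or for an unknown {@code ssl-required} /
 *                                  {@code token-store} value (from {@code Enum.valueOf})
 */
protected KeycloakDeployment internalBuild(final AdapterConfig adapterConfig) {
    if (adapterConfig.getRealm() == null) {
        throw new RuntimeException("Must set 'realm' in config");
    }
    deployment.setRealm(adapterConfig.getRealm());

    String resource = adapterConfig.getResource();
    if (resource == null) {
        throw new RuntimeException("Must set 'resource' in config");
    }
    deployment.setResourceName(resource);

    String realmKeyPem = adapterConfig.getRealmKey();
    configurePublicKeyLocator(realmKeyPem);

    // Enum names are ASCII-only, so Locale.ROOT keeps the mapping independent of the default locale.
    if (adapterConfig.getSslRequired() != null) {
        deployment.setSslRequired(SslRequired.valueOf(adapterConfig.getSslRequired().toUpperCase(java.util.Locale.ROOT)));
    } else {
        deployment.setSslRequired(SslRequired.EXTERNAL);
    }

    if (adapterConfig.getConfidentialPort() != -1) {
        deployment.setConfidentialPort(adapterConfig.getConfidentialPort());
    }

    if (adapterConfig.getTokenStore() != null) {
        deployment.setTokenStore(TokenStore.valueOf(adapterConfig.getTokenStore().toUpperCase(java.util.Locale.ROOT)));
    } else {
        deployment.setTokenStore(TokenStore.SESSION);
    }

    if (adapterConfig.getTokenCookiePath() != null) {
        deployment.setAdapterStateCookiePath(adapterConfig.getTokenCookiePath());
    }
    if (adapterConfig.getPrincipalAttribute() != null) {
        deployment.setPrincipalAttribute(adapterConfig.getPrincipalAttribute());
    }

    // Credentials must be in place before the client authenticator is bootstrapped from the
    // deployment (assumed — bootstrapClientAuthenticator is given the deployment, not the config).
    deployment.setResourceCredentials(adapterConfig.getCredentials());
    deployment.setClientAuthenticator(ClientCredentialsProviderUtils.bootstrapClientAuthenticator(deployment));

    deployment.setPublicClient(adapterConfig.isPublicClient());
    deployment.setUseResourceRoleMappings(adapterConfig.isUseResourceRoleMappings());
    deployment.setExposeToken(adapterConfig.isExposeToken());

    if (adapterConfig.isCors()) {
        deployment.setCors(true);
        deployment.setCorsMaxAge(adapterConfig.getCorsMaxAge());
        deployment.setCorsAllowedHeaders(adapterConfig.getCorsAllowedHeaders());
        deployment.setCorsAllowedMethods(adapterConfig.getCorsAllowedMethods());
        deployment.setCorsExposedHeaders(adapterConfig.getCorsExposedHeaders());
    }

    // https://tools.ietf.org/html/rfc7636
    if (adapterConfig.isPkce()) {
        deployment.setPkce(true);
    }

    deployment.setBearerOnly(adapterConfig.isBearerOnly());
    deployment.setAutodetectBearerOnly(adapterConfig.isAutodetectBearerOnly());
    deployment.setEnableBasicAuth(adapterConfig.isEnableBasicAuth());
    deployment.setAlwaysRefreshToken(adapterConfig.isAlwaysRefreshToken());
    deployment.setRegisterNodeAtStartup(adapterConfig.isRegisterNodeAtStartup());
    deployment.setRegisterNodePeriod(adapterConfig.getRegisterNodePeriod());
    deployment.setTokenMinimumTimeToLive(adapterConfig.getTokenMinimumTimeToLive());
    deployment.setMinTimeBetweenJwksRequests(adapterConfig.getMinTimeBetweenJwksRequests());
    deployment.setPublicKeyCacheTtl(adapterConfig.getPublicKeyCacheTtl());
    deployment.setIgnoreOAuthQueryParameter(adapterConfig.isIgnoreOAuthQueryParameter());
    deployment.setRewriteRedirectRules(adapterConfig.getRedirectRewriteRules());
    deployment.setVerifyTokenAudience(adapterConfig.isVerifyTokenAudience());

    // A bearer-only deployment can verify tokens offline with a hard-coded key; otherwise the
    // auth server URL is needed to fetch keys (JWKS) and/or perform the login flow.
    if (realmKeyPem == null && adapterConfig.isBearerOnly() && adapterConfig.getAuthServerUrl() == null) {
        throw new IllegalArgumentException("For bearer auth, you must set the realm-public-key or auth-server-url");
    }
    if (adapterConfig.getAuthServerUrl() == null && (!deployment.isBearerOnly() || realmKeyPem == null)) {
        throw new RuntimeException("You must specify auth-server-url");
    }

    deployment.setClient(createHttpClientProducer(adapterConfig));
    deployment.setAuthServerBaseUrl(adapterConfig);

    if (adapterConfig.getTurnOffChangeSessionIdOnLogin() != null) {
        deployment.setTurnOffChangeSessionIdOnLogin(adapterConfig.getTurnOffChangeSessionIdOnLogin());
    }

    if (adapterConfig.getPolicyEnforcerConfig() != null) {
        deployment.setPolicyEnforcer(lazyPolicyEnforcer(adapterConfig));
    }

    return deployment;
}

/**
 * Installs the public key locator: a hard-coded locator when a PEM realm key is configured,
 * otherwise a JWKS-backed {@link JWKPublicKeyLocator} (which needs {@code auth-server-url},
 * enforced later by the caller).
 *
 * @param realmKeyPem PEM-encoded realm public key from the config, or {@code null}
 * @throws RuntimeException wrapping any failure to decode the PEM key
 */
private void configurePublicKeyLocator(String realmKeyPem) {
    if (realmKeyPem == null) {
        deployment.setPublicKeyLocator(new JWKPublicKeyLocator());
        return;
    }
    try {
        PublicKey realmKey = PemUtils.decodePublicKey(realmKeyPem);
        deployment.setPublicKeyLocator(new HardcodedPublicKeyLocator(realmKey));
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
}

/**
 * Returns a provider that creates the {@link PolicyEnforcer} on first use and caches it.
 *
 * @param adapterConfig configuration handed to the enforcer when it is created
 * @return a callable that always yields the same enforcer instance once created
 */
private Callable<PolicyEnforcer> lazyPolicyEnforcer(final AdapterConfig adapterConfig) {
    return new Callable<PolicyEnforcer>() {
        // Double-checked locking: the field must be volatile so a thread that sees a non-null
        // reference outside the lock also sees the fully constructed PolicyEnforcer.
        volatile PolicyEnforcer policyEnforcer;

        @Override
        public PolicyEnforcer call() {
            if (policyEnforcer == null) {
                synchronized (deployment) {
                    if (policyEnforcer == null) {
                        policyEnforcer = new PolicyEnforcer(deployment, adapterConfig);
                    }
                }
            }
            return policyEnforcer;
        }
    };
}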