Search in sources :

Example 1 with JWKPublicKeyLocator

use of org.keycloak.adapters.rotation.JWKPublicKeyLocator in project keycloak by keycloak.

the class AdapterActionsFilter method doFilter.

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest servletReq = (HttpServletRequest) request;
    HttpServletResponse servletResp = (HttpServletResponse) response;
    // Accept timeOffset as argument to enforce timeouts
    String timeOffsetParam = request.getParameter(TIME_OFFSET_PARAM);
    String resetDeploymentParam = request.getParameter(RESET_DEPLOYMENT_PARAM);
    if (timeOffsetParam != null && !timeOffsetParam.isEmpty()) {
        int timeOffset = Integer.parseInt(timeOffsetParam);
        log.infof("Time offset updated to %d for application %s", timeOffset, servletReq.getRequestURI());
        Time.setOffset(timeOffset);
        writeResponse(servletResp, "Offset set successfully");
    } else if (resetDeploymentParam != null && !resetDeploymentParam.isEmpty()) {
        AdapterDeploymentContext deploymentContext = (AdapterDeploymentContext) request.getServletContext().getAttribute(AdapterDeploymentContext.class.getName());
        Field field = Reflections.findDeclaredField(AdapterDeploymentContext.class, "deployment");
        Reflections.setAccessible(field);
        KeycloakDeployment deployment = (KeycloakDeployment) Reflections.getFieldValue(field, deploymentContext);
        Time.setOffset(0);
        deployment.setNotBefore(0);
        if (deployment.getPublicKeyLocator() instanceof JWKPublicKeyLocator) {
            deployment.setPublicKeyLocator(new JWKPublicKeyLocator());
        }
        log.infof("Restarted PublicKeyLocator, notBefore and timeOffset for application %s", servletReq.getRequestURI());
        writeResponse(servletResp, "Restarted PublicKeyLocator, notBefore and timeOffset successfully");
    } else {
        // Continue request
        chain.doFilter(request, response);
    }
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) Field(java.lang.reflect.Field) AdapterDeploymentContext(org.keycloak.adapters.AdapterDeploymentContext) KeycloakDeployment(org.keycloak.adapters.KeycloakDeployment) HttpServletResponse(javax.servlet.http.HttpServletResponse) JWKPublicKeyLocator(org.keycloak.adapters.rotation.JWKPublicKeyLocator)

Example 2 with JWKPublicKeyLocator

use of org.keycloak.adapters.rotation.JWKPublicKeyLocator in project keycloak by keycloak.

the class KeycloakDeploymentBuilder method internalBuild.

protected KeycloakDeployment internalBuild(final AdapterConfig adapterConfig) {
    if (adapterConfig.getRealm() == null)
        throw new RuntimeException("Must set 'realm' in config");
    deployment.setRealm(adapterConfig.getRealm());
    String resource = adapterConfig.getResource();
    if (resource == null)
        throw new RuntimeException("Must set 'resource' in config");
    deployment.setResourceName(resource);
    String realmKeyPem = adapterConfig.getRealmKey();
    if (realmKeyPem != null) {
        PublicKey realmKey;
        try {
            realmKey = PemUtils.decodePublicKey(realmKeyPem);
            HardcodedPublicKeyLocator pkLocator = new HardcodedPublicKeyLocator(realmKey);
            deployment.setPublicKeyLocator(pkLocator);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    } else {
        JWKPublicKeyLocator pkLocator = new JWKPublicKeyLocator();
        deployment.setPublicKeyLocator(pkLocator);
    }
    if (adapterConfig.getSslRequired() != null) {
        deployment.setSslRequired(SslRequired.valueOf(adapterConfig.getSslRequired().toUpperCase()));
    } else {
        deployment.setSslRequired(SslRequired.EXTERNAL);
    }
    if (adapterConfig.getConfidentialPort() != -1) {
        deployment.setConfidentialPort(adapterConfig.getConfidentialPort());
    }
    if (adapterConfig.getTokenStore() != null) {
        deployment.setTokenStore(TokenStore.valueOf(adapterConfig.getTokenStore().toUpperCase()));
    } else {
        deployment.setTokenStore(TokenStore.SESSION);
    }
    if (adapterConfig.getTokenCookiePath() != null) {
        deployment.setAdapterStateCookiePath(adapterConfig.getTokenCookiePath());
    }
    if (adapterConfig.getPrincipalAttribute() != null)
        deployment.setPrincipalAttribute(adapterConfig.getPrincipalAttribute());
    deployment.setResourceCredentials(adapterConfig.getCredentials());
    deployment.setClientAuthenticator(ClientCredentialsProviderUtils.bootstrapClientAuthenticator(deployment));
    deployment.setPublicClient(adapterConfig.isPublicClient());
    deployment.setUseResourceRoleMappings(adapterConfig.isUseResourceRoleMappings());
    deployment.setExposeToken(adapterConfig.isExposeToken());
    if (adapterConfig.isCors()) {
        deployment.setCors(true);
        deployment.setCorsMaxAge(adapterConfig.getCorsMaxAge());
        deployment.setCorsAllowedHeaders(adapterConfig.getCorsAllowedHeaders());
        deployment.setCorsAllowedMethods(adapterConfig.getCorsAllowedMethods());
        deployment.setCorsExposedHeaders(adapterConfig.getCorsExposedHeaders());
    }
    // https://tools.ietf.org/html/rfc7636
    if (adapterConfig.isPkce()) {
        deployment.setPkce(true);
    }
    deployment.setBearerOnly(adapterConfig.isBearerOnly());
    deployment.setAutodetectBearerOnly(adapterConfig.isAutodetectBearerOnly());
    deployment.setEnableBasicAuth(adapterConfig.isEnableBasicAuth());
    deployment.setAlwaysRefreshToken(adapterConfig.isAlwaysRefreshToken());
    deployment.setRegisterNodeAtStartup(adapterConfig.isRegisterNodeAtStartup());
    deployment.setRegisterNodePeriod(adapterConfig.getRegisterNodePeriod());
    deployment.setTokenMinimumTimeToLive(adapterConfig.getTokenMinimumTimeToLive());
    deployment.setMinTimeBetweenJwksRequests(adapterConfig.getMinTimeBetweenJwksRequests());
    deployment.setPublicKeyCacheTtl(adapterConfig.getPublicKeyCacheTtl());
    deployment.setIgnoreOAuthQueryParameter(adapterConfig.isIgnoreOAuthQueryParameter());
    deployment.setRewriteRedirectRules(adapterConfig.getRedirectRewriteRules());
    deployment.setVerifyTokenAudience(adapterConfig.isVerifyTokenAudience());
    if (realmKeyPem == null && adapterConfig.isBearerOnly() && adapterConfig.getAuthServerUrl() == null) {
        throw new IllegalArgumentException("For bearer auth, you must set the realm-public-key or auth-server-url");
    }
    if (adapterConfig.getAuthServerUrl() == null && (!deployment.isBearerOnly() || realmKeyPem == null)) {
        throw new RuntimeException("You must specify auth-server-url");
    }
    deployment.setClient(createHttpClientProducer(adapterConfig));
    deployment.setAuthServerBaseUrl(adapterConfig);
    if (adapterConfig.getTurnOffChangeSessionIdOnLogin() != null) {
        deployment.setTurnOffChangeSessionIdOnLogin(adapterConfig.getTurnOffChangeSessionIdOnLogin());
    }
    final PolicyEnforcerConfig policyEnforcerConfig = adapterConfig.getPolicyEnforcerConfig();
    if (policyEnforcerConfig != null) {
        deployment.setPolicyEnforcer(new Callable<PolicyEnforcer>() {

            PolicyEnforcer policyEnforcer;

            @Override
            public PolicyEnforcer call() {
                if (policyEnforcer == null) {
                    synchronized (deployment) {
                        if (policyEnforcer == null) {
                            policyEnforcer = new PolicyEnforcer(deployment, adapterConfig);
                        }
                    }
                }
                return policyEnforcer;
            }
        });
    }
    return deployment;
}
Also used : HardcodedPublicKeyLocator(org.keycloak.adapters.rotation.HardcodedPublicKeyLocator) PublicKey(java.security.PublicKey) JWKPublicKeyLocator(org.keycloak.adapters.rotation.JWKPublicKeyLocator) PolicyEnforcer(org.keycloak.adapters.authorization.PolicyEnforcer) IOException(java.io.IOException) PolicyEnforcerConfig(org.keycloak.representations.adapters.config.PolicyEnforcerConfig)

Aggregations

JWKPublicKeyLocator (org.keycloak.adapters.rotation.JWKPublicKeyLocator)2 IOException (java.io.IOException)1 Field (java.lang.reflect.Field)1 PublicKey (java.security.PublicKey)1 HttpServletRequest (javax.servlet.http.HttpServletRequest)1 HttpServletResponse (javax.servlet.http.HttpServletResponse)1 AdapterDeploymentContext (org.keycloak.adapters.AdapterDeploymentContext)1 KeycloakDeployment (org.keycloak.adapters.KeycloakDeployment)1 PolicyEnforcer (org.keycloak.adapters.authorization.PolicyEnforcer)1 HardcodedPublicKeyLocator (org.keycloak.adapters.rotation.HardcodedPublicKeyLocator)1 PolicyEnforcerConfig (org.keycloak.representations.adapters.config.PolicyEnforcerConfig)1