use of org.keycloak.common.util.KeycloakUriBuilder in project keycloak by keycloak.
the class ServletSamlSessionStore method saveRequest.
@Override
public void saveRequest() {
    // Let the servlet helper stash the request first, then record where to send the user after SAML login.
    SavedRequest.trySaveRequest(exchange);
    final ServletRequestContext servletCtx = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    HttpSessionImpl httpSession = servletCtx.getCurrentServletContext().getSession(exchange, true);
    // Rebuild the requested URI with its query string; when the exchange URI is relative, make it absolute
    // from the request's scheme and host:port so the stored redirect target is self-contained.
    KeycloakUriBuilder redirectTarget = KeycloakUriBuilder.fromUri(exchange.getRequestURI())
            .replaceQuery(exchange.getQueryString());
    if (!exchange.isHostIncludedInRequestURI()) {
        redirectTarget.scheme(exchange.getRequestScheme()).host(exchange.getHostAndPort());
    }
    httpSession.setAttribute(SAML_REDIRECT_URI, redirectTarget.buildAsString());
}
use of org.keycloak.common.util.KeycloakUriBuilder in project keycloak by keycloak.
the class OAuthRequestAuthenticator method getRedirectUri.
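/**
 * Builds the authorization-endpoint URL the browser is sent to in order to start the authorization-code flow.
 * <p>
 * The {@code redirect_uri} handed to Keycloak is derived from the current request URL: it is upgraded to
 * {@code https} when SSL is required for the caller's address, and the hint parameters
 * ({@code login_hint}, {@code kc_idp_hint}, {@code scope}, {@code prompt}, {@code max_age},
 * {@code ui_locales}) are stripped from it. The stripped values are instead forwarded as parameters of the
 * authorization request when present, so they are not echoed back inside {@code redirect_uri}.
 *
 * @param state opaque value bound to this login attempt, sent as the {@code state} parameter
 * @return the absolute authorization URL, or {@code null} when SSL is required but no SSL redirect port
 *         is configured ({@code sslRedirectPort()} is negative)
 */
protected String getRedirectUri(String state) {
    String url = getRequestUrl();
    log.debugf("callback uri: %s", url);
    if (!facade.getRequest().isSecure() && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) {
        int port = sslRedirectPort();
        if (port < 0) {
            // disabled?
            return null;
        }
        // Drop the plain-http port; only set an explicit port when it is not the https default.
        KeycloakUriBuilder secureUrl = KeycloakUriBuilder.fromUri(url).scheme("https").port(-1);
        if (port != 443) {
            secureUrl.port(port);
        }
        url = secureUrl.buildAsString();
    }
    // Read each hint from the incoming query, then remove it from the URL that becomes redirect_uri.
    String loginHint = getQueryParamValue("login_hint");
    url = UriUtils.stripQueryParam(url, "login_hint");
    String idpHint = getQueryParamValue(AdapterConstants.KC_IDP_HINT);
    url = UriUtils.stripQueryParam(url, AdapterConstants.KC_IDP_HINT);
    String scope = getQueryParamValue(OAuth2Constants.SCOPE);
    url = UriUtils.stripQueryParam(url, OAuth2Constants.SCOPE);
    String prompt = getQueryParamValue(OAuth2Constants.PROMPT);
    url = UriUtils.stripQueryParam(url, OAuth2Constants.PROMPT);
    String maxAge = getQueryParamValue(OAuth2Constants.MAX_AGE);
    url = UriUtils.stripQueryParam(url, OAuth2Constants.MAX_AGE);
    String uiLocales = getQueryParamValue(OAuth2Constants.UI_LOCALES_PARAM);
    url = UriUtils.stripQueryParam(url, OAuth2Constants.UI_LOCALES_PARAM);
    // rewrittenRedirectUri() applies any configured redirect rewrite rules to the callback URL (see that method).
    KeycloakUriBuilder redirectUriBuilder = deployment.getAuthUrl().clone()
            .queryParam(OAuth2Constants.RESPONSE_TYPE, OAuth2Constants.CODE)
            .queryParam(OAuth2Constants.CLIENT_ID, deployment.getResourceName())
            .queryParam(OAuth2Constants.REDIRECT_URI, rewrittenRedirectUri(url))
            .queryParam(OAuth2Constants.STATE, state)
            .queryParam("login", "true");
    addQueryParamIfNonEmpty(redirectUriBuilder, "login_hint", loginHint);
    addQueryParamIfNonEmpty(redirectUriBuilder, AdapterConstants.KC_IDP_HINT, idpHint);
    addQueryParamIfNonEmpty(redirectUriBuilder, OAuth2Constants.PROMPT, prompt);
    addQueryParamIfNonEmpty(redirectUriBuilder, OAuth2Constants.MAX_AGE, maxAge);
    addQueryParamIfNonEmpty(redirectUriBuilder, OAuth2Constants.UI_LOCALES_PARAM, uiLocales);
    // scope is not optional: it always goes through TokenUtil.attachOIDCScope (presumably to ensure the
    // mandatory "openid" scope is present even when the caller sent none -- see TokenUtil).
    scope = TokenUtil.attachOIDCScope(scope);
    redirectUriBuilder.queryParam(OAuth2Constants.SCOPE, scope);
    return redirectUriBuilder.buildAsString();
}

/**
 * Appends {@code name=value} to {@code builder} only when {@code value} is non-null and non-empty.
 *
 * @param builder the authorization URL under construction
 * @param name    query parameter name
 * @param value   query parameter value as read from the incoming request, possibly {@code null}
 */
private static void addQueryParamIfNonEmpty(KeycloakUriBuilder builder, String name, String value) {
    if (value != null && value.length() > 0) {
        builder.queryParam(name, value);
    }
}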
use of org.keycloak.common.util.KeycloakUriBuilder in project keycloak by keycloak.
the class KeycloakDeployment method resolveUrls.
/**
 * URLs are loaded lazily when used. This allows adapter to be deployed prior to Keycloak server starting, and will
 * also allow the adapter to retry loading config for each request until the Keycloak server is ready.
 *
 * In the future we may want to support reloading config at a configurable interval.
 * <p>
 * {@code realmInfoUrl} doubles as the "already resolved" marker: it is checked once without the lock and again
 * under {@code synchronized (this)}, so concurrent first-time callers perform the discovery request at most once.
 * NOTE(review): this double-checked pattern is only safe if {@code realmInfoUrl} is declared {@code volatile};
 * the field declaration is not visible here -- confirm. Independently of that, the marker is assigned before
 * {@code tokenUrl}, {@code logoutUrl}, {@code accountUrl}, the node-registration URLs and {@code jwksUrl}, so a
 * caller that skips the lock may observe a non-null {@code realmInfoUrl} while those fields are still unset.
 */
protected void resolveUrls() {
    if (realmInfoUrl == null) {
        synchronized (this) {
            if (realmInfoUrl == null) {
                KeycloakUriBuilder authUrlBuilder = KeycloakUriBuilder.fromUri(authServerBaseUrl);
                // Discovery document location; the realm is substituted into the path template by build(getRealm()).
                String discoveryUrl = authUrlBuilder.clone().path(ServiceUrlConstants.DISCOVERY_URL).build(getRealm()).toString();
                try {
                    log.debugv("Resolving URLs from {0}", discoveryUrl);
                    OIDCConfigurationRepresentation config = getOidcConfiguration(discoveryUrl);
                    authUrl = KeycloakUriBuilder.fromUri(config.getAuthorizationEndpoint());
                    // Assigned second: from here on the outer null check treats resolution as done, so a failure
                    // in any of the statements below is logged by the catch but will not be retried on the next call.
                    realmInfoUrl = config.getIssuer();
                    tokenUrl = config.getTokenEndpoint();
                    logoutUrl = KeycloakUriBuilder.fromUri(config.getLogoutEndpoint());
                    accountUrl = KeycloakUriBuilder.fromUri(config.getIssuer()).path("/account").build().toString();
                    // Node (un)registration endpoints are derived from the configured base URL, not from the discovery document.
                    registerNodeUrl = authUrlBuilder.clone().path(ServiceUrlConstants.CLIENTS_MANAGEMENT_REGISTER_NODE_PATH).build(getRealm()).toString();
                    unregisterNodeUrl = authUrlBuilder.clone().path(ServiceUrlConstants.CLIENTS_MANAGEMENT_UNREGISTER_NODE_PATH).build(getRealm()).toString();
                    jwksUrl = config.getJwksUri();
                    log.infov("Loaded URLs from {0}", discoveryUrl);
                } catch (Exception e) {
                    // Best effort by design: log and leave the fields as they are. While realmInfoUrl is still null
                    // the next call retries, which covers the "server not up yet" case described above.
                    log.warnv(e, "Failed to load URLs from {0}", discoveryUrl);
                }
            }
        }
    }
}
use of org.keycloak.common.util.KeycloakUriBuilder in project keycloak by keycloak.
the class AdapterDeploymentContext method getBaseBuilder.
/**
 * Creates a builder for {@code base} whose scheme, host and port are taken from the current request.
 * <p>
 * NOTE(review): host and port come from the request URI as the facade reports it; behind a reverse proxy
 * that is whatever was forwarded to the adapter, so any proxy-header handling has to happen upstream of this
 * method -- confirm for the deployment in question.
 *
 * @param facade access to the current request
 * @param base   the URL from the adapter configuration that is to be resolved
 * @return a builder for {@code base} with the request's scheme, host and (if explicit) port applied
 * @throws RuntimeException when SSL is required for the caller, the request is not https and it carries an
 *                          explicit port, because that port cannot be assumed to serve https
 */
protected KeycloakUriBuilder getBaseBuilder(HttpFacade facade, String base) {
    KeycloakUriBuilder result = KeycloakUriBuilder.fromUri(base);
    URI requestUri = URI.create(facade.getRequest().getURI());
    String requestScheme = requestUri.getScheme();
    boolean sslRequired = deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr());
    String scheme = sslRequired ? "https" : requestScheme;
    if (sslRequired && !requestScheme.equals(scheme) && requestUri.getPort() != -1) {
        // The request came in on a non-https port; rewriting only the scheme would produce a bogus URL.
        log.error("request scheme: " + requestScheme + " ssl required");
        throw new RuntimeException("Can't resolve relative url from adapter config.");
    }
    result.scheme(scheme).host(requestUri.getHost());
    int requestPort = requestUri.getPort();
    if (requestPort != -1) {
        result.port(requestPort);
    }
    return result;
}
use of org.keycloak.common.util.KeycloakUriBuilder in project keycloak by keycloak.
the class AbstractSamlAuthenticationHandler method verifyRedirectBindingSignature.
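/**
 * Verifies the detached signature of a SAML message received over the HTTP-Redirect binding.
 * <p>
 * For this binding the signature is not embedded in the XML: it is computed over the URL-encoded query string
 * {@code <paramKey>=...[&RelayState=...]&SigAlg=...}, in exactly that order. That string is rebuilt here from the
 * individual query parameters and the {@code Signature} parameter is checked against it using the key that
 * {@code keyLocator} and {@code keyId} select.
 *
 * @param paramKey   name of the query parameter carrying the SAML message (supplied by the caller)
 * @param keyLocator source of the verification key
 * @param keyId      identifier of the key to use, passed through to {@link #validateRedirectBindingSignature}
 * @throws VerificationException when the message, {@code SigAlg} or {@code Signature} parameter is missing, when
 *                               the signature does not verify, or (with the cause attached) when decoding the
 *                               signature or resolving the algorithm fails
 */
private void verifyRedirectBindingSignature(String paramKey, KeyLocator keyLocator, String keyId) throws VerificationException {
    String request = facade.getRequest().getQueryParamValue(paramKey);
    String algorithm = facade.getRequest().getQueryParamValue(GeneralConstants.SAML_SIG_ALG_REQUEST_KEY);
    String signature = facade.getRequest().getQueryParamValue(GeneralConstants.SAML_SIGNATURE_REQUEST_KEY);
    if (request == null) {
        throw new VerificationException("SAML Request was null");
    }
    if (algorithm == null) {
        throw new VerificationException("SigAlg was null");
    }
    if (signature == null) {
        throw new VerificationException("Signature was null");
    }
    // Shibboleth doesn't sign the document for redirect binding.
    // todo maybe a flag?
    String relayState = facade.getRequest().getQueryParamValue(GeneralConstants.RELAY_STATE);
    // Rebuild the signed string in the order the binding prescribes: message, RelayState (only if sent), SigAlg.
    // NOTE(review): the values are re-encoded by KeycloakUriBuilder rather than taken verbatim from the raw
    // request query; if a sender's percent-encoding differs from the builder's, a valid signature fails to
    // verify -- worth checking against the raw query if interoperability problems show up.
    KeycloakUriBuilder builder = KeycloakUriBuilder.fromPath("/").queryParam(paramKey, request);
    if (relayState != null) {
        builder.queryParam(GeneralConstants.RELAY_STATE, relayState);
    }
    builder.queryParam(GeneralConstants.SAML_SIG_ALG_REQUEST_KEY, algorithm);
    String rawQuery = builder.build().getRawQuery();
    boolean valid;
    try {
        byte[] decodedSignature = Base64.decode(signature);
        byte[] rawQueryBytes = rawQuery.getBytes("UTF-8");
        // The same SigAlg value that was included in the signed string selects the verification algorithm.
        SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.getFromXmlMethod(algorithm);
        valid = validateRedirectBindingSignature(signatureAlgorithm, rawQueryBytes, decodedSignature, keyLocator, keyId);
    } catch (Exception e) {
        // Malformed Base64, unknown algorithm URI, key lookup failure, ...: keep the cause attached.
        throw new VerificationException(e);
    }
    // Checked outside the try so a plain mismatch is reported directly instead of being re-wrapped as a cause.
    if (!valid) {
        throw new VerificationException("Invalid query param signature");
    }
}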