
Example 1 with KeycloakUriBuilder

use of org.keycloak.common.util.KeycloakUriBuilder in project keycloak by keycloak.

From class ServletSamlSessionStore, method saveRequest.

@Override
public void saveRequest() {
    // Hand the current request to the saved-request mechanism first (presumably so it can be
    // replayed once SAML authentication completes; see SavedRequest).
    SavedRequest.trySaveRequest(exchange);
    // A session is created on demand here so the redirect URI always has somewhere to live.
    ServletRequestContext requestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    HttpSessionImpl httpSession = requestContext.getCurrentServletContext().getSession(exchange, true);
    // Rebuild the request URI (path + query); when the request line was not absolute, the scheme
    // and host:port are taken from the exchange so the stored URI is usable for a redirect.
    KeycloakUriBuilder redirectBuilder = KeycloakUriBuilder.fromUri(exchange.getRequestURI())
            .replaceQuery(exchange.getQueryString());
    if (!exchange.isHostIncludedInRequestURI()) {
        redirectBuilder.scheme(exchange.getRequestScheme()).host(exchange.getHostAndPort());
    }
    String redirectUri = redirectBuilder.buildAsString();
    httpSession.setAttribute(SAML_REDIRECT_URI, redirectUri);
}

Example 2 with KeycloakUriBuilder

use of org.keycloak.common.util.KeycloakUriBuilder in project keycloak by keycloak.

From class OAuthRequestAuthenticator, method getRedirectUri.

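/**
 * Builds the authorization-endpoint URL the browser is redirected to in order to start the OIDC
 * authorization-code flow.
 *
 * The callback ({@code redirect_uri}) is the current request URL with the hint/OIDC parameters that
 * are forwarded to the auth server stripped off, and rewritten to https when the deployment requires
 * SSL for the caller's address. Forwarded parameters are only added when they carry a non-empty value;
 * {@code scope} is always added after {@link TokenUtil#attachOIDCScope} has been applied.
 *
 * @param state the opaque state value bound to this login attempt
 * @return the absolute authorization URL, or {@code null} when SSL is required but the SSL redirect
 *         port is disabled (negative)
 */
protected String getRedirectUri(String state) {
    String url = getRequestUrl();
    log.debugf("callback uri: %s", url);
    if (!facade.getRequest().isSecure() && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) {
        int port = sslRedirectPort();
        if (port < 0) {
            // disabled?
            return null;
        }
        url = toHttpsUrl(url, port);
    }
    // Read each forwarded parameter from the incoming request, then remove it from the callback URL
    // so it is not echoed back (the auth server receives it as its own query parameter instead).
    String loginHint = getQueryParamValue("login_hint");
    url = UriUtils.stripQueryParam(url, "login_hint");
    String idpHint = getQueryParamValue(AdapterConstants.KC_IDP_HINT);
    url = UriUtils.stripQueryParam(url, AdapterConstants.KC_IDP_HINT);
    String scope = getQueryParamValue(OAuth2Constants.SCOPE);
    url = UriUtils.stripQueryParam(url, OAuth2Constants.SCOPE);
    String prompt = getQueryParamValue(OAuth2Constants.PROMPT);
    url = UriUtils.stripQueryParam(url, OAuth2Constants.PROMPT);
    String maxAge = getQueryParamValue(OAuth2Constants.MAX_AGE);
    url = UriUtils.stripQueryParam(url, OAuth2Constants.MAX_AGE);
    String uiLocales = getQueryParamValue(OAuth2Constants.UI_LOCALES_PARAM);
    url = UriUtils.stripQueryParam(url, OAuth2Constants.UI_LOCALES_PARAM);
    KeycloakUriBuilder redirectUriBuilder = deployment.getAuthUrl().clone()
            .queryParam(OAuth2Constants.RESPONSE_TYPE, OAuth2Constants.CODE)
            .queryParam(OAuth2Constants.CLIENT_ID, deployment.getResourceName())
            .queryParam(OAuth2Constants.REDIRECT_URI, rewrittenRedirectUri(url))
            .queryParam(OAuth2Constants.STATE, state)
            .queryParam("login", "true");
    addParamIfPresent(redirectUriBuilder, "login_hint", loginHint);
    addParamIfPresent(redirectUriBuilder, AdapterConstants.KC_IDP_HINT, idpHint);
    addParamIfPresent(redirectUriBuilder, OAuth2Constants.PROMPT, prompt);
    addParamIfPresent(redirectUriBuilder, OAuth2Constants.MAX_AGE, maxAge);
    addParamIfPresent(redirectUriBuilder, OAuth2Constants.UI_LOCALES_PARAM, uiLocales);
    scope = TokenUtil.attachOIDCScope(scope);
    redirectUriBuilder.queryParam(OAuth2Constants.SCOPE, scope);
    return redirectUriBuilder.buildAsString();
}

/** Rewrites {@code url} to https; the explicit port is only kept when it is not the https default. */
private static String toHttpsUrl(String url, int port) {
    KeycloakUriBuilder secureUrl = KeycloakUriBuilder.fromUri(url).scheme("https").port(-1);
    if (port != 443) {
        secureUrl.port(port);
    }
    return secureUrl.buildAsString();
}

/** Appends {@code name=value} to {@code builder} only when {@code value} is non-null and non-empty. */
private static void addParamIfPresent(KeycloakUriBuilder builder, String name, String value) {
    if (value != null && !value.isEmpty()) {
        builder.queryParam(name, value);
    }
}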

Example 3 with KeycloakUriBuilder

use of org.keycloak.common.util.KeycloakUriBuilder in project keycloak by keycloak.

From class KeycloakDeployment, method resolveUrls.

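/**
 * URLs are loaded lazily when used. This allows adapter to be deployed prior to Keycloak server starting, and will
 * also allow the adapter to retry loading config for each request until the Keycloak server is ready.
 *
 * In the future we may want to support reloading config at a configurable interval.
 *
 * {@code realmInfoUrl} doubles as the "already resolved" marker: it is checked outside and inside the
 * lock and assigned only after every other URL has been resolved, so a discovery document that is
 * missing an endpoint cannot leave the deployment half-initialised and stop further retries.
 * NOTE(review): the unsynchronized first check is only sound if the field is declared
 * {@code volatile} — confirm against the field declaration.
 */
protected void resolveUrls() {
    if (realmInfoUrl == null) {
        synchronized (this) {
            if (realmInfoUrl == null) {
                KeycloakUriBuilder authUrlBuilder = KeycloakUriBuilder.fromUri(authServerBaseUrl);
                String discoveryUrl = authUrlBuilder.clone().path(ServiceUrlConstants.DISCOVERY_URL).build(getRealm()).toString();
                try {
                    log.debugv("Resolving URLs from {0}", discoveryUrl);
                    OIDCConfigurationRepresentation config = getOidcConfiguration(discoveryUrl);
                    // Resolve into locals first: if any step throws, no field has been touched and the
                    // next request retries from scratch instead of running with null endpoints.
                    KeycloakUriBuilder resolvedAuthUrl = KeycloakUriBuilder.fromUri(config.getAuthorizationEndpoint());
                    String resolvedTokenUrl = config.getTokenEndpoint();
                    KeycloakUriBuilder resolvedLogoutUrl = KeycloakUriBuilder.fromUri(config.getLogoutEndpoint());
                    String resolvedAccountUrl = KeycloakUriBuilder.fromUri(config.getIssuer()).path("/account").build().toString();
                    String resolvedRegisterNodeUrl = authUrlBuilder.clone().path(ServiceUrlConstants.CLIENTS_MANAGEMENT_REGISTER_NODE_PATH).build(getRealm()).toString();
                    String resolvedUnregisterNodeUrl = authUrlBuilder.clone().path(ServiceUrlConstants.CLIENTS_MANAGEMENT_UNREGISTER_NODE_PATH).build(getRealm()).toString();
                    String resolvedJwksUrl = config.getJwksUri();
                    authUrl = resolvedAuthUrl;
                    tokenUrl = resolvedTokenUrl;
                    logoutUrl = resolvedLogoutUrl;
                    accountUrl = resolvedAccountUrl;
                    registerNodeUrl = resolvedRegisterNodeUrl;
                    unregisterNodeUrl = resolvedUnregisterNodeUrl;
                    jwksUrl = resolvedJwksUrl;
                    // Last: publishing the issuer marks the deployment as resolved.
                    realmInfoUrl = config.getIssuer();
                    log.infov("Loaded URLs from {0}", discoveryUrl);
                } catch (Exception e) {
                    // Best effort by design: the server may simply not be up yet; the next request retries.
                    log.warnv(e, "Failed to load URLs from {0}", discoveryUrl);
                }
            }
        }
    }
}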

Example 4 with KeycloakUriBuilder

use of org.keycloak.common.util.KeycloakUriBuilder in project keycloak by keycloak.

From class AdapterDeploymentContext, method getBaseBuilder.

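/**
 * Starts a URI builder for {@code base} with scheme, host and port taken from the current request,
 * upgrading the scheme to https when the deployment requires SSL for the caller's address.
 *
 * @param facade access to the current request (its URI and remote address)
 * @param base   the base URI (typically relative, from the adapter config) to complete
 * @return a builder carrying {@code base} plus the request's scheme/host/port
 * @throws RuntimeException when SSL is required, the request is not already https and it arrived on
 *                          an explicit port — the https port cannot be guessed from such a request
 */
protected KeycloakUriBuilder getBaseBuilder(HttpFacade facade, String base) {
    KeycloakUriBuilder builder = KeycloakUriBuilder.fromUri(base);
    URI request = URI.create(facade.getRequest().getURI());
    // May be null for a scheme-less request URI; compared null-safely below.
    String requestScheme = request.getScheme();
    String scheme = requestScheme;
    if (deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) {
        scheme = "https";
        if (!scheme.equals(requestScheme) && request.getPort() != -1) {
            log.error("request scheme: " + requestScheme + " ssl required");
            throw new RuntimeException("Can't resolve relative url from adapter config.");
        }
    }
    builder.scheme(scheme);
    builder.host(request.getHost());
    if (request.getPort() != -1) {
        builder.port(request.getPort());
    }
    return builder;
}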

Example 5 with KeycloakUriBuilder

use of org.keycloak.common.util.KeycloakUriBuilder in project keycloak by keycloak.

From class AbstractSamlAuthenticationHandler, method verifyRedirectBindingSignature.

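/**
 * Verifies the detached signature of a SAML HTTP-Redirect binding message carried in the query string.
 *
 * The signed data is rebuilt from the individual parameters rather than taken from the raw request
 * query: the message parameter ({@code paramKey}), then {@code RelayState} when present, then
 * {@code SigAlg}, in that order (query encoding is left to {@link KeycloakUriBuilder}). The raw query of
 * that URI is what is checked against the {@code Signature} parameter.
 *
 * @param paramKey   name of the query parameter holding the SAML message
 * @param keyLocator source of the verification key(s)
 * @param keyId      identifier of the key to verify with, passed through to validateRedirectBindingSignature
 * @throws VerificationException if the message, {@code SigAlg} or {@code Signature} parameter is missing,
 *                               if the signature does not verify, or if decoding/verification itself fails
 *                               (the underlying exception is attached as the cause)
 */
private void verifyRedirectBindingSignature(String paramKey, KeyLocator keyLocator, String keyId) throws VerificationException {
    String request = facade.getRequest().getQueryParamValue(paramKey);
    String algorithm = facade.getRequest().getQueryParamValue(GeneralConstants.SAML_SIG_ALG_REQUEST_KEY);
    String signature = facade.getRequest().getQueryParamValue(GeneralConstants.SAML_SIGNATURE_REQUEST_KEY);
    if (request == null) {
        throw new VerificationException("SAML Request was null");
    }
    if (algorithm == null) {
        throw new VerificationException("SigAlg was null");
    }
    if (signature == null) {
        throw new VerificationException("Signature was null");
    }
    // Shibboleth doesn't sign the document for redirect binding.
    // todo maybe a flag?
    String relayState = facade.getRequest().getQueryParamValue(GeneralConstants.RELAY_STATE);
    KeycloakUriBuilder builder = KeycloakUriBuilder.fromPath("/").queryParam(paramKey, request);
    if (relayState != null) {
        builder.queryParam(GeneralConstants.RELAY_STATE, relayState);
    }
    builder.queryParam(GeneralConstants.SAML_SIG_ALG_REQUEST_KEY, algorithm);
    String rawQuery = builder.build().getRawQuery();
    boolean valid;
    try {
        // byte[] decodedSignature = RedirectBindingUtil.urlBase64Decode(signature);
        byte[] decodedSignature = Base64.decode(signature);
        byte[] rawQueryBytes = rawQuery.getBytes(java.nio.charset.StandardCharsets.UTF_8);
        // NOTE(review): the algorithm is chosen by the sender via SigAlg; getFromXmlMethod and
        // validateRedirectBindingSignature are relied on to reject unknown or unacceptable algorithms — confirm.
        SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.getFromXmlMethod(algorithm);
        valid = validateRedirectBindingSignature(signatureAlgorithm, rawQueryBytes, decodedSignature, keyLocator, keyId);
    } catch (Exception e) {
        throw new VerificationException(e);
    }
    // Thrown outside the try so the failure keeps its own message instead of being wrapped as a cause.
    if (!valid) {
        throw new VerificationException("Invalid query param signature");
    }
}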
