Examples with JSONWebKeySet org.keycloak.jose.jwk.JSONWebKeySet used on opensource projects

Example 1 with JSONWebKeySet

use of org.keycloak.jose.jwk.JSONWebKeySet in project keycloak by keycloak.

the class PreAuthActionsHandler method handleJwksRequest.

protected void handleJwksRequest() {
    try {
        JSONWebKeySet jwks = new JSONWebKeySet();
        ClientCredentialsProvider clientCredentialsProvider = deployment.getClientAuthenticator();
        // For now, just get signature key from JWT provider. We can add more if we support encryption etc.
        if (clientCredentialsProvider instanceof JWTClientCredentialsProvider) {
            PublicKey publicKey = ((JWTClientCredentialsProvider) clientCredentialsProvider).getPublicKey();
            JWK jwk = JWKBuilder.create().rs256(publicKey);
            jwks.setKeys(new JWK[] { jwk });
        } else {
            jwks.setKeys(new JWK[] {});
        }
        facade.getResponse().setStatus(200);
        facade.getResponse().setHeader("Content-Type", "application/json");
        JsonSerialization.writeValueToStream(facade.getResponse().getOutputStream(), jwks);
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
}

Example 2 with JSONWebKeySet

use of org.keycloak.jose.jwk.JSONWebKeySet in project keycloak by keycloak.

the class JWKPublicKeyLocator method sendRequest.

private void sendRequest(KeycloakDeployment deployment) {
    if (log.isTraceEnabled()) {
        log.trace("Going to send request to retrieve new set of realm public keys for client " + deployment.getResourceName());
    }
    HttpGet getMethod = new HttpGet(deployment.getJwksUrl());
    try {
        JSONWebKeySet jwks = HttpAdapterUtils.sendJsonHttpRequest(deployment, getMethod, JSONWebKeySet.class);
        Map<String, PublicKey> publicKeys = JWKSUtils.getKeysForUse(jwks, JWK.Use.SIG);
        if (log.isDebugEnabled()) {
            log.debug("Realm public keys successfully retrieved for client " + deployment.getResourceName() + ". New kids: " + publicKeys.keySet().toString());
        }
        // Update current keys
        currentKeys.clear();
        currentKeys.putAll(publicKeys);
    } catch (HttpClientAdapterException e) {
        log.error("Error when sending request to retrieve realm keys", e);
    }
}

Example 3 with JSONWebKeySet

use of org.keycloak.jose.jwk.JSONWebKeySet in project keycloak by keycloak.

the class TLSTest method testSSLAlwaysRequired.

@Test
public void testSSLAlwaysRequired() throws Exception {
    // Switch realm SSLRequired to Always
    RealmRepresentation realmRep = testRealm().toRepresentation();
    String origSslRequired = realmRep.getSslRequired();
    realmRep.setSslRequired(SslRequired.ALL.toString());
    testRealm().update(realmRep);
    // Try access "WellKnown" endpoint unsecured. It should fail
    oauth.baseUrl(AUTH_SERVER_ROOT_WITHOUT_TLS);
    OIDCConfigurationRepresentation config = oauth.doWellKnownRequest("test");
    Assert.assertNull(config.getAuthorizationEndpoint());
    Assert.assertEquals("HTTPS required", config.getOtherClaims().get("error_description"));
    // Try access "JWKS URL" unsecured. It should fail
    try {
        JSONWebKeySet keySet = oauth.doCertsRequest("test");
        Assert.fail("This should not be successful");
    } catch (Exception e) {
    // Expected
    }
    // Revert SSLRequired
    realmRep.setSslRequired(origSslRequired);
    testRealm().update(realmRep);
}

Example 4 with JSONWebKeySet

use of org.keycloak.jose.jwk.JSONWebKeySet in project keycloak by keycloak.

the class DescriptionConverter method setPublicKey.

private static boolean setPublicKey(OIDCClientRepresentation clientOIDC, ClientRepresentation clientRep) {
    OIDCAdvancedConfigWrapper configWrapper = OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep);
    if (clientOIDC.getJwks() != null) {
        if (clientOIDC.getJwksUri() != null) {
            throw new ClientRegistrationException("Illegal to use both jwks_uri and jwks");
        }
        JSONWebKeySet keySet = clientOIDC.getJwks();
        JWK publicKeyJWk = JWKSUtils.getKeyForUse(keySet, JWK.Use.SIG);
        try {
            configWrapper.setJwksString(JsonSerialization.writeValueAsPrettyString(clientOIDC.getJwks()));
        } catch (IOException e) {
            throw new ClientRegistrationException("Illegal jwks format");
        }
        configWrapper.setUseJwksString(true);
        configWrapper.setUseJwksUrl(false);
        if (publicKeyJWk == null) {
            return false;
        }
        PublicKey publicKey = JWKParser.create(publicKeyJWk).toPublicKey();
        String publicKeyPem = KeycloakModelUtils.getPemFromKey(publicKey);
        CertificateRepresentation rep = new CertificateRepresentation();
        rep.setPublicKey(publicKeyPem);
        rep.setKid(publicKeyJWk.getKeyId());
        CertificateInfoHelper.updateClientRepresentationCertificateInfo(clientRep, rep, JWTClientAuthenticator.ATTR_PREFIX);
        return true;
    } else if (clientOIDC.getJwksUri() != null) {
        configWrapper.setUseJwksUrl(true);
        configWrapper.setJwksUrl(clientOIDC.getJwksUri());
        configWrapper.setUseJwksString(false);
        return true;
    }
    return false;
}

Example 5 with JSONWebKeySet

use of org.keycloak.jose.jwk.JSONWebKeySet in project keycloak by keycloak.

the class OIDCWellKnownProviderTest method certs.

@Test
public void certs() throws IOException {
    TokenSignatureUtil.registerKeyProvider(Algorithm.ES256, adminClient, testContext);
    OIDCConfigurationRepresentation representation = SimpleHttp.doGet(getAuthServerRoot().toString() + "realms/test/.well-known/openid-configuration", client).asJson(OIDCConfigurationRepresentation.class);
    String jwksUri = representation.getJwksUri();
    JSONWebKeySet jsonWebKeySet = SimpleHttp.doGet(jwksUri, client).asJson(JSONWebKeySet.class);
    assertEquals(2, jsonWebKeySet.getKeys().length);
}