Class PreAuthActionsHandler, method handleJwksRequest.
/**
 * Serves this client adapter's own JWKS document.
 *
 * When the deployment authenticates with a JWT client credential, the response
 * contains that credential's public key published as an RS256 JWK; for any other
 * client authenticator an empty key set is returned. Only a signature key is
 * published today (see the inline comment). Any failure while building or writing
 * the response is rethrown as a {@link RuntimeException} carrying the original cause.
 */
protected void handleJwksRequest() {
    try {
        ClientCredentialsProvider credentials = deployment.getClientAuthenticator();
        JWK[] publishedKeys;
        // For now, just get signature key from JWT provider. We can add more if we support encryption etc.
        if (credentials instanceof JWTClientCredentialsProvider) {
            PublicKey signingKey = ((JWTClientCredentialsProvider) credentials).getPublicKey();
            publishedKeys = new JWK[] { JWKBuilder.create().rs256(signingKey) };
        } else {
            publishedKeys = new JWK[0];
        }
        JSONWebKeySet jwks = new JSONWebKeySet();
        jwks.setKeys(publishedKeys);

        facade.getResponse().setStatus(200);
        facade.getResponse().setHeader("Content-Type", "application/json");
        JsonSerialization.writeValueToStream(facade.getResponse().getOutputStream(), jwks);
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
}
Class JWKPublicKeyLocator, method sendRequest.
/**
 * Fetches the realm's JWKS from {@code deployment.getJwksUrl()} and replaces the
 * cached signature keys ({@code JWK.Use.SIG}) in {@code currentKeys}, keyed by kid.
 *
 * On an {@link HttpClientAdapterException} the error is logged and the previously
 * cached keys are left untouched; any other exception propagates to the caller.
 * NOTE(review): the cache is cleared and then refilled in two steps, so a concurrent
 * reader could briefly observe an empty map mid-refresh — confirm callers tolerate
 * (or retry on) a transient miss.
 *
 * @param deployment the adapter deployment whose JWKS URL and client name are used
 */
private void sendRequest(KeycloakDeployment deployment) {
    if (log.isTraceEnabled()) {
        log.trace("Going to send request to retrieve new set of realm public keys for client " + deployment.getResourceName());
    }

    HttpGet jwksRequest = new HttpGet(deployment.getJwksUrl());
    try {
        JSONWebKeySet jwks = HttpAdapterUtils.sendJsonHttpRequest(deployment, jwksRequest, JSONWebKeySet.class);
        Map<String, PublicKey> refreshedKeys = JWKSUtils.getKeysForUse(jwks, JWK.Use.SIG);
        if (log.isDebugEnabled()) {
            log.debug("Realm public keys successfully retrieved for client " + deployment.getResourceName() + ". New kids: " + refreshedKeys.keySet().toString());
        }

        // Update current keys
        currentKeys.clear();
        currentKeys.putAll(refreshedKeys);
    } catch (HttpClientAdapterException e) {
        log.error("Error when sending request to retrieve realm keys", e);
    }
}
Class TLSTest, method testSSLAlwaysRequired.
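/**
 * Verifies that with the realm's SSL-required mode set to {@code ALL}, the plain-HTTP
 * well-known and JWKS endpoints refuse to serve.
 *
 * The realm's original {@code sslRequired} value is restored in a {@code finally}
 * block so that a failing assertion cannot leave the shared test realm in
 * SSL-required mode and cascade into later tests.
 *
 * @throws Exception if the admin or OAuth helpers fail unexpectedly
 */
@Test
public void testSSLAlwaysRequired() throws Exception {
    // Switch realm SSLRequired to Always
    RealmRepresentation realmRep = testRealm().toRepresentation();
    String origSslRequired = realmRep.getSslRequired();
    realmRep.setSslRequired(SslRequired.ALL.toString());
    testRealm().update(realmRep);

    try {
        // Try access "WellKnown" endpoint unsecured. It should fail
        oauth.baseUrl(AUTH_SERVER_ROOT_WITHOUT_TLS);
        OIDCConfigurationRepresentation config = oauth.doWellKnownRequest("test");
        Assert.assertNull(config.getAuthorizationEndpoint());
        Assert.assertEquals("HTTPS required", config.getOtherClaims().get("error_description"));

        // Try access "JWKS URL" unsecured. It should fail
        try {
            oauth.doCertsRequest("test");
            // AssertionError is an Error, not an Exception, so it escapes the catch below
            Assert.fail("This should not be successful");
        } catch (Exception e) {
            // Expected: the server refuses the plain-HTTP JWKS request
        }
    } finally {
        // Revert SSLRequired even when an assertion above failed
        realmRep.setSslRequired(origSslRequired);
        testRealm().update(realmRep);
    }
}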
Class DescriptionConverter, method setPublicKey.
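/**
 * Copies the client's JWKS configuration from an OIDC dynamic-registration request
 * onto the Keycloak client representation.
 *
 * At most one of {@code jwks} and {@code jwks_uri} may be present:
 * <ul>
 *   <li>inline {@code jwks}: the document is stored verbatim on the client; if it
 *       contains a signature-use key, that key (with its kid) is also registered as
 *       the client's JWT-authentication public key and {@code true} is returned;</li>
 *   <li>{@code jwks_uri}: the URL is stored and {@code true} is returned;</li>
 *   <li>neither: nothing is changed and {@code false} is returned.</li>
 * </ul>
 * The key material comes from the registrant and is stored as given; it is the
 * client's own authentication key, not a trust anchor for anything else.
 *
 * @param clientOIDC the incoming registration request
 * @param clientRep the client representation being built; mutated in place
 * @return {@code true} if a usable key source was configured, {@code false} otherwise
 *         (including an inline JWKS without a {@code use=sig} key, which is still stored)
 * @throws ClientRegistrationException if both {@code jwks} and {@code jwks_uri} are
 *         supplied, or the inline JWKS cannot be serialized
 */
private static boolean setPublicKey(OIDCClientRepresentation clientOIDC, ClientRepresentation clientRep) {
    OIDCAdvancedConfigWrapper configWrapper = OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep);
    JSONWebKeySet keySet = clientOIDC.getJwks();
    String jwksUri = clientOIDC.getJwksUri();

    if (keySet != null) {
        if (jwksUri != null) {
            throw new ClientRegistrationException("Illegal to use both jwks_uri and jwks");
        }
        JWK publicKeyJWk = JWKSUtils.getKeyForUse(keySet, JWK.Use.SIG);
        try {
            configWrapper.setJwksString(JsonSerialization.writeValueAsPrettyString(keySet));
        } catch (IOException e) {
            // Keep the cause so the serialization failure can be diagnosed from logs
            throw new ClientRegistrationException("Illegal jwks format", e);
        }
        configWrapper.setUseJwksString(true);
        configWrapper.setUseJwksUrl(false);

        // The JWKS stays configured even without a sig key; the caller just gets no JWT-auth key
        if (publicKeyJWk == null) {
            return false;
        }
        PublicKey publicKey = JWKParser.create(publicKeyJWk).toPublicKey();
        String publicKeyPem = KeycloakModelUtils.getPemFromKey(publicKey);
        CertificateRepresentation rep = new CertificateRepresentation();
        rep.setPublicKey(publicKeyPem);
        rep.setKid(publicKeyJWk.getKeyId());
        CertificateInfoHelper.updateClientRepresentationCertificateInfo(clientRep, rep, JWTClientAuthenticator.ATTR_PREFIX);
        return true;
    }

    if (jwksUri != null) {
        configWrapper.setUseJwksUrl(true);
        configWrapper.setJwksUrl(jwksUri);
        configWrapper.setUseJwksString(false);
        return true;
    }
    return false;
}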
Class OIDCWellKnownProviderTest, method certs.
/**
 * Checks that, after an additional ES256 key provider is registered, the JWKS
 * document advertised by the well-known configuration's {@code jwks_uri} lists
 * exactly two keys.
 *
 * @throws IOException if either HTTP request fails
 */
@Test
public void certs() throws IOException {
    TokenSignatureUtil.registerKeyProvider(Algorithm.ES256, adminClient, testContext);

    String wellKnownUrl = getAuthServerRoot().toString() + "realms/test/.well-known/openid-configuration";
    OIDCConfigurationRepresentation discovery = SimpleHttp.doGet(wellKnownUrl, client).asJson(OIDCConfigurationRepresentation.class);

    JSONWebKeySet keySet = SimpleHttp.doGet(discovery.getJwksUri(), client).asJson(JSONWebKeySet.class);
    // presumably the realm's pre-existing key plus the ES256 one registered above — verify against realm setup
    assertEquals(2, keySet.getKeys().length);
}