
Example 1 with JSONWebKeySet

use of org.keycloak.jose.jwk.JSONWebKeySet in project keycloak by keycloak.

the class PreAuthActionsHandler method handleJwksRequest.

/**
 * Serves this adapter's public signing key as a JWKS document on the current response.
 *
 * <p>Only a {@link JWTClientCredentialsProvider} contributes a key (its public key,
 * published as an RS256 JWK); any other client authenticator yields an empty key set.
 * The response is written with status 200 and a JSON content type.
 *
 * @throws RuntimeException wrapping any failure while building or writing the document
 */
protected void handleJwksRequest() {
    try {
        ClientCredentialsProvider credentials = deployment.getClientAuthenticator();
        JWK[] keys;
        // Only the JWT authenticator has a public key worth publishing; encryption keys
        // are not supported here yet, so at most one signature key is exposed.
        if (credentials instanceof JWTClientCredentialsProvider) {
            PublicKey signingKey = ((JWTClientCredentialsProvider) credentials).getPublicKey();
            keys = new JWK[] { JWKBuilder.create().rs256(signingKey) };
        } else {
            keys = new JWK[0];
        }
        JSONWebKeySet jwks = new JSONWebKeySet();
        jwks.setKeys(keys);

        facade.getResponse().setStatus(200);
        facade.getResponse().setHeader("Content-Type", "application/json");
        JsonSerialization.writeValueToStream(facade.getResponse().getOutputStream(), jwks);
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
}

Example 2 with JSONWebKeySet

use of org.keycloak.jose.jwk.JSONWebKeySet in project keycloak by keycloak.

the class JWKPublicKeyLocator method sendRequest.

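/**
 * Fetches the realm's JWKS document and refreshes {@code currentKeys} with the keys
 * marked for signature use.
 *
 * <p>The cache is updated in place: kids the realm no longer publishes are dropped
 * first and the fresh keys are then merged in. Unlike {@code clear()} followed by
 * {@code putAll()}, this never leaves the cache momentarily empty, which matters if
 * the map is read by token verification while a refresh is in progress. On a
 * transport error the failure is logged and the previously cached keys are kept.
 *
 * @param deployment the adapter deployment providing the JWKS URL and resource name
 */
private void sendRequest(KeycloakDeployment deployment) {
    if (log.isTraceEnabled()) {
        log.trace("Going to send request to retrieve new set of realm public keys for client " + deployment.getResourceName());
    }
    HttpGet getMethod = new HttpGet(deployment.getJwksUrl());
    try {
        JSONWebKeySet jwks = HttpAdapterUtils.sendJsonHttpRequest(deployment, getMethod, JSONWebKeySet.class);
        Map<String, PublicKey> publicKeys = JWKSUtils.getKeysForUse(jwks, JWK.Use.SIG);
        if (log.isDebugEnabled()) {
            log.debug("Realm public keys successfully retrieved for client " + deployment.getResourceName() + ". New kids: " + publicKeys.keySet().toString());
        }
        // Retire rotated-out keys, then add/replace with the fresh ones. The end state
        // equals clear()+putAll(), but still-valid keys stay available throughout.
        currentKeys.keySet().retainAll(publicKeys.keySet());
        currentKeys.putAll(publicKeys);
    } catch (HttpClientAdapterException e) {
        // Best effort: keep serving the last known key set rather than failing verification.
        log.error("Error when sending request to retrieve realm keys", e);
    }
}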

Example 3 with JSONWebKeySet

use of org.keycloak.jose.jwk.JSONWebKeySet in project keycloak by keycloak.

the class TLSTest method testSSLAlwaysRequired.

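/**
 * Verifies that with the realm's {@code sslRequired} set to {@code ALL}, both the OIDC
 * discovery document and the JWKS endpoint refuse plain-HTTP access.
 *
 * <p>The realm setting is restored in a {@code finally} block so that a failing
 * assertion does not leave the shared test realm requiring TLS for later tests.
 *
 * @throws Exception on unexpected test-infrastructure failures
 */
@Test
public void testSSLAlwaysRequired() throws Exception {
    RealmRepresentation realmRep = testRealm().toRepresentation();
    String origSslRequired = realmRep.getSslRequired();
    // Switch realm SSLRequired to Always
    realmRep.setSslRequired(SslRequired.ALL.toString());
    testRealm().update(realmRep);
    try {
        // Try access "WellKnown" endpoint unsecured. It should fail
        oauth.baseUrl(AUTH_SERVER_ROOT_WITHOUT_TLS);
        OIDCConfigurationRepresentation config = oauth.doWellKnownRequest("test");
        Assert.assertNull(config.getAuthorizationEndpoint());
        Assert.assertEquals("HTTPS required", config.getOtherClaims().get("error_description"));
        // Try access "JWKS URL" unsecured. It should fail
        try {
            oauth.doCertsRequest("test");
            Assert.fail("This should not be successful");
        } catch (Exception e) {
            // Expected: the server rejects the unsecured request.
            // Assert.fail above throws an AssertionError, which this catch does not swallow.
        }
    } finally {
        // Revert SSLRequired even when one of the assertions above failed
        realmRep.setSslRequired(origSslRequired);
        testRealm().update(realmRep);
    }
}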

Example 4 with JSONWebKeySet

use of org.keycloak.jose.jwk.JSONWebKeySet in project keycloak by keycloak.

the class DescriptionConverter method setPublicKey.

/**
 * Transfers the client's JWKS configuration (inline {@code jwks} or {@code jwks_uri})
 * from the OIDC registration payload onto the Keycloak client representation.
 *
 * <p>Inline JWKS: the document is stored verbatim on the client, JWKS-URL mode is
 * turned off, and if it contains a signature-use key that key is additionally published
 * as the client's certificate info (PEM plus kid). JWKS URI: only the URL is stored.
 *
 * @param clientOIDC the incoming OIDC client registration
 * @param clientRep  the Keycloak client representation being populated
 * @return {@code true} if a public key or JWKS URI was configured; {@code false} if the
 *         payload carried neither, or an inline JWKS had no signature-use key
 * @throws ClientRegistrationException if both {@code jwks} and {@code jwks_uri} are
 *         present, or the inline JWKS cannot be serialized
 */
private static boolean setPublicKey(OIDCClientRepresentation clientOIDC, ClientRepresentation clientRep) {
    OIDCAdvancedConfigWrapper configWrapper = OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep);
    JSONWebKeySet keySet = clientOIDC.getJwks();
    String jwksUri = clientOIDC.getJwksUri();

    if (keySet == null) {
        if (jwksUri == null) {
            return false;
        }
        configWrapper.setUseJwksUrl(true);
        configWrapper.setJwksUrl(jwksUri);
        configWrapper.setUseJwksString(false);
        return true;
    }

    if (jwksUri != null) {
        throw new ClientRegistrationException("Illegal to use both jwks_uri and jwks");
    }
    JWK signingJwk = JWKSUtils.getKeyForUse(keySet, JWK.Use.SIG);
    try {
        configWrapper.setJwksString(JsonSerialization.writeValueAsPrettyString(keySet));
    } catch (IOException e) {
        throw new ClientRegistrationException("Illegal jwks format");
    }
    configWrapper.setUseJwksString(true);
    configWrapper.setUseJwksUrl(false);
    if (signingJwk == null) {
        // Inline JWKS is stored, but there is no signature-use key to publish as certificate info
        return false;
    }
    PublicKey publicKey = JWKParser.create(signingJwk).toPublicKey();
    CertificateRepresentation certRep = new CertificateRepresentation();
    certRep.setPublicKey(KeycloakModelUtils.getPemFromKey(publicKey));
    certRep.setKid(signingJwk.getKeyId());
    CertificateInfoHelper.updateClientRepresentationCertificateInfo(clientRep, certRep, JWTClientAuthenticator.ATTR_PREFIX);
    return true;
}

Example 5 with JSONWebKeySet

use of org.keycloak.jose.jwk.JSONWebKeySet in project keycloak by keycloak.

the class OIDCWellKnownProviderTest method certs.

/**
 * Checks that the realm's JWKS endpoint, located through the OIDC discovery document,
 * publishes two keys once an additional ES256 key provider has been registered.
 *
 * @throws IOException if either HTTP request fails
 */
@Test
public void certs() throws IOException {
    TokenSignatureUtil.registerKeyProvider(Algorithm.ES256, adminClient, testContext);
    String discoveryUrl = getAuthServerRoot().toString() + "realms/test/.well-known/openid-configuration";
    OIDCConfigurationRepresentation discovery = SimpleHttp.doGet(discoveryUrl, client).asJson(OIDCConfigurationRepresentation.class);
    JSONWebKeySet jwks = SimpleHttp.doGet(discovery.getJwksUri(), client).asJson(JSONWebKeySet.class);
    // Assumes exactly one key was published before the ES256 provider was added — verify against the realm setup
    assertEquals(2, jwks.getKeys().length);
}
