
Example 1 with JWK

use of org.keycloak.jose.jwk.JWK in project keycloak by keycloak.

The class PreAuthActionsHandler, method handleJwksRequest.

/**
 * Serves this adapter's public signing key as a JSON Web Key Set.
 * <p>
 * Only the signature key of a {@link JWTClientCredentialsProvider} is
 * published (as an RS256 JWK); any other credentials provider results in an
 * empty key set. The response is written with status 200 and
 * {@code Content-Type: application/json}.
 *
 * @throws RuntimeException wrapping any failure while building or writing the key set
 */
protected void handleJwksRequest() {
    try {
        ClientCredentialsProvider authenticator = deployment.getClientAuthenticator();
        JWK[] published;
        // For now, just get signature key from JWT provider. We can add more if we support encryption etc.
        if (authenticator instanceof JWTClientCredentialsProvider) {
            PublicKey signingKey = ((JWTClientCredentialsProvider) authenticator).getPublicKey();
            published = new JWK[] { JWKBuilder.create().rs256(signingKey) };
        } else {
            published = new JWK[] {};
        }
        JSONWebKeySet keySet = new JSONWebKeySet();
        keySet.setKeys(published);
        facade.getResponse().setStatus(200);
        facade.getResponse().setHeader("Content-Type", "application/json");
        JsonSerialization.writeValueToStream(facade.getResponse().getOutputStream(), keySet);
    } catch (Exception e) {
        // Adapter boundary: surface any failure to the servlet container unchanged.
        throw new RuntimeException(e);
    }
}
Also used : JSONWebKeySet(org.keycloak.jose.jwk.JSONWebKeySet) PublicKey(java.security.PublicKey) JWTClientCredentialsProvider(org.keycloak.adapters.authentication.JWTClientCredentialsProvider) ClientCredentialsProvider(org.keycloak.adapters.authentication.ClientCredentialsProvider) VerificationException(org.keycloak.common.VerificationException) JWTClientCredentialsProvider(org.keycloak.adapters.authentication.JWTClientCredentialsProvider) JWK(org.keycloak.jose.jwk.JWK)

Example 2 with JWK

use of org.keycloak.jose.jwk.JWK in project keycloak by keycloak.

The class DescriptionConverter, method setPublicKey.

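/**
 * Copies the client's JWKS configuration from an OIDC dynamic-registration
 * request into the Keycloak client representation.
 * <p>
 * An inline {@code jwks} document is stored verbatim on the client; if it holds
 * a key with {@code use=sig}, that key is additionally registered as the client's
 * signing public key (PEM plus {@code kid}). A {@code jwks_uri} is stored as the
 * URL keys are fetched from. Supplying both is rejected.
 *
 * @param clientOIDC the incoming OIDC client registration
 * @param clientRep  the Keycloak representation being populated (mutated in place)
 * @return {@code true} if a signing key or a jwks_uri was configured; {@code false}
 *         if neither was supplied, or the inline JWKS contains no {@code sig} key
 *         (the JWKS document itself is still stored in that case)
 * @throws ClientRegistrationException if both jwks and jwks_uri are present, or the
 *         inline JWKS cannot be serialized
 */
private static boolean setPublicKey(OIDCClientRepresentation clientOIDC, ClientRepresentation clientRep) {
    OIDCAdvancedConfigWrapper configWrapper = OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep);
    JSONWebKeySet keySet = clientOIDC.getJwks();
    if (keySet != null) {
        if (clientOIDC.getJwksUri() != null) {
            throw new ClientRegistrationException("Illegal to use both jwks_uri and jwks");
        }
        JWK publicKeyJWk = JWKSUtils.getKeyForUse(keySet, JWK.Use.SIG);
        try {
            configWrapper.setJwksString(JsonSerialization.writeValueAsPrettyString(keySet));
        } catch (IOException e) {
            // Keep the cause so the failure is diagnosable from server logs;
            // the client-facing message stays deliberately generic.
            throw new ClientRegistrationException("Illegal jwks format", e);
        }
        configWrapper.setUseJwksString(true);
        configWrapper.setUseJwksUrl(false);
        if (publicKeyJWk == null) {
            // JWKS stored, but there is no 'sig' key to register as the signing key.
            return false;
        }
        PublicKey publicKey = JWKParser.create(publicKeyJWk).toPublicKey();
        String publicKeyPem = KeycloakModelUtils.getPemFromKey(publicKey);
        CertificateRepresentation rep = new CertificateRepresentation();
        rep.setPublicKey(publicKeyPem);
        rep.setKid(publicKeyJWk.getKeyId());
        CertificateInfoHelper.updateClientRepresentationCertificateInfo(clientRep, rep, JWTClientAuthenticator.ATTR_PREFIX);
        return true;
    } else if (clientOIDC.getJwksUri() != null) {
        configWrapper.setUseJwksUrl(true);
        configWrapper.setJwksUrl(clientOIDC.getJwksUri());
        configWrapper.setUseJwksString(false);
        return true;
    }
    return false;
}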
Also used : OIDCAdvancedConfigWrapper(org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper) JSONWebKeySet(org.keycloak.jose.jwk.JSONWebKeySet) PublicKey(java.security.PublicKey) CertificateRepresentation(org.keycloak.representations.idm.CertificateRepresentation) ClientRegistrationException(org.keycloak.services.clientregistration.ClientRegistrationException) IOException(java.io.IOException) JWK(org.keycloak.jose.jwk.JWK)

Example 3 with JWK

use of org.keycloak.jose.jwk.JWK in project keycloak by keycloak.

The class OIDCLoginProtocolService, method certs.

/**
 * Publishes the realm's active public keys as a JSON Web Key Set.
 * <p>
 * Only enabled keys that carry a public key are included. RSA keys are
 * emitted with their certificate chain (falling back to the single
 * certificate) and key use; EC keys with the public key only. Any other key
 * type is skipped. The response uses the default cache control and permits
 * any origin, since the JWKS document is public by design.
 *
 * @return the JWKS response
 */
@GET
@Path("certs")
@Produces(MediaType.APPLICATION_JSON)
@NoCache
public Response certs() {
    checkSsl();
    JWK[] publishedKeys = session.keys().getKeysStream(realm)
            .filter(key -> key.getStatus().isEnabled() && key.getPublicKey() != null)
            .map(key -> {
                JWKBuilder builder = JWKBuilder.create().kid(key.getKid()).algorithm(key.getAlgorithmOrDefault());
                List<X509Certificate> chain = key.getCertificateChain();
                List<X509Certificate> certificates = (chain == null || chain.isEmpty())
                        ? Collections.singletonList(key.getCertificate())
                        : chain;
                if (key.getType().equals(KeyType.RSA)) {
                    return builder.rsa(key.getPublicKey(), certificates, key.getUse());
                }
                if (key.getType().equals(KeyType.EC)) {
                    return builder.ec(key.getPublicKey());
                }
                // Unsupported key type: dropped by the nonNull filter below.
                return null;
            })
            .filter(Objects::nonNull)
            .toArray(JWK[]::new);
    JSONWebKeySet keySet = new JSONWebKeySet();
    keySet.setKeys(publishedKeys);
    Response.ResponseBuilder responseBuilder = Response.ok(keySet)
            .cacheControl(CacheControlUtil.getDefaultCacheControl());
    return Cors.add(request, responseBuilder).allowedOrigins("*").auth().build();
}
Also used : X509Certificate(java.security.cert.X509Certificate) JSONWebKeySet(org.keycloak.jose.jwk.JSONWebKeySet) PathParam(javax.ws.rs.PathParam) RealmsResource(org.keycloak.services.resources.RealmsResource) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET) Logger(org.jboss.logging.Logger) Constants(org.keycloak.models.Constants) Path(javax.ws.rs.Path) TokenRevocationEndpoint(org.keycloak.protocol.oidc.endpoints.TokenRevocationEndpoint) CacheControlUtil(org.keycloak.services.util.CacheControlUtil) KeyType(org.keycloak.crypto.KeyType) Messages(org.keycloak.services.messages.Messages) ResteasyProviderFactory(org.jboss.resteasy.spi.ResteasyProviderFactory) AuthorizationEndpoint(org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint) OAuthErrorException(org.keycloak.OAuthErrorException) MediaType(javax.ws.rs.core.MediaType) QueryParam(javax.ws.rs.QueryParam) AuthenticationManager(org.keycloak.services.managers.AuthenticationManager) EventBuilder(org.keycloak.events.EventBuilder) LoginStatusIframeEndpoint(org.keycloak.protocol.oidc.endpoints.LoginStatusIframeEndpoint) ClientConnection(org.keycloak.common.ClientConnection) UriBuilder(javax.ws.rs.core.UriBuilder) Cors(org.keycloak.services.resources.Cors) TokenEndpoint(org.keycloak.protocol.oidc.endpoints.TokenEndpoint) LogoutEndpoint(org.keycloak.protocol.oidc.endpoints.LogoutEndpoint) RealmModel(org.keycloak.models.RealmModel) Context(javax.ws.rs.core.Context) JWK(org.keycloak.jose.jwk.JWK) KeycloakSession(org.keycloak.models.KeycloakSession) UserInfoEndpoint(org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint) OIDCExtProvider(org.keycloak.protocol.oidc.ext.OIDCExtProvider) HttpRequest(org.jboss.resteasy.spi.HttpRequest) ThirdPartyCookiesIframeEndpoint(org.keycloak.protocol.oidc.endpoints.ThirdPartyCookiesIframeEndpoint) OPTIONS(javax.ws.rs.OPTIONS) CorsErrorResponseException(org.keycloak.services.CorsErrorResponseException) NotFoundException(javax.ws.rs.NotFoundException) 
JWKBuilder(org.keycloak.jose.jwk.JWKBuilder) Objects(java.util.Objects) List(java.util.List) HttpHeaders(javax.ws.rs.core.HttpHeaders) NoCache(org.jboss.resteasy.annotations.cache.NoCache) KeyUse(org.keycloak.crypto.KeyUse) Response(javax.ws.rs.core.Response) Optional(java.util.Optional) LoginFormsProvider(org.keycloak.forms.login.LoginFormsProvider) UriInfo(javax.ws.rs.core.UriInfo) Collections(java.util.Collections) Response(javax.ws.rs.core.Response) JSONWebKeySet(org.keycloak.jose.jwk.JSONWebKeySet) JWKBuilder(org.keycloak.jose.jwk.JWKBuilder) X509Certificate(java.security.cert.X509Certificate) JWK(org.keycloak.jose.jwk.JWK) Path(javax.ws.rs.Path) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET) NoCache(org.jboss.resteasy.annotations.cache.NoCache)

Example 4 with JWK

use of org.keycloak.jose.jwk.JWK in project keycloak by keycloak.

The class ClientAttributeCertificateResource, method getCertFromRequest.

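/**
 * Extracts a certificate / key description from a multipart upload.
 * <p>
 * The {@code keystoreFormat} part selects how the {@code file} part is read:
 * a PEM certificate, a PEM public key, a JSON Web Key Set (its {@code sig} key is
 * used), or a keystore ({@code JKS} via the default provider, any other format via
 * the {@code BC} provider) from which the entry named by {@code keyAlias} is
 * exported. {@code keyPassword} and {@code storePassword} are optional and only
 * apply to keystore formats.
 *
 * @param input the multipart form data
 * @return the extracted certificate representation
 * @throws IOException           if reading an upload part fails
 * @throws BadRequestException   if a required part ({@code keystoreFormat},
 *                               {@code file}, or {@code keyAlias} for keystore
 *                               formats) is missing or empty
 * @throws IllegalStateException if a JWKS contains no key with {@code use=sig}
 * @throws RuntimeException      wrapping keystore loading failures
 */
private CertificateRepresentation getCertFromRequest(MultipartFormDataInput input) throws IOException {
    auth.clients().requireManage(client);
    CertificateRepresentation info = new CertificateRepresentation();
    Map<String, List<InputPart>> uploadForm = input.getFormDataMap();
    String keystoreFormat = requiredPart(uploadForm, "keystoreFormat").getBodyAsString();
    // Every format needs the uploaded file; a missing part must be a 400,
    // not a NullPointerException turned into a 500.
    InputPart filePart = requiredPart(uploadForm, "file");
    if (keystoreFormat.equals(CERTIFICATE_PEM)) {
        String pem = StreamUtil.readString(filePart.getBody(InputStream.class, null));
        pem = PemUtils.removeBeginEnd(pem);
        // Validate format
        KeycloakModelUtils.getCertificate(pem);
        info.setCertificate(pem);
        return info;
    } else if (keystoreFormat.equals(PUBLIC_KEY_PEM)) {
        String pem = StreamUtil.readString(filePart.getBody(InputStream.class, null));
        // Validate format
        KeycloakModelUtils.getPublicKey(pem);
        info.setPublicKey(pem);
        return info;
    } else if (keystoreFormat.equals(JSON_WEB_KEY_SET)) {
        InputStream stream = filePart.getBody(InputStream.class, null);
        JSONWebKeySet keySet = JsonSerialization.readValue(stream, JSONWebKeySet.class);
        JWK publicKeyJwk = JWKSUtils.getKeyForUse(keySet, JWK.Use.SIG);
        if (publicKeyJwk == null) {
            throw new IllegalStateException("Certificate not found for use sig");
        }
        PublicKey publicKey = JWKParser.create(publicKeyJwk).toPublicKey();
        String publicKeyPem = KeycloakModelUtils.getPemFromKey(publicKey);
        info.setPublicKey(publicKeyPem);
        info.setKid(publicKeyJwk.getKeyId());
        return info;
    }
    // Keystore formats: the alias is mandatory, both passwords are optional.
    String keyAlias = requiredPart(uploadForm, "keyAlias").getBodyAsString();
    char[] keyPassword = optionalPassword(uploadForm, "keyPassword");
    char[] storePassword = optionalPassword(uploadForm, "storePassword");
    PrivateKey privateKey = null;
    X509Certificate certificate = null;
    try {
        KeyStore keyStore;
        if (keystoreFormat.equals("JKS")) {
            keyStore = KeyStore.getInstance("JKS");
        } else {
            keyStore = KeyStore.getInstance(keystoreFormat, "BC");
        }
        keyStore.load(filePart.getBody(InputStream.class, null), storePassword);
        try {
            privateKey = (PrivateKey) keyStore.getKey(keyAlias, keyPassword);
        } catch (Exception ignored) {
            // Best effort: the alias may hold only a certificate, or the key password
            // may be wrong; the certificate below is still exported.
        }
        certificate = (X509Certificate) keyStore.getCertificate(keyAlias);
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
    if (privateKey != null) {
        String privateKeyPem = KeycloakModelUtils.getPemFromKey(privateKey);
        info.setPrivateKey(privateKeyPem);
    }
    if (certificate != null) {
        String certPem = KeycloakModelUtils.getPemFromCertificate(certificate);
        info.setCertificate(certPem);
    }
    return info;
}

/**
 * Returns the first value of a required multipart field.
 *
 * @throws BadRequestException if the field is absent or has no values
 */
private static InputPart requiredPart(Map<String, List<InputPart>> form, String name) {
    List<InputPart> parts = form.get(name);
    if (parts == null || parts.isEmpty()) {
        throw new BadRequestException("Missing form part: " + name);
    }
    return parts.get(0);
}

/** Returns the first value of an optional password field as a char array, or {@code null} if absent. */
private static char[] optionalPassword(Map<String, List<InputPart>> form, String name) throws IOException {
    List<InputPart> parts = form.get(name);
    if (parts == null || parts.isEmpty()) {
        return null;
    }
    return parts.get(0).getBodyAsString().toCharArray();
}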
Also used : PrivateKey(java.security.PrivateKey) JSONWebKeySet(org.keycloak.jose.jwk.JSONWebKeySet) CertificateRepresentation(org.keycloak.representations.idm.CertificateRepresentation) InputStream(java.io.InputStream) PublicKey(java.security.PublicKey) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) ErrorResponseException(org.keycloak.services.ErrorResponseException) BadRequestException(javax.ws.rs.BadRequestException) NotAcceptableException(javax.ws.rs.NotAcceptableException) IOException(java.io.IOException) NotFoundException(javax.ws.rs.NotFoundException) InputPart(org.jboss.resteasy.plugins.providers.multipart.InputPart) BadRequestException(javax.ws.rs.BadRequestException) List(java.util.List) JWK(org.keycloak.jose.jwk.JWK)

Example 5 with JWK

use of org.keycloak.jose.jwk.JWK in project keycloak by keycloak.

The class TestingOIDCEndpointsApplicationResource, method getJwks.

/**
 * Exposes the test client's configured key pair as a JSON Web Key Set.
 * <p>
 * RSA keys are published with the configured algorithm and key use, EC keys
 * with the algorithm only. With no key pair, or an unrecognised key type, the
 * returned set is empty.
 *
 * @return the key set, never {@code null}
 */
@GET
@Produces(MediaType.APPLICATION_JSON)
@Path("/get-jwks")
@NoCache
public JSONWebKeySet getJwks() {
    KeyPair keyPair = clientData.getKeyPair();
    String keyAlgorithm = clientData.getKeyAlgorithm();
    String keyType = clientData.getKeyType();
    KeyUse keyUse = clientData.getKeyUse();
    JWK[] published = new JWK[] {};
    if (keyPair != null) {
        if (KeyType.RSA.equals(keyType)) {
            published = new JWK[] { JWKBuilder.create().algorithm(keyAlgorithm).rsa(keyPair.getPublic(), keyUse) };
        } else if (KeyType.EC.equals(keyType)) {
            published = new JWK[] { JWKBuilder.create().algorithm(keyAlgorithm).ec(keyPair.getPublic()) };
        }
    }
    JSONWebKeySet keySet = new JSONWebKeySet();
    keySet.setKeys(published);
    return keySet;
}
Also used : KeyPair(java.security.KeyPair) JSONWebKeySet(org.keycloak.jose.jwk.JSONWebKeySet) KeyUse(org.keycloak.crypto.KeyUse) JWK(org.keycloak.jose.jwk.JWK) Path(javax.ws.rs.Path) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET) NoCache(org.jboss.resteasy.annotations.cache.NoCache)

Aggregations

JWK (org.keycloak.jose.jwk.JWK)6 JSONWebKeySet (org.keycloak.jose.jwk.JSONWebKeySet)5 PublicKey (java.security.PublicKey)4 IOException (java.io.IOException)2 X509Certificate (java.security.cert.X509Certificate)2 List (java.util.List)2 GET (javax.ws.rs.GET)2 NotFoundException (javax.ws.rs.NotFoundException)2 Path (javax.ws.rs.Path)2 Produces (javax.ws.rs.Produces)2 NoCache (org.jboss.resteasy.annotations.cache.NoCache)2 KeyUse (org.keycloak.crypto.KeyUse)2 CertificateRepresentation (org.keycloak.representations.idm.CertificateRepresentation)2 InputStream (java.io.InputStream)1 KeyPair (java.security.KeyPair)1 KeyStore (java.security.KeyStore)1 PrivateKey (java.security.PrivateKey)1 Collections (java.util.Collections)1 Objects (java.util.Objects)1 Optional (java.util.Optional)1