
Example 1 with Algorithm

use of org.keycloak.jose.jws.Algorithm in project keycloak by keycloak.

the class CibaClientValidation method validate.

/**
 * Validates the CIBA-related settings of the client under validation.
 *
 * <p>Checks, in order: that the configured backchannel token delivery mode is one
 * of the supported modes; that a client notification endpoint is configured when
 * the delivery mode is "ping"; that the notification endpoint URL itself passes
 * {@code checkUrl}, which is given the realm's SSL-required setting; and that the
 * backchannel authentication request signing algorithm, when one is configured,
 * is supported for this session. Every failed check is reported through
 * {@code context.addError(...)}; a validation failure never throws.
 */
public void validate() {
    ClientModel client = context.getObjectToValidate();
    CibaConfig cibaConfig = client.getRealm().getCibaPolicy();
    String deliveryMode = cibaConfig.getBackchannelTokenDeliveryMode(client);
    String notificationEndpoint = cibaConfig.getBackchannelClientNotificationEndpoint(client);

    // Only the modes listed in CibaConfig.CIBA_SUPPORTED_MODES may be requested.
    boolean modeSupported = CibaConfig.CIBA_SUPPORTED_MODES.contains(deliveryMode);
    if (!modeSupported) {
        context.addError("cibaBackchannelTokenDeliveryMode", "Unsupported requested CIBA Backchannel Token Delivery Mode", "invalidCibaBackchannelTokenDeliveryMode");
    }

    // Ping mode has nowhere to deliver the notification without an endpoint.
    boolean pingMode = CibaConfig.CIBA_PING_MODE.equals(deliveryMode);
    if (pingMode && notificationEndpoint == null) {
        context.addError("cibaBackchannelClientNotificationEndpoint", "CIBA Backchannel Client Notification Endpoint must be set for the CIBA ping mode", "missingCibaBackchannelClientNotificationEndpoint");
    }

    // checkUrl signals a rejected URL by throwing; the realm's SSL requirement is
    // passed along so the check can apply it to the endpoint.
    try {
        checkUrl(client.getRealm().getSslRequired(), notificationEndpoint, "backchannel_client_notification_endpoint");
    } catch (RuntimeException re) {
        context.addError("cibaBackchannelClientNotificationEndpoint", re.getMessage(), "invalidBackchannelClientNotificationEndpoint");
    }

    // The signing algorithm is optional; when present it must be one this session supports.
    Algorithm requestSigningAlg = cibaConfig.getBackchannelAuthRequestSigningAlg(client);
    boolean algConfigured = requestSigningAlg != null;
    if (algConfigured && !isSupportedBackchannelAuthenticationRequestSigningAlg(context.getSession(), requestSigningAlg.name())) {
        context.addError("cibaBackchannelAuthRequestSigningAlg", "Unsupported requested CIBA Backchannel Authentication Request Signing Algorithm", "invalidCibaBackchannelAuthRequestSigningAlg");
    }
}
Also used : ClientModel(org.keycloak.models.ClientModel) CibaConfig(org.keycloak.models.CibaConfig) Algorithm(org.keycloak.jose.jws.Algorithm)

Example 2 with Algorithm

use of org.keycloak.jose.jws.Algorithm in project keycloak by keycloak.

the class DescriptionConverter method toInternal.

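/**
 * Converts an OIDC dynamic client registration request into Keycloak's internal
 * client representation.
 *
 * <p>Everything in {@code clientOIDC} originates from the registering party. The values
 * that are interpreted here (response types, grant types, token endpoint auth method,
 * JWS algorithm names) are therefore validated and rejected with a
 * {@link ClientRegistrationException} instead of being allowed to surface as unchecked
 * exceptions from the parsing helpers.
 *
 * @param session    the current Keycloak session, used to look up client authenticators
 * @param clientOIDC the registration request as sent by the client
 * @return the populated internal client representation (never {@code null})
 * @throws ClientRegistrationException if the response types cannot be parsed, no client
 *         authenticator matches the requested {@code token_endpoint_auth_method},
 *         {@code private_key_jwt} is requested without a usable signing key, or a
 *         supplied signing algorithm name is not a known {@link Algorithm}
 */
public static ClientRepresentation toInternal(KeycloakSession session, OIDCClientRepresentation clientOIDC) throws ClientRegistrationException {
    ClientRepresentation client = new ClientRepresentation();
    client.setClientId(clientOIDC.getClientId());
    client.setName(clientOIDC.getClientName());
    client.setRedirectUris(clientOIDC.getRedirectUris());
    client.setBaseUrl(clientOIDC.getClientUri());
    client.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);

    // "scope" is a single space-separated string; split it into individual scope names.
    String scopeParam = clientOIDC.getScope();
    if (scopeParam != null) {
        client.setOptionalClientScopes(new ArrayList<>(Arrays.asList(scopeParam.split(" "))));
    }

    // Default to the authorization code flow when no response types were requested.
    List<String> oidcResponseTypes = clientOIDC.getResponseTypes();
    if (oidcResponseTypes == null || oidcResponseTypes.isEmpty()) {
        oidcResponseTypes = Collections.singletonList(OIDCResponseType.CODE);
    }
    List<String> oidcGrantTypes = clientOIDC.getGrantTypes();
    try {
        OIDCResponseType responseType = OIDCResponseType.parse(oidcResponseTypes);
        client.setStandardFlowEnabled(responseType.hasResponseType(OIDCResponseType.CODE));
        client.setImplicitFlowEnabled(responseType.isImplicitOrHybridFlow());
        if (oidcGrantTypes != null) {
            client.setDirectAccessGrantsEnabled(oidcGrantTypes.contains(OAuth2Constants.PASSWORD));
            client.setServiceAccountsEnabled(oidcGrantTypes.contains(OAuth2Constants.CLIENT_CREDENTIALS));
            setOidcCibaGrantEnabled(client, oidcGrantTypes.contains(OAuth2Constants.CIBA_GRANT_TYPE));
        }
    } catch (IllegalArgumentException iae) {
        // An unparseable response type set is a registration error; keep the cause attached.
        throw new ClientRegistrationException(iae.getMessage(), iae);
    }

    // token_endpoint_auth_method: "none" means a public client; otherwise resolve the
    // matching client authenticator, falling back to Keycloak's default authenticator
    // type when the method was omitted.
    String authMethod = clientOIDC.getTokenEndpointAuthMethod();
    client.setPublicClient(Boolean.FALSE);
    if ("none".equals(authMethod)) {
        client.setClientAuthenticatorType("none");
        client.setPublicClient(Boolean.TRUE);
    } else {
        ClientAuthenticatorFactory clientAuthFactory;
        if (authMethod == null) {
            clientAuthFactory = (ClientAuthenticatorFactory) session.getKeycloakSessionFactory().getProviderFactory(ClientAuthenticator.class, KeycloakModelUtils.getDefaultClientAuthenticatorType());
        } else {
            clientAuthFactory = AuthorizeClientUtil.findClientAuthenticatorForOIDCAuthMethod(session, authMethod);
        }
        if (clientAuthFactory == null) {
            throw new ClientRegistrationException("Not found clientAuthenticator for requested token_endpoint_auth_method");
        }
        client.setClientAuthenticatorType(clientAuthFactory.getId());
    }

    // private_key_jwt cannot work unless setPublicKey found a usable signing key.
    boolean publicKeySet = setPublicKey(clientOIDC, client);
    if (OIDCLoginProtocol.PRIVATE_KEY_JWT.equals(authMethod) && !publicKeySet) {
        throw new ClientRegistrationException("Didn't find key of supported keyType for use " + JWK.Use.SIG.asString());
    }

    OIDCAdvancedConfigWrapper configWrapper = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
    // Algorithm names come from the request; an unknown name is a registration error,
    // not an IllegalArgumentException escaping from Enum.valueOf.
    if (clientOIDC.getUserinfoSignedResponseAlg() != null) {
        configWrapper.setUserInfoSignedResponseAlg(parseSigningAlgorithm(clientOIDC.getUserinfoSignedResponseAlg(), "userinfo_signed_response_alg"));
    }
    if (clientOIDC.getRequestObjectSigningAlg() != null) {
        configWrapper.setRequestObjectSignatureAlg(parseSigningAlgorithm(clientOIDC.getRequestObjectSigningAlg(), "request_object_signing_alg"));
    }

    // KEYCLOAK-6771 Certificate Bound Token
    // https://tools.ietf.org/html/draft-ietf-oauth-mtls-08#section-6.5
    Boolean tlsClientCertificateBoundAccessTokens = clientOIDC.getTlsClientCertificateBoundAccessTokens();
    if (tlsClientCertificateBoundAccessTokens != null) {
        configWrapper.setUseMtlsHoKToken(tlsClientCertificateBoundAccessTokens.booleanValue());
    }
    if (clientOIDC.getTlsClientAuthSubjectDn() != null) {
        configWrapper.setTlsClientAuthSubjectDn(clientOIDC.getTlsClientAuthSubjectDn());
        // According to specification, attribute tls_client_auth_subject_dn has subject DN in the exact expected format. There is no reason for support regex comparisons
        configWrapper.setAllowRegexPatternComparison(false);
    }

    // ID token signing/encryption settings are only applied when the request names them.
    if (clientOIDC.getIdTokenSignedResponseAlg() != null) {
        configWrapper.setIdTokenSignedResponseAlg(clientOIDC.getIdTokenSignedResponseAlg());
    }
    if (clientOIDC.getIdTokenEncryptedResponseAlg() != null) {
        configWrapper.setIdTokenEncryptedResponseAlg(clientOIDC.getIdTokenEncryptedResponseAlg());
    }
    if (clientOIDC.getIdTokenEncryptedResponseEnc() != null) {
        configWrapper.setIdTokenEncryptedResponseEnc(clientOIDC.getIdTokenEncryptedResponseEnc());
    }
    configWrapper.setAuthorizationSignedResponseAlg(clientOIDC.getAuthorizationSignedResponseAlg());
    configWrapper.setAuthorizationEncryptedResponseAlg(clientOIDC.getAuthorizationEncryptedResponseAlg());
    configWrapper.setAuthorizationEncryptedResponseEnc(clientOIDC.getAuthorizationEncryptedResponseEnc());
    if (clientOIDC.getRequestUris() != null) {
        configWrapper.setRequestUris(clientOIDC.getRequestUris());
    }
    configWrapper.setTokenEndpointAuthSigningAlg(clientOIDC.getTokenEndpointAuthSigningAlg());

    // Backchannel logout: session-required defaults to true, offline-token revocation to false.
    configWrapper.setBackchannelLogoutUrl(clientOIDC.getBackchannelLogoutUri());
    if (clientOIDC.getBackchannelLogoutSessionRequired() == null) {
        configWrapper.setBackchannelLogoutSessionRequired(true);
    } else {
        configWrapper.setBackchannelLogoutSessionRequired(clientOIDC.getBackchannelLogoutSessionRequired());
    }
    if (clientOIDC.getBackchannelLogoutRevokeOfflineTokens() == null) {
        configWrapper.setBackchannelLogoutRevokeOfflineTokens(false);
    } else {
        configWrapper.setBackchannelLogoutRevokeOfflineTokens(clientOIDC.getBackchannelLogoutRevokeOfflineTokens());
    }

    if (clientOIDC.getLogoUri() != null) {
        configWrapper.setLogoUri(clientOIDC.getLogoUri());
    }
    if (clientOIDC.getPolicyUri() != null) {
        configWrapper.setPolicyUri(clientOIDC.getPolicyUri());
    }
    if (clientOIDC.getTosUri() != null) {
        configWrapper.setTosUri(clientOIDC.getTosUri());
    }

    // CIBA: stored as plain client attributes; absent values leave the attributes untouched.
    putClientAttribute(client, CibaConfig.CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE_PER_CLIENT, clientOIDC.getBackchannelTokenDeliveryMode());
    putClientAttribute(client, CibaConfig.CIBA_BACKCHANNEL_CLIENT_NOTIFICATION_ENDPOINT, clientOIDC.getBackchannelClientNotificationEndpoint());
    putClientAttribute(client, CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG, clientOIDC.getBackchannelAuthenticationRequestSigningAlg());

    // PAR
    Boolean requirePushedAuthorizationRequests = clientOIDC.getRequirePushedAuthorizationRequests();
    if (requirePushedAuthorizationRequests != null) {
        putClientAttribute(client, ParConfig.REQUIRE_PUSHED_AUTHORIZATION_REQUESTS, requirePushedAuthorizationRequests.toString());
    }

    configWrapper.setFrontChannelLogoutUrl(clientOIDC.getFrontChannelLogoutUri());
    if (clientOIDC.getDefaultAcrValues() != null) {
        configWrapper.setAttributeMultivalued(Constants.DEFAULT_ACR_VALUES, clientOIDC.getDefaultAcrValues());
    }
    return client;
}

/**
 * Stores {@code value} under {@code key} in the client's attribute map, creating the
 * map when the representation does not have one yet.
 *
 * @param client the representation whose attributes are updated
 * @param key    attribute name
 * @param value  attribute value; {@code null} leaves the attributes untouched
 */
private static void putClientAttribute(ClientRepresentation client, String key, String value) {
    if (value == null) {
        return;
    }
    Map<String, String> attributes = client.getAttributes();
    if (attributes == null) {
        attributes = new HashMap<>();
    }
    attributes.put(key, value);
    client.setAttributes(attributes);
}

/**
 * Resolves a client-supplied JWS algorithm name to an {@link Algorithm}.
 *
 * @param algorithmName the name as sent in the registration request (non-null)
 * @param parameterName the registration parameter the name came from, used in the error message
 * @return the matching algorithm constant
 * @throws ClientRegistrationException if the name does not match any {@link Algorithm}
 */
private static Algorithm parseSigningAlgorithm(String algorithmName, String parameterName) throws ClientRegistrationException {
    try {
        return Enum.valueOf(Algorithm.class, algorithmName);
    } catch (IllegalArgumentException iae) {
        throw new ClientRegistrationException("Unsupported algorithm for " + parameterName, iae);
    }
}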
Also used : OIDCAdvancedConfigWrapper(org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper) ArrayList(java.util.ArrayList) OIDCResponseType(org.keycloak.protocol.oidc.utils.OIDCResponseType) Algorithm(org.keycloak.jose.jws.Algorithm) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientAuthenticatorFactory(org.keycloak.authentication.ClientAuthenticatorFactory) ClientRegistrationException(org.keycloak.services.clientregistration.ClientRegistrationException)

Aggregations

Algorithm (org.keycloak.jose.jws.Algorithm)2 ArrayList (java.util.ArrayList)1 ClientAuthenticatorFactory (org.keycloak.authentication.ClientAuthenticatorFactory)1 CibaConfig (org.keycloak.models.CibaConfig)1 ClientModel (org.keycloak.models.ClientModel)1 OIDCAdvancedConfigWrapper (org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper)1 OIDCResponseType (org.keycloak.protocol.oidc.utils.OIDCResponseType)1 ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)1 OIDCClientRepresentation (org.keycloak.representations.oidc.OIDCClientRepresentation)1 ClientRegistrationException (org.keycloak.services.clientregistration.ClientRegistrationException)1