Example 16 with JWSInput
use of org.keycloak.jose.jws.JWSInput in project keycloak by keycloak.
the class TestingOIDCEndpointsApplicationResource method requestAuthenticationChannel.
@POST
@Path("/request-authentication-channel")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@NoCache
public Response requestAuthenticationChannel(@Context HttpHeaders headers, AuthenticationChannelRequest request) {
String rawBearerToken = AppAuthManager.extractAuthorizationHeaderToken(headers);
AccessToken bearerToken;
try {
bearerToken = new JWSInput(rawBearerToken).readJsonContent(AccessToken.class);
} catch (JWSInputException e) {
throw new RuntimeException("Failed to parse bearer token", e);
}
// required
String authenticationChannelId = bearerToken.getId();
if (authenticationChannelId == null)
throw new BadRequestException("missing parameter : " + HttpAuthenticationChannelProvider.AUTHENTICATION_CHANNEL_ID);
String loginHint = request.getLoginHint();
if (loginHint == null)
throw new BadRequestException("missing parameter : " + CibaGrantType.LOGIN_HINT);
if (request.getConsentRequired() == null)
throw new BadRequestException("missing parameter : " + CibaGrantType.IS_CONSENT_REQUIRED);
String scope = request.getScope();
if (scope == null)
throw new BadRequestException("missing parameter : " + OAuth2Constants.SCOPE);
// optional
// for testing purpose
String bindingMessage = request.getBindingMessage();
if (bindingMessage != null && bindingMessage.equals("GODOWN"))
throw new BadRequestException("intentional error : GODOWN");
// only one CIBA flow without binding_message can be accepted per test method by this test mechanism.
if (bindingMessage == null)
bindingMessage = ChannelRequestDummyKey;
authenticationChannelRequests.put(bindingMessage, new TestAuthenticationChannelRequest(request, rawBearerToken));
return Response.status(Status.CREATED).build();
}
Also used :
AccessToken(org.keycloak.representations.AccessToken)
JWSInputException(org.keycloak.jose.jws.JWSInputException)
BadRequestException(javax.ws.rs.BadRequestException)
JWSInput(org.keycloak.jose.jws.JWSInput)
TestAuthenticationChannelRequest(org.keycloak.testsuite.rest.representation.TestAuthenticationChannelRequest)
Path(javax.ws.rs.Path)
POST(javax.ws.rs.POST)
Consumes(javax.ws.rs.Consumes)
Produces(javax.ws.rs.Produces)
NoCache(org.jboss.resteasy.annotations.cache.NoCache)
Example 17 with JWSInput
use of org.keycloak.jose.jws.JWSInput in project keycloak by keycloak.
the class KeyPairVerifier method verify.
public static void verify(String privateKeyPem, String publicKeyPem) throws VerificationException {
PrivateKey privateKey;
try {
privateKey = PemUtils.decodePrivateKey(privateKeyPem);
} catch (Exception e) {
throw new VerificationException("Failed to decode private key");
}
PublicKey publicKey;
try {
publicKey = PemUtils.decodePublicKey(publicKeyPem);
} catch (Exception e) {
throw new VerificationException("Failed to decode public key");
}
try {
String jws = new JWSBuilder().content("content".getBytes()).rsa256(privateKey);
if (!RSAProvider.verify(new JWSInput(jws), publicKey)) {
throw new VerificationException("Keys don't match");
}
} catch (Exception e) {
throw new VerificationException("Keys don't match");
}
}
Also used :
PrivateKey(java.security.PrivateKey)
PublicKey(java.security.PublicKey)
VerificationException(org.keycloak.common.VerificationException)
JWSInput(org.keycloak.jose.jws.JWSInput)
VerificationException(org.keycloak.common.VerificationException)
JWSBuilder(org.keycloak.jose.jws.JWSBuilder)
Example 18 with JWSInput
use of org.keycloak.jose.jws.JWSInput in project keycloak by keycloak.
the class TokenEndpoint method permissionGrant.
public Response permissionGrant() {
event.detail(Details.AUTH_METHOD, "oauth_credentials");
String accessTokenString = null;
String authorizationHeader = headers.getRequestHeaders().getFirst(HttpHeaders.AUTHORIZATION);
if (authorizationHeader != null && authorizationHeader.toLowerCase().startsWith("bearer")) {
accessTokenString = new AppAuthManager().extractAuthorizationHeaderToken(headers);
}
// public clients don't have secret and should be able to obtain a RPT by providing an access token previously issued by the server
if (accessTokenString != null) {
AccessToken accessToken = Tokens.getAccessToken(session);
if (accessToken == null) {
try {
// In case the access token is invalid because it's expired or the user is disabled, identify the client
// from the access token anyway in order to set correct CORS headers.
AccessToken invalidToken = new JWSInput(accessTokenString).readJsonContent(AccessToken.class);
ClientModel client = realm.getClientByClientId(invalidToken.getIssuedFor());
cors.allowedOrigins(session, client);
event.client(client);
} catch (JWSInputException ignore) {
}
event.error(Errors.INVALID_TOKEN);
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT, "Invalid bearer token", Status.UNAUTHORIZED);
}
ClientModel client = realm.getClientByClientId(accessToken.getIssuedFor());
session.getContext().setClient(client);
cors.allowedOrigins(session, client);
event.client(client);
}
String claimToken = null;
// claim_token is optional, if provided we just grab it from the request
if (formParams.containsKey("claim_token")) {
claimToken = formParams.get("claim_token").get(0);
}
String claimTokenFormat = formParams.getFirst("claim_token_format");
if (claimToken != null && claimTokenFormat == null) {
claimTokenFormat = AuthorizationTokenService.CLAIM_TOKEN_FORMAT_ID_TOKEN;
}
String subjectToken = formParams.getFirst("subject_token");
if (accessTokenString == null) {
// in case no bearer token is provided, we force client authentication
checkClient();
// if a claim token is provided, we check if the format is a OpenID Connect IDToken and assume the token represents the identity asking for permissions
if (AuthorizationTokenService.CLAIM_TOKEN_FORMAT_ID_TOKEN.equalsIgnoreCase(claimTokenFormat)) {
accessTokenString = claimToken;
} else if (subjectToken != null) {
accessTokenString = subjectToken;
} else {
// Clients need to authenticate in order to obtain a RPT from the server.
// In order to support cases where the client is obtaining permissions on its on behalf, we issue a temporary access token
accessTokenString = AccessTokenResponse.class.cast(clientCredentialsGrant().getEntity()).getToken();
}
}
AuthorizationTokenService.KeycloakAuthorizationRequest authorizationRequest = new AuthorizationTokenService.KeycloakAuthorizationRequest(session.getProvider(AuthorizationProvider.class), tokenManager, event, this.request, cors, clientConnection);
authorizationRequest.setTicket(formParams.getFirst("ticket"));
authorizationRequest.setClaimToken(claimToken);
authorizationRequest.setClaimTokenFormat(claimTokenFormat);
authorizationRequest.setPct(formParams.getFirst("pct"));
String rpt = formParams.getFirst("rpt");
if (rpt != null) {
AccessToken accessToken = session.tokens().decode(rpt, AccessToken.class);
if (accessToken == null) {
event.error(Errors.INVALID_REQUEST);
throw new CorsErrorResponseException(cors, "invalid_rpt", "RPT signature is invalid", Status.FORBIDDEN);
}
authorizationRequest.setRpt(accessToken);
}
authorizationRequest.setScope(formParams.getFirst("scope"));
String audienceParam = formParams.getFirst("audience");
authorizationRequest.setAudience(audienceParam);
authorizationRequest.setSubjectToken(accessTokenString);
event.detail(Details.AUDIENCE, audienceParam);
String submitRequest = formParams.getFirst("submit_request");
authorizationRequest.setSubmitRequest(submitRequest == null ? true : Boolean.valueOf(submitRequest));
// permissions have a format like RESOURCE#SCOPE1,SCOPE2
List<String> permissions = formParams.get("permission");
if (permissions != null) {
event.detail(Details.PERMISSION, String.join("|", permissions));
for (String permission : permissions) {
String[] parts = permission.split("#");
String resource = parts[0];
if (parts.length == 1) {
authorizationRequest.addPermission(resource);
} else {
String[] scopes = parts[1].split(",");
authorizationRequest.addPermission(parts[0], scopes);
}
}
}
Metadata metadata = new Metadata();
String responseIncludeResourceName = formParams.getFirst("response_include_resource_name");
if (responseIncludeResourceName != null) {
metadata.setIncludeResourceName(Boolean.parseBoolean(responseIncludeResourceName));
}
String responsePermissionsLimit = formParams.getFirst("response_permissions_limit");
if (responsePermissionsLimit != null) {
metadata.setLimit(Integer.parseInt(responsePermissionsLimit));
}
metadata.setResponseMode(formParams.getFirst("response_mode"));
authorizationRequest.setMetadata(metadata);
Response authorizationResponse = AuthorizationTokenService.instance().authorize(authorizationRequest);
event.success();
return authorizationResponse;
}
Also used :
AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider)
Metadata(org.keycloak.representations.idm.authorization.AuthorizationRequest.Metadata)
JWSInputException(org.keycloak.jose.jws.JWSInputException)
JWSInput(org.keycloak.jose.jws.JWSInput)
AccessTokenResponse(org.keycloak.representations.AccessTokenResponse)
Response(javax.ws.rs.core.Response)
HttpResponse(org.jboss.resteasy.spi.HttpResponse)
ClientModel(org.keycloak.models.ClientModel)
AuthorizationTokenService(org.keycloak.authorization.authorization.AuthorizationTokenService)
AccessToken(org.keycloak.representations.AccessToken)
CorsErrorResponseException(org.keycloak.services.CorsErrorResponseException)
AccessTokenResponse(org.keycloak.representations.AccessTokenResponse)
AppAuthManager(org.keycloak.services.managers.AppAuthManager)
Example 19 with JWSInput
use of org.keycloak.jose.jws.JWSInput in project keycloak by keycloak.
the class DefaultTokenExchangeProvider method tokenExchange.
protected Response tokenExchange() {
UserModel tokenUser = null;
UserSessionModel tokenSession = null;
AccessToken token = null;
String subjectToken = formParams.getFirst(OAuth2Constants.SUBJECT_TOKEN);
if (subjectToken != null) {
String subjectTokenType = formParams.getFirst(OAuth2Constants.SUBJECT_TOKEN_TYPE);
String realmIssuerUrl = Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName());
String subjectIssuer = formParams.getFirst(OAuth2Constants.SUBJECT_ISSUER);
if (subjectIssuer == null && OAuth2Constants.JWT_TOKEN_TYPE.equals(subjectTokenType)) {
try {
JWSInput jws = new JWSInput(subjectToken);
JsonWebToken jwt = jws.readJsonContent(JsonWebToken.class);
subjectIssuer = jwt.getIssuer();
} catch (JWSInputException e) {
event.detail(Details.REASON, "unable to parse jwt subject_token");
event.error(Errors.INVALID_TOKEN);
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_TOKEN, "Invalid token type, must be access token", Response.Status.BAD_REQUEST);
}
}
if (subjectIssuer != null && !realmIssuerUrl.equals(subjectIssuer)) {
event.detail(OAuth2Constants.SUBJECT_ISSUER, subjectIssuer);
return exchangeExternalToken(subjectIssuer, subjectToken);
}
if (subjectTokenType != null && !subjectTokenType.equals(OAuth2Constants.ACCESS_TOKEN_TYPE)) {
event.detail(Details.REASON, "subject_token supports access tokens only");
event.error(Errors.INVALID_TOKEN);
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_TOKEN, "Invalid token type, must be access token", Response.Status.BAD_REQUEST);
}
AuthenticationManager.AuthResult authResult = AuthenticationManager.verifyIdentityToken(session, realm, session.getContext().getUri(), clientConnection, true, true, null, false, subjectToken, headers);
if (authResult == null) {
event.detail(Details.REASON, "subject_token validation failure");
event.error(Errors.INVALID_TOKEN);
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_TOKEN, "Invalid token", Response.Status.BAD_REQUEST);
}
tokenUser = authResult.getUser();
tokenSession = authResult.getSession();
token = authResult.getToken();
}
String requestedSubject = formParams.getFirst(OAuth2Constants.REQUESTED_SUBJECT);
if (requestedSubject != null) {
event.detail(Details.REQUESTED_SUBJECT, requestedSubject);
UserModel requestedUser = session.users().getUserByUsername(realm, requestedSubject);
if (requestedUser == null) {
requestedUser = session.users().getUserById(realm, requestedSubject);
}
if (requestedUser == null) {
// We always returned access denied to avoid username fishing
event.detail(Details.REASON, "requested_subject not found");
event.error(Errors.NOT_ALLOWED);
throw new CorsErrorResponseException(cors, OAuthErrorException.ACCESS_DENIED, "Client not allowed to exchange", Response.Status.FORBIDDEN);
}
if (token != null) {
event.detail(Details.IMPERSONATOR, tokenUser.getUsername());
// for this case, the user represented by the token, must have permission to impersonate.
AdminAuth auth = new AdminAuth(realm, token, tokenUser, client);
if (!AdminPermissions.evaluator(session, realm, auth).users().canImpersonate(requestedUser)) {
event.detail(Details.REASON, "subject not allowed to impersonate");
event.error(Errors.NOT_ALLOWED);
throw new CorsErrorResponseException(cors, OAuthErrorException.ACCESS_DENIED, "Client not allowed to exchange", Response.Status.FORBIDDEN);
}
} else {
// to impersonate
if (client.isPublicClient()) {
event.detail(Details.REASON, "public clients not allowed");
event.error(Errors.NOT_ALLOWED);
throw new CorsErrorResponseException(cors, OAuthErrorException.ACCESS_DENIED, "Client not allowed to exchange", Response.Status.FORBIDDEN);
}
if (!AdminPermissions.management(session, realm).users().canClientImpersonate(client, requestedUser)) {
event.detail(Details.REASON, "client not allowed to impersonate");
event.error(Errors.NOT_ALLOWED);
throw new CorsErrorResponseException(cors, OAuthErrorException.ACCESS_DENIED, "Client not allowed to exchange", Response.Status.FORBIDDEN);
}
}
tokenSession = session.sessions().createUserSession(realm, requestedUser, requestedUser.getUsername(), clientConnection.getRemoteAddr(), "impersonate", false, null, null);
if (tokenUser != null) {
tokenSession.setNote(IMPERSONATOR_ID.toString(), tokenUser.getId());
tokenSession.setNote(IMPERSONATOR_USERNAME.toString(), tokenUser.getUsername());
}
tokenUser = requestedUser;
}
String requestedIssuer = formParams.getFirst(OAuth2Constants.REQUESTED_ISSUER);
if (requestedIssuer == null) {
return exchangeClientToClient(tokenUser, tokenSession);
} else {
try {
return exchangeToIdentityProvider(tokenUser, tokenSession, requestedIssuer);
} finally {
if (subjectToken == null) {
// we are naked! So need to clean up user session
try {
session.sessions().removeUserSession(realm, tokenSession);
} catch (Exception ignore) {
}
}
}
}
}
Also used :
UserModel(org.keycloak.models.UserModel)
AuthenticationManager(org.keycloak.services.managers.AuthenticationManager)
AdminAuth(org.keycloak.services.resources.admin.AdminAuth)
UserSessionModel(org.keycloak.models.UserSessionModel)
AccessToken(org.keycloak.representations.AccessToken)
JWSInputException(org.keycloak.jose.jws.JWSInputException)
JWSInput(org.keycloak.jose.jws.JWSInput)
CorsErrorResponseException(org.keycloak.services.CorsErrorResponseException)
JsonWebToken(org.keycloak.representations.JsonWebToken)
OAuthErrorException(org.keycloak.OAuthErrorException)
CorsErrorResponseException(org.keycloak.services.CorsErrorResponseException)
JWSInputException(org.keycloak.jose.jws.JWSInputException)
Example 20 with JWSInput
use of org.keycloak.jose.jws.JWSInput in project keycloak by keycloak.
the class InitialAccessTokenTest method createWithES256.
@Test
public void createWithES256() throws JWSInputException, ClientRegistrationException {
try {
TokenSignatureUtil.changeRealmTokenSignatureProvider(adminClient, Algorithm.ES256);
ClientInitialAccessPresentation response = resource.create(new ClientInitialAccessCreatePresentation());
reg.auth(Auth.token(response));
String token = response.getToken();
JWSHeader header = new JWSInput(token).getHeader();
assertEquals(Algorithm.HS256, header.getAlgorithm().name());
ClientRepresentation rep = new ClientRepresentation();
ClientRepresentation created = reg.create(rep);
Assert.assertNotNull(created);
} finally {
TokenSignatureUtil.changeRealmTokenSignatureProvider(adminClient, Algorithm.RS256);
}
}
Also used :
ClientInitialAccessCreatePresentation(org.keycloak.representations.idm.ClientInitialAccessCreatePresentation)
JWSInput(org.keycloak.jose.jws.JWSInput)
ClientInitialAccessPresentation(org.keycloak.representations.idm.ClientInitialAccessPresentation)
JWSHeader(org.keycloak.jose.jws.JWSHeader)
ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation)
Test(org.junit.Test)
Aggregations
JWSInput (org.keycloak.jose.jws.JWSInput)62
AccessToken (org.keycloak.representations.AccessToken)29
OAuthClient (org.keycloak.testsuite.util.OAuthClient)20
JWSInputException (org.keycloak.jose.jws.JWSInputException)16
Test (org.junit.Test)15
JWSHeader (org.keycloak.jose.jws.JWSHeader)11
Response (javax.ws.rs.core.Response)10
RefreshToken (org.keycloak.representations.RefreshToken)10
EventRepresentation (org.keycloak.representations.idm.EventRepresentation)9
ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)8
IOException (java.io.IOException)7
VerificationException (org.keycloak.common.VerificationException)7
JsonWebToken (org.keycloak.representations.JsonWebToken)7
JsonNode (com.fasterxml.jackson.databind.JsonNode)5
PublicKey (java.security.PublicKey)5
AccessTokenResponse (org.keycloak.representations.AccessTokenResponse)5
Client (javax.ws.rs.client.Client)4
IDToken (org.keycloak.representations.IDToken)4
ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper)3
List (java.util.List)3
