Example 36 with ClientModel
use of org.keycloak.models.ClientModel in project keycloak by keycloak.
the class UserSessionLimitsAuthenticator method authenticate.
@Override
public void authenticate(AuthenticationFlowContext context) {
AuthenticatorConfigModel authenticatorConfig = context.getAuthenticatorConfig();
Map<String, String> config = authenticatorConfig.getConfig();
// Get the configuration for this authenticator
behavior = config.get(UserSessionLimitsAuthenticatorFactory.BEHAVIOR);
int userRealmLimit = getIntConfigProperty(UserSessionLimitsAuthenticatorFactory.USER_REALM_LIMIT, config);
int userClientLimit = getIntConfigProperty(UserSessionLimitsAuthenticatorFactory.USER_CLIENT_LIMIT, config);
if (context.getRealm() != null && context.getUser() != null) {
// Get the session count in this realm for this specific user
List<UserSessionModel> userSessionsForRealm = session.sessions().getUserSessionsStream(context.getRealm(), context.getUser()).collect(Collectors.toList());
int userSessionCountForRealm = userSessionsForRealm.size();
// Get the session count related to the current client for this user
ClientModel currentClient = context.getAuthenticationSession().getClient();
logger.debugf("session-limiter's current keycloak clientId: %s", currentClient.getClientId());
List<UserSessionModel> userSessionsForClient = getUserSessionsForClientIfEnabled(userSessionsForRealm, currentClient, userClientLimit);
int userSessionCountForClient = userSessionsForClient.size();
logger.debugf("session-limiter's configured realm session limit: %s", userRealmLimit);
logger.debugf("session-limiter's configured client session limit: %s", userClientLimit);
logger.debugf("session-limiter's count of total user sessions for the entire realm (could be apps other than web apps): %s", userSessionCountForRealm);
logger.debugf("session-limiter's count of total user sessions for this keycloak client: %s", userSessionCountForClient);
// First check if the user has too many sessions in this realm
if (exceedsLimit(userSessionCountForRealm, userRealmLimit)) {
logger.infof("Too many session in this realm for the current user. Session count: %s", userSessionCountForRealm);
String eventDetails = String.format(realmEventDetailsTemplate, context.getRealm().getName(), userRealmLimit, userSessionCountForRealm, context.getUser().getId());
handleLimitExceeded(context, userSessionsForRealm, eventDetails);
} else // otherwise if the user is still allowed to create a new session in the realm, check if this applies for this specific client as well.
if (exceedsLimit(userSessionCountForClient, userClientLimit)) {
logger.infof("Too many sessions related to the current client for this user. Session count: %s", userSessionCountForRealm);
String eventDetails = String.format(clientEventDetailsTemplate, context.getRealm().getName(), userClientLimit, userSessionCountForClient, context.getUser().getId());
handleLimitExceeded(context, userSessionsForClient, eventDetails);
} else {
context.success();
}
} else {
context.success();
}
}
Also used :
ClientModel(org.keycloak.models.ClientModel)
UserSessionModel(org.keycloak.models.UserSessionModel)
AuthenticatorConfigModel(org.keycloak.models.AuthenticatorConfigModel)
Example 37 with ClientModel
use of org.keycloak.models.ClientModel in project keycloak by keycloak.
the class X509ClientAuthenticator method authenticateClient.
@Override
public void authenticateClient(ClientAuthenticationFlowContext context) {
X509ClientCertificateLookup provider = context.getSession().getProvider(X509ClientCertificateLookup.class);
if (provider == null) {
logger.errorv("\"{0}\" Spi is not available, did you forget to update the configuration?", X509ClientCertificateLookup.class);
return;
}
X509Certificate[] certs = null;
ClientModel client = null;
try {
certs = provider.getCertificateChain(context.getHttpRequest());
String client_id = null;
MediaType mediaType = context.getHttpRequest().getHttpHeaders().getMediaType();
boolean hasFormData = mediaType != null && mediaType.isCompatible(MediaType.APPLICATION_FORM_URLENCODED_TYPE);
MultivaluedMap<String, String> formData = hasFormData ? context.getHttpRequest().getDecodedFormParameters() : null;
MultivaluedMap<String, String> queryParams = context.getSession().getContext().getUri().getQueryParameters();
if (formData != null) {
client_id = formData.getFirst(OAuth2Constants.CLIENT_ID);
}
if (client_id == null && queryParams != null) {
client_id = queryParams.getFirst(OAuth2Constants.CLIENT_ID);
}
if (client_id == null) {
client_id = context.getSession().getAttribute("client_id", String.class);
}
if (client_id == null) {
Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "Missing client_id parameter");
context.challenge(challengeResponse);
return;
}
client = context.getRealm().getClientByClientId(client_id);
if (client == null) {
context.failure(AuthenticationFlowError.CLIENT_NOT_FOUND, null);
return;
}
context.getEvent().client(client_id);
context.setClient(client);
if (!client.isEnabled()) {
context.failure(AuthenticationFlowError.CLIENT_DISABLED, null);
return;
}
} catch (GeneralSecurityException e) {
logger.errorf("[X509ClientCertificateAuthenticator:authenticate] Exception: %s", e.getMessage());
context.attempted();
return;
}
if (certs == null || certs.length == 0) {
// No x509 client cert, fall through and
// continue processing the rest of the authentication flow
logger.debug("[X509ClientCertificateAuthenticator:authenticate] x509 client certificate is not available for mutual SSL.");
context.attempted();
return;
}
OIDCAdvancedConfigWrapper clientCfg = OIDCAdvancedConfigWrapper.fromClientModel(client);
String subjectDNRegexp = client.getAttribute(ATTR_SUBJECT_DN);
if (subjectDNRegexp == null || subjectDNRegexp.length() == 0) {
logger.errorf("[X509ClientCertificateAuthenticator:authenticate] " + ATTR_SUBJECT_DN + " is null or empty");
context.attempted();
return;
}
Optional<String> matchedCertificate;
if (clientCfg.getAllowRegexPatternComparison()) {
Pattern subjectDNPattern = Pattern.compile(subjectDNRegexp);
matchedCertificate = Arrays.stream(certs).map(certificate -> certificate.getSubjectDN().getName()).filter(subjectdn -> subjectDNPattern.matcher(subjectdn).matches()).findFirst();
} else {
// OIDC/OAuth2 does not use regex comparison as it expects exact DN given in the format according to RFC4514. See RFC8705 for the details.
// We allow custom OIDs attributes to be "expanded" or not expanded in the given Subject DN
X500Principal expectedDNPrincipal = new X500Principal(subjectDNRegexp, CUSTOM_OIDS_REVERSED);
matchedCertificate = Arrays.stream(certs).filter(certificate -> expectedDNPrincipal.getName(X500Principal.RFC2253, CUSTOM_OIDS).equals(certificate.getSubjectX500Principal().getName(X500Principal.RFC2253, CUSTOM_OIDS))).map(certificate -> certificate.getSubjectDN().getName()).findFirst();
}
if (!matchedCertificate.isPresent()) {
// We do quite expensive operation here, so better check the logging level beforehand.
if (logger.isDebugEnabled()) {
logger.debug("[X509ClientCertificateAuthenticator:authenticate] Couldn't match any certificate for expected Subject DN '" + subjectDNRegexp + "' with allow regex pattern '" + clientCfg.getAllowRegexPatternComparison() + "'.");
logger.debug("[X509ClientCertificateAuthenticator:authenticate] Available SubjectDNs: " + Arrays.stream(certs).map(cert -> cert.getSubjectDN().getName()).collect(Collectors.toList()));
}
context.attempted();
return;
} else {
logger.debug("[X509ClientCertificateAuthenticator:authenticate] Matched " + matchedCertificate.get() + " certificate.");
}
context.success();
}
Also used :
ClientModel(org.keycloak.models.ClientModel)
X509Certificate(java.security.cert.X509Certificate)
Arrays(java.util.Arrays)
X500Principal(javax.security.auth.x500.X500Principal)
ProviderConfigProperty(org.keycloak.provider.ProviderConfigProperty)
HashMap(java.util.HashMap)
ServicesLogger(org.keycloak.services.ServicesLogger)
ClientAuthenticationFlowContext(org.keycloak.authentication.ClientAuthenticationFlowContext)
Function(java.util.function.Function)
HashSet(java.util.HashSet)
MediaType(javax.ws.rs.core.MediaType)
GeneralSecurityException(java.security.GeneralSecurityException)
AuthenticationExecutionModel(org.keycloak.models.AuthenticationExecutionModel)
OIDCAdvancedConfigWrapper(org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper)
Map(java.util.Map)
AuthenticationFlowError(org.keycloak.authentication.AuthenticationFlowError)
Set(java.util.Set)
Collectors(java.util.stream.Collectors)
X509ClientCertificateLookup(org.keycloak.services.x509.X509ClientCertificateLookup)
MultivaluedMap(javax.ws.rs.core.MultivaluedMap)
List(java.util.List)
Response(javax.ws.rs.core.Response)
OIDCLoginProtocol(org.keycloak.protocol.oidc.OIDCLoginProtocol)
Optional(java.util.Optional)
Pattern(java.util.regex.Pattern)
Collections(java.util.Collections)
OAuth2Constants(org.keycloak.OAuth2Constants)
Pattern(java.util.regex.Pattern)
OIDCAdvancedConfigWrapper(org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper)
GeneralSecurityException(java.security.GeneralSecurityException)
X509ClientCertificateLookup(org.keycloak.services.x509.X509ClientCertificateLookup)
X509Certificate(java.security.cert.X509Certificate)
Response(javax.ws.rs.core.Response)
ClientModel(org.keycloak.models.ClientModel)
MediaType(javax.ws.rs.core.MediaType)
X500Principal(javax.security.auth.x500.X500Principal)
Example 38 with ClientModel
use of org.keycloak.models.ClientModel in project keycloak by keycloak.
the class ClientIdAndSecretAuthenticator method authenticateClient.
@Override
public void authenticateClient(ClientAuthenticationFlowContext context) {
String client_id = null;
String clientSecret = null;
String authorizationHeader = context.getHttpRequest().getHttpHeaders().getRequestHeaders().getFirst(HttpHeaders.AUTHORIZATION);
MediaType mediaType = context.getHttpRequest().getHttpHeaders().getMediaType();
boolean hasFormData = mediaType != null && mediaType.isCompatible(MediaType.APPLICATION_FORM_URLENCODED_TYPE);
MultivaluedMap<String, String> formData = hasFormData ? context.getHttpRequest().getDecodedFormParameters() : null;
if (authorizationHeader != null) {
String[] usernameSecret = BasicAuthHelper.parseHeader(authorizationHeader);
if (usernameSecret != null) {
client_id = usernameSecret[0];
clientSecret = usernameSecret[1];
} else {
// Don't send 401 if client_id parameter was sent in request. For example IE may automatically send "Authorization: Negotiate" in XHR requests even for public clients
if (formData != null && !formData.containsKey(OAuth2Constants.CLIENT_ID)) {
Response challengeResponse = Response.status(Response.Status.UNAUTHORIZED).header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"" + context.getRealm().getName() + "\"").build();
context.challenge(challengeResponse);
return;
}
}
}
if (formData != null) {
// so we can also support clients overriding flows and using challenges (e.g: basic) to authenticate their users
if (formData.containsKey(OAuth2Constants.CLIENT_ID)) {
client_id = formData.getFirst(OAuth2Constants.CLIENT_ID);
}
if (formData.containsKey(OAuth2Constants.CLIENT_SECRET)) {
clientSecret = formData.getFirst(OAuth2Constants.CLIENT_SECRET);
}
}
if (client_id == null) {
client_id = context.getSession().getAttribute("client_id", String.class);
}
if (client_id == null) {
Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "Missing client_id parameter");
context.challenge(challengeResponse);
return;
}
context.getEvent().client(client_id);
ClientModel client = context.getSession().clients().getClientByClientId(context.getRealm(), client_id);
if (client == null) {
context.failure(AuthenticationFlowError.CLIENT_NOT_FOUND, null);
return;
}
context.setClient(client);
if (!client.isEnabled()) {
context.failure(AuthenticationFlowError.CLIENT_DISABLED, null);
return;
}
// Skip client_secret validation for public client
if (client.isPublicClient()) {
context.success();
return;
}
if (clientSecret == null) {
Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.UNAUTHORIZED.getStatusCode(), "unauthorized_client", "Client secret not provided in request");
context.challenge(challengeResponse);
return;
}
if (client.getSecret() == null) {
Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.UNAUTHORIZED.getStatusCode(), "unauthorized_client", "Invalid client secret");
context.failure(AuthenticationFlowError.INVALID_CLIENT_CREDENTIALS, challengeResponse);
return;
}
if (!client.validateSecret(clientSecret)) {
Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.UNAUTHORIZED.getStatusCode(), "unauthorized_client", "Invalid client secret");
context.failure(AuthenticationFlowError.INVALID_CLIENT_CREDENTIALS, challengeResponse);
return;
}
context.success();
}
Also used :
Response(javax.ws.rs.core.Response)
ClientModel(org.keycloak.models.ClientModel)
MediaType(javax.ws.rs.core.MediaType)
Example 39 with ClientModel
use of org.keycloak.models.ClientModel in project keycloak by keycloak.
the class SamlProtocol method authenticated.
@Override
public Response authenticated(AuthenticationSessionModel authSession, UserSessionModel userSession, ClientSessionContext clientSessionCtx) {
AuthenticatedClientSessionModel clientSession = clientSessionCtx.getClientSession();
ClientModel client = clientSession.getClient();
SamlClient samlClient = new SamlClient(client);
String requestID = authSession.getClientNote(SAML_REQUEST_ID);
String relayState = authSession.getClientNote(GeneralConstants.RELAY_STATE);
String redirectUri = authSession.getRedirectUri();
String responseIssuer = getResponseIssuer(realm);
String nameIdFormat = getNameIdFormat(samlClient, authSession);
int assertionLifespan = samlClient.getAssertionLifespan();
SAML2LoginResponseBuilder builder = new SAML2LoginResponseBuilder();
builder.requestID(requestID).destination(redirectUri).issuer(responseIssuer).assertionExpiration(assertionLifespan <= 0 ? realm.getAccessCodeLifespan() : assertionLifespan).subjectExpiration(assertionLifespan <= 0 ? realm.getAccessTokenLifespan() : assertionLifespan).sessionExpiration(realm.getSsoSessionMaxLifespan()).requestIssuer(clientSession.getClient().getClientId()).authMethod(JBossSAMLURIConstants.AC_UNSPECIFIED.get());
String sessionIndex = SamlSessionUtils.getSessionIndex(clientSession);
builder.sessionIndex(sessionIndex);
if (!samlClient.includeAuthnStatement()) {
builder.disableAuthnStatement(true);
}
builder.includeOneTimeUseCondition(samlClient.includeOneTimeUseCondition());
List<ProtocolMapperProcessor<SAMLAttributeStatementMapper>> attributeStatementMappers = new LinkedList<>();
List<ProtocolMapperProcessor<SAMLLoginResponseMapper>> loginResponseMappers = new LinkedList<>();
AtomicReference<ProtocolMapperProcessor<SAMLRoleListMapper>> roleListMapper = new AtomicReference<>(null);
List<ProtocolMapperProcessor<SAMLNameIdMapper>> samlNameIdMappers = new LinkedList<>();
ProtocolMapperUtils.getSortedProtocolMappers(session, clientSessionCtx).forEach(entry -> {
ProtocolMapperModel mapping = entry.getKey();
ProtocolMapper mapper = entry.getValue();
if (mapper instanceof SAMLAttributeStatementMapper) {
attributeStatementMappers.add(new ProtocolMapperProcessor<>((SAMLAttributeStatementMapper) mapper, mapping));
}
if (mapper instanceof SAMLLoginResponseMapper) {
loginResponseMappers.add(new ProtocolMapperProcessor<>((SAMLLoginResponseMapper) mapper, mapping));
}
if (mapper instanceof SAMLRoleListMapper) {
roleListMapper.set(new ProtocolMapperProcessor<>((SAMLRoleListMapper) mapper, mapping));
}
if (mapper instanceof SAMLNameIdMapper) {
samlNameIdMappers.add(new ProtocolMapperProcessor<>((SAMLNameIdMapper) mapper, mapping));
}
});
Document samlDocument = null;
ResponseType samlModel = null;
KeyManager keyManager = session.keys();
KeyManager.ActiveRsaKey keys = keyManager.getActiveRsaKey(realm);
boolean postBinding = isPostBinding(authSession);
String keyName = samlClient.getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
String nameId = getSAMLNameId(samlNameIdMappers, nameIdFormat, session, userSession, clientSession);
if (nameId == null) {
return samlErrorMessage(null, samlClient, isPostBinding(authSession), redirectUri, JBossSAMLURIConstants.STATUS_INVALID_NAMEIDPOLICY, relayState);
}
builder.nameIdentifier(nameIdFormat, nameId);
// save NAME_ID and format in clientSession as they may be persistent or
// transient or email and not username
// we'll need to send this back on a logout
clientSession.setNote(SAML_NAME_ID, nameId);
clientSession.setNote(SAML_NAME_ID_FORMAT, nameIdFormat);
try {
if ((!postBinding) && samlClient.requiresRealmSignature() && samlClient.addExtensionsElementWithKeyInfo()) {
builder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
}
samlModel = builder.buildModel();
final AttributeStatementType attributeStatement = populateAttributeStatements(attributeStatementMappers, session, userSession, clientSession);
populateRoles(roleListMapper.get(), session, userSession, clientSessionCtx, attributeStatement);
// SAML Spec 2.7.3 AttributeStatement must contain one or more Attribute or EncryptedAttribute
if (attributeStatement.getAttributes().size() > 0) {
AssertionType assertion = samlModel.getAssertions().get(0).getAssertion();
assertion.addStatement(attributeStatement);
}
samlModel = transformLoginResponse(loginResponseMappers, samlModel, session, userSession, clientSessionCtx);
} catch (Exception e) {
logger.error("failed", e);
return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE);
}
JaxrsSAML2BindingBuilder bindingBuilder = new JaxrsSAML2BindingBuilder(session);
bindingBuilder.relayState(relayState);
if ("true".equals(clientSession.getNote(JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.get()))) {
try {
return buildArtifactAuthenticatedResponse(clientSession, redirectUri, samlModel, bindingBuilder);
} catch (Exception e) {
logger.error("failed", e);
return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE);
}
}
if (samlClient.requiresRealmSignature() || samlClient.requiresAssertionSignature()) {
String canonicalization = samlClient.getCanonicalizationMethod();
if (canonicalization != null) {
bindingBuilder.canonicalizationMethod(canonicalization);
}
bindingBuilder.signatureAlgorithm(samlClient.getSignatureAlgorithm()).signWith(keyName, keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate());
if (samlClient.requiresRealmSignature())
bindingBuilder.signDocument();
if (samlClient.requiresAssertionSignature())
bindingBuilder.signAssertions();
}
if (samlClient.requiresEncryption()) {
PublicKey publicKey = null;
try {
publicKey = SamlProtocolUtils.getEncryptionKey(client);
} catch (Exception e) {
logger.error("failed", e);
return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE);
}
bindingBuilder.encrypt(publicKey);
}
try {
samlDocument = builder.buildDocument(samlModel);
return buildAuthenticatedResponse(clientSession, redirectUri, samlDocument, bindingBuilder);
} catch (Exception e) {
logger.error("failed", e);
return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE);
}
}
Also used :
ProtocolMapper(org.keycloak.protocol.ProtocolMapper)
SAMLNameIdMapper(org.keycloak.protocol.saml.mappers.SAMLNameIdMapper)
Document(org.w3c.dom.Document)
KeycloakKeySamlExtensionGenerator(org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator)
SAMLAttributeStatementMapper(org.keycloak.protocol.saml.mappers.SAMLAttributeStatementMapper)
SAMLLoginResponseMapper(org.keycloak.protocol.saml.mappers.SAMLLoginResponseMapper)
SAML2LoginResponseBuilder(org.keycloak.saml.SAML2LoginResponseBuilder)
KeyManager(org.keycloak.models.KeyManager)
SAMLRoleListMapper(org.keycloak.protocol.saml.mappers.SAMLRoleListMapper)
PublicKey(java.security.PublicKey)
AttributeStatementType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType)
AuthenticatedClientSessionModel(org.keycloak.models.AuthenticatedClientSessionModel)
AtomicReference(java.util.concurrent.atomic.AtomicReference)
AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType)
LinkedList(java.util.LinkedList)
ParsingException(org.keycloak.saml.common.exceptions.ParsingException)
ProcessingException(org.keycloak.saml.common.exceptions.ProcessingException)
ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException)
IOException(java.io.IOException)
ProtocolMapperModel(org.keycloak.models.ProtocolMapperModel)
ArtifactResponseType(org.keycloak.dom.saml.v2.protocol.ArtifactResponseType)
ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType)
StatusResponseType(org.keycloak.dom.saml.v2.protocol.StatusResponseType)
ClientModel(org.keycloak.models.ClientModel)
Example 40 with ClientModel
use of org.keycloak.models.ClientModel in project keycloak by keycloak.
the class SamlProtocol method frontchannelLogout.
@Override
public Response frontchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
ClientModel client = clientSession.getClient();
SamlClient samlClient = new SamlClient(client);
try {
boolean postBinding = isLogoutPostBindingForClient(clientSession);
String bindingUri = getLogoutServiceUrl(session, client, postBinding ? SAML_POST_BINDING : SAML_REDIRECT_BINDING, false);
if (bindingUri == null) {
logger.warnf("Failed to logout client %s, skipping this client. Please configure the logout service url in the admin console for your client applications.", client.getClientId());
return null;
}
NodeGenerator[] extensions = new NodeGenerator[] {};
if (!postBinding) {
if (samlClient.requiresRealmSignature() && samlClient.addExtensionsElementWithKeyInfo()) {
KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm);
String keyName = samlClient.getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
extensions = new NodeGenerator[] { new KeycloakKeySamlExtensionGenerator(keyName) };
}
}
LogoutRequestType logoutRequest = createLogoutRequest(bindingUri, clientSession, client, extensions);
JaxrsSAML2BindingBuilder binding = createBindingBuilder(samlClient, "true".equals(clientSession.getNote(JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.get())));
// If this session uses artifact binding, send an artifact instead of the LogoutRequest
if ("true".equals(clientSession.getNote(JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.get())) && useArtifactForLogout(client)) {
clientSession.setAction(CommonClientSessionModel.Action.LOGGING_OUT.name());
return buildArtifactAuthenticatedResponse(clientSession, bindingUri, logoutRequest, binding);
}
Document samlDocument = SAML2Request.convert(logoutRequest);
if (postBinding) {
// This is POST binding, hence KeyID is included in dsig:KeyInfo/dsig:KeyName, no need to add <samlp:Extensions> element
return binding.postBinding(samlDocument).request(bindingUri);
} else {
logger.debug("frontchannel redirect binding");
return binding.redirectBinding(samlDocument).request(bindingUri);
}
} catch (ConfigurationException | ProcessingException | IOException | ParsingException e) {
throw new RuntimeException(e);
}
}
Also used :
LogoutRequestType(org.keycloak.dom.saml.v2.protocol.LogoutRequestType)
IOException(java.io.IOException)
KeycloakKeySamlExtensionGenerator(org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator)
Document(org.w3c.dom.Document)
ClientModel(org.keycloak.models.ClientModel)
ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException)
ParsingException(org.keycloak.saml.common.exceptions.ParsingException)
KeyManager(org.keycloak.models.KeyManager)
NodeGenerator(org.keycloak.saml.SamlProtocolExtensionsAwareBuilder.NodeGenerator)
ProcessingException(org.keycloak.saml.common.exceptions.ProcessingException)
Aggregations
ClientModel (org.keycloak.models.ClientModel)344
RealmModel (org.keycloak.models.RealmModel)148
UserModel (org.keycloak.models.UserModel)88
RoleModel (org.keycloak.models.RoleModel)74
KeycloakSession (org.keycloak.models.KeycloakSession)67
Test (org.junit.Test)64
UserSessionModel (org.keycloak.models.UserSessionModel)41
ResourceServer (org.keycloak.authorization.model.ResourceServer)39
Policy (org.keycloak.authorization.model.Policy)38
HashMap (java.util.HashMap)37
AuthorizationProvider (org.keycloak.authorization.AuthorizationProvider)36
AbstractTestRealmKeycloakTest (org.keycloak.testsuite.AbstractTestRealmKeycloakTest)34
ModelTest (org.keycloak.testsuite.arquillian.annotation.ModelTest)34
List (java.util.List)32
Map (java.util.Map)32
Path (javax.ws.rs.Path)29
LinkedList (java.util.LinkedList)28
ClientScopeModel (org.keycloak.models.ClientScopeModel)28
ArrayList (java.util.ArrayList)27
AuthenticatedClientSessionModel (org.keycloak.models.AuthenticatedClientSessionModel)27
