Search in sources :

Example 1 with OAuth2DeviceTokenStoreProvider

use of org.keycloak.models.OAuth2DeviceTokenStoreProvider in project keycloak by keycloak.

the class DeviceEndpoint method handleDeviceRequest.

/**
 * Handles device authorization requests.
 *
 * @return the device authorization response.
 */
@Path("")
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.APPLICATION_JSON)
public Response handleDeviceRequest() {
    cors = Cors.add(request).auth().allowedMethods("POST").auth().exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS);
    logger.trace("Processing @POST request");
    event.event(EventType.OAUTH2_DEVICE_AUTH);
    checkSsl();
    checkRealm();
    ClientModel client = authenticateClient();
    AuthorizationEndpointRequest request = AuthorizationEndpointRequestParserProcessor.parseRequest(event, session, client, httpRequest.getDecodedFormParameters());
    if (!TokenUtil.isOIDCRequest(request.getScope())) {
        ServicesLogger.LOGGER.oidcScopeMissing();
    }
    // So back button doesn't work
    CacheControlUtil.noBackButtonCacheControlHeader();
    if (!realm.getOAuth2DeviceConfig().isOAuth2DeviceAuthorizationGrantEnabled(client)) {
        event.error(Errors.NOT_ALLOWED);
        throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "Client not allowed for OAuth 2.0 Device Authorization Grant", Response.Status.BAD_REQUEST);
    }
    // https://tools.ietf.org/html/rfc7636#section-4
    AuthorizationEndpointChecker checker = new AuthorizationEndpointChecker().event(event).client(client).request(request);
    try {
        checker.checkPKCEParams();
    } catch (AuthorizationEndpointChecker.AuthorizationCheckException ex) {
        throw new ErrorResponseException(ex.getError(), ex.getErrorDescription(), Response.Status.BAD_REQUEST);
    }
    try {
        session.clientPolicy().triggerOnEvent(new DeviceAuthorizationRequestContext(request, httpRequest.getDecodedFormParameters()));
    } catch (ClientPolicyException cpe) {
        throw new ErrorResponseException(cpe.getError(), cpe.getErrorDetail(), Response.Status.BAD_REQUEST);
    }
    int expiresIn = realm.getOAuth2DeviceConfig().getLifespan(client);
    int interval = realm.getOAuth2DeviceConfig().getPoolingInterval(client);
    OAuth2DeviceCodeModel deviceCode = OAuth2DeviceCodeModel.create(realm, client, Base64Url.encode(SecretGenerator.getInstance().randomBytes()), request.getScope(), request.getNonce(), expiresIn, interval, null, null, request.getAdditionalReqParams(), request.getCodeChallenge(), request.getCodeChallengeMethod());
    OAuth2DeviceUserCodeProvider userCodeProvider = session.getProvider(OAuth2DeviceUserCodeProvider.class);
    String secret = userCodeProvider.generate();
    OAuth2DeviceUserCodeModel userCode = new OAuth2DeviceUserCodeModel(realm, deviceCode.getDeviceCode(), secret);
    // To inform "expired_token" to the client, the lifespan of the cache provider is longer than device code
    int lifespanSeconds = expiresIn + interval + 10;
    OAuth2DeviceTokenStoreProvider store = session.getProvider(OAuth2DeviceTokenStoreProvider.class);
    store.put(deviceCode, userCode, lifespanSeconds);
    try {
        String deviceUrl = DeviceGrantType.oauth2DeviceVerificationUrl(session.getContext().getUri()).build(realm.getName()).toString();
        OAuth2DeviceAuthorizationResponse response = new OAuth2DeviceAuthorizationResponse();
        response.setDeviceCode(deviceCode.getDeviceCode());
        response.setUserCode(userCodeProvider.display(secret));
        response.setExpiresIn(expiresIn);
        response.setInterval(interval);
        response.setVerificationUri(deviceUrl);
        response.setVerificationUriComplete(deviceUrl + "?user_code=" + response.getUserCode());
        return cors.builder(Response.ok(JsonSerialization.writeValueAsBytes(response)).type(MediaType.APPLICATION_JSON_TYPE)).build();
    } catch (Exception e) {
        throw new RuntimeException("Error creating OAuth 2.0 Device Authorization Response.", e);
    }
}
Also used : DeviceAuthorizationRequestContext(org.keycloak.protocol.oidc.grants.device.clientpolicy.context.DeviceAuthorizationRequestContext) OAuth2DeviceTokenStoreProvider(org.keycloak.models.OAuth2DeviceTokenStoreProvider) AuthorizationEndpointRequest(org.keycloak.protocol.oidc.endpoints.request.AuthorizationEndpointRequest) OAuthErrorException(org.keycloak.OAuthErrorException) ErrorResponseException(org.keycloak.services.ErrorResponseException) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) ErrorPageException(org.keycloak.services.ErrorPageException) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) OAuth2DeviceUserCodeProvider(org.keycloak.models.OAuth2DeviceUserCodeProvider) ClientModel(org.keycloak.models.ClientModel) AuthorizationEndpointChecker(org.keycloak.protocol.oidc.endpoints.AuthorizationEndpointChecker) OAuth2DeviceCodeModel(org.keycloak.models.OAuth2DeviceCodeModel) OAuth2DeviceAuthorizationResponse(org.keycloak.representations.OAuth2DeviceAuthorizationResponse) ErrorResponseException(org.keycloak.services.ErrorResponseException) OAuth2DeviceUserCodeModel(org.keycloak.models.OAuth2DeviceUserCodeModel) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces)

Example 2 with OAuth2DeviceTokenStoreProvider

use of org.keycloak.models.OAuth2DeviceTokenStoreProvider in project keycloak by keycloak.

the class DeviceEndpoint method verifyUserCode.

/**
 * This endpoint is used by end-users to start the flow to authorize a device.
 *
 * @param userCode the user code to authorize
 * @return
 */
@GET
public Response verifyUserCode(@QueryParam("user_code") String userCode) {
    event.event(EventType.OAUTH2_DEVICE_VERIFY_USER_CODE);
    checkSsl();
    checkRealm();
    // So back button doesn't work
    CacheControlUtil.noBackButtonCacheControlHeader();
    // code is not known, we can infer the client neither. ask the user to provide the code.
    if (StringUtil.isNullOrEmpty(userCode)) {
        return createVerificationPage(null);
    } else {
        // code exists, probably due to using a verification_uri_complete. Start the authentication considering the client
        // that started the flow.
        OAuth2DeviceTokenStoreProvider store = session.getProvider(OAuth2DeviceTokenStoreProvider.class);
        OAuth2DeviceUserCodeProvider userCodeProvider = session.getProvider(OAuth2DeviceUserCodeProvider.class);
        String formattedUserCode = userCodeProvider.format(userCode);
        OAuth2DeviceCodeModel deviceCode = store.getByUserCode(realm, formattedUserCode);
        if (deviceCode == null) {
            return invalidUserCodeResponse(Messages.OAUTH2_DEVICE_INVALID_USER_CODE, "device code not found (it may already have been used)");
        }
        if (!deviceCode.isPending()) {
            event.detail("device_code_user_session_id", deviceCode.getUserSessionId());
            return invalidUserCodeResponse(Messages.OAUTH2_DEVICE_INVALID_USER_CODE, "device code already used and not yet deleted");
        }
        if (deviceCode.isDenied()) {
            return invalidUserCodeResponse(Messages.OAUTH2_DEVICE_INVALID_USER_CODE, "device code denied");
        }
        if (deviceCode.isExpired()) {
            return invalidUserCodeResponse(Messages.OAUTH2_DEVICE_EXPIRED_USER_CODE, "device code expired");
        }
        return processVerification(deviceCode, formattedUserCode);
    }
}
Also used : OAuth2DeviceTokenStoreProvider(org.keycloak.models.OAuth2DeviceTokenStoreProvider) OAuth2DeviceCodeModel(org.keycloak.models.OAuth2DeviceCodeModel) OAuth2DeviceUserCodeProvider(org.keycloak.models.OAuth2DeviceUserCodeProvider) GET(javax.ws.rs.GET)

Example 3 with OAuth2DeviceTokenStoreProvider

use of org.keycloak.models.OAuth2DeviceTokenStoreProvider in project keycloak by keycloak.

the class BackchannelAuthenticationCallbackEndpoint method cancelRequest.

private void cancelRequest(String authResultId) {
    OAuth2DeviceTokenStoreProvider store = session.getProvider(OAuth2DeviceTokenStoreProvider.class);
    OAuth2DeviceCodeModel userCode = store.getByUserCode(realm, authResultId);
    store.removeDeviceCode(realm, userCode.getDeviceCode());
    store.removeUserCode(realm, authResultId);
}
Also used : OAuth2DeviceTokenStoreProvider(org.keycloak.models.OAuth2DeviceTokenStoreProvider) OAuth2DeviceCodeModel(org.keycloak.models.OAuth2DeviceCodeModel)

Example 4 with OAuth2DeviceTokenStoreProvider

use of org.keycloak.models.OAuth2DeviceTokenStoreProvider in project keycloak by keycloak.

the class BackchannelAuthenticationCallbackEndpoint method verifyAuthenticationRequest.

private BackchannelAuthCallbackContext verifyAuthenticationRequest(HttpHeaders headers) {
    String rawBearerToken = AppAuthManager.extractAuthorizationHeaderTokenOrReturnNull(headers);
    if (rawBearerToken == null) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "Invalid token", Response.Status.UNAUTHORIZED);
    }
    AccessToken bearerToken;
    try {
        bearerToken = TokenVerifier.createWithoutSignature(session.tokens().decode(rawBearerToken, AccessToken.class)).withDefaultChecks().realmUrl(Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName())).checkActive(true).audience(Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName())).verify().getToken();
    } catch (Exception e) {
        event.error(Errors.INVALID_TOKEN);
        // authentication channel id format is invalid or it has already been used
        throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "Invalid token", Response.Status.FORBIDDEN);
    }
    OAuth2DeviceTokenStoreProvider store = session.getProvider(OAuth2DeviceTokenStoreProvider.class);
    OAuth2DeviceCodeModel deviceCode = store.getByUserCode(realm, bearerToken.getId());
    if (deviceCode == null) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "Invalid token", Response.Status.FORBIDDEN);
    }
    if (!deviceCode.isPending()) {
        cancelRequest(bearerToken.getId());
        throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "Invalid token", Response.Status.FORBIDDEN);
    }
    ClientModel issuedFor = realm.getClientByClientId(bearerToken.getIssuedFor());
    if (issuedFor == null || !issuedFor.isEnabled()) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Invalid token recipient", Response.Status.BAD_REQUEST);
    }
    if (!deviceCode.getClientId().equals(issuedFor.getClientId())) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Token recipient mismatch", Response.Status.BAD_REQUEST);
    }
    session.getContext().setClient(issuedFor);
    event.client(issuedFor);
    return new BackchannelAuthCallbackContext(bearerToken, deviceCode);
}
Also used : OAuth2DeviceTokenStoreProvider(org.keycloak.models.OAuth2DeviceTokenStoreProvider) ClientModel(org.keycloak.models.ClientModel) OAuth2DeviceCodeModel(org.keycloak.models.OAuth2DeviceCodeModel) AccessToken(org.keycloak.representations.AccessToken) ErrorResponseException(org.keycloak.services.ErrorResponseException) OAuthErrorException(org.keycloak.OAuthErrorException) ErrorResponseException(org.keycloak.services.ErrorResponseException) IOException(java.io.IOException)

Example 5 with OAuth2DeviceTokenStoreProvider

use of org.keycloak.models.OAuth2DeviceTokenStoreProvider in project keycloak by keycloak.

the class BackchannelAuthenticationCallbackEndpoint method denyRequest.

private void denyRequest(AccessToken authReqId, Status status) {
    if (CANCELLED.equals(status)) {
        event.error(Errors.NOT_ALLOWED);
    } else {
        event.error(Errors.CONSENT_DENIED);
    }
    OAuth2DeviceTokenStoreProvider store = session.getProvider(OAuth2DeviceTokenStoreProvider.class);
    store.deny(realm, authReqId.getId());
}
Also used : OAuth2DeviceTokenStoreProvider(org.keycloak.models.OAuth2DeviceTokenStoreProvider)

Aggregations

OAuth2DeviceTokenStoreProvider (org.keycloak.models.OAuth2DeviceTokenStoreProvider)11 OAuth2DeviceCodeModel (org.keycloak.models.OAuth2DeviceCodeModel)7 OAuthErrorException (org.keycloak.OAuthErrorException)3 ClientModel (org.keycloak.models.ClientModel)3 ErrorResponseException (org.keycloak.services.ErrorResponseException)3 ClientPolicyException (org.keycloak.services.clientpolicy.ClientPolicyException)3 UriBuilder (javax.ws.rs.core.UriBuilder)2 ClientSessionContext (org.keycloak.models.ClientSessionContext)2 KeycloakContext (org.keycloak.models.KeycloakContext)2 KeycloakUriInfo (org.keycloak.models.KeycloakUriInfo)2 OAuth2DeviceUserCodeModel (org.keycloak.models.OAuth2DeviceUserCodeModel)2 OAuth2DeviceUserCodeProvider (org.keycloak.models.OAuth2DeviceUserCodeProvider)2 RealmModel (org.keycloak.models.RealmModel)2 UserModel (org.keycloak.models.UserModel)2 UserSessionModel (org.keycloak.models.UserSessionModel)2 CorsErrorResponseException (org.keycloak.services.CorsErrorResponseException)2 DefaultClientSessionContext (org.keycloak.services.util.DefaultClientSessionContext)2 IOException (java.io.IOException)1 Consumes (javax.ws.rs.Consumes)1 GET (javax.ws.rs.GET)1