Examples with OIDCAdvancedConfigWrapper org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper used on opensource projects

Search in sources :

Example 1 with OIDCAdvancedConfigWrapper

use of org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper in project keycloak by keycloak.

the class UserInfoEndpoint method issueUserInfo.

private Response issueUserInfo(String tokenString) {
    cors = Cors.add(request).auth().allowedMethods(request.getHttpMethod()).auth().exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS);
    try {
        session.clientPolicy().triggerOnEvent(new UserInfoRequestContext(tokenString));
    } catch (ClientPolicyException cpe) {
        throw new CorsErrorResponseException(cors.allowAllOrigins(), cpe.getError(), cpe.getErrorDetail(), cpe.getErrorStatus());
    }
    EventBuilder event = new EventBuilder(realm, session, clientConnection).event(EventType.USER_INFO_REQUEST).detail(Details.AUTH_METHOD, Details.VALIDATE_ACCESS_TOKEN);
    if (tokenString == null) {
        event.error(Errors.INVALID_TOKEN);
        throw new CorsErrorResponseException(cors.allowAllOrigins(), OAuthErrorException.INVALID_REQUEST, "Token not provided", Response.Status.BAD_REQUEST);
    }
    AccessToken token;
    ClientModel clientModel = null;
    try {
        TokenVerifier<AccessToken> verifier = TokenVerifier.create(tokenString, AccessToken.class).withDefaultChecks().realmUrl(Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName()));
        SignatureVerifierContext verifierContext = session.getProvider(SignatureProvider.class, verifier.getHeader().getAlgorithm().name()).verifier(verifier.getHeader().getKeyId());
        verifier.verifierContext(verifierContext);
        token = verifier.verify().getToken();
        clientModel = realm.getClientByClientId(token.getIssuedFor());
        if (clientModel == null) {
            event.error(Errors.CLIENT_NOT_FOUND);
            throw new CorsErrorResponseException(cors.allowAllOrigins(), OAuthErrorException.INVALID_REQUEST, "Client not found", Response.Status.BAD_REQUEST);
        }
        cors.allowedOrigins(session, clientModel);
        TokenVerifier.createWithoutSignature(token).withChecks(NotBeforeCheck.forModel(clientModel), new TokenManager.TokenRevocationCheck(session)).verify();
    } catch (VerificationException e) {
        if (clientModel == null) {
            cors.allowAllOrigins();
        }
        event.error(Errors.INVALID_TOKEN);
        throw newUnauthorizedErrorResponseException(OAuthErrorException.INVALID_TOKEN, "Token verification failed");
    }
    if (!clientModel.getProtocol().equals(OIDCLoginProtocol.LOGIN_PROTOCOL)) {
        event.error(Errors.INVALID_CLIENT);
        throw new CorsErrorResponseException(cors, Errors.INVALID_CLIENT, "Wrong client protocol.", Response.Status.BAD_REQUEST);
    }
    session.getContext().setClient(clientModel);
    event.client(clientModel);
    if (!clientModel.isEnabled()) {
        event.error(Errors.CLIENT_DISABLED);
        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "Client disabled", Response.Status.BAD_REQUEST);
    }
    UserSessionModel userSession = findValidSession(token, event, clientModel);
    UserModel userModel = userSession.getUser();
    if (userModel == null) {
        event.error(Errors.USER_NOT_FOUND);
        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "User not found", Response.Status.BAD_REQUEST);
    }
    event.user(userModel).detail(Details.USERNAME, userModel.getUsername());
    // https://tools.ietf.org/html/draft-ietf-oauth-mtls-08#section-3
    if (OIDCAdvancedConfigWrapper.fromClientModel(clientModel).isUseMtlsHokToken()) {
        if (!MtlsHoKTokenUtil.verifyTokenBindingWithClientCertificate(token, request, session)) {
            event.error(Errors.NOT_ALLOWED);
            throw newUnauthorizedErrorResponseException(OAuthErrorException.UNAUTHORIZED_CLIENT, "Client certificate missing, or its thumbprint and one in the refresh token did NOT match");
        }
    }
    // Existence of authenticatedClientSession for our client already handled before
    AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessionByClient(clientModel.getId());
    // Retrieve by latest scope parameter
    ClientSessionContext clientSessionCtx = DefaultClientSessionContext.fromClientSessionScopeParameter(clientSession, session);
    AccessToken userInfo = new AccessToken();
    tokenManager.transformUserInfoAccessToken(session, userInfo, userSession, clientSessionCtx);
    Map<String, Object> claims = tokenManager.generateUserInfoClaims(userInfo, userModel);
    Response.ResponseBuilder responseBuilder;
    OIDCAdvancedConfigWrapper cfg = OIDCAdvancedConfigWrapper.fromClientModel(clientModel);
    if (cfg.isUserInfoSignatureRequired()) {
        String issuerUrl = Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName());
        String audience = clientModel.getClientId();
        claims.put("iss", issuerUrl);
        claims.put("aud", audience);
        String signatureAlgorithm = session.tokens().signatureAlgorithm(TokenCategory.USERINFO);
        SignatureProvider signatureProvider = session.getProvider(SignatureProvider.class, signatureAlgorithm);
        SignatureSignerContext signer = signatureProvider.signer();
        String signedUserInfo = new JWSBuilder().type("JWT").jsonContent(claims).sign(signer);
        responseBuilder = Response.ok(signedUserInfo).header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JWT);
        event.detail(Details.SIGNATURE_REQUIRED, "true");
        event.detail(Details.SIGNATURE_ALGORITHM, cfg.getUserInfoSignedResponseAlg().toString());
    } else {
        responseBuilder = Response.ok(claims).header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON);
        event.detail(Details.SIGNATURE_REQUIRED, "false");
    }
    event.success();
    return cors.builder(responseBuilder).build();
}
Also used : UserSessionModel(org.keycloak.models.UserSessionModel) SignatureVerifierContext(org.keycloak.crypto.SignatureVerifierContext) OIDCAdvancedConfigWrapper(org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper) SignatureSignerContext(org.keycloak.crypto.SignatureSignerContext) AuthenticatedClientSessionModel(org.keycloak.models.AuthenticatedClientSessionModel) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) JWSBuilder(org.keycloak.jose.jws.JWSBuilder) UserModel(org.keycloak.models.UserModel) Response(javax.ws.rs.core.Response) HttpResponse(org.jboss.resteasy.spi.HttpResponse) ClientModel(org.keycloak.models.ClientModel) SignatureProvider(org.keycloak.crypto.SignatureProvider) UserInfoRequestContext(org.keycloak.services.clientpolicy.context.UserInfoRequestContext) EventBuilder(org.keycloak.events.EventBuilder) DefaultClientSessionContext(org.keycloak.services.util.DefaultClientSessionContext) ClientSessionContext(org.keycloak.models.ClientSessionContext) AccessToken(org.keycloak.representations.AccessToken) VerificationException(org.keycloak.common.VerificationException) CorsErrorResponseException(org.keycloak.services.CorsErrorResponseException)

Example 2 with OIDCAdvancedConfigWrapper

use of org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper in project keycloak by keycloak.

the class FAPICIBATest method testFAPICIBAWithoutBindingMessage.

@Test
public void testFAPICIBAWithoutBindingMessage() throws Exception {
    setupPolicyFAPICIBAForAllClient();
    // Register client with X509
    String clientUUID = createClientByAdmin("foo", (ClientRepresentation clientRep) -> {
        clientRep.setClientAuthenticatorType(X509ClientAuthenticator.PROVIDER_ID);
        OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep);
        clientConfig.setRequestUris(Collections.singletonList(TestApplicationResourceUrls.clientRequestUri()));
        clientConfig.setTlsClientAuthSubjectDn("EMAILADDRESS=contact@keycloak.org, CN=Keycloak Intermediate CA, OU=Keycloak, O=Red Hat, ST=MA, C=US");
        setClientAuthMethodNeutralSettings(clientRep);
    });
    ClientResource clientResource = adminClient.realm(REALM_NAME).clients().get(clientUUID);
    ClientRepresentation client = clientResource.toRepresentation();
    assertEquals(X509ClientAuthenticator.PROVIDER_ID, client.getClientAuthenticatorType());
    // prepare invalid signed authentication request lacking binding message
    AuthorizationEndpointRequestObject requestObject = createFAPIValidAuthorizationEndpointRequestObject(username, null);
    String encodedRequestObject = registerSharedAuthenticationRequest(requestObject, clientId, Algorithm.PS256);
    // user Backchannel Authentication Request
    AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequestWithMTLS(clientId, encodedRequestObject, () -> MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore());
    assertThat(response.getStatusCode(), is(equalTo(400)));
    assertThat(response.getError(), is(equalTo(OAuthErrorException.INVALID_REQUEST)));
    assertThat(response.getErrorDescription(), is(equalTo("Missing parameter: binding_message")));
}
Also used : OIDCAdvancedConfigWrapper(org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper) AuthorizationEndpointRequestObject(org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject) ClientResource(org.keycloak.admin.client.resource.ClientResource) Matchers.containsString(org.hamcrest.Matchers.containsString) AuthenticationRequestAcknowledgement(org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) Test(org.junit.Test)

Example 3 with OIDCAdvancedConfigWrapper

use of org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper in project keycloak by keycloak.

the class FAPICIBATest method testFAPICIBALoginWithMTLS.

@Test
public void testFAPICIBALoginWithMTLS() throws Exception {
    setupPolicyFAPICIBAForAllClient();
    // Register client with X509
    String clientUUID = createClientByAdmin("foo", (ClientRepresentation clientRep) -> {
        clientRep.setClientAuthenticatorType(X509ClientAuthenticator.PROVIDER_ID);
        OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep);
        clientConfig.setRequestUris(Collections.singletonList(TestApplicationResourceUrls.clientRequestUri()));
        clientConfig.setTlsClientAuthSubjectDn("EMAILADDRESS=contact@keycloak.org, CN=Keycloak Intermediate CA, OU=Keycloak, O=Red Hat, ST=MA, C=US");
        setClientAuthMethodNeutralSettings(clientRep);
    });
    ClientResource clientResource = adminClient.realm(REALM_NAME).clients().get(clientUUID);
    ClientRepresentation client = clientResource.toRepresentation();
    assertEquals(X509ClientAuthenticator.PROVIDER_ID, client.getClientAuthenticatorType());
    // prepare valid signed authentication request
    AuthorizationEndpointRequestObject requestObject = createFAPIValidAuthorizationEndpointRequestObject(username, bindingMessage);
    String encodedRequestObject = registerSharedAuthenticationRequest(requestObject, clientId, Algorithm.PS256);
    // user Backchannel Authentication Request
    AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequestWithMTLS(clientId, encodedRequestObject, () -> MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore());
    assertThat(response.getStatusCode(), is(equalTo(200)));
    // user Authentication Channel Request
    TestAuthenticationChannelRequest testRequest = doAuthenticationChannelRequest(bindingMessage);
    AuthenticationChannelRequest authenticationChannelReq = testRequest.getRequest();
    assertThat(authenticationChannelReq.getBindingMessage(), is(equalTo(bindingMessage)));
    assertThat(authenticationChannelReq.getScope(), is(containsString(OAuth2Constants.SCOPE_OPENID)));
    // user Authentication Channel completed
    doAuthenticationChannelCallback(testRequest);
    // user Token Request
    OAuthClient.AccessTokenResponse tokenRes = doBackchannelAuthenticationTokenRequestWithMTLS(clientId, response.getAuthReqId(), () -> MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore());
    verifyBackchannelAuthenticationTokenRequest(tokenRes, clientId, username);
    // Logout and remove consent of the user for next logins
    logoutUserAndRevokeConsent(clientId, username);
}
Also used : OIDCAdvancedConfigWrapper(org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper) OAuthClient(org.keycloak.testsuite.util.OAuthClient) AuthorizationEndpointRequestObject(org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject) ClientResource(org.keycloak.admin.client.resource.ClientResource) AuthenticationChannelRequest(org.keycloak.protocol.oidc.grants.ciba.channel.AuthenticationChannelRequest) TestAuthenticationChannelRequest(org.keycloak.testsuite.rest.representation.TestAuthenticationChannelRequest) Matchers.containsString(org.hamcrest.Matchers.containsString) AuthenticationRequestAcknowledgement(org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement) TestAuthenticationChannelRequest(org.keycloak.testsuite.rest.representation.TestAuthenticationChannelRequest) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) Test(org.junit.Test)

Example 4 with OIDCAdvancedConfigWrapper

use of org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper in project keycloak by keycloak.

the class FAPICIBATest method testFAPICIBASignatureAlgorithms.

@Test
public void testFAPICIBASignatureAlgorithms() throws Exception {
    setupPolicyFAPICIBAForAllClient();
    // Test that unsecured algorithm (RS256) is not possible
    try {
        createClientByAdmin("invalid", (ClientRepresentation clientRep) -> {
            clientRep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID);
            OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep);
            clientConfig.setIdTokenSignedResponseAlg(Algorithm.RS256);
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_REQUEST, e.getMessage());
    }
    // Test that secured algorithm is possible to explicitly set
    String clientUUID = createClientByAdmin("client-jwt", (ClientRepresentation clientRep) -> {
        clientRep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID);
        OIDCAdvancedConfigWrapper clientCfg = OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep);
        clientCfg.setIdTokenSignedResponseAlg(Algorithm.ES256);
        Map<String, String> attr = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
        attr.put(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG, Algorithm.ES256);
        clientRep.setAttributes(attr);
    });
    ClientRepresentation client = getClientByAdmin(clientUUID);
    OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
    Assert.assertEquals(Algorithm.ES256, clientConfig.getIdTokenSignedResponseAlg());
    Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg().toString());
    Assert.assertEquals(Algorithm.ES256, client.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG));
    // Test default algorithms set everywhere
    clientUUID = createClientByAdmin("client-jwt-default-alg", (ClientRepresentation clientRep) -> {
        clientRep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID);
    });
    client = getClientByAdmin(clientUUID);
    clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
    Assert.assertEquals(Algorithm.PS256, clientConfig.getIdTokenSignedResponseAlg());
    Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg().toString());
    Assert.assertEquals(Algorithm.PS256, clientConfig.getUserInfoSignedResponseAlg().toString());
    Assert.assertEquals(Algorithm.PS256, clientConfig.getTokenEndpointAuthSigningAlg());
    Assert.assertEquals(Algorithm.PS256, client.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));
    Assert.assertEquals(Algorithm.PS256, client.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG));
}
Also used : OIDCAdvancedConfigWrapper(org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper) Matchers.containsString(org.hamcrest.Matchers.containsString) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) Test(org.junit.Test)

Example 5 with OIDCAdvancedConfigWrapper

use of org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper in project keycloak by keycloak.

the class MutualTLSClientTest method testClientInvocationWithOBBClient.

private void testClientInvocationWithOBBClient(String expectedSubjectDN, boolean expectSuccess) throws Exception {
    // given
    Supplier<CloseableHttpClient> clientWithProperCertificate = MutualTLSUtils::newCloseableHttpClientWithOBBKeyStoreAndTrustStore;
    // Canonical
    ClientResource client = ApiUtil.findClientByClientId(testRealm(), OBB_SUBJECT_DN_CLIENT_ID);
    ClientRepresentation clientRep = client.toRepresentation();
    OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep);
    config.setAllowRegexPatternComparison(false);
    config.setTlsClientAuthSubjectDn(expectedSubjectDN);
    client.update(clientRep);
    OAuthClient.AccessTokenResponse token = loginAndGetAccessTokenResponse(OBB_SUBJECT_DN_CLIENT_ID, clientWithProperCertificate);
    if (expectSuccess) {
        assertTokenObtained(token);
    } else {
        assertTokenNotObtained(token);
    }
}
Also used : CloseableHttpClient(org.apache.http.impl.client.CloseableHttpClient) OIDCAdvancedConfigWrapper(org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper) OAuthClient(org.keycloak.testsuite.util.OAuthClient) ClientResource(org.keycloak.admin.client.resource.ClientResource) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation)

Aggregations

OIDCAdvancedConfigWrapper (org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper)33 ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)27 Test (org.junit.Test)22 OIDCClientRepresentation (org.keycloak.representations.oidc.OIDCClientRepresentation)17 ClientResource (org.keycloak.admin.client.resource.ClientResource)7 Matchers.containsString (org.hamcrest.Matchers.containsString)5 ClientPolicyException (org.keycloak.services.clientpolicy.ClientPolicyException)5 OAuthClient (org.keycloak.testsuite.util.OAuthClient)4 JSONWebKeySet (org.keycloak.jose.jwk.JSONWebKeySet)3 ClientRegistrationException (org.keycloak.services.clientregistration.ClientRegistrationException)3 AuthenticationRequestAcknowledgement (org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement)3 IOException (java.io.IOException)2 Response (javax.ws.rs.core.Response)2 ClientAuthenticatorFactory (org.keycloak.authentication.ClientAuthenticatorFactory)2 ClientModel (org.keycloak.models.ClientModel)2 AccessToken (org.keycloak.representations.AccessToken)2 CertificateRepresentation (org.keycloak.representations.idm.CertificateRepresentation)2 AuthorizationEndpointRequestObject (org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject)2 GeneralSecurityException (java.security.GeneralSecurityException)1 PublicKey (java.security.PublicKey)1
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial