Example 1 with BackchannelAuthenticationRequestContext
use of org.keycloak.protocol.oidc.grants.ciba.clientpolicy.context.BackchannelAuthenticationRequestContext in project keycloak by keycloak.
the class SecureCibaSignedAuthenticationRequestExecutor method executeOnEvent.
@Override
public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
switch(context.getEvent()) {
case BACKCHANNEL_AUTHENTICATION_REQUEST:
BackchannelAuthenticationRequestContext backchannelAuthenticationRequestContext = (BackchannelAuthenticationRequestContext) context;
executeOnBackchannelAuthenticationRequest(backchannelAuthenticationRequestContext.getRequest(), backchannelAuthenticationRequestContext.getRequestParameters());
return;
default:
return;
}
}
Also used :
BackchannelAuthenticationRequestContext(org.keycloak.protocol.oidc.grants.ciba.clientpolicy.context.BackchannelAuthenticationRequestContext)
Example 2 with BackchannelAuthenticationRequestContext
use of org.keycloak.protocol.oidc.grants.ciba.clientpolicy.context.BackchannelAuthenticationRequestContext in project keycloak by keycloak.
the class SecureCibaSessionEnforceExecutor method executeOnEvent.
@Override
public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
switch(context.getEvent()) {
case BACKCHANNEL_AUTHENTICATION_REQUEST:
BackchannelAuthenticationRequestContext backchannelAuthenticationRequestContext = (BackchannelAuthenticationRequestContext) context;
executeOnBackchannelAuthenticationRequest(backchannelAuthenticationRequestContext.getRequest(), backchannelAuthenticationRequestContext.getRequestParameters());
return;
default:
return;
}
}
Also used :
BackchannelAuthenticationRequestContext(org.keycloak.protocol.oidc.grants.ciba.clientpolicy.context.BackchannelAuthenticationRequestContext)
Example 3 with BackchannelAuthenticationRequestContext
use of org.keycloak.protocol.oidc.grants.ciba.clientpolicy.context.BackchannelAuthenticationRequestContext in project keycloak by keycloak.
the class BackchannelAuthenticationEndpoint method authorizeClient.
private CIBAAuthenticationRequest authorizeClient(MultivaluedMap<String, String> params) {
ClientModel client = null;
try {
client = authenticateClient();
} catch (WebApplicationException wae) {
OAuth2ErrorRepresentation errorRep = (OAuth2ErrorRepresentation) wae.getResponse().getEntity();
throw new ErrorResponseException(errorRep.getError(), errorRep.getErrorDescription(), Response.Status.UNAUTHORIZED);
}
BackchannelAuthenticationEndpointRequest endpointRequest = BackchannelAuthenticationEndpointRequestParserProcessor.parseRequest(event, session, client, params, realm.getCibaPolicy());
UserModel user = resolveUser(endpointRequest, realm.getCibaPolicy().getAuthRequestedUserHint());
CIBAAuthenticationRequest request = new CIBAAuthenticationRequest(session, user, client);
request.setClient(client);
String scope = endpointRequest.getScope();
if (scope == null) {
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "missing parameter : scope", Response.Status.BAD_REQUEST);
}
request.setScope(scope);
// optional parameters
if (endpointRequest.getBindingMessage() != null) {
validateBindingMessage(endpointRequest.getBindingMessage());
request.setBindingMessage(endpointRequest.getBindingMessage());
}
if (endpointRequest.getAcr() != null)
request.setAcrValues(endpointRequest.getAcr());
CibaConfig policy = realm.getCibaPolicy();
// create JWE encoded auth_req_id from Auth Req ID.
Integer expiresIn = Optional.ofNullable(endpointRequest.getRequestedExpiry()).orElse(policy.getExpiresIn());
request.exp(request.getIat() + expiresIn.longValue());
StringBuilder scopes = new StringBuilder(Optional.ofNullable(request.getScope()).orElse(""));
client.getClientScopes(true).forEach((key, value) -> {
if (value.isDisplayOnConsentScreen())
scopes.append(" ").append(value.getName());
});
request.setScope(scopes.toString());
if (endpointRequest.getClientNotificationToken() != null) {
if (!policy.getBackchannelTokenDeliveryMode(client).equals(CibaConfig.CIBA_PING_MODE)) {
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Client Notification token supported only for the ping mode", Response.Status.BAD_REQUEST);
}
if (endpointRequest.getClientNotificationToken().length() > 1024) {
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Client Notification token length is limited to 1024 characters", Response.Status.BAD_REQUEST);
}
request.setClientNotificationToken(endpointRequest.getClientNotificationToken());
}
if (endpointRequest.getClientNotificationToken() == null && policy.getBackchannelTokenDeliveryMode(client).equals(CibaConfig.CIBA_PING_MODE)) {
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Client Notification token needs to be provided with the ping mode", Response.Status.BAD_REQUEST);
}
if (endpointRequest.getUserCode() != null) {
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "User code not supported", Response.Status.BAD_REQUEST);
}
extractAdditionalParams(endpointRequest, request);
try {
session.clientPolicy().triggerOnEvent(new BackchannelAuthenticationRequestContext(endpointRequest, request, params));
} catch (ClientPolicyException cpe) {
throw new ErrorResponseException(cpe.getError(), cpe.getErrorDetail(), Response.Status.BAD_REQUEST);
}
return request;
}
Also used :
BackchannelAuthenticationRequestContext(org.keycloak.protocol.oidc.grants.ciba.clientpolicy.context.BackchannelAuthenticationRequestContext)
WebApplicationException(javax.ws.rs.WebApplicationException)
OAuth2ErrorRepresentation(org.keycloak.representations.idm.OAuth2ErrorRepresentation)
CIBAAuthenticationRequest(org.keycloak.protocol.oidc.grants.ciba.channel.CIBAAuthenticationRequest)
BackchannelAuthenticationEndpointRequest(org.keycloak.protocol.oidc.grants.ciba.endpoints.request.BackchannelAuthenticationEndpointRequest)
ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException)
UserModel(org.keycloak.models.UserModel)
ClientModel(org.keycloak.models.ClientModel)
CibaConfig(org.keycloak.models.CibaConfig)
ErrorResponseException(org.keycloak.services.ErrorResponseException)
Aggregations
BackchannelAuthenticationRequestContext (org.keycloak.protocol.oidc.grants.ciba.clientpolicy.context.BackchannelAuthenticationRequestContext)3
WebApplicationException (javax.ws.rs.WebApplicationException)1
CibaConfig (org.keycloak.models.CibaConfig)1
ClientModel (org.keycloak.models.ClientModel)1
UserModel (org.keycloak.models.UserModel)1
CIBAAuthenticationRequest (org.keycloak.protocol.oidc.grants.ciba.channel.CIBAAuthenticationRequest)1
BackchannelAuthenticationEndpointRequest (org.keycloak.protocol.oidc.grants.ciba.endpoints.request.BackchannelAuthenticationEndpointRequest)1
OAuth2ErrorRepresentation (org.keycloak.representations.idm.OAuth2ErrorRepresentation)1
ErrorResponseException (org.keycloak.services.ErrorResponseException)1
ClientPolicyException (org.keycloak.services.clientpolicy.ClientPolicyException)1
