
Example 6 with OIDCConfigurationRepresentation

use of org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation in project keycloak by keycloak.

the class CustomOIDCWellKnownProvider method getConfig.

@Override
public Object getConfig() {
    OIDCConfigurationRepresentation config = (OIDCConfigurationRepresentation) super.getConfig();
    config.getOtherClaims().put("foo", "bar");
    return config;
}
Also used : OIDCConfigurationRepresentation(org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation)

Example 7 with OIDCConfigurationRepresentation

use of org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation in project keycloak by keycloak.

the class OIDCWellKnownProvider method getConfig.

// Builds the realm's OpenID Provider Metadata served at /.well-known/openid-configuration.
// Entries built from the frontend URL: issuer, authorization, logout, check_session_iframe, device authorization, revocation.
// Entries built from the backend URL: token, introspection, userinfo, jwks, client registration, CIBA and PAR endpoints.
// Relying parties validate the 'iss' of every token against the issuer published here, so it must match the frontend URL exactly.
@Override
public Object getConfig() {
    UriInfo frontendUriInfo = session.getContext().getUri(UrlType.FRONTEND);
    UriInfo backendUriInfo = session.getContext().getUri(UrlType.BACKEND);
    RealmModel realm = session.getContext().getRealm();
    UriBuilder frontendUriBuilder = RealmsResource.protocolUrl(frontendUriInfo);
    UriBuilder backendUriBuilder = RealmsResource.protocolUrl(backendUriInfo);
    OIDCConfigurationRepresentation config = new OIDCConfigurationRepresentation();
    config.setIssuer(Urls.realmIssuer(frontendUriInfo.getBaseUri(), realm.getName()));
    config.setAuthorizationEndpoint(frontendUriBuilder.clone().path(OIDCLoginProtocolService.class, "auth").build(realm.getName(), OIDCLoginProtocol.LOGIN_PROTOCOL).toString());
    config.setTokenEndpoint(backendUriBuilder.clone().path(OIDCLoginProtocolService.class, "token").build(realm.getName(), OIDCLoginProtocol.LOGIN_PROTOCOL).toString());
    config.setIntrospectionEndpoint(backendUriBuilder.clone().path(OIDCLoginProtocolService.class, "token").path(TokenEndpoint.class, "introspect").build(realm.getName(), OIDCLoginProtocol.LOGIN_PROTOCOL).toString());
    config.setUserinfoEndpoint(backendUriBuilder.clone().path(OIDCLoginProtocolService.class, "issueUserInfo").build(realm.getName(), OIDCLoginProtocol.LOGIN_PROTOCOL).toString());
    config.setLogoutEndpoint(frontendUriBuilder.clone().path(OIDCLoginProtocolService.class, "logout").build(realm.getName(), OIDCLoginProtocol.LOGIN_PROTOCOL).toString());
    config.setDeviceAuthorizationEndpoint(frontendUriBuilder.clone().path(OIDCLoginProtocolService.class, "auth").path(AuthorizationEndpoint.class, "authorizeDevice").path(DeviceEndpoint.class, "handleDeviceRequest").build(realm.getName(), OIDCLoginProtocol.LOGIN_PROTOCOL).toString());
    URI jwksUri = backendUriBuilder.clone().path(OIDCLoginProtocolService.class, "certs").build(realm.getName(), OIDCLoginProtocol.LOGIN_PROTOCOL);
    // NOTE: Don't hardcode HTTPS checks here. The JWKS URI is exposed over plain "http" only in development/testing
    // environments; in production the OIDCWellKnownProvider itself is not exposed over "http" at all (the realm's
    // sslRequired setting makes the well-known endpoint answer with an error instead of metadata).
    config.setJwksUri(jwksUri.toString());
    config.setCheckSessionIframe(frontendUriBuilder.clone().path(OIDCLoginProtocolService.class, "getLoginStatusIframe").build(realm.getName(), OIDCLoginProtocol.LOGIN_PROTOCOL).toString());
    config.setRegistrationEndpoint(RealmsResource.clientRegistrationUrl(backendUriInfo).path(ClientRegistrationService.class, "provider").build(realm.getName(), OIDCClientRegistrationProviderFactory.ID).toString());
    config.setIdTokenSigningAlgValuesSupported(getSupportedSigningAlgorithms(false));
    config.setIdTokenEncryptionAlgValuesSupported(getSupportedEncryptionAlg(false));
    config.setIdTokenEncryptionEncValuesSupported(getSupportedEncryptionEnc(false));
    config.setUserInfoSigningAlgValuesSupported(getSupportedSigningAlgorithms(true));
    config.setRequestObjectSigningAlgValuesSupported(getSupportedClientSigningAlgorithms(true));
    config.setRequestObjectEncryptionAlgValuesSupported(getSupportedEncryptionAlgorithms());
    config.setRequestObjectEncryptionEncValuesSupported(getSupportedContentEncryptionAlgorithms());
    config.setResponseTypesSupported(DEFAULT_RESPONSE_TYPES_SUPPORTED);
    config.setSubjectTypesSupported(DEFAULT_SUBJECT_TYPES_SUPPORTED);
    config.setResponseModesSupported(DEFAULT_RESPONSE_MODES_SUPPORTED);
    config.setGrantTypesSupported(DEFAULT_GRANT_TYPES_SUPPORTED);
    config.setAcrValuesSupported(getAcrValuesSupported(realm));
    config.setTokenEndpointAuthMethodsSupported(getClientAuthMethodsSupported());
    config.setTokenEndpointAuthSigningAlgValuesSupported(getSupportedClientSigningAlgorithms(false));
    config.setIntrospectionEndpointAuthMethodsSupported(getClientAuthMethodsSupported());
    config.setIntrospectionEndpointAuthSigningAlgValuesSupported(getSupportedClientSigningAlgorithms(false));
    config.setAuthorizationSigningAlgValuesSupported(getSupportedSigningAlgorithms(false));
    config.setAuthorizationEncryptionAlgValuesSupported(getSupportedEncryptionAlg(false));
    config.setAuthorizationEncryptionEncValuesSupported(getSupportedEncryptionEnc(false));
    config.setClaimsSupported(DEFAULT_CLAIMS_SUPPORTED);
    config.setClaimTypesSupported(DEFAULT_CLAIM_TYPES_SUPPORTED);
    config.setClaimsParameterSupported(true);
    // Include client scopes can be disabled in the environments with thousands of client scopes to avoid potentially expensive iteration over client scopes
    if (includeClientScopes) {
        List<String> scopeNames = realm.getClientScopesStream().filter(clientScope -> Objects.equals(OIDCLoginProtocol.LOGIN_PROTOCOL, clientScope.getProtocol())).map(ClientScopeModel::getName).collect(Collectors.toList());
        scopeNames.add(0, OAuth2Constants.SCOPE_OPENID);
        config.setScopesSupported(scopeNames);
    }
    config.setRequestParameterSupported(true);
    config.setRequestUriParameterSupported(true);
    config.setRequireRequestUriRegistration(true);
    // KEYCLOAK-7451 OAuth Authorization Server Metadata for Proof Key for Code Exchange
    config.setCodeChallengeMethodsSupported(DEFAULT_CODE_CHALLENGE_METHODS_SUPPORTED);
    // KEYCLOAK-6771 Certificate Bound Token
    // https://tools.ietf.org/html/draft-ietf-oauth-mtls-08#section-6.2
    config.setTlsClientCertificateBoundAccessTokens(true);
    URI revocationEndpoint = frontendUriBuilder.clone().path(OIDCLoginProtocolService.class, "revoke").build(realm.getName(), OIDCLoginProtocol.LOGIN_PROTOCOL);
    // NOTE: As with the JWKS URI above, don't hardcode HTTPS checks here. The revocation endpoint is exposed over plain
    // "http" only in development/testing environments; in production the OIDCWellKnownProvider is not exposed over "http" at all.
    config.setRevocationEndpoint(revocationEndpoint.toString());
    config.setRevocationEndpointAuthMethodsSupported(getClientAuthMethodsSupported());
    config.setRevocationEndpointAuthSigningAlgValuesSupported(getSupportedClientSigningAlgorithms(false));
    config.setBackchannelLogoutSupported(true);
    config.setBackchannelLogoutSessionSupported(true);
    config.setBackchannelTokenDeliveryModesSupported(CibaConfig.CIBA_SUPPORTED_MODES);
    config.setBackchannelAuthenticationEndpoint(CibaGrantType.authorizationUrl(backendUriInfo.getBaseUriBuilder()).build(realm.getName()).toString());
    config.setBackchannelAuthenticationRequestSigningAlgValuesSupported(getSupportedBackchannelAuthenticationRequestSigningAlgorithms());
    config.setPushedAuthorizationRequestEndpoint(ParEndpoint.parUrl(backendUriInfo.getBaseUriBuilder()).build(realm.getName()).toString());
    config.setRequirePushedAuthorizationRequests(Boolean.FALSE);
    MTLSEndpointAliases mtlsEndpointAliases = getMtlsEndpointAliases(config);
    config.setMtlsEndpointAliases(mtlsEndpointAliases);
    config = checkConfigOverride(config);
    return config;
}
Also used : RealmModel(org.keycloak.models.RealmModel) TokenEndpoint(org.keycloak.protocol.oidc.endpoints.TokenEndpoint) ClientRegistrationService(org.keycloak.services.clientregistration.ClientRegistrationService) MTLSEndpointAliases(org.keycloak.protocol.oidc.representations.MTLSEndpointAliases) DeviceEndpoint(org.keycloak.protocol.oidc.grants.device.endpoints.DeviceEndpoint) UriBuilder(javax.ws.rs.core.UriBuilder) URI(java.net.URI) UriInfo(javax.ws.rs.core.UriInfo) OIDCConfigurationRepresentation(org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation)

Example 8 with OIDCConfigurationRepresentation

use of org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation in project keycloak by keycloak.

the class UmaConfiguration method create.

public static final UmaConfiguration create(KeycloakSession session) {
    WellKnownProvider oidcProvider = session.getProvider(WellKnownProvider.class, OIDCWellKnownProviderFactory.PROVIDER_ID);
    OIDCConfigurationRepresentation oidcConfig = OIDCConfigurationRepresentation.class.cast(oidcProvider.getConfig());
    UmaConfiguration configuration = new UmaConfiguration();
    configuration.setIssuer(oidcConfig.getIssuer());
    configuration.setAuthorizationEndpoint(oidcConfig.getAuthorizationEndpoint());
    configuration.setTokenEndpoint(oidcConfig.getTokenEndpoint());
    configuration.setJwksUri(oidcConfig.getJwksUri());
    configuration.setRegistrationEndpoint(oidcConfig.getRegistrationEndpoint());
    configuration.setScopesSupported(oidcConfig.getScopesSupported());
    configuration.setResponseTypesSupported(oidcConfig.getResponseTypesSupported());
    configuration.setResponseModesSupported(oidcConfig.getResponseModesSupported());
    configuration.setGrantTypesSupported(oidcConfig.getGrantTypesSupported());
    configuration.setTokenEndpointAuthMethodsSupported(oidcConfig.getTokenEndpointAuthMethodsSupported());
    configuration.setTokenEndpointAuthSigningAlgValuesSupported(oidcConfig.getTokenEndpointAuthSigningAlgValuesSupported());
    configuration.setIntrospectionEndpoint(oidcConfig.getIntrospectionEndpoint());
    configuration.setLogoutEndpoint(oidcConfig.getLogoutEndpoint());
    UriBuilder uriBuilder = session.getContext().getUri().getBaseUriBuilder();
    RealmModel realm = session.getContext().getRealm();
    configuration.setPermissionEndpoint(uriBuilder.clone().path(RealmsResource.class).path(RealmsResource.class, "getAuthorizationService").path(AuthorizationService.class, "getProtectionService").path(ProtectionService.class, "permission").build(realm.getName()).toString());
    configuration.setResourceRegistrationEndpoint(uriBuilder.clone().path(RealmsResource.class).path(RealmsResource.class, "getAuthorizationService").path(AuthorizationService.class, "getProtectionService").path(ProtectionService.class, "resource").build(realm.getName()).toString());
    configuration.setPolicyEndpoint(uriBuilder.clone().path(RealmsResource.class).path(RealmsResource.class, "getAuthorizationService").path(AuthorizationService.class, "getProtectionService").path(ProtectionService.class, "policy").build(realm.getName()).toString());
    return configuration;
}
Also used : RealmModel(org.keycloak.models.RealmModel) WellKnownProvider(org.keycloak.wellknown.WellKnownProvider) RealmsResource(org.keycloak.services.resources.RealmsResource) ProtectionService(org.keycloak.authorization.protection.ProtectionService) UriBuilder(javax.ws.rs.core.UriBuilder) OIDCConfigurationRepresentation(org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation)

Example 9 with OIDCConfigurationRepresentation

use of org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation in project keycloak by keycloak.

the class DefaultHostnameTest method assertWellKnown.

// expectedBackendUrl is a field of the test class. Entries built from the frontend URL (issuer, authorization,
// logout, check_session_iframe) must follow the frontend URL that createRequestHeaders advertises for the request;
// entries used by clients and resource servers (token, userinfo, jwks, client registration) must stay on the fixed backend URL.
private void assertWellKnown(String realm, String expectedFrontendUrl) {
    OIDCConfigurationRepresentation config = oauth.requestHeaders(createRequestHeaders(expectedFrontendUrl)).doWellKnownRequest(realm);
    assertEquals(expectedFrontendUrl + "/realms/" + realm, config.getIssuer());
    assertEquals(expectedFrontendUrl + "/realms/" + realm + "/protocol/openid-connect/auth", config.getAuthorizationEndpoint());
    assertEquals(expectedBackendUrl + "/realms/" + realm + "/protocol/openid-connect/token", config.getTokenEndpoint());
    assertEquals(expectedBackendUrl + "/realms/" + realm + "/protocol/openid-connect/userinfo", config.getUserinfoEndpoint());
    assertEquals(expectedFrontendUrl + "/realms/" + realm + "/protocol/openid-connect/logout", config.getLogoutEndpoint());
    assertEquals(expectedBackendUrl + "/realms/" + realm + "/protocol/openid-connect/certs", config.getJwksUri());
    assertEquals(expectedFrontendUrl + "/realms/" + realm + "/protocol/openid-connect/login-status-iframe.html", config.getCheckSessionIframe());
    assertEquals(expectedBackendUrl + "/realms/" + realm + "/clients-registrations/openid-connect", config.getRegistrationEndpoint());
}
Also used : OIDCConfigurationRepresentation(org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation)

Example 10 with OIDCConfigurationRepresentation

use of org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation in project keycloak by keycloak.

the class TLSTest method testSSLAlwaysRequired.

@Test
public void testSSLAlwaysRequired() throws Exception {
    // Switch realm SSLRequired to Always
    RealmRepresentation realmRep = testRealm().toRepresentation();
    String origSslRequired = realmRep.getSslRequired();
    realmRep.setSslRequired(SslRequired.ALL.toString());
    testRealm().update(realmRep);
    // Try access "WellKnown" endpoint unsecured. It should fail
    oauth.baseUrl(AUTH_SERVER_ROOT_WITHOUT_TLS);
    OIDCConfigurationRepresentation config = oauth.doWellKnownRequest("test");
    Assert.assertNull(config.getAuthorizationEndpoint());
    Assert.assertEquals("HTTPS required", config.getOtherClaims().get("error_description"));
    // Try access "JWKS URL" unsecured. It should fail
    try {
        JSONWebKeySet keySet = oauth.doCertsRequest("test");
        Assert.fail("This should not be successful");
    } catch (Exception e) {
    // Expected
    }
    // Revert SSLRequired
    realmRep.setSslRequired(origSslRequired);
    testRealm().update(realmRep);
}
Also used : JSONWebKeySet(org.keycloak.jose.jwk.JSONWebKeySet) RealmRepresentation(org.keycloak.representations.idm.RealmRepresentation) OIDCConfigurationRepresentation(org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation) Test(org.junit.Test) AbstractTestRealmKeycloakTest(org.keycloak.testsuite.AbstractTestRealmKeycloakTest)
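Examples 7, 9 and 10 together describe what a relying party actually receives from the well-known endpoint: a metadata document whose issuer and browser-facing endpoints sit on the frontend URL and whose token, userinfo, jwks and registration endpoints sit on the backend URL, or, when the realm requires TLS and the request arrived over plain http, an error object with no endpoints at all. The following Python is an added example, not Keycloak code and not from this page: it performs the client-side checks a practitioner would run on that document before trusting it (issuer equality, https and an allowlisted host for every URL-valued entry including the mTLS aliases, PKCE S256, no `none` signing algorithm, and consistency between `tls_client_certificate_bound_access_tokens` and `mtls_endpoint_aliases`), and it fails closed on the error body instead of producing a half-empty configuration. The hostnames, the realm name `test`, the algorithm lists and the `"error": "invalid_request"` code in the constructed samples are assumptions; only the path layout and the `"HTTPS required"` description come from the examples above.

```python
"""Client-side sanity checks for a Keycloak OpenID Provider Metadata document.

Added example, not Keycloak code. The constructed documents below model what
OIDCWellKnownProvider.getConfig() publishes for a realm (frontend URL for the
browser-facing entries, backend URL for the rest) and the error object the
well-known endpoint returns when sslRequired=all is hit over plain http.
"""
import json
from urllib.parse import urlparse

# Constructed sample. Hostnames and the realm name "test" are assumptions for
# illustration; the path layout follows what DefaultHostnameTest asserts.
FRONTEND = "https://auth.example.test"
BACKEND = "https://auth-internal.example.test"
REALM = "test"
_FE = f"{FRONTEND}/realms/{REALM}/protocol/openid-connect"
_BE = f"{BACKEND}/realms/{REALM}/protocol/openid-connect"

SAMPLE_OK = json.dumps({
    "issuer": f"{FRONTEND}/realms/{REALM}",
    "authorization_endpoint": f"{_FE}/auth",
    "token_endpoint": f"{_BE}/token",
    "introspection_endpoint": f"{_BE}/token/introspect",
    "userinfo_endpoint": f"{_BE}/userinfo",
    "end_session_endpoint": f"{_FE}/logout",
    "jwks_uri": f"{_BE}/certs",
    "check_session_iframe": f"{_FE}/login-status-iframe.html",
    "registration_endpoint": f"{BACKEND}/realms/{REALM}/clients-registrations/openid-connect",
    "revocation_endpoint": f"{_FE}/revoke",
    "code_challenge_methods_supported": ["plain", "S256"],
    "id_token_signing_alg_values_supported": ["RS256", "ES256", "PS256"],  # assumed subset
    "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "tls_client_auth"],
    "tls_client_certificate_bound_access_tokens": True,
    "mtls_endpoint_aliases": {
        "token_endpoint": f"{_BE}/token",
        "revocation_endpoint": f"{_FE}/revoke",
        "introspection_endpoint": f"{_BE}/token/introspect",
    },
    "require_request_uri_registration": True,
})

# What TLSTest.testSSLAlwaysRequired sees over plain http: an error object and
# no endpoints. "HTTPS required" is from the test; the "error" code is assumed.
SAMPLE_HTTPS_REQUIRED = json.dumps(
    {"error": "invalid_request", "error_description": "HTTPS required"}
)

URL_SUFFIXES = ("_endpoint", "_uri", "_iframe")


def check_discovery(body, expected_issuer, allowed_hosts):
    """Return a list of findings for a discovery response body; [] means it passed.

    Fails closed: a non-JSON body or an error object yields a finding instead of a
    partially populated configuration (compare authorization_endpoint being null
    in Example 10).
    """
    findings = []
    try:
        doc = json.loads(body)
    except ValueError:
        return ["body is not JSON"]
    if not isinstance(doc, dict):
        return ["body is not a JSON object"]
    if "error" in doc:
        return [f"server returned error: {doc.get('error_description', doc['error'])}"]

    # The issuer is what every token's 'iss' is later compared against, so it must
    # equal the configured value exactly (frontend host, no trailing slash).
    if doc.get("issuer") != expected_issuer:
        findings.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")

    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            findings.append(f"missing {key}")

    # Every URL-valued entry, including the mTLS aliases, must be https and on an
    # expected host; anything else redirects codes, tokens, keys or client
    # credentials to a third party.
    urls = [(k, v) for k, v in doc.items() if k.endswith(URL_SUFFIXES) and isinstance(v, str)]
    aliases = doc.get("mtls_endpoint_aliases")
    if isinstance(aliases, dict):
        urls += [(f"mtls_endpoint_aliases.{k}", v) for k, v in aliases.items() if isinstance(v, str)]
    for name, url in urls:
        parts = urlparse(url)
        if parts.scheme != "https":
            findings.append(f"{name} is not https: {url}")
        if parts.hostname not in allowed_hosts:
            findings.append(f"{name} points at unexpected host {parts.hostname}")

    if "S256" not in doc.get("code_challenge_methods_supported", []):
        findings.append("PKCE S256 not advertised")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("'none' advertised as an ID token signing alg")
    if doc.get("tls_client_certificate_bound_access_tokens") and not (
        isinstance(aliases, dict) and "token_endpoint" in aliases
    ):
        findings.append("certificate-bound tokens advertised without an mTLS token_endpoint alias")
    return findings


if __name__ == "__main__":
    issuer = f"{FRONTEND}/realms/{REALM}"
    hosts = {"auth.example.test", "auth-internal.example.test"}
    print("ok document:", check_discovery(SAMPLE_OK, issuer, hosts))
    print("http document:", check_discovery(SAMPLE_HTTPS_REQUIRED, issuer, hosts))
    tampered = SAMPLE_OK.replace(f"{_BE}/certs", "http://attacker.example/jwks")
    print("tampered jwks_uri:", check_discovery(tampered, issuer, hosts))
```

The host allowlist is deliberately a set of two names rather than "same host as the issuer": with Keycloak's frontend/backend split (Example 9) a relying party deployed next to the server legitimately sees the token and jwks endpoints on a different host than the issuer, and a check that only accepts the issuer's host would reject a correct deployment while a check that accepts any host would miss a swapped `jwks_uri`.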
