Search in sources :

Example 1 with OAuth2Code

use of org.keycloak.protocol.oidc.utils.OAuth2Code in project keycloak by keycloak.

the class PKCEEnforcerExecutor method executeOnTokenRequest.

private void executeOnTokenRequest(MultivaluedMap<String, String> params, OAuth2CodeParser.ParseResult parseResult) throws ClientPolicyException {
    String codeVerifier = params.getFirst(OAuth2Constants.CODE_VERIFIER);
    OAuth2Code codeData = parseResult.getCodeData();
    String codeChallenge = codeData.getCodeChallenge();
    String codeChallengeMethod = codeData.getCodeChallengeMethod();
    checkParamsForPkceEnforcedClient(codeVerifier, codeChallenge, codeChallengeMethod);
}
Also used : OAuth2Code(org.keycloak.protocol.oidc.utils.OAuth2Code)

Example 2 with OAuth2Code

use of org.keycloak.protocol.oidc.utils.OAuth2Code in project keycloak by keycloak.

the class TokenEndpoint method codeToToken.

public Response codeToToken() {
    String code = formParams.getFirst(OAuth2Constants.CODE);
    if (code == null) {
        event.error(Errors.INVALID_CODE);
        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "Missing parameter: " + OAuth2Constants.CODE, Response.Status.BAD_REQUEST);
    }
    OAuth2CodeParser.ParseResult parseResult = OAuth2CodeParser.parseCode(session, code, realm, event);
    if (parseResult.isIllegalCode()) {
        AuthenticatedClientSessionModel clientSession = parseResult.getClientSession();
        // Attempt to use same code twice should invalidate existing clientSession
        if (clientSession != null) {
            clientSession.detachFromUserSession();
        }
        event.error(Errors.INVALID_CODE);
        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT, "Code not valid", Response.Status.BAD_REQUEST);
    }
    AuthenticatedClientSessionModel clientSession = parseResult.getClientSession();
    if (parseResult.isExpiredCode()) {
        event.error(Errors.EXPIRED_CODE);
        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT, "Code is expired", Response.Status.BAD_REQUEST);
    }
    UserSessionModel userSession = null;
    if (clientSession != null) {
        userSession = clientSession.getUserSession();
    }
    if (userSession == null) {
        event.error(Errors.USER_SESSION_NOT_FOUND);
        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT, "User session not found", Response.Status.BAD_REQUEST);
    }
    UserModel user = userSession.getUser();
    if (user == null) {
        event.error(Errors.USER_NOT_FOUND);
        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT, "User not found", Response.Status.BAD_REQUEST);
    }
    event.user(userSession.getUser());
    if (!user.isEnabled()) {
        event.error(Errors.USER_DISABLED);
        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT, "User disabled", Response.Status.BAD_REQUEST);
    }
    OAuth2Code codeData = parseResult.getCodeData();
    String redirectUri = codeData.getRedirectUriParam();
    String redirectUriParam = formParams.getFirst(OAuth2Constants.REDIRECT_URI);
    // KEYCLOAK-4478 Backwards compatibility with the adapters earlier than KC 3.4.2
    if (redirectUriParam != null && redirectUriParam.contains("session_state=") && !redirectUri.contains("session_state=")) {
        redirectUriParam = KeycloakUriBuilder.fromUri(redirectUriParam).replaceQueryParam(OAuth2Constants.SESSION_STATE, null).build().toString();
    }
    if (redirectUri != null && !redirectUri.equals(redirectUriParam)) {
        event.error(Errors.INVALID_CODE);
        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT, "Incorrect redirect_uri", Response.Status.BAD_REQUEST);
    }
    if (!client.getClientId().equals(clientSession.getClient().getClientId())) {
        event.error(Errors.INVALID_CODE);
        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT, "Auth error", Response.Status.BAD_REQUEST);
    }
    if (!client.isStandardFlowEnabled()) {
        event.error(Errors.NOT_ALLOWED);
        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT, "Client not allowed to exchange code", Response.Status.BAD_REQUEST);
    }
    if (!AuthenticationManager.isSessionValid(realm, userSession)) {
        event.error(Errors.USER_SESSION_NOT_FOUND);
        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT, "Session not active", Response.Status.BAD_REQUEST);
    }
    // https://tools.ietf.org/html/rfc7636#section-4.6
    String codeVerifier = formParams.getFirst(OAuth2Constants.CODE_VERIFIER);
    String codeChallenge = codeData.getCodeChallenge();
    String codeChallengeMethod = codeData.getCodeChallengeMethod();
    String authUserId = user.getId();
    String authUsername = user.getUsername();
    if (authUserId == null) {
        authUserId = "unknown";
    }
    if (authUsername == null) {
        authUsername = "unknown";
    }
    if (codeChallengeMethod != null && !codeChallengeMethod.isEmpty()) {
        PkceUtils.checkParamsForPkceEnforcedClient(codeVerifier, codeChallenge, codeChallengeMethod, authUserId, authUsername, event, cors);
    } else {
        // PKCE Activation is OFF, execute the codes implemented in KEYCLOAK-2604
        PkceUtils.checkParamsForPkceNotEnforcedClient(codeVerifier, codeChallenge, codeChallengeMethod, authUserId, authUsername, event, cors);
    }
    try {
        session.clientPolicy().triggerOnEvent(new TokenRequestContext(formParams, parseResult));
    } catch (ClientPolicyException cpe) {
        event.error(cpe.getError());
        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT, cpe.getErrorDetail(), Response.Status.BAD_REQUEST);
    }
    updateClientSession(clientSession);
    updateUserSessionFromClientAuth(userSession);
    // Compute client scopes again from scope parameter. Check if user still has them granted
    // (but in code-to-token request, it could just theoretically happen that they are not available)
    String scopeParam = codeData.getScope();
    Supplier<Stream<ClientScopeModel>> clientScopesSupplier = () -> TokenManager.getRequestedClientScopes(scopeParam, client);
    if (!TokenManager.verifyConsentStillAvailable(session, user, client, clientScopesSupplier.get())) {
        event.error(Errors.NOT_ALLOWED);
        throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_SCOPE, "Client no longer has requested consent from user", Response.Status.BAD_REQUEST);
    }
    ClientSessionContext clientSessionCtx = DefaultClientSessionContext.fromClientSessionAndScopeParameter(clientSession, scopeParam, session);
    // Set nonce as an attribute in the ClientSessionContext. Will be used for the token generation
    clientSessionCtx.setAttribute(OIDCLoginProtocol.NONCE_PARAM, codeData.getNonce());
    return createTokenResponse(user, userSession, clientSessionCtx, scopeParam, true);
}
Also used : TokenRequestContext(org.keycloak.services.clientpolicy.context.TokenRequestContext) ServiceAccountTokenRequestContext(org.keycloak.services.clientpolicy.context.ServiceAccountTokenRequestContext) UserSessionModel(org.keycloak.models.UserSessionModel) AuthenticatedClientSessionModel(org.keycloak.models.AuthenticatedClientSessionModel) OAuth2CodeParser(org.keycloak.protocol.oidc.utils.OAuth2CodeParser) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) UserModel(org.keycloak.models.UserModel) DefaultClientSessionContext(org.keycloak.services.util.DefaultClientSessionContext) ClientSessionContext(org.keycloak.models.ClientSessionContext) OAuth2Code(org.keycloak.protocol.oidc.utils.OAuth2Code) Stream(java.util.stream.Stream) CorsErrorResponseException(org.keycloak.services.CorsErrorResponseException)

Example 3 with OAuth2Code

use of org.keycloak.protocol.oidc.utils.OAuth2Code in project keycloak by keycloak.

the class OIDCLoginProtocol method authenticated.

@Override
public Response authenticated(AuthenticationSessionModel authSession, UserSessionModel userSession, ClientSessionContext clientSessionCtx) {
    AuthenticatedClientSessionModel clientSession = clientSessionCtx.getClientSession();
    if (isOAuth2DeviceVerificationFlow(authSession)) {
        return approveOAuth2DeviceAuthorization(authSession, clientSession, session);
    }
    String responseTypeParam = authSession.getClientNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM);
    String responseModeParam = authSession.getClientNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM);
    setupResponseTypeAndMode(responseTypeParam, responseModeParam);
    String redirect = authSession.getRedirectUri();
    OIDCRedirectUriBuilder redirectUri = OIDCRedirectUriBuilder.fromUri(redirect, responseMode, session, clientSession);
    String state = authSession.getClientNote(OIDCLoginProtocol.STATE_PARAM);
    logger.debugv("redirectAccessCode: state: {0}", state);
    if (state != null)
        redirectUri.addParam(OAuth2Constants.STATE, state);
    OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientModel(clientSession.getClient());
    if (!clientConfig.isExcludeSessionStateFromAuthResponse()) {
        redirectUri.addParam(OAuth2Constants.SESSION_STATE, userSession.getId());
    }
    String nonce = authSession.getClientNote(OIDCLoginProtocol.NONCE_PARAM);
    clientSessionCtx.setAttribute(OIDCLoginProtocol.NONCE_PARAM, nonce);
    String kcActionStatus = authSession.getClientNote(Constants.KC_ACTION_STATUS);
    if (kcActionStatus != null) {
        redirectUri.addParam(Constants.KC_ACTION_STATUS, kcActionStatus);
    }
    // Standard or hybrid flow
    String code = null;
    if (responseType.hasResponseType(OIDCResponseType.CODE)) {
        OAuth2Code codeData = new OAuth2Code(UUID.randomUUID(), Time.currentTime() + userSession.getRealm().getAccessCodeLifespan(), nonce, authSession.getClientNote(OAuth2Constants.SCOPE), authSession.getClientNote(OIDCLoginProtocol.REDIRECT_URI_PARAM), authSession.getClientNote(OIDCLoginProtocol.CODE_CHALLENGE_PARAM), authSession.getClientNote(OIDCLoginProtocol.CODE_CHALLENGE_METHOD_PARAM));
        code = OAuth2CodeParser.persistCode(session, clientSession, codeData);
        redirectUri.addParam(OAuth2Constants.CODE, code);
    }
    // Implicit or hybrid flow
    if (responseType.isImplicitOrHybridFlow()) {
        org.keycloak.protocol.oidc.TokenManager tokenManager = new org.keycloak.protocol.oidc.TokenManager();
        org.keycloak.protocol.oidc.TokenManager.AccessTokenResponseBuilder responseBuilder = tokenManager.responseBuilder(realm, clientSession.getClient(), event, session, userSession, clientSessionCtx).generateAccessToken();
        if (responseType.hasResponseType(OIDCResponseType.ID_TOKEN)) {
            responseBuilder.generateIDToken(isIdTokenAsDetachedSignature(clientSession.getClient()));
            if (responseType.hasResponseType(OIDCResponseType.TOKEN)) {
                responseBuilder.generateAccessTokenHash();
            }
            if (responseType.hasResponseType(OIDCResponseType.CODE)) {
                responseBuilder.generateCodeHash(code);
            }
            // http://openid.net/specs/openid-financial-api-part-2.html#authorization-server
            if (state != null && !state.isEmpty())
                responseBuilder.generateStateHash(state);
        }
        AccessTokenResponse res = responseBuilder.build();
        if (responseType.hasResponseType(OIDCResponseType.ID_TOKEN)) {
            redirectUri.addParam(OAuth2Constants.ID_TOKEN, res.getIdToken());
        }
        if (responseType.hasResponseType(OIDCResponseType.TOKEN)) {
            redirectUri.addParam(OAuth2Constants.ACCESS_TOKEN, res.getToken());
            redirectUri.addParam(OAuth2Constants.TOKEN_TYPE, res.getTokenType());
            redirectUri.addParam(OAuth2Constants.EXPIRES_IN, String.valueOf(res.getExpiresIn()));
        }
    }
    return redirectUri.build();
}
Also used : AuthenticatedClientSessionModel(org.keycloak.models.AuthenticatedClientSessionModel) OIDCRedirectUriBuilder(org.keycloak.protocol.oidc.utils.OIDCRedirectUriBuilder) OAuth2Code(org.keycloak.protocol.oidc.utils.OAuth2Code) AccessTokenResponse(org.keycloak.representations.AccessTokenResponse)

Aggregations

OAuth2Code (org.keycloak.protocol.oidc.utils.OAuth2Code)3 AuthenticatedClientSessionModel (org.keycloak.models.AuthenticatedClientSessionModel)2 Stream (java.util.stream.Stream)1 ClientSessionContext (org.keycloak.models.ClientSessionContext)1 UserModel (org.keycloak.models.UserModel)1 UserSessionModel (org.keycloak.models.UserSessionModel)1 OAuth2CodeParser (org.keycloak.protocol.oidc.utils.OAuth2CodeParser)1 OIDCRedirectUriBuilder (org.keycloak.protocol.oidc.utils.OIDCRedirectUriBuilder)1 AccessTokenResponse (org.keycloak.representations.AccessTokenResponse)1 CorsErrorResponseException (org.keycloak.services.CorsErrorResponseException)1 ClientPolicyException (org.keycloak.services.clientpolicy.ClientPolicyException)1 ServiceAccountTokenRequestContext (org.keycloak.services.clientpolicy.context.ServiceAccountTokenRequestContext)1 TokenRequestContext (org.keycloak.services.clientpolicy.context.TokenRequestContext)1 DefaultClientSessionContext (org.keycloak.services.util.DefaultClientSessionContext)1