
Example 1 — `org.keycloak.protocol.oidc.utils.OIDCResponseMode` in the Keycloak project: `AuthorizationEndpointChecker.checkResponseType()`, which validates the `response_type` / `response_mode` pair of an authorization request before the flow is allowed to proceed.

/**
 * Validates the {@code response_type} / {@code response_mode} pair of the authorization
 * request and records both as event details. On success {@code parsedResponseType} and
 * {@code parsedResponseMode} are set on this checker. On failure the event is marked with the
 * matching error and an {@link AuthorizationCheckException} carrying the HTTP status, the OAuth
 * error code and an optional description is thrown.
 *
 * Checks run in this order: response_type present, response_type parseable, response_mode
 * parseable, response_type/response_mode combination permitted, and finally whether the client
 * is enabled for the flow that the response_type selects.
 *
 * @throws AuthorizationCheckException when any of the checks above fails
 */
public void checkResponseType() throws AuthorizationCheckException {
    final String rawResponseType = request.getResponseType();
    if (rawResponseType == null) {
        ServicesLogger.LOGGER.missingParameter(OAuth2Constants.RESPONSE_TYPE);
        event.error(Errors.INVALID_REQUEST);
        throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, OAuthErrorException.INVALID_REQUEST, "Missing parameter: response_type");
    }
    event.detail(Details.RESPONSE_TYPE, rawResponseType);

    // A value the parser does not know is reported as unsupported_response_type (no description).
    try {
        this.parsedResponseType = OIDCResponseType.parse(rawResponseType);
    } catch (IllegalArgumentException unsupportedType) {
        event.error(Errors.INVALID_REQUEST);
        throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, OAuthErrorException.UNSUPPORTED_RESPONSE_TYPE, null);
    }

    // response_mode is resolved relative to the parsed response_type (parse() takes the type,
    // presumably to choose the default encoding when the parameter is absent — see OIDCResponseMode).
    final OIDCResponseMode mode;
    try {
        mode = OIDCResponseMode.parse(request.getResponseMode(), parsedResponseType);
    } catch (IllegalArgumentException invalidMode) {
        ServicesLogger.LOGGER.invalidParameter(OIDCLoginProtocol.RESPONSE_MODE_PARAM);
        event.error(Errors.INVALID_REQUEST);
        throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, OAuthErrorException.INVALID_REQUEST, "Invalid parameter: response_mode");
    }
    event.detail(Details.RESPONSE_MODE, mode.toString().toLowerCase());

    final boolean tokensInFrontChannel = parsedResponseType.isImplicitOrHybridFlow();

    // Implicit and hybrid responses carry tokens in the front channel and default to the
    // fragment encoding; the OAuth 2.0 Multiple Response Type Encoding Practices spec forbids
    // returning them in the query. The parsedResponseMode field is intentionally still unset
    // when this throws: AuthorizationEndpoint.process substitutes QUERY for a null mode when
    // it redirects this error back to the client.
    if (tokensInFrontChannel && mode == OIDCResponseMode.QUERY) {
        ServicesLogger.LOGGER.responseModeQueryNotAllowed();
        event.error(Errors.INVALID_REQUEST);
        throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, OAuthErrorException.INVALID_REQUEST, "Response_mode 'query' not allowed for implicit or hybrid flow");
    }
    this.parsedResponseMode = mode;

    // query.jwt (JWT-secured response mode) would still place the response JWT in the query
    // string, so for implicit/hybrid it is accepted only when the client is configured to
    // encrypt the authorization response: both the alg and the enc attribute must be set.
    if (tokensInFrontChannel && mode == OIDCResponseMode.QUERY_JWT) {
        final boolean responseEncrypted =
                StringUtil.isNotBlank(client.getAttribute(OIDCConfigAttributes.AUTHORIZATION_ENCRYPTED_RESPONSE_ALG))
                && StringUtil.isNotBlank(client.getAttribute(OIDCConfigAttributes.AUTHORIZATION_ENCRYPTED_RESPONSE_ENC));
        if (!responseEncrypted) {
            ServicesLogger.LOGGER.responseModeQueryJwtNotAllowed();
            event.error(Errors.INVALID_REQUEST);
            throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, OAuthErrorException.INVALID_REQUEST, "Response_mode 'query.jwt' is allowed only when the authorization response token is encrypted");
        }
    }

    // Flow authorisation: 'code' and 'none' require the standard flow to be enabled on the
    // client; implicit and hybrid require the implicit flow. Either refusal is a 401
    // unauthorized_client, not a 400 — the request is well-formed but the client may not use it.
    final boolean needsStandardFlow = parsedResponseType.hasResponseType(OIDCResponseType.CODE)
            || parsedResponseType.hasResponseType(OIDCResponseType.NONE);
    if (needsStandardFlow && !client.isStandardFlowEnabled()) {
        ServicesLogger.LOGGER.flowNotAllowed("Standard");
        event.error(Errors.NOT_ALLOWED);
        throw new AuthorizationCheckException(Response.Status.UNAUTHORIZED, OAuthErrorException.UNAUTHORIZED_CLIENT, "Client is not allowed to initiate browser login with given response_type. Standard flow is disabled for the client.");
    }
    if (tokensInFrontChannel && !client.isImplicitFlowEnabled()) {
        ServicesLogger.LOGGER.flowNotAllowed("Implicit");
        event.error(Errors.NOT_ALLOWED);
        throw new AuthorizationCheckException(Response.Status.UNAUTHORIZED, OAuthErrorException.UNAUTHORIZED_CLIENT, "Client is not allowed to initiate browser login with given response_type. Implicit flow is disabled for the client.");
    }
}

Example 2 — `org.keycloak.protocol.oidc.utils.OIDCResponseMode` in the Keycloak project: `AuthorizationEndpoint.process()`, the entry point that runs the request checks and decides how an authorization error is returned to the client.

/**
 * Processes one authorization request: resolves and validates the client, runs the
 * {@link AuthorizationEndpointChecker} checks in order, fires client policies, creates the
 * authentication session and finally dispatches on {@code action}.
 *
 * Error routing matters here. The redirect_uri check is the first checker call and its failure
 * is rendered as an error page; every later failure is sent back to the (by then validated)
 * redirect URI via {@code redirectErrorToClient}, so an unvalidated redirect_uri is never used
 * as an error target.
 *
 * @param params the raw request parameters
 * @return the response for this request (login page, registration, forgot-credentials, or an
 *         error redirect)
 */
private Response process(MultivaluedMap<String, String> params) {
    // Identify and validate the caller before anything else is parsed.
    final String clientId = AuthorizationEndpointRequestParserProcessor.getClientId(event, session, params);
    checkSsl();
    checkRealm();
    checkClient(clientId);
    request = AuthorizationEndpointRequestParserProcessor.parseRequest(event, session, client, params);

    final AuthorizationEndpointChecker checks = new AuthorizationEndpointChecker()
            .event(event)
            .client(client)
            .realm(realm)
            .request(request)
            .session(session)
            .params(params);

    // redirect_uri must be trusted before any error may be redirected to it: a failure here
    // becomes an error page, not a redirect.
    try {
        checks.checkRedirectUri();
        this.redirectUri = checks.getRedirectUri();
    } catch (AuthorizationEndpointChecker.AuthorizationCheckException ex) {
        ex.throwAsErrorPageException(authenticationSession);
    }

    try {
        checks.checkResponseType();
        this.parsedResponseType = checks.getParsedResponseType();
        this.parsedResponseMode = checks.getParsedResponseMode();
    } catch (AuthorizationEndpointChecker.AuthorizationCheckException ex) {
        // The checker may fail before it has settled on a response_mode; QUERY is the fallback
        // encoding for the error redirect in that case.
        OIDCResponseMode modeForError = checks.getParsedResponseMode();
        if (modeForError == null) {
            modeForError = OIDCResponseMode.QUERY;
        }
        return redirectErrorToClient(modeForError, ex.getError(), ex.getErrorDescription());
    }

    if (action == null) {
        action = AuthorizationEndpoint.Action.CODE;
    }

    // Remaining request checks; from here on the parsed response_mode is used for error redirects.
    try {
        checks.checkParRequired();
        checks.checkInvalidRequestMessage();
        checks.checkOIDCRequest();
        checks.checkValidScope();
        checks.checkOIDCParams();
        checks.checkPKCEParams();
    } catch (AuthorizationEndpointChecker.AuthorizationCheckException ex) {
        return redirectErrorToClient(parsedResponseMode, ex.getError(), ex.getErrorDescription());
    }

    // Client policies get a veto on the fully parsed request.
    try {
        session.clientPolicy().triggerOnEvent(new AuthorizationRequestContext(parsedResponseType, request, redirectUri, params));
    } catch (ClientPolicyException cpe) {
        return redirectErrorToClient(parsedResponseMode, cpe.getError(), cpe.getErrorDetail());
    }

    authenticationSession = createAuthenticationSession(client, request.getState());
    updateAuthenticationSession();

    // Prevent the browser from re-showing this page from cache on "back".
    CacheControlUtil.noBackButtonCacheControlHeader();

    switch (action) {
        case REGISTER:
            return buildRegister();
        case FORGOT_CREDENTIALS:
            return buildForgotCredential();
        case CODE:
            return buildAuthorizationCodeAuthorizationResponse();
        default:
            throw new RuntimeException("Unknown action " + action);
    }
}

Example 3 — `org.keycloak.protocol.oidc.utils.OIDCResponseMode` in the Keycloak project: `LoginActionsService.initLoginEvent()`, which rebuilds the LOGIN event details from the notes stored on the authentication session.

/**
 * Populates the LOGIN event with what the authentication session records: client, parent
 * session id (as CODE_ID), redirect URI, protocol, response_type / response_mode, the
 * authenticated or attempted user, the remember-me choice and any identity-provider details.
 *
 * @param authSession the authentication session the login is being performed in
 */
private void initLoginEvent(AuthenticationSessionModel authSession) {
    // response_type / response_mode are read back from the client notes (presumably written
    // when the authorization endpoint created the session). A missing response_type is reported
    // as "code". Unlike AuthorizationEndpointChecker there is no try/catch here, so a malformed
    // note surfaces as an IllegalArgumentException from parse().
    final String typeNote = authSession.getClientNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM);
    final String responseType = (typeNote != null) ? typeNote : "code";
    final String modeNote = authSession.getClientNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM);
    final OIDCResponseType parsedType = OIDCResponseType.parse(responseType);
    final OIDCResponseMode responseMode = OIDCResponseMode.parse(modeNote, parsedType);

    event.event(EventType.LOGIN)
            .client(authSession.getClient())
            .detail(Details.CODE_ID, authSession.getParentSession().getId())
            .detail(Details.REDIRECT_URI, authSession.getRedirectUri())
            .detail(Details.AUTH_METHOD, authSession.getProtocol())
            .detail(Details.RESPONSE_TYPE, responseType)
            .detail(Details.RESPONSE_MODE, responseMode.toString().toLowerCase());

    // The authenticated user (if any) is attached first; an attempted username from the
    // username form is written afterwards, so it wins for USERNAME if detail() replaces keys.
    final UserModel authenticatedUser = authSession.getAuthenticatedUser();
    if (authenticatedUser != null) {
        event.user(authenticatedUser).detail(Details.USERNAME, authenticatedUser.getUsername());
    }
    final String attemptedUsername = authSession.getAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME);
    if (attemptedUsername != null) {
        event.detail(Details.USERNAME, attemptedUsername);
    }

    // Anything other than a case-insensitive "true" is reported as "false"; a matching note is
    // passed through as written.
    final String rememberMeNote = authSession.getAuthNote(Details.REMEMBER_ME);
    final String rememberMe = "true".equalsIgnoreCase(rememberMeNote) ? rememberMeNote : "false";
    event.detail(Details.REMEMBER_ME, rememberMe);

    // Brokered logins carry the identity provider alias and the username at that provider.
    final Map<String, String> userSessionNotes = authSession.getUserSessionNotes();
    final String identityProvider = userSessionNotes.get(Details.IDENTITY_PROVIDER);
    if (identityProvider != null) {
        event.detail(Details.IDENTITY_PROVIDER, identityProvider)
             .detail(Details.IDENTITY_PROVIDER_USERNAME, userSessionNotes.get(Details.IDENTITY_PROVIDER_USERNAME));
    }
}
