
Example 1 with KeyLocator

Use of org.keycloak.rotation.KeyLocator in the keycloak/keycloak project.

Class AbstractSamlAuthenticationHandler, method validateSamlSignature — verifies the signature of an incoming SAML message using the configured IdP's signature-validation key locator, choosing the POST- or REDIRECT-binding check according to how the message arrived:

/**
 * Verifies the signature of an incoming SAML message.
 * <p>
 * Verification keys always come from the configured IdP's signature-validation
 * {@link KeyLocator}; the message never supplies its own key. For HTTP-POST the
 * signature embedded in the SAML document is checked, for HTTP-Redirect the
 * detached signature over the query string is checked and the key id read from
 * the message is handed to the locator (presumably only as a lookup hint into the
 * configured keys — confirm against the locator implementation).
 *
 * @param holder      the parsed SAML document plus its original representation
 * @param postBinding {@code true} for HTTP-POST binding, {@code false} for HTTP-Redirect
 * @param paramKey    REDIRECT binding only; passed through to
 *                    {@code verifyRedirectBindingSignature} (see that method for its meaning)
 * @throws VerificationException if the signature check fails
 */
private void validateSamlSignature(SAMLDocumentHolder holder, boolean postBinding, String paramKey) throws VerificationException {
    final KeyLocator idpKeys = deployment.getIDP().getSignatureValidationKeyLocator();

    if (!postBinding) {
        // REDIRECT binding: signature lives in the query string, not in the XML.
        final String kid = getMessageSigningKeyId(holder.getSamlObject());
        verifyRedirectBindingSignature(paramKey, idpKeys, kid);
        return;
    }

    // POST binding: XML signature inside the posted document.
    verifyPostBindingSignature(holder.getSamlDocument(), idpKeys);
}

Example 2 with KeyLocator

Use of org.keycloak.rotation.KeyLocator in the keycloak/keycloak project.

Class SamlClient (test-suite helper), method extractSamlResponseFromRedirect — pulls the SAML message out of a REDIRECT-binding URI and, when a realm public key is supplied, verifies the query-string signature against that fixed key:

/**
 * Extracts and parses the SAMLResponse (or SAMLRequest) query parameter of a
 * REDIRECT-binding URI.
 * <p>
 * Exactly one of the two parameters must be present (asserted). When
 * {@code realmPublicKey} is given, the detached signature in the query string
 * is verified against that key before the document is returned; the key id
 * named by the message is ignored because the realm key is fixed by the caller.
 * When it is {@code null} no verification happens at all, so a test that cares
 * about signatures must pass the key.
 *
 * @param responseUri    the redirect URI whose query string carries the SAML message
 * @param realmPublicKey the realm's public key in string form used to verify the
 *                       REDIRECT signature, or {@code null} to skip verification
 * @return the parsed SAML document holder
 * @throws IOException if the signature does not verify; the underlying
 *                     {@link VerificationException} is preserved as the cause
 */
public static SAMLDocumentHolder extractSamlResponseFromRedirect(String responseUri, String realmPublicKey) throws IOException {
    final String rawQuery = URI.create(responseUri).getRawQuery();
    final MultivaluedMap<String, String> query = parseEncodedQueryParameters(rawQuery);
    final String response = query.getFirst(GeneralConstants.SAML_RESPONSE_KEY);
    final String request = query.getFirst(GeneralConstants.SAML_REQUEST_KEY);

    // XOR on presence: exactly one of SAMLResponse / SAMLRequest may be set.
    final boolean exactlyOne = (response == null) != (request == null);
    assertTrue("Only one SAMLRequest/SAMLResponse check", exactlyOne);

    final boolean isResponse = response != null;
    final String paramName = isResponse ? GeneralConstants.SAML_RESPONSE_KEY : GeneralConstants.SAML_REQUEST_KEY;
    final String decoded = RedirectBindingUtil.urlDecode(isResponse ? response : request);
    final SAMLDocumentHolder holder = SAMLRequestParser.parseResponseRedirectBinding(decoded);

    if (realmPublicKey == null) {
        // No key supplied: the caller does not want the signature checked.
        return holder;
    }

    // Fixed-key locator: regardless of the key id the message names, only the
    // caller-supplied realm key is ever used for verification.
    final KeyLocator fixedKey = new KeyLocator() {

        @Override
        public Key getKey(String kid) throws KeyManagementException {
            return org.keycloak.testsuite.util.KeyUtils.publicKeyFromString(realmPublicKey);
        }

        @Override
        public void refreshKeyCache() {
            // nothing is cached
        }
    };

    try {
        SamlProtocolUtils.verifyRedirectSignature(holder, fixedKey, query, paramName);
    } catch (VerificationException e) {
        // Keep the original failure as the cause for test diagnostics.
        throw new IOException(e);
    }
    return holder;
}
