Use of org.keycloak.rotation.KeyLocator in project keycloak by keycloak: class AbstractSamlAuthenticationHandler, method validateSamlSignature.
/**
 * Verifies the signature on an inbound SAML message using the IdP's configured
 * signature-validation keys.
 * <p>
 * POST binding: the XML signature embedded in the document is checked.
 * REDIRECT binding: the signature travels in the query string, so the key id is first
 * read from the parsed SAML object and the check is run against the named parameter.
 *
 * @param holder      parsed SAML message (document plus object form)
 * @param postBinding {@code true} for HTTP-POST, {@code false} for HTTP-Redirect
 * @param paramKey    name of the query parameter carrying the message (REDIRECT only)
 * @throws VerificationException if the signature is missing or does not verify
 */
private void validateSamlSignature(SAMLDocumentHolder holder, boolean postBinding, String paramKey) throws VerificationException {
    KeyLocator idpKeys = deployment.getIDP().getSignatureValidationKeyLocator();
    if (!postBinding) {
        // REDIRECT binding: signature is over the query parameters, keyed by the message's key id.
        String signingKeyId = getMessageSigningKeyId(holder.getSamlObject());
        verifyRedirectBindingSignature(paramKey, idpKeys, signingKeyId);
        return;
    }
    // POST binding: the signature is embedded in the XML document itself.
    verifyPostBindingSignature(holder.getSamlDocument(), idpKeys);
}
Use of org.keycloak.rotation.KeyLocator in project keycloak by keycloak: class SamlClient, method extractSamlResponseFromRedirect.
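/**
 * Extracts and parses the {@code SAMLResponse} (or {@code SAMLRequest}) query parameter
 * from the given HTTP-Redirect binding URI.
 * <p>
 * Exactly one of {@code SAMLRequest} / {@code SAMLResponse} must be present in the query
 * string; this is asserted (test-only contract). When {@code realmPublicKey} is supplied,
 * the signature carried in the query parameters is verified against that key and a
 * failure surfaces as an {@link IOException}. When it is {@code null} the message is
 * parsed but <b>not</b> authenticated, so callers must not treat the returned document as
 * trusted in that case.
 *
 * @param responseUri    the redirect URI whose query string carries the SAML message
 * @param realmPublicKey the realm's public key, in whatever string form
 *                       {@code KeyUtils.publicKeyFromString} accepts, used to validate the
 *                       REDIRECT-binding signature; {@code null} skips signature validation
 * @return the parsed SAML document holder (document plus object form)
 * @throws IOException if signature validation was requested and failed; the underlying
 *                     {@link VerificationException} is preserved as the cause
 */
public static SAMLDocumentHolder extractSamlResponseFromRedirect(String responseUri, String realmPublicKey) throws IOException {
    MultivaluedMap<String, String> encodedParams = parseEncodedQueryParameters(URI.create(responseUri).getRawQuery());
    String samlResponse = encodedParams.getFirst(GeneralConstants.SAML_RESPONSE_KEY);
    String samlRequest = encodedParams.getFirst(GeneralConstants.SAML_REQUEST_KEY);
    // A single URI must carry either a request or a response: never both, never neither.
    assertTrue("Only one SAMLRequest/SAMLResponse check", (samlResponse != null && samlRequest == null) || (samlResponse == null && samlRequest != null));
    boolean isResponse = samlResponse != null;
    String paramKey = isResponse ? GeneralConstants.SAML_RESPONSE_KEY : GeneralConstants.SAML_REQUEST_KEY;
    String samlDoc = RedirectBindingUtil.urlDecode(isResponse ? samlResponse : samlRequest);
    SAMLDocumentHolder documentHolder = SAMLRequestParser.parseResponseRedirectBinding(samlDoc);
    if (realmPublicKey != null) {
        // Only verify when a key was supplied; otherwise the message is returned unauthenticated.
        try {
            // Every key id resolves to the single supplied realm key: 'kid' is ignored, so a
            // successful check proves the message was signed with that key and nothing more.
            KeyLocator locator = new KeyLocator() {
                @Override
                public Key getKey(String kid) throws KeyManagementException {
                    return org.keycloak.testsuite.util.KeyUtils.publicKeyFromString(realmPublicKey);
                }
                @Override
                public void refreshKeyCache() {
                    // Nothing is cached; the key is re-parsed on every lookup.
                }
            };
            // NOTE(review): the still-encoded parameters are passed through, presumably because
            // the REDIRECT signature is computed over the raw query-string values — confirm.
            SamlProtocolUtils.verifyRedirectSignature(documentHolder, locator, encodedParams, paramKey);
        } catch (VerificationException e) {
            throw new IOException(e);
        }
    }
    return documentHolder;
}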