Example 56 with ClientPolicyException

Use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

Class PKCEEnforcerExecutor, method executeOnAuthorizationRequest.

private void executeOnAuthorizationRequest(OIDCResponseType parsedResponseType, AuthorizationEndpointRequest request, String redirectUri) throws ClientPolicyException {
    ClientModel client = session.getContext().getClient();
    String codeChallenge = request.getCodeChallenge();
    String codeChallengeMethod = request.getCodeChallengeMethod();
    String pkceCodeChallengeMethod = OIDCAdvancedConfigWrapper.fromClientModel(client).getPkceCodeChallengeMethod();
    // check whether code challenge method is specified
    if (codeChallengeMethod == null) {
        throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "Missing parameter: code_challenge_method");
    }
    // check whether acceptable code challenge method is specified
    if (!isAcceptableCodeChallengeMethod(codeChallengeMethod)) {
        throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "Invalid parameter: invalid code_challenge_method");
    }
    // check whether the specified code challenge method matches the one configured for the client (if any)
    if (pkceCodeChallengeMethod != null && !codeChallengeMethod.equals(pkceCodeChallengeMethod)) {
        throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "Invalid parameter: code challenge method is not configured one");
    }
    // check whether code challenge is specified
    if (codeChallenge == null) {
        throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "Missing parameter: code_challenge");
    }
    // check whether the code challenge is formatted according to the PKCE specification (RFC 7636)
    if (!isValidPkceCodeChallenge(codeChallenge)) {
        throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "Invalid parameter: code_challenge");
    }
}
Also used: org.keycloak.models.ClientModel, org.keycloak.services.clientpolicy.ClientPolicyException

Example 57 with ClientPolicyException

Use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

Class SecureClientAuthenticatorExecutor, method validateDuringClientRequest.

// Validate client authenticator also during client request
private void validateDuringClientRequest() throws ClientPolicyException {
    ClientModel client = session.getContext().getClient();
    // Allow public clients (a separate executor checks the access type)
    if (client.isPublicClient())
        return;
    if (isValidClientAuthenticator(client.getClientAuthenticatorType()))
        return;
    logger.warnf("Client authentication method not allowed for client: %s", client.getClientId());
    throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "Configured client authentication method not allowed for client");
}
Also used: org.keycloak.models.ClientModel, org.keycloak.services.clientpolicy.ClientPolicyException

Example 58 with ClientPolicyException

Use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

Class SecureClientUrisExecutor, method executeOnEvent.

@Override
public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
    switch(context.getEvent()) {
        case REGISTER:
            if (context instanceof AdminClientRegisterContext || context instanceof DynamicClientRegisterContext) {
                ClientRepresentation clientRep = ((ClientCRUDContext) context).getProposedClientRepresentation();
                confirmSecureUris(clientRep);
                // Use rootUrl as the default redirect URI, to avoid the wildcard redirect URIs that later stages of client creation would otherwise generate
                if (clientRep.getRootUrl() != null && (clientRep.getRedirectUris() == null || clientRep.getRedirectUris().isEmpty())) {
                    logger.debugf("Setup Redirect URI = %s for client %s", clientRep.getRootUrl(), clientRep.getClientId());
                    clientRep.setRedirectUris(Collections.singletonList(clientRep.getRootUrl()));
                }
            } else {
                throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "not allowed input format.");
            }
            return;
        case UPDATE:
            if (context instanceof AdminClientUpdateContext || context instanceof DynamicClientUpdateContext) {
                confirmSecureUris(((ClientCRUDContext) context).getProposedClientRepresentation());
            } else {
                throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "not allowed input format.");
            }
            return;
        case AUTHORIZATION_REQUEST:
            confirmSecureRedirectUri(((AuthorizationRequestContext) context).getRedirectUri());
            return;
        default:
            return;
    }
}
Also used: org.keycloak.services.clientpolicy.context.ClientCRUDContext, org.keycloak.services.clientpolicy.context.AdminClientUpdateContext, org.keycloak.services.clientpolicy.context.DynamicClientUpdateContext, org.keycloak.services.clientpolicy.context.DynamicClientRegisterContext, org.keycloak.services.clientpolicy.context.AdminClientRegisterContext, org.keycloak.representations.idm.ClientRepresentation, org.keycloak.services.clientpolicy.ClientPolicyException

Example 59 with ClientPolicyException

Use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

Class SecureSigningAlgorithmForSignedJwtExecutor, method executeOnEvent.

@Override
public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
    switch(context.getEvent()) {
        case TOKEN_REQUEST:
        case SERVICE_ACCOUNT_TOKEN_REQUEST:
        case TOKEN_REFRESH:
        case TOKEN_REVOKE:
        case TOKEN_INTROSPECT:
        case LOGOUT_REQUEST:
            boolean isRequireClientAssertion = Optional.ofNullable(configuration.isRequireClientAssertion()).orElse(Boolean.FALSE).booleanValue();
            HttpRequest req = session.getContext().getContextObject(HttpRequest.class);
            String clientAssertion = req.getDecodedFormParameters().getFirst(OAuth2Constants.CLIENT_ASSERTION);
            if (!isRequireClientAssertion && ObjectUtil.isBlank(clientAssertion)) {
                break;
            }
            JWSInput jws = null;
            try {
                jws = new JWSInput(clientAssertion);
            } catch (JWSInputException e) {
                throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "not allowed input format.");
            }
            verifySecureSigningAlgorithm(jws.getHeader().getAlgorithm().name());
            break;
        default:
            return;
    }
}
Also used: org.jboss.resteasy.spi.HttpRequest, org.keycloak.jose.jws.JWSInputException, org.keycloak.jose.jws.JWSInput, org.keycloak.services.clientpolicy.ClientPolicyException

Example 60 with ClientPolicyException

Use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

Class AbstractClientRegistrationProvider, method update.

public ClientRepresentation update(String clientId, ClientRegistrationContext context) {
    ClientRepresentation rep = context.getClient();
    event.event(EventType.CLIENT_UPDATE).client(clientId);
    ClientModel client = session.getContext().getRealm().getClientByClientId(clientId);
    RegistrationAuth registrationAuth = auth.requireUpdate(context, client);
    if (!client.getClientId().equals(rep.getClientId())) {
        throw new ErrorResponseException(ErrorCodes.INVALID_CLIENT_METADATA, "Client Identifier modified", Response.Status.BAD_REQUEST);
    }
    RepresentationToModel.updateClient(rep, client);
    RepresentationToModel.updateClientProtocolMappers(rep, client);
    if (rep.getDefaultRoles() != null) {
        client.updateDefaultRoles(rep.getDefaultRoles());
    }
    rep = ModelToRepresentation.toRepresentation(client, session);
    Stream<String> defaultRolesNames = client.getDefaultRolesStream();
    if (defaultRolesNames != null) {
        rep.setDefaultRoles(defaultRolesNames.toArray(String[]::new));
    }
    if (auth.isRegistrationAccessToken()) {
        String registrationAccessToken = ClientRegistrationTokenUtils.updateRegistrationAccessToken(session, client, auth.getRegistrationAuth());
        rep.setRegistrationAccessToken(registrationAccessToken);
    }
    try {
        session.clientPolicy().triggerOnEvent(new DynamicClientUpdatedContext(session, client, auth.getJwt(), client.getRealm()));
    } catch (ClientPolicyException cpe) {
        throw new ErrorResponseException(cpe.getError(), cpe.getErrorDetail(), Response.Status.BAD_REQUEST);
    }
    ClientRegistrationPolicyManager.triggerAfterUpdate(context, registrationAuth, client);
    event.client(client.getClientId()).success();
    return rep;
}
Also used: org.keycloak.models.ClientModel, org.keycloak.services.clientregistration.policy.RegistrationAuth, org.keycloak.services.clientpolicy.context.DynamicClientUpdatedContext, org.keycloak.services.ErrorResponseException, org.keycloak.representations.idm.ClientRepresentation, org.keycloak.representations.oidc.OIDCClientRepresentation, org.keycloak.services.clientpolicy.ClientPolicyException
