Search in sources :

Example 1 with AuthorizationRequestContext

use of org.keycloak.services.clientpolicy.context.AuthorizationRequestContext in project keycloak by keycloak.

the class AuthorizationEndpoint method process.

private Response process(MultivaluedMap<String, String> params) {
    String clientId = AuthorizationEndpointRequestParserProcessor.getClientId(event, session, params);
    checkSsl();
    checkRealm();
    checkClient(clientId);
    request = AuthorizationEndpointRequestParserProcessor.parseRequest(event, session, client, params);
    AuthorizationEndpointChecker checker = new AuthorizationEndpointChecker().event(event).client(client).realm(realm).request(request).session(session).params(params);
    try {
        checker.checkRedirectUri();
        this.redirectUri = checker.getRedirectUri();
    } catch (AuthorizationEndpointChecker.AuthorizationCheckException ex) {
        ex.throwAsErrorPageException(authenticationSession);
    }
    try {
        checker.checkResponseType();
        this.parsedResponseType = checker.getParsedResponseType();
        this.parsedResponseMode = checker.getParsedResponseMode();
    } catch (AuthorizationEndpointChecker.AuthorizationCheckException ex) {
        OIDCResponseMode responseMode = checker.getParsedResponseMode() != null ? checker.getParsedResponseMode() : OIDCResponseMode.QUERY;
        return redirectErrorToClient(responseMode, ex.getError(), ex.getErrorDescription());
    }
    if (action == null) {
        action = AuthorizationEndpoint.Action.CODE;
    }
    try {
        checker.checkParRequired();
        checker.checkInvalidRequestMessage();
        checker.checkOIDCRequest();
        checker.checkValidScope();
        checker.checkOIDCParams();
        checker.checkPKCEParams();
    } catch (AuthorizationEndpointChecker.AuthorizationCheckException ex) {
        return redirectErrorToClient(parsedResponseMode, ex.getError(), ex.getErrorDescription());
    }
    try {
        session.clientPolicy().triggerOnEvent(new AuthorizationRequestContext(parsedResponseType, request, redirectUri, params));
    } catch (ClientPolicyException cpe) {
        return redirectErrorToClient(parsedResponseMode, cpe.getError(), cpe.getErrorDetail());
    }
    authenticationSession = createAuthenticationSession(client, request.getState());
    updateAuthenticationSession();
    // So back button doesn't work
    CacheControlUtil.noBackButtonCacheControlHeader();
    switch(action) {
        case REGISTER:
            return buildRegister();
        case FORGOT_CREDENTIALS:
            return buildForgotCredential();
        case CODE:
            return buildAuthorizationCodeAuthorizationResponse();
    }
    throw new RuntimeException("Unknown action " + action);
}
Also used : OIDCResponseMode(org.keycloak.protocol.oidc.utils.OIDCResponseMode) AuthorizationRequestContext(org.keycloak.services.clientpolicy.context.AuthorizationRequestContext) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException)

Example 2 with AuthorizationRequestContext

use of org.keycloak.services.clientpolicy.context.AuthorizationRequestContext in project keycloak by keycloak.

the class PKCEEnforcerExecutor method executeOnEvent.

@Override
public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
    switch(context.getEvent()) {
        case REGISTER:
        case UPDATE:
            ClientCRUDContext clientUpdateContext = (ClientCRUDContext) context;
            autoConfigure(clientUpdateContext.getProposedClientRepresentation());
            validate(clientUpdateContext.getProposedClientRepresentation());
            break;
        case AUTHORIZATION_REQUEST:
            AuthorizationRequestContext authorizationRequestContext = (AuthorizationRequestContext) context;
            executeOnAuthorizationRequest(authorizationRequestContext.getparsedResponseType(), authorizationRequestContext.getAuthorizationEndpointRequest(), authorizationRequestContext.getRedirectUri());
            return;
        case TOKEN_REQUEST:
            TokenRequestContext tokenRequestContext = (TokenRequestContext) context;
            executeOnTokenRequest(tokenRequestContext.getParams(), tokenRequestContext.getParseResult());
            return;
        default:
            return;
    }
}
Also used : TokenRequestContext(org.keycloak.services.clientpolicy.context.TokenRequestContext) ClientCRUDContext(org.keycloak.services.clientpolicy.context.ClientCRUDContext) AuthorizationRequestContext(org.keycloak.services.clientpolicy.context.AuthorizationRequestContext)

Example 3 with AuthorizationRequestContext

use of org.keycloak.services.clientpolicy.context.AuthorizationRequestContext in project keycloak by keycloak.

the class SecureRequestObjectExecutor method executeOnEvent.

@Override
public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
    switch(context.getEvent()) {
        case AUTHORIZATION_REQUEST:
            AuthorizationRequestContext authorizationRequestContext = (AuthorizationRequestContext) context;
            executeOnAuthorizationRequest(authorizationRequestContext);
            break;
        default:
            return;
    }
}
Also used : AuthorizationRequestContext(org.keycloak.services.clientpolicy.context.AuthorizationRequestContext)

Example 4 with AuthorizationRequestContext

use of org.keycloak.services.clientpolicy.context.AuthorizationRequestContext in project keycloak by keycloak.

the class SecureRequestObjectExecutor method executeOnAuthorizationRequest.

private void executeOnAuthorizationRequest(AuthorizationRequestContext context) throws ClientPolicyException {
    logger.trace("Authz Endpoint - authz request");
    MultivaluedMap<String, String> params = context.getRequestParameters();
    if (params == null) {
        logger.trace("request parameter not exist.");
        throwClientPolicyException(OAuthErrorException.INVALID_REQUEST, "Missing parameters", context);
    }
    String requestParam = params.getFirst(OIDCLoginProtocol.REQUEST_PARAM);
    String requestUriParam = params.getFirst(OIDCLoginProtocol.REQUEST_URI_PARAM);
    // check whether whether request object exists
    if (requestParam == null && requestUriParam == null) {
        logger.trace("request object not exist.");
        throwClientPolicyException(OAuthErrorException.INVALID_REQUEST, "Missing parameter: 'request' or 'request_uri'", context);
    }
    JsonNode requestObject = (JsonNode) session.getAttribute(AuthzEndpointRequestParser.AUTHZ_REQUEST_OBJECT);
    // check whether request object exists
    if (requestObject == null || requestObject.isEmpty()) {
        logger.trace("request object not exist.");
        throwClientPolicyException(OAuthErrorException.INVALID_REQUEST, "Invalid parameter: : 'request' or 'request_uri'", context);
    }
    // check whether scope exists in both query parameter and request object
    if (params.getFirst(OIDCLoginProtocol.SCOPE_PARAM) == null && requestObject.get(OIDCLoginProtocol.SCOPE_PARAM) == null) {
        logger.trace("scope object not exist.");
        throwClientPolicyException(OAuthErrorException.INVALID_REQUEST, "Parameter 'scope' missing in the request parameters or in 'request' object", context);
    }
    // check whether "exp" claim exists
    if (requestObject.get("exp") == null) {
        logger.trace("exp claim not incuded.");
        throwClientPolicyException(INVALID_REQUEST_OBJECT, "Missing parameter in the 'request' object: exp", context);
    }
    // check whether request object not expired
    long exp = requestObject.get("exp").asLong();
    if (Time.currentTime() > exp) {
        // TODO: Time.currentTime() is int while exp is long...
        logger.trace("request object expired.");
        throw new ClientPolicyException(INVALID_REQUEST_OBJECT, "Request Expired");
    }
    // while needed for FAPI 1.0 Advanced security profile
    if (Optional.ofNullable(configuration.isVerifyNbf()).orElse(Boolean.FALSE).booleanValue()) {
        // check whether "nbf" claim exists
        if (requestObject.get("nbf") == null) {
            logger.trace("nbf claim not incuded.");
            throwClientPolicyException(INVALID_REQUEST_OBJECT, "Missing parameter in the 'request' object: nbf", context);
        }
        // check whether request object not yet being processed
        long nbf = requestObject.get("nbf").asLong();
        if (Time.currentTime() < nbf) {
            // TODO: Time.currentTime() is int while nbf is long...
            logger.trace("request object not yet being processed.");
            throwClientPolicyException(INVALID_REQUEST_OBJECT, "Request not yet being processed", context);
        }
        // check whether request object's available period is short
        int availablePeriod = Optional.ofNullable(configuration.getAvailablePeriod()).orElse(DEFAULT_AVAILABLE_PERIOD).intValue();
        if (exp - nbf > availablePeriod) {
            logger.trace("request object's available period is long.");
            throwClientPolicyException(INVALID_REQUEST_OBJECT, "Request's available period is long", context);
        }
    }
    // check whether "aud" claim exists
    List<String> aud = new ArrayList<String>();
    JsonNode audience = requestObject.get("aud");
    if (audience == null) {
        logger.trace("aud claim not incuded.");
        throwClientPolicyException(INVALID_REQUEST_OBJECT, "Missing parameter in the 'request' object: aud", context);
    }
    if (audience.isArray()) {
        for (JsonNode node : audience) aud.add(node.asText());
    } else {
        aud.add(audience.asText());
    }
    if (aud.isEmpty()) {
        logger.trace("aud claim not incuded.");
        throwClientPolicyException(INVALID_REQUEST_OBJECT, "Missing parameter value in the 'request' object: aud", context);
    }
    // check whether "aud" claim points to this keycloak as authz server
    String iss = Urls.realmIssuer(session.getContext().getUri().getBaseUri(), session.getContext().getRealm().getName());
    if (!aud.contains(iss)) {
        logger.trace("aud not points to the intended realm.");
        throwClientPolicyException(INVALID_REQUEST_OBJECT, "Invalid parameter in the 'request' object: aud", context);
    }
    // confirm whether all parameters in query string are included in the request object, and have the same values
    // argument "request" are parameters overridden by parameters in request object
    Optional<String> incorrectParam = AuthzEndpointRequestParser.KNOWN_REQ_PARAMS.stream().filter(param -> params.containsKey(param)).filter(param -> !isSameParameterIncluded(param, params.getFirst(param), requestObject)).findFirst();
    if (incorrectParam.isPresent()) {
        logger.warnf("Parameter '%s' does not have same value in 'request' object and in request parameters", incorrectParam.get());
        throwClientPolicyException(OAuthErrorException.INVALID_REQUEST, "Invalid parameter. Parameters in 'request' object not matching with request parameters", context);
    }
    Boolean encryptionRequired = Optional.ofNullable(configuration.isEncryptionRequired()).orElse(Boolean.FALSE);
    if (encryptionRequired && session.getAttribute(AuthzEndpointRequestParser.AUTHZ_REQUEST_OBJECT_ENCRYPTED) == null) {
        logger.trace("request object's not encrypted.");
        throw new ClientPolicyException(INVALID_REQUEST_OBJECT, "Request object not encrypted");
    }
    logger.trace("Passed.");
}
Also used : JsonProperty(com.fasterxml.jackson.annotation.JsonProperty) ClientPolicyExecutorConfigurationRepresentation(org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation) Logger(org.jboss.logging.Logger) KeycloakSession(org.keycloak.models.KeycloakSession) AuthorizationRequestContext(org.keycloak.services.clientpolicy.context.AuthorizationRequestContext) ArrayList(java.util.ArrayList) MultivaluedMap(javax.ws.rs.core.MultivaluedMap) ClientPolicyContext(org.keycloak.services.clientpolicy.ClientPolicyContext) List(java.util.List) OAuthErrorException(org.keycloak.OAuthErrorException) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) INVALID_REQUEST_OBJECT(org.keycloak.OAuthErrorException.INVALID_REQUEST_OBJECT) AuthzEndpointRequestParser(org.keycloak.protocol.oidc.endpoints.request.AuthzEndpointRequestParser) Optional(java.util.Optional) OIDCLoginProtocol(org.keycloak.protocol.oidc.OIDCLoginProtocol) Urls(org.keycloak.services.Urls) JsonNode(com.fasterxml.jackson.databind.JsonNode) Time(org.keycloak.common.util.Time) ArrayList(java.util.ArrayList) JsonNode(com.fasterxml.jackson.databind.JsonNode) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException)

Example 5 with AuthorizationRequestContext

use of org.keycloak.services.clientpolicy.context.AuthorizationRequestContext in project keycloak by keycloak.

the class SecureResponseTypeExecutor method executeOnEvent.

@Override
public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
    switch(context.getEvent()) {
        case REGISTER:
        case UPDATE:
            ClientCRUDContext clientUpdateContext = (ClientCRUDContext) context;
            autoConfigure(clientUpdateContext.getProposedClientRepresentation());
            validate(clientUpdateContext.getProposedClientRepresentation());
            break;
        case AUTHORIZATION_REQUEST:
            AuthorizationRequestContext authorizationRequestContext = (AuthorizationRequestContext) context;
            executeOnAuthorizationRequest(authorizationRequestContext.getparsedResponseType(), authorizationRequestContext.getAuthorizationEndpointRequest(), authorizationRequestContext.getRedirectUri());
            break;
        default:
    }
    return;
}
Also used : ClientCRUDContext(org.keycloak.services.clientpolicy.context.ClientCRUDContext) AuthorizationRequestContext(org.keycloak.services.clientpolicy.context.AuthorizationRequestContext)

Aggregations

AuthorizationRequestContext (org.keycloak.services.clientpolicy.context.AuthorizationRequestContext)6 ClientPolicyException (org.keycloak.services.clientpolicy.ClientPolicyException)2 ClientCRUDContext (org.keycloak.services.clientpolicy.context.ClientCRUDContext)2 JsonProperty (com.fasterxml.jackson.annotation.JsonProperty)1 JsonNode (com.fasterxml.jackson.databind.JsonNode)1 ArrayList (java.util.ArrayList)1 List (java.util.List)1 Optional (java.util.Optional)1 MultivaluedMap (javax.ws.rs.core.MultivaluedMap)1 Logger (org.jboss.logging.Logger)1 OAuthErrorException (org.keycloak.OAuthErrorException)1 INVALID_REQUEST_OBJECT (org.keycloak.OAuthErrorException.INVALID_REQUEST_OBJECT)1 Time (org.keycloak.common.util.Time)1 KeycloakSession (org.keycloak.models.KeycloakSession)1 OIDCLoginProtocol (org.keycloak.protocol.oidc.OIDCLoginProtocol)1 AuthzEndpointRequestParser (org.keycloak.protocol.oidc.endpoints.request.AuthzEndpointRequestParser)1 OIDCResponseMode (org.keycloak.protocol.oidc.utils.OIDCResponseMode)1 ClientPolicyExecutorConfigurationRepresentation (org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation)1 Urls (org.keycloak.services.Urls)1 ClientPolicyContext (org.keycloak.services.clientpolicy.ClientPolicyContext)1