Examples with DynamicClientRegisterContext org.keycloak.services.clientpolicy.context.DynamicClientRegisterContext used on opensource projects

Example 1 with DynamicClientRegisterContext

use of org.keycloak.services.clientpolicy.context.DynamicClientRegisterContext in project keycloak by keycloak.

the class SecureClientUrisExecutor method executeOnEvent.

@Override
public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
    switch(context.getEvent()) {
        case REGISTER:
            if (context instanceof AdminClientRegisterContext || context instanceof DynamicClientRegisterContext) {
                ClientRepresentation clientRep = ((ClientCRUDContext) context).getProposedClientRepresentation();
                confirmSecureUris(clientRep);
                // Use rootUrl as default redirectUrl to avoid creation of redirectUris with wildcards, which is done at later stages during client creation
                if (clientRep.getRootUrl() != null && (clientRep.getRedirectUris() == null || clientRep.getRedirectUris().isEmpty())) {
                    logger.debugf("Setup Redirect URI = %s for client %s", clientRep.getRootUrl(), clientRep.getClientId());
                    clientRep.setRedirectUris(Collections.singletonList(clientRep.getRootUrl()));
                }
            } else {
                throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "not allowed input format.");
            }
            return;
        case UPDATE:
            if (context instanceof AdminClientUpdateContext || context instanceof DynamicClientUpdateContext) {
                confirmSecureUris(((ClientCRUDContext) context).getProposedClientRepresentation());
            } else {
                throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "not allowed input format.");
            }
            return;
        case AUTHORIZATION_REQUEST:
            confirmSecureRedirectUri(((AuthorizationRequestContext) context).getRedirectUri());
            return;
        default:
            return;
    }
}

Example 2 with DynamicClientRegisterContext

use of org.keycloak.services.clientpolicy.context.DynamicClientRegisterContext in project keycloak by keycloak.

the class ClientRegistrationAuth method requireCreate.

public RegistrationAuth requireCreate(ClientRegistrationContext context) {
    init();
    RegistrationAuth registrationAuth = RegistrationAuth.ANONYMOUS;
    if (isBearerToken()) {
        checkClientProtocol();
        if (hasRole(AdminRoles.MANAGE_CLIENTS, AdminRoles.CREATE_CLIENT)) {
            registrationAuth = RegistrationAuth.AUTHENTICATED;
        } else {
            throw forbidden();
        }
    } else if (isInitialAccessToken()) {
        if (initialAccessModel.getRemainingCount() > 0) {
            if (initialAccessModel.getExpiration() == 0 || (initialAccessModel.getTimestamp() + initialAccessModel.getExpiration()) > Time.currentTime()) {
                registrationAuth = RegistrationAuth.AUTHENTICATED;
            } else {
                throw unauthorized("Expired initial access token");
            }
        } else {
            throw unauthorized("No remaining count on initial access token");
        }
    }
    try {
        session.clientPolicy().triggerOnEvent(new DynamicClientRegisterContext(context, jwt, realm));
        ClientRegistrationPolicyManager.triggerBeforeRegister(context, registrationAuth);
    } catch (ClientRegistrationPolicyException | ClientPolicyException crpe) {
        throw forbidden(crpe.getMessage());
    }
    return registrationAuth;
}