Use of org.keycloak.services.clientpolicy.context.DynamicClientRegisterContext in project keycloak by keycloak.
From the class SecureClientUrisExecutor, method executeOnEvent.
/**
 * Applies this executor's secure-URI rules to the client policy event carried by {@code context}.
 *
 * <p>On {@code REGISTER} and {@code UPDATE} the proposed client representation is checked with
 * {@link #confirmSecureUris}; on {@code AUTHORIZATION_REQUEST} only the redirect URI of the
 * incoming request is checked with {@link #confirmSecureRedirectUri}. Registration additionally
 * defaults the redirect URIs to the root URL when the proposal carries none. Every other event
 * is ignored.
 *
 * @param context the policy context; for {@code REGISTER} and {@code UPDATE} it must be one of
 *        the admin or dynamic register/update contexts
 * @throws ClientPolicyException if a URI is rejected, or if a register/update context of an
 *         unexpected type is supplied (reported as {@code invalid_request})
 */
@Override
public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
    switch (context.getEvent()) {
        case REGISTER:
            onRegister(context);
            break;
        case UPDATE:
            onUpdate(context);
            break;
        case AUTHORIZATION_REQUEST:
            // Only the redirect_uri of the authorization request is visible here; the client's
            // stored URIs were validated when the client was registered or updated.
            confirmSecureRedirectUri(((AuthorizationRequestContext) context).getRedirectUri());
            break;
        default:
            break;
    }
}

/**
 * Validates the proposed representation of a client being registered and, when it has a root
 * URL but no redirect URIs, pins the redirect URIs to that root URL.
 */
private void onRegister(ClientPolicyContext context) throws ClientPolicyException {
    boolean supported = context instanceof AdminClientRegisterContext
            || context instanceof DynamicClientRegisterContext;
    if (!supported) {
        throw unsupportedContext();
    }
    ClientRepresentation proposed = ((ClientCRUDContext) context).getProposedClientRepresentation();
    confirmSecureUris(proposed);
    // Without an explicit redirect URI, later stages of client creation derive one from the root
    // URL with a wildcard; using the root URL itself keeps the registered redirect URI exact.
    String rootUrl = proposed.getRootUrl();
    if (rootUrl != null && (proposed.getRedirectUris() == null || proposed.getRedirectUris().isEmpty())) {
        logger.debugf("Setup Redirect URI = %s for client %s", rootUrl, proposed.getClientId());
        proposed.setRedirectUris(Collections.singletonList(rootUrl));
    }
}

/** Validates the proposed representation of a client being updated. */
private void onUpdate(ClientPolicyContext context) throws ClientPolicyException {
    boolean supported = context instanceof AdminClientUpdateContext
            || context instanceof DynamicClientUpdateContext;
    if (!supported) {
        throw unsupportedContext();
    }
    confirmSecureUris(((ClientCRUDContext) context).getProposedClientRepresentation());
}

/** The error raised when a register/update event arrives in a context type this executor does not handle. */
private static ClientPolicyException unsupportedContext() {
    return new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "not allowed input format.");
}
Use of org.keycloak.services.clientpolicy.context.DynamicClientRegisterContext in project keycloak by keycloak.
From the class ClientRegistrationAuth, method requireCreate.
/**
 * Authorizes a client-registration create request and reports how the caller was authenticated.
 *
 * <p>A bearer token must carry {@code AdminRoles.MANAGE_CLIENTS} or {@code AdminRoles.CREATE_CLIENT};
 * an initial access token must have a positive remaining count and must not have expired. A request
 * that presents neither is not rejected here: it proceeds as {@link RegistrationAuth#ANONYMOUS}, and
 * whether anonymous registration is acceptable is left to the client policies and registration
 * policies triggered at the end of this method. Any policy rejection is surfaced as
 * {@code forbidden(...)} carrying the policy's message.
 *
 * @param context the registration request being created
 * @return {@code AUTHENTICATED} when a valid bearer or initial access token was presented,
 *         {@code ANONYMOUS} otherwise
 */
public RegistrationAuth requireCreate(ClientRegistrationContext context) {
    init();
    RegistrationAuth registrationAuth;
    if (isBearerToken()) {
        registrationAuth = authFromBearerToken();
    } else if (isInitialAccessToken()) {
        registrationAuth = authFromInitialAccessToken();
    } else {
        registrationAuth = RegistrationAuth.ANONYMOUS;
    }
    try {
        session.clientPolicy().triggerOnEvent(new DynamicClientRegisterContext(context, jwt, realm));
        ClientRegistrationPolicyManager.triggerBeforeRegister(context, registrationAuth);
    } catch (ClientRegistrationPolicyException | ClientPolicyException policyFailure) {
        throw forbidden(policyFailure.getMessage());
    }
    return registrationAuth;
}

/** Resolves the auth level for a bearer-token caller; throws {@code forbidden()} without the required roles. */
private RegistrationAuth authFromBearerToken() {
    checkClientProtocol();
    if (!hasRole(AdminRoles.MANAGE_CLIENTS, AdminRoles.CREATE_CLIENT)) {
        throw forbidden();
    }
    return RegistrationAuth.AUTHENTICATED;
}

/**
 * Resolves the auth level for an initial-access-token caller; throws {@code unauthorized(...)}
 * when the token has no remaining uses or has expired.
 */
private RegistrationAuth authFromInitialAccessToken() {
    if (initialAccessModel.getRemainingCount() <= 0) {
        throw unauthorized("No remaining count on initial access token");
    }
    // An expiration of 0 means the token never expires; otherwise timestamp + expiration is the
    // deadline, compared against Time.currentTime() (presumably all in seconds — not visible here).
    // The remaining count is only checked, not decremented, in this method.
    boolean expired = initialAccessModel.getExpiration() != 0
            && (initialAccessModel.getTimestamp() + initialAccessModel.getExpiration()) <= Time.currentTime();
    if (expired) {
        throw unauthorized("Expired initial access token");
    }
    return RegistrationAuth.AUTHENTICATED;
}