Example 1 with TokenRequestContext
use of org.keycloak.services.clientpolicy.context.TokenRequestContext in project keycloak by keycloak.
the class TokenEndpoint method codeToToken.
public Response codeToToken() {
String code = formParams.getFirst(OAuth2Constants.CODE);
if (code == null) {
event.error(Errors.INVALID_CODE);
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "Missing parameter: " + OAuth2Constants.CODE, Response.Status.BAD_REQUEST);
}
OAuth2CodeParser.ParseResult parseResult = OAuth2CodeParser.parseCode(session, code, realm, event);
if (parseResult.isIllegalCode()) {
AuthenticatedClientSessionModel clientSession = parseResult.getClientSession();
// Attempt to use same code twice should invalidate existing clientSession
if (clientSession != null) {
clientSession.detachFromUserSession();
}
event.error(Errors.INVALID_CODE);
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT, "Code not valid", Response.Status.BAD_REQUEST);
}
AuthenticatedClientSessionModel clientSession = parseResult.getClientSession();
if (parseResult.isExpiredCode()) {
event.error(Errors.EXPIRED_CODE);
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT, "Code is expired", Response.Status.BAD_REQUEST);
}
UserSessionModel userSession = null;
if (clientSession != null) {
userSession = clientSession.getUserSession();
}
if (userSession == null) {
event.error(Errors.USER_SESSION_NOT_FOUND);
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT, "User session not found", Response.Status.BAD_REQUEST);
}
UserModel user = userSession.getUser();
if (user == null) {
event.error(Errors.USER_NOT_FOUND);
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT, "User not found", Response.Status.BAD_REQUEST);
}
event.user(userSession.getUser());
if (!user.isEnabled()) {
event.error(Errors.USER_DISABLED);
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT, "User disabled", Response.Status.BAD_REQUEST);
}
OAuth2Code codeData = parseResult.getCodeData();
String redirectUri = codeData.getRedirectUriParam();
String redirectUriParam = formParams.getFirst(OAuth2Constants.REDIRECT_URI);
// KEYCLOAK-4478 Backwards compatibility with the adapters earlier than KC 3.4.2
if (redirectUriParam != null && redirectUriParam.contains("session_state=") && !redirectUri.contains("session_state=")) {
redirectUriParam = KeycloakUriBuilder.fromUri(redirectUriParam).replaceQueryParam(OAuth2Constants.SESSION_STATE, null).build().toString();
}
if (redirectUri != null && !redirectUri.equals(redirectUriParam)) {
event.error(Errors.INVALID_CODE);
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT, "Incorrect redirect_uri", Response.Status.BAD_REQUEST);
}
if (!client.getClientId().equals(clientSession.getClient().getClientId())) {
event.error(Errors.INVALID_CODE);
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT, "Auth error", Response.Status.BAD_REQUEST);
}
if (!client.isStandardFlowEnabled()) {
event.error(Errors.NOT_ALLOWED);
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT, "Client not allowed to exchange code", Response.Status.BAD_REQUEST);
}
if (!AuthenticationManager.isSessionValid(realm, userSession)) {
event.error(Errors.USER_SESSION_NOT_FOUND);
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT, "Session not active", Response.Status.BAD_REQUEST);
}
// https://tools.ietf.org/html/rfc7636#section-4.6
String codeVerifier = formParams.getFirst(OAuth2Constants.CODE_VERIFIER);
String codeChallenge = codeData.getCodeChallenge();
String codeChallengeMethod = codeData.getCodeChallengeMethod();
String authUserId = user.getId();
String authUsername = user.getUsername();
if (authUserId == null) {
authUserId = "unknown";
}
if (authUsername == null) {
authUsername = "unknown";
}
if (codeChallengeMethod != null && !codeChallengeMethod.isEmpty()) {
PkceUtils.checkParamsForPkceEnforcedClient(codeVerifier, codeChallenge, codeChallengeMethod, authUserId, authUsername, event, cors);
} else {
// PKCE Activation is OFF, execute the codes implemented in KEYCLOAK-2604
PkceUtils.checkParamsForPkceNotEnforcedClient(codeVerifier, codeChallenge, codeChallengeMethod, authUserId, authUsername, event, cors);
}
try {
session.clientPolicy().triggerOnEvent(new TokenRequestContext(formParams, parseResult));
} catch (ClientPolicyException cpe) {
event.error(cpe.getError());
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT, cpe.getErrorDetail(), Response.Status.BAD_REQUEST);
}
updateClientSession(clientSession);
updateUserSessionFromClientAuth(userSession);
// Compute client scopes again from scope parameter. Check if user still has them granted
// (but in code-to-token request, it could just theoretically happen that they are not available)
String scopeParam = codeData.getScope();
Supplier<Stream<ClientScopeModel>> clientScopesSupplier = () -> TokenManager.getRequestedClientScopes(scopeParam, client);
if (!TokenManager.verifyConsentStillAvailable(session, user, client, clientScopesSupplier.get())) {
event.error(Errors.NOT_ALLOWED);
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_SCOPE, "Client no longer has requested consent from user", Response.Status.BAD_REQUEST);
}
ClientSessionContext clientSessionCtx = DefaultClientSessionContext.fromClientSessionAndScopeParameter(clientSession, scopeParam, session);
// Set nonce as an attribute in the ClientSessionContext. Will be used for the token generation
clientSessionCtx.setAttribute(OIDCLoginProtocol.NONCE_PARAM, codeData.getNonce());
return createTokenResponse(user, userSession, clientSessionCtx, scopeParam, true);
}
Also used :
TokenRequestContext(org.keycloak.services.clientpolicy.context.TokenRequestContext)
ServiceAccountTokenRequestContext(org.keycloak.services.clientpolicy.context.ServiceAccountTokenRequestContext)
UserSessionModel(org.keycloak.models.UserSessionModel)
AuthenticatedClientSessionModel(org.keycloak.models.AuthenticatedClientSessionModel)
OAuth2CodeParser(org.keycloak.protocol.oidc.utils.OAuth2CodeParser)
ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException)
UserModel(org.keycloak.models.UserModel)
DefaultClientSessionContext(org.keycloak.services.util.DefaultClientSessionContext)
ClientSessionContext(org.keycloak.models.ClientSessionContext)
OAuth2Code(org.keycloak.protocol.oidc.utils.OAuth2Code)
Stream(java.util.stream.Stream)
CorsErrorResponseException(org.keycloak.services.CorsErrorResponseException)
Example 2 with TokenRequestContext
use of org.keycloak.services.clientpolicy.context.TokenRequestContext in project keycloak by keycloak.
the class PKCEEnforcerExecutor method executeOnEvent.
@Override
public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
switch(context.getEvent()) {
case REGISTER:
case UPDATE:
ClientCRUDContext clientUpdateContext = (ClientCRUDContext) context;
autoConfigure(clientUpdateContext.getProposedClientRepresentation());
validate(clientUpdateContext.getProposedClientRepresentation());
break;
case AUTHORIZATION_REQUEST:
AuthorizationRequestContext authorizationRequestContext = (AuthorizationRequestContext) context;
executeOnAuthorizationRequest(authorizationRequestContext.getparsedResponseType(), authorizationRequestContext.getAuthorizationEndpointRequest(), authorizationRequestContext.getRedirectUri());
return;
case TOKEN_REQUEST:
TokenRequestContext tokenRequestContext = (TokenRequestContext) context;
executeOnTokenRequest(tokenRequestContext.getParams(), tokenRequestContext.getParseResult());
return;
default:
return;
}
}
Also used :
TokenRequestContext(org.keycloak.services.clientpolicy.context.TokenRequestContext)
ClientCRUDContext(org.keycloak.services.clientpolicy.context.ClientCRUDContext)
AuthorizationRequestContext(org.keycloak.services.clientpolicy.context.AuthorizationRequestContext)
Aggregations
TokenRequestContext (org.keycloak.services.clientpolicy.context.TokenRequestContext)2
Stream (java.util.stream.Stream)1
AuthenticatedClientSessionModel (org.keycloak.models.AuthenticatedClientSessionModel)1
ClientSessionContext (org.keycloak.models.ClientSessionContext)1
UserModel (org.keycloak.models.UserModel)1
UserSessionModel (org.keycloak.models.UserSessionModel)1
OAuth2Code (org.keycloak.protocol.oidc.utils.OAuth2Code)1
OAuth2CodeParser (org.keycloak.protocol.oidc.utils.OAuth2CodeParser)1
CorsErrorResponseException (org.keycloak.services.CorsErrorResponseException)1
ClientPolicyException (org.keycloak.services.clientpolicy.ClientPolicyException)1
AuthorizationRequestContext (org.keycloak.services.clientpolicy.context.AuthorizationRequestContext)1
ClientCRUDContext (org.keycloak.services.clientpolicy.context.ClientCRUDContext)1
ServiceAccountTokenRequestContext (org.keycloak.services.clientpolicy.context.ServiceAccountTokenRequestContext)1
DefaultClientSessionContext (org.keycloak.services.util.DefaultClientSessionContext)1
