keycloak-uncached
Changes
model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/RealmAdapter.java 10(+10 -0)
pom.xml 2(+1 -1)
Details
diff --git a/model/api/src/main/java/org/keycloak/models/RealmModel.java b/model/api/src/main/java/org/keycloak/models/RealmModel.java
index 4601fcc..ffcd7a5 100755
--- a/model/api/src/main/java/org/keycloak/models/RealmModel.java
+++ b/model/api/src/main/java/org/keycloak/models/RealmModel.java
@@ -2,6 +2,7 @@ package org.keycloak.models;
import org.keycloak.enums.SslRequired;
+import java.security.Key;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
@@ -99,6 +100,8 @@ public interface RealmModel extends RoleContainerModel {
String getCodeSecret();
+ Key getCodeSecretKey();
+
void setCodeSecret(String codeSecret);
X509Certificate getCertificate();
diff --git a/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java b/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java
index 09111b4..5bf0dc9 100755
--- a/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java
+++ b/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java
@@ -15,6 +15,7 @@ import org.keycloak.models.UserModel;
import org.keycloak.util.CertificateUtils;
import org.keycloak.util.PemUtils;
+import javax.crypto.spec.SecretKeySpec;
import java.io.IOException;
import java.io.StringWriter;
import java.security.Key;
@@ -77,6 +78,10 @@ public final class KeycloakModelUtils {
return null;
}
+ public static Key getSecretKey(String secret) {
+ return secret != null ? new SecretKeySpec(secret.getBytes(), "HmacSHA256") : null;
+ }
+
public static String getPemFromKey(Key key) {
StringWriter writer = new StringWriter();
PEMWriter pemWriter = new PEMWriter(writer);
diff --git a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/RealmAdapter.java b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/RealmAdapter.java
index eaf9fca..8cc7297 100755
--- a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/RealmAdapter.java
+++ b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/RealmAdapter.java
@@ -13,6 +13,7 @@ import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.cache.entities.CachedRealm;
import org.keycloak.models.utils.KeycloakModelUtils;
+import java.security.Key;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
@@ -34,6 +35,7 @@ public class RealmAdapter implements RealmModel {
protected RealmCache cache;
protected volatile transient PublicKey publicKey;
protected volatile transient PrivateKey privateKey;
+ protected volatile transient Key codeSecretKey;
protected volatile transient X509Certificate certificate;
public RealmAdapter(CachedRealm cached, CacheRealmProvider cacheSession) {
@@ -380,6 +382,14 @@ public class RealmAdapter implements RealmModel {
}
@Override
+ public Key getCodeSecretKey() {
+ if (codeSecretKey == null) {
+ codeSecretKey = KeycloakModelUtils.getSecretKey(getCodeSecret());
+ }
+ return codeSecretKey;
+ }
+
+ @Override
public void setCodeSecret(String codeSecret) {
getDelegateForUpdate();
updated.setCodeSecret(codeSecret);
diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java b/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java
index ee97080..b58bd71 100755
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java
@@ -21,6 +21,7 @@ import org.keycloak.models.utils.KeycloakModelUtils;
import javax.persistence.EntityManager;
import javax.persistence.TypedQuery;
+import java.security.Key;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
@@ -46,6 +47,7 @@ public class RealmAdapter implements RealmModel {
protected volatile transient PublicKey publicKey;
protected volatile transient PrivateKey privateKey;
protected volatile transient X509Certificate certificate;
+ protected volatile transient Key codeSecretKey;
protected KeycloakSession session;
private PasswordPolicy passwordPolicy;
@@ -440,6 +442,14 @@ public class RealmAdapter implements RealmModel {
}
@Override
+ public Key getCodeSecretKey() {
+ if (codeSecretKey == null) {
+ codeSecretKey = KeycloakModelUtils.getSecretKey(getCodeSecret());
+ }
+ return codeSecretKey;
+ }
+
+ @Override
public void setCodeSecret(String codeSecret) {
realm.setCodeSecret(codeSecret);
}
diff --git a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java
index 5963ab0..49fe46b 100755
--- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java
+++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java
@@ -23,6 +23,7 @@ import org.keycloak.models.mongo.keycloak.entities.MongoRealmEntity;
import org.keycloak.models.mongo.keycloak.entities.MongoRoleEntity;
import org.keycloak.models.utils.KeycloakModelUtils;
+import java.security.Key;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
@@ -43,14 +44,13 @@ import java.util.Set;
*/
public class RealmAdapter extends AbstractMongoAdapter<MongoRealmEntity> implements RealmModel {
- private static final Logger logger = Logger.getLogger(RealmAdapter.class);
-
private final MongoRealmEntity realm;
private final RealmProvider model;
protected volatile transient PublicKey publicKey;
protected volatile transient PrivateKey privateKey;
protected volatile transient X509Certificate certificate;
+ protected volatile transient Key codeSecretKey;
private volatile transient PasswordPolicy passwordPolicy;
private volatile transient KeycloakSession session;
@@ -425,6 +425,14 @@ public class RealmAdapter extends AbstractMongoAdapter<MongoRealmEntity> impleme
}
@Override
+ public Key getCodeSecretKey() {
+ if (codeSecretKey == null) {
+ codeSecretKey = KeycloakModelUtils.getSecretKey(getCodeSecret());
+ }
+ return codeSecretKey;
+ }
+
+ @Override
public void setCodeSecret(String codeSecret) {
realm.setCodeSecret(codeSecret);
updateRealm();
pom.xml 2(+1 -1)
diff --git a/pom.xml b/pom.xml
index 223fe93..8c737d5 100755
--- a/pom.xml
+++ b/pom.xml
@@ -108,7 +108,7 @@
<module>events</module>
<module>model</module>
<module>integration</module>
- <module>proxy/proxy-server</module>
+ <module>proxy</module>
<module>picketlink</module>
<module>federation</module>
<module>services</module>
diff --git a/services/src/main/java/org/keycloak/services/managers/ClientSessionCode.java b/services/src/main/java/org/keycloak/services/managers/ClientSessionCode.java
index 5574cbb..24861f3 100755
--- a/services/src/main/java/org/keycloak/services/managers/ClientSessionCode.java
+++ b/services/src/main/java/org/keycloak/services/managers/ClientSessionCode.java
@@ -8,7 +8,8 @@ import org.keycloak.models.UserModel.RequiredAction;
import org.keycloak.util.Base64Url;
import org.keycloak.util.Time;
-import java.security.MessageDigest;
+import javax.crypto.Mac;
+import java.security.Key;
import java.util.HashSet;
import java.util.Set;
import java.util.UUID;
@@ -147,13 +148,13 @@ public class ClientSessionCode {
private static String createHash(RealmModel realm, ClientSessionModel clientSession) {
try {
- MessageDigest digest = MessageDigest.getInstance("sha-256");
- digest.update(realm.getCodeSecret().getBytes());
- digest.update(HASH_SEPERATOR);
- digest.update(clientSession.getId().getBytes());
- digest.update(HASH_SEPERATOR);
- digest.update(clientSession.getNote(ACTION_KEY).getBytes());
- return Base64Url.encode(digest.digest());
+ Key codeSecretKey = realm.getCodeSecretKey();
+ Mac mac = Mac.getInstance(codeSecretKey.getAlgorithm());
+ mac.init(codeSecretKey);
+ mac.update(clientSession.getId().getBytes());
+ mac.update(HASH_SEPERATOR);
+ mac.update(clientSession.getNote(ACTION_KEY).getBytes());
+ return Base64Url.encode(mac.doFinal());
} catch (Exception e) {
throw new RuntimeException(e);
}
diff --git a/testsuite/proxy/src/test/java/org/keycloak/testsuite/ProxyTest.java b/testsuite/proxy/src/test/java/org/keycloak/testsuite/ProxyTest.java
index 3c55b80..b025ba8 100755
--- a/testsuite/proxy/src/test/java/org/keycloak/testsuite/ProxyTest.java
+++ b/testsuite/proxy/src/test/java/org/keycloak/testsuite/ProxyTest.java
@@ -73,9 +73,7 @@ import java.security.Principal;
import java.util.Enumeration;
import java.util.regex.Matcher;
-/**
- * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
- */
+@Ignore
public class ProxyTest {
static String logoutUri = OpenIDConnectService.logoutUrl(UriBuilder.fromUri("http://localhost:8081/auth"))
.queryParam(OAuth2Constants.REDIRECT_URI, "http://localhost:8080/customer-portal").build("demo").toString();