keycloak-aplcache
Changes
broker/oidc/pom.xml 5(+5 -0)
Details
broker/oidc/pom.xml 5(+5 -0)
diff --git a/broker/oidc/pom.xml b/broker/oidc/pom.xml
index 478cb47..5bd4d54 100755
--- a/broker/oidc/pom.xml
+++ b/broker/oidc/pom.xml
@@ -17,6 +17,11 @@
<dependencies>
<dependency>
<groupId>org.keycloak</groupId>
+ <artifactId>keycloak-core</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.keycloak</groupId>
<artifactId>keycloak-broker-core</artifactId>
<version>${project.version}</version>
</dependency>
diff --git a/broker/oidc/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java b/broker/oidc/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
index f2245e3..274171c 100755
--- a/broker/oidc/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
+++ b/broker/oidc/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
@@ -33,9 +33,11 @@ import org.keycloak.events.EventType;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
+import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.services.managers.EventsManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.flows.Flows;
+import org.keycloak.util.JsonSerialization;
import javax.ws.rs.GET;
import javax.ws.rs.QueryParam;
@@ -47,6 +49,7 @@ import javax.ws.rs.core.UriInfo;
import java.io.IOException;
import java.net.URI;
import java.util.HashMap;
+import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@@ -57,6 +60,9 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
protected static final Logger logger = Logger.getLogger(AbstractOAuth2IdentityProvider.class);
public static final String OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code";
+ public static final String FEDERATED_ACCESS_TOKEN = "FEDERATED_ACCESS_TOKEN";
+ public static final String FEDERATED_REFRESH_TOKEN = "FEDERATED_REFRESH_TOKEN";
+ public static final String FEDERATED_TOKEN_EXPIRATION = "FEDERATED_TOKEN_EXPIRATION";
protected static ObjectMapper mapper = new ObjectMapper();
public static final String OAUTH2_PARAMETER_ACCESS_TOKEN = "access_token";
@@ -69,7 +75,6 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
public static final String OAUTH2_PARAMETER_CLIENT_SECRET = "client_secret";
public static final String OAUTH2_PARAMETER_GRANT_TYPE = "grant_type";
- protected AuthenticationCallback callback;
public AbstractOAuth2IdentityProvider(C config) {
super(config);
@@ -81,8 +86,7 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
@Override
public Object callback(RealmModel realm, AuthenticationCallback callback) {
- this.callback = callback;
- return new Endpoint(realm);
+ return new Endpoint(callback, realm);
}
@Override
@@ -124,8 +128,17 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
return null;
}
- protected FederatedIdentity getFederatedIdentity(String response) {
- String accessToken = extractTokenFromResponse(response, OAUTH2_PARAMETER_ACCESS_TOKEN);
+ protected FederatedIdentity getFederatedIdentity(Map<String, String> notes, String response) {
+ AccessTokenResponse tokenResponse = null;
+ try {
+ tokenResponse = JsonSerialization.readValue(response, AccessTokenResponse.class);
+ } catch (IOException e) {
+ throw new IdentityBrokerException("Could not decode access token response.", e);
+ }
+ String accessToken = tokenResponse.getToken();
+ notes.put(FEDERATED_ACCESS_TOKEN, accessToken);
+ notes.put(FEDERATED_REFRESH_TOKEN, tokenResponse.getRefreshToken());
+ notes.put(FEDERATED_TOKEN_EXPIRATION, Long.toString(tokenResponse.getExpiresIn()));
if (accessToken == null) {
throw new IdentityBrokerException("No access token from server.");
@@ -164,6 +177,7 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
protected abstract String getDefaultScopes();
protected class Endpoint {
+ protected AuthenticationCallback callback;
protected RealmModel realm;
@Context
@@ -178,7 +192,8 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
@Context
protected UriInfo uriInfo;
- public Endpoint(RealmModel realm) {
+ public Endpoint(AuthenticationCallback callback, RealmModel realm) {
+ this.callback = callback;
this.realm = realm;
}
@@ -205,13 +220,14 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
.param(OAUTH2_PARAMETER_REDIRECT_URI, uriInfo.getAbsolutePath().toString())
.param(OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE).asString();
- FederatedIdentity federatedIdentity = getFederatedIdentity(response);
+ HashMap<String, String> userNotes = new HashMap<String, String>();
+ FederatedIdentity federatedIdentity = getFederatedIdentity(userNotes, response);
if (getConfig().isStoreToken()) {
federatedIdentity.setToken(response);
}
- return callback.authenticated(new HashMap<String, String>(), getConfig(), federatedIdentity, state);
+ return callback.authenticated(userNotes, getConfig(), federatedIdentity, state);
}
} catch (Exception e) {
logger.error("Failed to make identity provider oauth callback", e);
diff --git a/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java b/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
old mode 100644
new mode 100755
index 2c43d61..3e05272
--- a/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
+++ b/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
@@ -22,10 +22,32 @@ import org.keycloak.broker.oidc.util.SimpleHttp;
import org.keycloak.broker.provider.AuthenticationRequest;
import org.keycloak.broker.provider.FederatedIdentity;
import org.keycloak.broker.provider.IdentityBrokerException;
+import org.keycloak.broker.provider.IdentityProvider;
+import org.keycloak.events.Errors;
+import org.keycloak.events.EventBuilder;
+import org.keycloak.events.EventType;
import org.keycloak.jose.jws.JWSInput;
-
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.UserSessionModel;
+import org.keycloak.representations.AccessTokenResponse;
+import org.keycloak.representations.IDToken;
+import org.keycloak.services.managers.AuthenticationManager;
+import org.keycloak.services.managers.EventsManager;
+import org.keycloak.services.messages.Messages;
+import org.keycloak.services.resources.IdentityBrokerService;
+import org.keycloak.services.resources.RealmsResource;
+import org.keycloak.services.resources.flows.Flows;
+import org.keycloak.util.JsonSerialization;
+
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
+import javax.ws.rs.core.UriInfo;
import java.io.IOException;
+import java.util.Map;
/**
* @author Pedro Igor
@@ -33,8 +55,8 @@ import java.io.IOException;
public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig> {
public static final String OAUTH2_PARAMETER_PROMPT = "prompt";
- public static final String OIDC_PARAMETER_ID_TOKEN = "id_token";
public static final String SCOPE_OPENID = "openid";
+ public static final String FEDERATED_ID_TOKEN = "FEDERATED_ID_TOKEN";
public OIDCIdentityProvider(OIDCIdentityProviderConfig config) {
super(config);
@@ -47,6 +69,54 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
}
@Override
+ public Object callback(RealmModel realm, AuthenticationCallback callback) {
+ return new OIDCEndpoint(callback, realm);
+ }
+
+ protected class OIDCEndpoint extends Endpoint {
+ public OIDCEndpoint(AuthenticationCallback callback, RealmModel realm) {
+ super(callback, realm);
+ }
+
+ @GET
+ @Path("logout_response")
+ public Response logoutResponse(@Context UriInfo uriInfo,
+ @QueryParam("state") String state) {
+ UserSessionModel userSession = session.sessions().getUserSession(realm, state);
+ if (userSession == null) {
+ logger.error("no valid user session");
+ EventBuilder event = new EventsManager(realm, session, clientConnection).createEventBuilder();
+ event.event(EventType.LOGOUT);
+ event.error(Errors.USER_SESSION_NOT_FOUND);
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, headers, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
+ }
+ if (userSession.getState() != UserSessionModel.State.LOGGING_OUT) {
+ logger.error("usersession in different state");
+ EventBuilder event = new EventsManager(realm, session, clientConnection).createEventBuilder();
+ event.event(EventType.LOGOUT);
+ event.error(Errors.USER_SESSION_NOT_FOUND);
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, headers, Messages.SESSION_NOT_ACTIVE);
+ }
+ return AuthenticationManager.finishBrowserLogout(session, realm, userSession, uriInfo, clientConnection, headers);
+ }
+ }
+
+ @Override
+ public Response keycloakInitiatedBrowserLogout(UserSessionModel userSession, UriInfo uriInfo, RealmModel realm) {
+ if (getConfig().getLogoutUrl() == null) return null;
+ UriBuilder logoutUri = UriBuilder.fromUri(getConfig().getLogoutUrl())
+ .queryParam("state", userSession.getId());
+ String idToken = userSession.getNote(FEDERATED_ID_TOKEN);
+ if (idToken != null) logoutUri.queryParam("id_token_hint", idToken);
+ String redirect = RealmsResource.brokerUrl(uriInfo)
+ .path(IdentityBrokerService.class, "getEndpoint")
+ .path(OIDCEndpoint.class, "logoutResponse")
+ .build(realm.getName(), getConfig().getAlias()).toString();
+ logoutUri.queryParam("post_logout_redirect_uri", redirect);
+ return Response.status(302).location(logoutUri.build()).build();
+ }
+
+ @Override
protected UriBuilder createAuthorizationUrl(AuthenticationRequest request) {
UriBuilder authorizationUrl = super.createAuthorizationUrl(request);
String prompt = getConfig().getPrompt();
@@ -59,26 +129,45 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
}
@Override
- protected FederatedIdentity getFederatedIdentity(String response) {
- String accessToken = extractTokenFromResponse(response, OAUTH2_PARAMETER_ACCESS_TOKEN);
+ protected FederatedIdentity getFederatedIdentity(Map<String, String> notes, String response) {
+ AccessTokenResponse tokenResponse = null;
+ try {
+ tokenResponse = JsonSerialization.readValue(response, AccessTokenResponse.class);
+ } catch (IOException e) {
+ throw new IdentityBrokerException("Could not decode access token response.", e);
+ }
+ String accessToken = tokenResponse.getToken();
if (accessToken == null) {
throw new IdentityBrokerException("No access_token from server.");
}
- String idToken = extractTokenFromResponse(response, OIDC_PARAMETER_ID_TOKEN);
+ String encodedIdToken = tokenResponse.getIdToken();
- validateIdToken(idToken);
+ notes.put(FEDERATED_ACCESS_TOKEN, accessToken);
+ notes.put(FEDERATED_ID_TOKEN, encodedIdToken);
+ notes.put(FEDERATED_REFRESH_TOKEN, tokenResponse.getRefreshToken());
+ notes.put(FEDERATED_TOKEN_EXPIRATION, Long.toString(tokenResponse.getExpiresIn()));
- try {
- JsonNode userInfo = SimpleHttp.doGet(getConfig().getUserInfoUrl())
- .header("Authorization", "Bearer " + accessToken)
- .asJson();
- String id = getJsonProperty(userInfo, "sub");
- String name = getJsonProperty(userInfo, "name");
- String preferredUsername = getJsonProperty(userInfo, "preferred_username");
- String email = getJsonProperty(userInfo, "email");
+ IDToken idToken = validateIdToken(encodedIdToken);
+
+ try {
+ String id = idToken.getSubject();
+ String name = idToken.getName();
+ String preferredUsername = idToken.getPreferredUsername();
+ String email = idToken.getEmail();
+
+ if (id == null || name == null || preferredUsername == null || email == null && getConfig().getUserInfoUrl() != null) {
+ JsonNode userInfo = SimpleHttp.doGet(getConfig().getUserInfoUrl())
+ .header("Authorization", "Bearer " + accessToken)
+ .asJson();
+
+ id = getJsonProperty(userInfo, "sub");
+ name = getJsonProperty(userInfo, "name");
+ preferredUsername = getJsonProperty(userInfo, "preferred_username");
+ email = getJsonProperty(userInfo, "email");
+ }
FederatedIdentity identity = new FederatedIdentity(id);
@@ -106,16 +195,16 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
}
}
- private void validateIdToken(String idToken) {
- if (idToken == null) {
+ private IDToken validateIdToken(String encodedToken) {
+ if (encodedToken == null) {
throw new IdentityBrokerException("No id_token from server.");
}
try {
- JsonNode idTokenInfo = asJsonNode(decodeJWS(idToken));
+ IDToken idToken = new JWSInput(encodedToken).readJsonContent(IDToken.class);
- String aud = getJsonProperty(idTokenInfo, "aud");
- String iss = getJsonProperty(idTokenInfo, "iss");
+ String aud = idToken.getAudience();
+ String iss = idToken.getIssuer();
if (aud != null && !aud.equals(getConfig().getClientId())) {
throw new RuntimeException("Wrong audience from id_token..");
@@ -128,12 +217,13 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
for (String trustedIssuer : issuers) {
if (iss != null && iss.equals(trustedIssuer.trim())) {
- return;
+ return idToken;
}
}
throw new IdentityBrokerException("Wrong issuer from id_token..");
}
+ return idToken;
} catch (IOException e) {
throw new IdentityBrokerException("Could not decode id token.", e);
}
diff --git a/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderConfig.java b/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderConfig.java
old mode 100644
new mode 100755
index de4043c..06d18f5
--- a/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderConfig.java
+++ b/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderConfig.java
@@ -35,4 +35,8 @@ public class OIDCIdentityProviderConfig extends OAuth2IdentityProviderConfig {
public String getIssuer() {
return getConfig().get("issuer");
}
+ public String getLogoutUrl() {
+ return getConfig().get("logoutUrl");
+ }
+
}
diff --git a/core/src/main/java/org/keycloak/representations/AccessTokenResponse.java b/core/src/main/java/org/keycloak/representations/AccessTokenResponse.java
index fd8ec0f..7baf553 100755
--- a/core/src/main/java/org/keycloak/representations/AccessTokenResponse.java
+++ b/core/src/main/java/org/keycloak/representations/AccessTokenResponse.java
@@ -1,7 +1,12 @@
package org.keycloak.representations;
+import org.codehaus.jackson.annotate.JsonAnyGetter;
+import org.codehaus.jackson.annotate.JsonAnySetter;
import org.codehaus.jackson.annotate.JsonProperty;
+import java.util.HashMap;
+import java.util.Map;
+
/**
* OAuth 2.0 Access Token Response json
*
@@ -33,6 +38,10 @@ public class AccessTokenResponse {
@JsonProperty("session-state")
protected String sessionState;
+ protected Map<String, Object> otherClaims = new HashMap<String, Object>();
+
+
+
public String getToken() {
return token;
}
@@ -96,4 +105,15 @@ public class AccessTokenResponse {
public void setSessionState(String sessionState) {
this.sessionState = sessionState;
}
+
+ @JsonAnyGetter
+ public Map<String, Object> getOtherClaims() {
+ return otherClaims;
+ }
+
+ @JsonAnySetter
+ public void setOtherClaims(String name, Object value) {
+ otherClaims.put(name, value);
+ }
+
}
diff --git a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
index a835b66..4d4f41b 100755
--- a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
+++ b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
@@ -76,7 +76,6 @@ import static org.keycloak.models.UserModel.RequiredAction.UPDATE_PROFILE;
*
* @author Pedro Igor
*/
-@Path("/broker")
public class IdentityBrokerService implements IdentityProvider.AuthenticationCallback {
private static final Logger LOGGER = Logger.getLogger(IdentityBrokerService.class);
diff --git a/services/src/main/java/org/keycloak/services/resources/RealmsResource.java b/services/src/main/java/org/keycloak/services/resources/RealmsResource.java
index 0feccb4..1f43e9a 100755
--- a/services/src/main/java/org/keycloak/services/resources/RealmsResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/RealmsResource.java
@@ -79,6 +79,10 @@ public class RealmsResource {
return uriInfo.getBaseUriBuilder().path(RealmsResource.class).path(RealmsResource.class, "getProtocol");
}
+ public static UriBuilder brokerUrl(UriInfo uriInfo) {
+ return uriInfo.getBaseUriBuilder().path(RealmsResource.class).path(RealmsResource.class, "getBrokerService");
+ }
+
@Path("{realm}/login-status-iframe.html")
@Deprecated
public Object getLoginStatusIframe(final @PathParam("realm") String name,