keycloak-aplcache
Changes
adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authentication/JWTClientCredentialsProvider.java 25(+19 -6)
adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/PreAuthActionsHandler.java 31(+31 -0)
adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/rotation/JWKPublicKeyLocator.java 14(+7 -7)
model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java 34(+24 -10)
model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java 4(+4 -0)
model/infinispan/src/main/java/org/keycloak/keys/infinispan/InfinispanKeyStorageProvider.java 160(+160 -0)
model/infinispan/src/main/java/org/keycloak/keys/infinispan/InfinispanKeyStorageProviderFactory.java 84(+84 -0)
model/infinispan/src/main/resources/META-INF/services/org.keycloak.keys.KeyStorageProviderFactory 18(+18 -0)
model/infinispan/src/test/java/org/keycloak/models/keys/infinispan/InfinispanKeyStorageProviderTest.java 172(+172 -0)
services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java 14(+8 -6)
services/src/main/java/org/keycloak/protocol/oidc/endpoints/request/AuthorizationEndpointRequestParserProcessor.java 4(+2 -2)
services/src/main/java/org/keycloak/protocol/oidc/endpoints/request/AuthzEndpointRequestObjectParser.java 11(+9 -2)
services/src/main/java/org/keycloak/services/clientregistration/oidc/DescriptionConverter.java 53(+31 -22)
services/src/main/java/org/keycloak/services/clientregistration/oidc/OIDCClientRegistrationProvider.java 2(+0 -2)
services/src/main/java/org/keycloak/services/resources/admin/ClientAttributeCertificateResource.java 40(+23 -17)
services/src/main/java/org/keycloak/social/stackoverflow/StackoverflowIdentityProvider.java 5(+3 -2)
services/src/main/java/org/keycloak/social/stackoverflow/StackoverflowIdentityProviderFactory.java 5(+3 -2)
services/src/test/java/org/keycloak/test/broker/oidc/AbstractOAuth2IdentityProviderTest.java 3(+2 -1)
testsuite/integration/src/test/java/org/keycloak/testsuite/broker/IdentityProviderRegistrationTest.java 4(+2 -2)
testsuite/integration/src/test/java/org/keycloak/testsuite/broker/ImportIdentityProviderTest.java 16(+8 -8)
testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeyCloakServerBrokerBasicTest.java 1(+1 -0)
testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeycloakServerBrokerWithSignatureTest.java 174(+174 -0)
testsuite/integration/src/test/java/org/keycloak/testsuite/broker/provider/CustomIdentityProvider.java 4(+2 -2)
testsuite/integration/src/test/java/org/keycloak/testsuite/broker/provider/CustomIdentityProviderFactory.java 5(+3 -2)
testsuite/integration/src/test/java/org/keycloak/testsuite/broker/provider/social/CustomSocialProvider.java 4(+2 -2)
testsuite/integration/src/test/java/org/keycloak/testsuite/broker/provider/social/CustomSocialProviderFactory.java 5(+3 -2)
testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/resource/TestingOIDCEndpointsApplicationResource.java 3(+2 -1)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractDemoServletsAdapterTest.java 39(+39 -0)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCClientRegistrationTest.java 125(+2 -123)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCJwksClientRegistrationTest.java 308(+308 -0)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java 37(+20 -17)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java 3(+3 -0)
themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt.html 106(+73 -33)
themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-oidc.html 32(+27 -5)
Details
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authentication/JWTClientCredentialsProvider.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authentication/JWTClientCredentialsProvider.java
index 2490c0e..4e109ce 100644
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authentication/JWTClientCredentialsProvider.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authentication/JWTClientCredentialsProvider.java
@@ -17,12 +17,15 @@
package org.keycloak.adapters.authentication;
-import java.security.PrivateKey;
+import java.security.KeyPair;
+import java.security.PublicKey;
import java.util.Map;
import org.keycloak.OAuth2Constants;
import org.keycloak.adapters.AdapterUtils;
import org.keycloak.adapters.KeycloakDeployment;
+import org.keycloak.jose.jwk.JWK;
+import org.keycloak.jose.jwk.JWKBuilder;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.common.util.KeystoreUtil;
@@ -38,7 +41,9 @@ public class JWTClientCredentialsProvider implements ClientCredentialsProvider {
public static final String PROVIDER_ID = "jwt";
- private PrivateKey privateKey;
+ private KeyPair keyPair;
+ private JWK publicKeyJwk;
+
private int tokenTimeout;
@Override
@@ -46,8 +51,9 @@ public class JWTClientCredentialsProvider implements ClientCredentialsProvider {
return PROVIDER_ID;
}
- public void setPrivateKey(PrivateKey privateKey) {
- this.privateKey = privateKey;
+ public void setupKeyPair(KeyPair keyPair) {
+ this.keyPair = keyPair;
+ this.publicKeyJwk = JWKBuilder.create().rs256(keyPair.getPublic());
}
public void setTokenTimeout(int tokenTimeout) {
@@ -58,6 +64,10 @@ public class JWTClientCredentialsProvider implements ClientCredentialsProvider {
return tokenTimeout;
}
+ public PublicKey getPublicKey() {
+ return keyPair.getPublic();
+ }
+
@Override
public void init(KeycloakDeployment deployment, Object config) {
if (config == null || !(config instanceof Map)) {
@@ -88,7 +98,9 @@ public class JWTClientCredentialsProvider implements ClientCredentialsProvider {
if (clientKeyAlias == null) {
clientKeyAlias = deployment.getResourceName();
}
- this.privateKey = KeystoreUtil.loadPrivateKeyFromKeystore(clientKeystoreFile, clientKeystorePassword, clientKeyPassword, clientKeyAlias, clientKeystoreFormat);
+
+ KeyPair keyPair = KeystoreUtil.loadKeyPairFromKeystore(clientKeystoreFile, clientKeystorePassword, clientKeyPassword, clientKeyAlias, clientKeystoreFormat);
+ setupKeyPair(keyPair);
this.tokenTimeout = asInt(cfg, "token-timeout", 10);
}
@@ -120,8 +132,9 @@ public class JWTClientCredentialsProvider implements ClientCredentialsProvider {
public String createSignedRequestToken(String clientId, String realmInfoUrl) {
JsonWebToken jwt = createRequestToken(clientId, realmInfoUrl);
return new JWSBuilder()
+ .kid(publicKeyJwk.getKeyId())
.jsonContent(jwt)
- .rsa256(privateKey);
+ .rsa256(keyPair.getPrivate());
}
protected JsonWebToken createRequestToken(String clientId, String realmInfoUrl) {
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/PreAuthActionsHandler.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/PreAuthActionsHandler.java
index 5a1df8c..6a625b4 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/PreAuthActionsHandler.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/PreAuthActionsHandler.java
@@ -20,9 +20,14 @@ package org.keycloak.adapters;
import java.security.PublicKey;
import org.jboss.logging.Logger;
+import org.keycloak.adapters.authentication.ClientCredentialsProvider;
+import org.keycloak.adapters.authentication.JWTClientCredentialsProvider;
import org.keycloak.adapters.rotation.AdapterRSATokenVerifier;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.spi.UserSessionManagement;
+import org.keycloak.jose.jwk.JSONWebKeySet;
+import org.keycloak.jose.jwk.JWK;
+import org.keycloak.jose.jwk.JWKBuilder;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.representations.VersionRepresentation;
import org.keycloak.constants.AdapterConstants;
@@ -85,6 +90,10 @@ public class PreAuthActionsHandler {
if (!resolveDeployment()) return true;
handleTestAvailable();
return true;
+ } else if (requestUri.endsWith(AdapterConstants.K_JWKS)) {
+ if (!resolveDeployment()) return true;
+ handleJwksRequest();
+ return true;
}
return false;
}
@@ -244,4 +253,26 @@ public class PreAuthActionsHandler {
}
}
+ protected void handleJwksRequest() {
+ try {
+ JSONWebKeySet jwks = new JSONWebKeySet();
+ ClientCredentialsProvider clientCredentialsProvider = deployment.getClientAuthenticator();
+
+ // For now, just get signature key from JWT provider. We can add more if we support encryption etc.
+ if (clientCredentialsProvider instanceof JWTClientCredentialsProvider) {
+ PublicKey publicKey = ((JWTClientCredentialsProvider) clientCredentialsProvider).getPublicKey();
+ JWK jwk = JWKBuilder.create().rs256(publicKey);
+ jwks.setKeys(new JWK[] { jwk });
+ } else {
+ jwks.setKeys(new JWK[] {});
+ }
+
+ facade.getResponse().setStatus(200);
+ facade.getResponse().setHeader("Content-Type", "application/json");
+ JsonSerialization.writeValueToStream(facade.getResponse().getOutputStream(), jwks);
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ }
+
}
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/rotation/JWKPublicKeyLocator.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/rotation/JWKPublicKeyLocator.java
index 5003923..1af4055 100644
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/rotation/JWKPublicKeyLocator.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/rotation/JWKPublicKeyLocator.java
@@ -71,8 +71,7 @@ public class JWKPublicKeyLocator implements PublicKeyLocator {
sendRequest(deployment);
lastRequestTime = currentTime;
} else {
- // TODO: debug
- log.infof("Won't send request to realm jwks url. Last request time was %d", lastRequestTime);
+ log.debugf("Won't send request to realm jwks url. Last request time was %d", lastRequestTime);
}
}
}
@@ -83,9 +82,9 @@ public class JWKPublicKeyLocator implements PublicKeyLocator {
private void sendRequest(KeycloakDeployment deployment) {
- // Send the request
- // TODO: trace or remove?
- log.infof("Going to send request to retrieve new set of realm public keys for client %s", deployment.getResourceName());
+ if (log.isTraceEnabled()) {
+ log.tracef("Going to send request to retrieve new set of realm public keys for client %s", deployment.getResourceName());
+ }
HttpGet getMethod = new HttpGet(deployment.getJwksUrl());
try {
@@ -93,8 +92,9 @@ public class JWKPublicKeyLocator implements PublicKeyLocator {
Map<String, PublicKey> publicKeys = JWKSUtils.getKeysForUse(jwks, JWK.Use.SIG);
- // TODO: Debug with condition
- log.infof("Realm public keys successfully retrieved for client %s. New kids: %s", deployment.getResourceName(), publicKeys.keySet().toString());
+ if (log.isDebugEnabled()) {
+ log.debugf("Realm public keys successfully retrieved for client %s. New kids: %s", deployment.getResourceName(), publicKeys.keySet().toString());
+ }
// Update current keys
currentKeys.clear();
diff --git a/common/src/main/java/org/keycloak/common/util/KeystoreUtil.java b/common/src/main/java/org/keycloak/common/util/KeystoreUtil.java
index 4515c96..eecd6b6 100755
--- a/common/src/main/java/org/keycloak/common/util/KeystoreUtil.java
+++ b/common/src/main/java/org/keycloak/common/util/KeystoreUtil.java
@@ -20,8 +20,10 @@ package org.keycloak.common.util;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
+import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
+import java.security.PublicKey;
import org.keycloak.common.constants.GenericConstants;
@@ -49,7 +51,7 @@ public class KeystoreUtil {
return trustStore;
}
- public static PrivateKey loadPrivateKeyFromKeystore(String keystoreFile, String storePassword, String keyPassword, String keyAlias, KeystoreFormat format) {
+ public static KeyPair loadKeyPairFromKeystore(String keystoreFile, String storePassword, String keyPassword, String keyAlias, KeystoreFormat format) {
InputStream stream = FindFile.findFile(keystoreFile);
try {
@@ -61,11 +63,12 @@ public class KeystoreUtil {
}
keyStore.load(stream, storePassword.toCharArray());
- PrivateKey key = (PrivateKey) keyStore.getKey(keyAlias, keyPassword.toCharArray());
- if (key == null) {
+ PrivateKey privateKey = (PrivateKey) keyStore.getKey(keyAlias, keyPassword.toCharArray());
+ if (privateKey == null) {
throw new RuntimeException("Couldn't load key with alias '" + keyAlias + "' from keystore");
}
- return key;
+ PublicKey publicKey = keyStore.getCertificate(keyAlias).getPublicKey();
+ return new KeyPair(publicKey, privateKey);
} catch (Exception e) {
throw new RuntimeException("Failed to load private key: " + e.getMessage(), e);
}
diff --git a/core/src/main/java/org/keycloak/constants/AdapterConstants.java b/core/src/main/java/org/keycloak/constants/AdapterConstants.java
index 6458d90..ea1086e 100755
--- a/core/src/main/java/org/keycloak/constants/AdapterConstants.java
+++ b/core/src/main/java/org/keycloak/constants/AdapterConstants.java
@@ -29,6 +29,7 @@ public interface AdapterConstants {
public static final String K_PUSH_NOT_BEFORE = "k_push_not_before";
public static final String K_TEST_AVAILABLE = "k_test_available";
public static final String K_QUERY_BEARER_TOKEN = "k_query_bearer_token";
+ public static final String K_JWKS = "k_jwks";
// This param name is defined again in Keycloak Subsystem class
// org.keycloak.subsystem.extensionKeycloakAdapterConfigDeploymentProcessor. We have this value in
diff --git a/core/src/main/java/org/keycloak/jose/jwk/JWKBuilder.java b/core/src/main/java/org/keycloak/jose/jwk/JWKBuilder.java
index 824ff55..ae37ebf 100644
--- a/core/src/main/java/org/keycloak/jose/jwk/JWKBuilder.java
+++ b/core/src/main/java/org/keycloak/jose/jwk/JWKBuilder.java
@@ -34,6 +34,7 @@ public class JWKBuilder {
public static final String DEFAULT_PUBLIC_KEY_USE = "sig";
public static final String DEFAULT_MESSAGE_DIGEST = "SHA-256";
+ private String kid;
private JWKBuilder() {
}
@@ -42,11 +43,18 @@ public class JWKBuilder {
return new JWKBuilder();
}
+ public JWKBuilder kid(String kid) {
+ this.kid = kid;
+ return this;
+ }
+
public JWK rs256(PublicKey key) {
RSAPublicKey rsaKey = (RSAPublicKey) key;
RSAPublicJWK k = new RSAPublicJWK();
- k.setKeyId(createKeyId(key));
+
+ String kid = this.kid != null ? this.kid : createKeyId(key);
+ k.setKeyId(kid);
k.setKeyType(RSAPublicJWK.RSA);
k.setAlgorithm(RSAPublicJWK.RS256);
k.setPublicKeyUse(DEFAULT_PUBLIC_KEY_USE);
@@ -56,7 +64,7 @@ public class JWKBuilder {
return k;
}
- private String createKeyId(Key key) {
+ public static String createKeyId(Key key) {
try {
return Base64Url.encode(MessageDigest.getInstance(DEFAULT_MESSAGE_DIGEST).digest(key.getEncoded()));
} catch (NoSuchAlgorithmException e) {
diff --git a/core/src/main/java/org/keycloak/OAuth2Constants.java b/core/src/main/java/org/keycloak/OAuth2Constants.java
index 2a7d37b..cf52423 100644
--- a/core/src/main/java/org/keycloak/OAuth2Constants.java
+++ b/core/src/main/java/org/keycloak/OAuth2Constants.java
@@ -81,6 +81,8 @@ public interface OAuth2Constants {
String MAX_AGE = "max_age";
+ String JWT = "JWT";
+
}
diff --git a/core/src/main/java/org/keycloak/representations/idm/CertificateRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/CertificateRepresentation.java
index 03539ff..d10616c 100755
--- a/core/src/main/java/org/keycloak/representations/idm/CertificateRepresentation.java
+++ b/core/src/main/java/org/keycloak/representations/idm/CertificateRepresentation.java
@@ -27,6 +27,7 @@ public class CertificateRepresentation {
protected String privateKey;
protected String publicKey;
protected String certificate;
+ protected String kid;
public String getPrivateKey() {
return privateKey;
@@ -52,5 +53,11 @@ public class CertificateRepresentation {
this.certificate = certificate;
}
+ public String getKid() {
+ return kid;
+ }
+ public void setKid(String kid) {
+ this.kid = kid;
+ }
}
diff --git a/core/src/main/java/org/keycloak/util/JWKSUtils.java b/core/src/main/java/org/keycloak/util/JWKSUtils.java
index 72ffe91..3a784b3 100644
--- a/core/src/main/java/org/keycloak/util/JWKSUtils.java
+++ b/core/src/main/java/org/keycloak/util/JWKSUtils.java
@@ -42,4 +42,15 @@ public class JWKSUtils {
return result;
}
+
+ public static JWK getKeyForUse(JSONWebKeySet keySet, JWK.Use requestedUse) {
+ for (JWK jwk : keySet.getKeys()) {
+ JWKParser parser = JWKParser.create(jwk);
+ if (parser.getJwk().getPublicKeyUse().equals(requestedUse.asString()) && parser.isKeyTypeSupported(jwk.getKeyType())) {
+ return jwk;
+ }
+ }
+
+ return null;
+ }
}
diff --git a/distribution/demo-dist/src/main/xslt/standalone.xsl b/distribution/demo-dist/src/main/xslt/standalone.xsl
index d67ce63..856980a 100755
--- a/distribution/demo-dist/src/main/xslt/standalone.xsl
+++ b/distribution/demo-dist/src/main/xslt/standalone.xsl
@@ -89,6 +89,10 @@
<local-cache name="loginFailures"/>
<local-cache name="authorization"/>
<local-cache name="work"/>
+ <local-cache name="keys">
+ <eviction max-entries="1000" strategy="LRU"/>
+ <expiration max-idle="3600000" />
+ </local-cache>
</cache-container>
<xsl:apply-templates select="node()|@*"/>
</xsl:copy>
diff --git a/distribution/server-overlay/cli/keycloak-install.cli b/distribution/server-overlay/cli/keycloak-install.cli
index dbb2c32..d62bcf1 100644
--- a/distribution/server-overlay/cli/keycloak-install.cli
+++ b/distribution/server-overlay/cli/keycloak-install.cli
@@ -10,5 +10,8 @@ embed-server --server-config=standalone.xml
/subsystem=infinispan/cache-container=keycloak/local-cache=work:add()
/subsystem=infinispan/cache-container=keycloak/local-cache=authorization:add()
/subsystem=infinispan/cache-container=keycloak/local-cache=authorization/eviction=EVICTION:add(max-entries=100,strategy=LRU)
+/subsystem=infinispan/cache-container=keycloak/local-cache=keys:add()
+/subsystem=infinispan/cache-container=keycloak/local-cache=keys/eviction=EVICTION:add(max-entries=1000,strategy=LRU)
+/subsystem=infinispan/cache-container=keycloak/local-cache=keys/expiration=EXPIRATION:add(max-idle=3600000)
/extension=org.keycloak.keycloak-server-subsystem/:add(module=org.keycloak.keycloak-server-subsystem)
run-batch --file=default-keycloak-subsys-config.cli
\ No newline at end of file
diff --git a/distribution/server-overlay/cli/keycloak-install-ha.cli b/distribution/server-overlay/cli/keycloak-install-ha.cli
index bc7d863..17fd5f0 100644
--- a/distribution/server-overlay/cli/keycloak-install-ha.cli
+++ b/distribution/server-overlay/cli/keycloak-install-ha.cli
@@ -10,5 +10,8 @@ embed-server --server-config=standalone-ha.xml
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:add(mode="SYNC",owners="1")
/subsystem=infinispan/cache-container=keycloak/distributed-cache=authorization:add(mode="SYNC",owners="1")
/subsystem=infinispan/cache-container=keycloak/replicated-cache=work:add(mode="SYNC")
+/subsystem=infinispan/cache-container=keycloak/local-cache=keys:add()
+/subsystem=infinispan/cache-container=keycloak/local-cache=keys/eviction=EVICTION:add(max-entries=1000,strategy=LRU)
+/subsystem=infinispan/cache-container=keycloak/local-cache=keys/expiration=EXPIRATION:add(max-idle=3600000)
/extension=org.keycloak.keycloak-server-subsystem/:add(module=org.keycloak.keycloak-server-subsystem)
run-batch --file=default-keycloak-subsys-config.cli
diff --git a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java
index 7b5f1d9..8ad75fd 100755
--- a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java
+++ b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java
@@ -17,6 +17,8 @@
package org.keycloak.connections.infinispan;
+import java.util.concurrent.TimeUnit;
+
import org.infinispan.configuration.cache.CacheMode;
import org.infinispan.configuration.cache.Configuration;
import org.infinispan.configuration.cache.ConfigurationBuilder;
@@ -98,7 +100,7 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon
cacheManager = (EmbeddedCacheManager) new InitialContext().lookup(cacheContainerLookup);
containerManaged = true;
- cacheManager.defineConfiguration(InfinispanConnectionProvider.REALM_REVISIONS_CACHE_NAME, getRevisionCacheConfig(true, InfinispanConnectionProvider.REALM_REVISIONS_CACHE_DEFAULT_MAX));
+ cacheManager.defineConfiguration(InfinispanConnectionProvider.REALM_REVISIONS_CACHE_NAME, getRevisionCacheConfig(InfinispanConnectionProvider.REALM_REVISIONS_CACHE_DEFAULT_MAX));
cacheManager.getCache(InfinispanConnectionProvider.REALM_CACHE_NAME, true);
long maxEntries = cacheManager.getCache(InfinispanConnectionProvider.USER_CACHE_NAME).getCacheConfiguration().eviction().maxEntries();
@@ -106,9 +108,11 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon
maxEntries = InfinispanConnectionProvider.USER_REVISIONS_CACHE_DEFAULT_MAX;
}
- cacheManager.defineConfiguration(InfinispanConnectionProvider.USER_REVISIONS_CACHE_NAME, getRevisionCacheConfig(true, maxEntries));
+ cacheManager.defineConfiguration(InfinispanConnectionProvider.USER_REVISIONS_CACHE_NAME, getRevisionCacheConfig(maxEntries));
cacheManager.getCache(InfinispanConnectionProvider.USER_REVISIONS_CACHE_NAME, true);
cacheManager.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME, true);
+ cacheManager.getCache(InfinispanConnectionProvider.KEYS_CACHE_NAME, true);
+
logger.debugv("Using container managed Infinispan cache container, lookup={1}", cacheContainerLookup);
} catch (Exception e) {
throw new RuntimeException("Failed to retrieve cache container", e);
@@ -116,6 +120,9 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon
}
protected void initEmbedded() {
+
+
+
GlobalConfigurationBuilder gcb = new GlobalConfigurationBuilder();
boolean clustered = config.getBoolean("clustered", false);
@@ -176,7 +183,7 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon
counterConfigBuilder.transaction().transactionManagerLookup(new DummyTransactionManagerLookup());
counterConfigBuilder.transaction().lockingMode(LockingMode.PESSIMISTIC);
- cacheManager.defineConfiguration(InfinispanConnectionProvider.REALM_REVISIONS_CACHE_NAME, getRevisionCacheConfig(false, InfinispanConnectionProvider.REALM_REVISIONS_CACHE_DEFAULT_MAX));
+ cacheManager.defineConfiguration(InfinispanConnectionProvider.REALM_REVISIONS_CACHE_NAME, getRevisionCacheConfig(InfinispanConnectionProvider.REALM_REVISIONS_CACHE_DEFAULT_MAX));
cacheManager.getCache(InfinispanConnectionProvider.REALM_CACHE_NAME, true);
long maxEntries = cacheManager.getCache(InfinispanConnectionProvider.USER_CACHE_NAME).getCacheConfiguration().eviction().maxEntries();
@@ -184,19 +191,19 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon
maxEntries = InfinispanConnectionProvider.USER_REVISIONS_CACHE_DEFAULT_MAX;
}
- cacheManager.defineConfiguration(InfinispanConnectionProvider.USER_REVISIONS_CACHE_NAME, getRevisionCacheConfig(false, maxEntries));
+ cacheManager.defineConfiguration(InfinispanConnectionProvider.USER_REVISIONS_CACHE_NAME, getRevisionCacheConfig(maxEntries));
cacheManager.getCache(InfinispanConnectionProvider.USER_REVISIONS_CACHE_NAME, true);
+
+ cacheManager.defineConfiguration(InfinispanConnectionProvider.KEYS_CACHE_NAME, getKeysCacheConfig());
+ cacheManager.getCache(InfinispanConnectionProvider.KEYS_CACHE_NAME, true);
}
- private Configuration getRevisionCacheConfig(boolean managed, long maxEntries) {
+ private Configuration getRevisionCacheConfig(long maxEntries) {
ConfigurationBuilder cb = new ConfigurationBuilder();
cb.invocationBatching().enable().transaction().transactionMode(TransactionMode.TRANSACTIONAL);
- // Workaround: Use Dummy manager even in managed ( wildfly/eap ) environment. Without this workaround, there is an issue in EAP7 overlay.
- // After start+end revisions batch is left the JTA transaction in committed state. This is incorrect and causes other issues afterwards.
- // TODO: Investigate
- // if (!managed)
- cb.transaction().transactionManagerLookup(new DummyTransactionManagerLookup());
+ // Use Dummy manager even in managed ( wildfly/eap ) environment. We don't want infinispan to participate in global transaction
+ cb.transaction().transactionManagerLookup(new DummyTransactionManagerLookup());
cb.transaction().lockingMode(LockingMode.PESSIMISTIC);
@@ -204,4 +211,11 @@ public class DefaultInfinispanConnectionProviderFactory implements InfinispanCon
return cb.build();
}
+ protected Configuration getKeysCacheConfig() {
+ ConfigurationBuilder cb = new ConfigurationBuilder();
+ cb.eviction().strategy(EvictionStrategy.LRU).type(EvictionType.COUNT).size(InfinispanConnectionProvider.KEYS_CACHE_DEFAULT_MAX);
+ cb.expiration().maxIdle(InfinispanConnectionProvider.KEYS_CACHE_MAX_IDLE_SECONDS, TimeUnit.SECONDS);
+ return cb.build();
+ }
+
}
diff --git a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java
index 143056c..1468460 100755
--- a/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java
+++ b/model/infinispan/src/main/java/org/keycloak/connections/infinispan/InfinispanConnectionProvider.java
@@ -39,6 +39,10 @@ public interface InfinispanConnectionProvider extends Provider {
String WORK_CACHE_NAME = "work";
String AUTHORIZATION_CACHE_NAME = "authorization";
+ String KEYS_CACHE_NAME = "keys";
+ int KEYS_CACHE_DEFAULT_MAX = 500;
+ int KEYS_CACHE_MAX_IDLE_SECONDS = 3600;
+
<K, V> Cache<K, V> getCache(String name);
diff --git a/model/infinispan/src/main/java/org/keycloak/keys/infinispan/InfinispanKeyStorageProvider.java b/model/infinispan/src/main/java/org/keycloak/keys/infinispan/InfinispanKeyStorageProvider.java
new file mode 100644
index 0000000..9010b16
--- /dev/null
+++ b/model/infinispan/src/main/java/org/keycloak/keys/infinispan/InfinispanKeyStorageProvider.java
@@ -0,0 +1,160 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.keys.infinispan;
+
+import java.security.PublicKey;
+import java.util.Collections;
+import java.util.Map;
+import java.util.Set;
+import java.util.concurrent.Callable;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.FutureTask;
+
+import org.infinispan.Cache;
+import org.jboss.logging.Logger;
+import org.keycloak.common.util.Time;
+import org.keycloak.keys.KeyLoader;
+import org.keycloak.keys.KeyStorageProvider;
+
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class InfinispanKeyStorageProvider implements KeyStorageProvider {
+
+ private static final Logger log = Logger.getLogger(InfinispanKeyStorageProvider.class);
+
+ private final Cache<String, PublicKeysEntry> keys;
+
+ private final Map<String, FutureTask<PublicKeysEntry>> tasksInProgress;
+
+ private final int minTimeBetweenRequests ;
+
+ public InfinispanKeyStorageProvider(Cache<String, PublicKeysEntry> keys, Map<String, FutureTask<PublicKeysEntry>> tasksInProgress, int minTimeBetweenRequests) {
+ this.keys = keys;
+ this.tasksInProgress = tasksInProgress;
+ this.minTimeBetweenRequests = minTimeBetweenRequests;
+ }
+
+
+ @Override
+ public PublicKey getPublicKey(String modelKey, String kid, KeyLoader loader) {
+ // Check if key is in cache
+ PublicKeysEntry entry = keys.get(modelKey);
+ if (entry != null) {
+ PublicKey publicKey = getPublicKey(entry.getCurrentKeys(), kid);
+ if (publicKey != null) {
+ return publicKey;
+ }
+ }
+
+ int lastRequestTime = entry==null ? 0 : entry.getLastRequestTime();
+ int currentTime = Time.currentTime();
+
+ // Check if we are allowed to send request
+ if (currentTime > lastRequestTime + minTimeBetweenRequests) {
+
+ WrapperCallable wrapperCallable = new WrapperCallable(modelKey, loader);
+ FutureTask<PublicKeysEntry> task = new FutureTask<>(wrapperCallable);
+ FutureTask<PublicKeysEntry> existing = tasksInProgress.putIfAbsent(modelKey, task);
+
+ if (existing == null) {
+ task.run();
+ } else {
+ task = existing;
+ }
+
+ try {
+ entry = task.get();
+
+ // Computation finished. Let's see if key is available
+ PublicKey publicKey = getPublicKey(entry.getCurrentKeys(), kid);
+ if (publicKey != null) {
+ return publicKey;
+ }
+
+ } catch (ExecutionException ee) {
+ throw new RuntimeException("Error when loading public keys", ee);
+ } catch (InterruptedException ie) {
+ throw new RuntimeException("Error. Interrupted when loading public keys", ie);
+ } finally {
+ // Our thread inserted the task. Let's clean
+ if (existing == null) {
+ tasksInProgress.remove(modelKey);
+ }
+ }
+ } else {
+ log.warnf("Won't load the keys for model '%s' . Last request time was %d", modelKey, lastRequestTime);
+ }
+
+ Set<String> availableKids = entry==null ? Collections.emptySet() : entry.getCurrentKeys().keySet();
+ log.warnf("PublicKey wasn't found in the storage. Requested kid: '%s' . Available kids: '%s'", kid, availableKids);
+
+ return null;
+ }
+
+ private PublicKey getPublicKey(Map<String, PublicKey> publicKeys, String kid) {
+ // Backwards compatibility
+ if (kid == null && !publicKeys.isEmpty()) {
+ return publicKeys.values().iterator().next();
+ } else {
+ return publicKeys.get(kid);
+ }
+ }
+
+
+ @Override
+ public void close() {
+
+ }
+
+
+ private class WrapperCallable implements Callable<PublicKeysEntry> {
+
+ private final String modelKey;
+ private final KeyLoader delegate;
+
+ public WrapperCallable(String modelKey, KeyLoader delegate) {
+ this.modelKey = modelKey;
+ this.delegate = delegate;
+ }
+
+ @Override
+ public PublicKeysEntry call() throws Exception {
+ PublicKeysEntry entry = keys.get(modelKey);
+
+ int lastRequestTime = entry==null ? 0 : entry.getLastRequestTime();
+ int currentTime = Time.currentTime();
+
+ // Check again if we are allowed to send request. There is a chance other task was already finished and removed from tasksInProgress in the meantime.
+ if (currentTime > lastRequestTime + minTimeBetweenRequests) {
+
+ Map<String, PublicKey> publicKeys = delegate.loadKeys();
+
+ if (log.isDebugEnabled()) {
+ log.debugf("Public keys retrieved successfully for model %s. New kids: %s", modelKey, publicKeys.keySet().toString());
+ }
+
+ entry = new PublicKeysEntry(currentTime, publicKeys);
+
+ keys.put(modelKey, entry);
+ }
+ return entry;
+ }
+ }
+}
diff --git a/model/infinispan/src/main/java/org/keycloak/keys/infinispan/InfinispanKeyStorageProviderFactory.java b/model/infinispan/src/main/java/org/keycloak/keys/infinispan/InfinispanKeyStorageProviderFactory.java
new file mode 100644
index 0000000..3a4ba5a
--- /dev/null
+++ b/model/infinispan/src/main/java/org/keycloak/keys/infinispan/InfinispanKeyStorageProviderFactory.java
@@ -0,0 +1,84 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.keys.infinispan;
+
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.FutureTask;
+
+import org.infinispan.Cache;
+import org.jboss.logging.Logger;
+import org.keycloak.Config;
+import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
+import org.keycloak.keys.KeyStorageProvider;
+import org.keycloak.keys.KeyStorageProviderFactory;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakSessionFactory;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class InfinispanKeyStorageProviderFactory implements KeyStorageProviderFactory {
+
+ private static final Logger log = Logger.getLogger(InfinispanKeyStorageProviderFactory.class);
+
+ public static final String PROVIDER_ID = "infinispan";
+
+ private Cache<String, PublicKeysEntry> keysCache;
+
+ private final Map<String, FutureTask<PublicKeysEntry>> tasksInProgress = new ConcurrentHashMap<>();
+
+ private int minTimeBetweenRequests;
+
+ @Override
+ public KeyStorageProvider create(KeycloakSession session) {
+ lazyInit(session);
+ return new InfinispanKeyStorageProvider(keysCache, tasksInProgress, minTimeBetweenRequests);
+ }
+
+ private void lazyInit(KeycloakSession session) {
+ if (keysCache == null) {
+ synchronized (this) {
+ if (keysCache == null) {
+ this.keysCache = session.getProvider(InfinispanConnectionProvider.class).getCache(InfinispanConnectionProvider.KEYS_CACHE_NAME);
+ }
+ }
+ }
+ }
+
+ @Override
+ public void init(Config.Scope config) {
+ minTimeBetweenRequests = config.getInt("minTimeBetweenRequests", 10);
+ log.debugf("minTimeBetweenRequests is %d", minTimeBetweenRequests);
+ }
+
+ @Override
+ public void postInit(KeycloakSessionFactory factory) {
+
+ }
+
+ @Override
+ public void close() {
+
+ }
+
+ @Override
+ public String getId() {
+ return PROVIDER_ID;
+ }
+}
diff --git a/model/infinispan/src/main/java/org/keycloak/keys/infinispan/PublicKeysEntry.java b/model/infinispan/src/main/java/org/keycloak/keys/infinispan/PublicKeysEntry.java
new file mode 100644
index 0000000..cb0561c
--- /dev/null
+++ b/model/infinispan/src/main/java/org/keycloak/keys/infinispan/PublicKeysEntry.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.keys.infinispan;
+
+import java.io.Serializable;
+import java.security.PublicKey;
+import java.util.Map;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class PublicKeysEntry implements Serializable {
+
+ private final int lastRequestTime;
+
+ private final Map<String, PublicKey> currentKeys;
+
+ public PublicKeysEntry(int lastRequestTime, Map<String, PublicKey> currentKeys) {
+ this.lastRequestTime = lastRequestTime;
+ this.currentKeys = currentKeys;
+ }
+
+ public int getLastRequestTime() {
+ return lastRequestTime;
+ }
+
+ public Map<String, PublicKey> getCurrentKeys() {
+ return currentKeys;
+ }
+}
diff --git a/model/infinispan/src/main/resources/META-INF/services/org.keycloak.keys.KeyStorageProviderFactory b/model/infinispan/src/main/resources/META-INF/services/org.keycloak.keys.KeyStorageProviderFactory
new file mode 100644
index 0000000..bed25ea
--- /dev/null
+++ b/model/infinispan/src/main/resources/META-INF/services/org.keycloak.keys.KeyStorageProviderFactory
@@ -0,0 +1,18 @@
+#
+# Copyright 2016 Red Hat, Inc. and/or its affiliates
+# and other contributors as indicated by the @author tags.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+org.keycloak.keys.infinispan.InfinispanKeyStorageProviderFactory
\ No newline at end of file
diff --git a/model/infinispan/src/test/java/org/keycloak/models/keys/infinispan/InfinispanKeyStorageProviderTest.java b/model/infinispan/src/test/java/org/keycloak/models/keys/infinispan/InfinispanKeyStorageProviderTest.java
new file mode 100644
index 0000000..99a5f07
--- /dev/null
+++ b/model/infinispan/src/test/java/org/keycloak/models/keys/infinispan/InfinispanKeyStorageProviderTest.java
@@ -0,0 +1,172 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.models.keys.infinispan;
+
+import java.security.PublicKey;
+import java.util.Collections;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.FutureTask;
+import java.util.concurrent.atomic.AtomicInteger;
+
+import org.infinispan.Cache;
+import org.infinispan.configuration.cache.Configuration;
+import org.infinispan.configuration.cache.ConfigurationBuilder;
+import org.infinispan.configuration.global.GlobalConfigurationBuilder;
+import org.infinispan.eviction.EvictionStrategy;
+import org.infinispan.eviction.EvictionType;
+import org.infinispan.manager.DefaultCacheManager;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.keycloak.common.util.Time;
+import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
+import org.keycloak.keys.KeyLoader;
+import org.keycloak.keys.infinispan.InfinispanKeyStorageProvider;
+import org.keycloak.keys.infinispan.PublicKeysEntry;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class InfinispanKeyStorageProviderTest {
+
+ private Map<String, AtomicInteger> counters = new ConcurrentHashMap<>();
+
+ Cache<String, PublicKeysEntry> keys = getKeysCache();
+ Map<String, FutureTask<PublicKeysEntry>> tasksInProgress = new ConcurrentHashMap<>();
+ int minTimeBetweenRequests = 10;
+
+ @Before
+ public void before() {
+ Time.setOffset(0);
+ }
+
+ @After
+ public void after() {
+ Time.setOffset(0);
+ }
+
+ @Test
+ public void testConcurrency() throws Exception {
+ // Just one thread will execute the task
+ List<Thread> threads = new LinkedList<>();
+ for (int i=0 ; i<10 ; i++) {
+ Thread t = new Thread(new SampleWorker("model1"));
+ threads.add(t);
+ }
+ startAndJoinAll(threads);
+ Assert.assertEquals(counters.get("model1").get(), 1);
+ threads.clear();
+
+ // model1 won't be executed due to lastRequestTime. model2 will be executed just with one thread
+ for (int i=0 ; i<10 ; i++) {
+ Thread t = new Thread(new SampleWorker("model1"));
+ threads.add(t);
+ }
+ for (int i=0 ; i<10 ; i++) {
+ Thread t = new Thread(new SampleWorker("model2"));
+ threads.add(t);
+ }
+ startAndJoinAll(threads);
+ Assert.assertEquals(counters.get("model1").get(), 1);
+ Assert.assertEquals(counters.get("model2").get(), 1);
+ threads.clear();
+
+ // Increase time offset
+ Time.setOffset(20);
+
+ // Time updated. So another thread should successfully run loader for both model1 and model2
+ for (int i=0 ; i<10 ; i++) {
+ Thread t = new Thread(new SampleWorker("model1"));
+ threads.add(t);
+ }
+ for (int i=0 ; i<10 ; i++) {
+ Thread t = new Thread(new SampleWorker("model2"));
+ threads.add(t);
+ }
+ startAndJoinAll(threads);
+ Assert.assertEquals(counters.get("model1").get(), 2);
+ Assert.assertEquals(counters.get("model2").get(), 2);
+ threads.clear();
+ }
+
+
+ private void startAndJoinAll(List<Thread> threads) throws Exception {
+ for (Thread t : threads) {
+ t.start();
+ }
+ for (Thread t : threads) {
+ t.join();
+ }
+ }
+
+
+ private class SampleWorker implements Runnable {
+
+
+ private final String modelKey;
+
+ private SampleWorker(String modelKey) {
+ this.modelKey = modelKey;
+ }
+
+ @Override
+ public void run() {
+ InfinispanKeyStorageProvider provider = new InfinispanKeyStorageProvider(keys, tasksInProgress, minTimeBetweenRequests);
+ provider.getPublicKey(modelKey, "kid1", new SampleLoader(modelKey));
+ }
+
+ }
+
+
+ private class SampleLoader implements KeyLoader {
+
+ private final String modelKey;
+
+ private SampleLoader(String modelKey) {
+ this.modelKey = modelKey;
+ }
+
+ @Override
+ public Map<String, PublicKey> loadKeys() throws Exception {
+ counters.putIfAbsent(modelKey, new AtomicInteger(0));
+ AtomicInteger currentCounter = counters.get(modelKey);
+
+ currentCounter.incrementAndGet();
+ return Collections.emptyMap();
+ }
+ }
+
+
+ protected Cache<String, PublicKeysEntry> getKeysCache() {
+ GlobalConfigurationBuilder gcb = new GlobalConfigurationBuilder();
+ gcb.globalJmxStatistics().allowDuplicateDomains(true);
+
+ final DefaultCacheManager cacheManager = new DefaultCacheManager(gcb.build());
+
+ ConfigurationBuilder cb = new ConfigurationBuilder();
+ cb.eviction().strategy(EvictionStrategy.LRU).type(EvictionType.COUNT).size(InfinispanConnectionProvider.KEYS_CACHE_DEFAULT_MAX);
+ Configuration cfg = cb.build();
+
+ cacheManager.defineConfiguration(InfinispanConnectionProvider.KEYS_CACHE_NAME, cfg);
+ return cacheManager.getCache(InfinispanConnectionProvider.KEYS_CACHE_NAME);
+ }
+}
diff --git a/server-spi/src/main/java/org/keycloak/broker/provider/AbstractIdentityProvider.java b/server-spi/src/main/java/org/keycloak/broker/provider/AbstractIdentityProvider.java
index 5532606..8f57133 100755
--- a/server-spi/src/main/java/org/keycloak/broker/provider/AbstractIdentityProvider.java
+++ b/server-spi/src/main/java/org/keycloak/broker/provider/AbstractIdentityProvider.java
@@ -32,9 +32,11 @@ import javax.ws.rs.core.UriInfo;
*/
public abstract class AbstractIdentityProvider<C extends IdentityProviderModel> implements IdentityProvider<C> {
+ protected final KeycloakSession session;
private final C config;
- public AbstractIdentityProvider(C config) {
+ public AbstractIdentityProvider(KeycloakSession session, C config) {
+ this.session = session;
this.config = config;
}
diff --git a/server-spi/src/main/java/org/keycloak/broker/provider/IdentityProviderFactory.java b/server-spi/src/main/java/org/keycloak/broker/provider/IdentityProviderFactory.java
index 93ef720..c189316 100755
--- a/server-spi/src/main/java/org/keycloak/broker/provider/IdentityProviderFactory.java
+++ b/server-spi/src/main/java/org/keycloak/broker/provider/IdentityProviderFactory.java
@@ -39,10 +39,11 @@ public interface IdentityProviderFactory<T extends IdentityProvider> extends Pro
* <p>Creates an {@link IdentityProvider} based on the configuration contained in
* <code>model</code>.</p>
*
+ * @param session
* @param model The configuration to be used to create the identity provider.
* @return
*/
- T create(IdentityProviderModel model);
+ T create(KeycloakSession session, IdentityProviderModel model);
/**
* <p>Creates an {@link IdentityProvider} based on the configuration from
diff --git a/server-spi/src/main/java/org/keycloak/keys/KeyLoader.java b/server-spi/src/main/java/org/keycloak/keys/KeyLoader.java
new file mode 100644
index 0000000..aa5631d
--- /dev/null
+++ b/server-spi/src/main/java/org/keycloak/keys/KeyLoader.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.keys;
+
+import java.security.PublicKey;
+import java.util.Map;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public interface KeyLoader {
+
+ Map<String, PublicKey> loadKeys() throws Exception;
+
+}
diff --git a/server-spi/src/main/java/org/keycloak/keys/KeyStorageProvider.java b/server-spi/src/main/java/org/keycloak/keys/KeyStorageProvider.java
new file mode 100644
index 0000000..3033f2b
--- /dev/null
+++ b/server-spi/src/main/java/org/keycloak/keys/KeyStorageProvider.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.keys;
+
+import java.security.PublicKey;
+
+import org.keycloak.provider.Provider;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public interface KeyStorageProvider extends Provider {
+
+
+ /**
+ * Get public key to verify messages signed by particular client. Used for example during JWT client authentication
+ *
+ * @param modelKey
+ * @param kid
+ * @param loader
+ * @return
+ */
+ PublicKey getPublicKey(String modelKey, String kid, KeyLoader loader);
+
+}
diff --git a/server-spi/src/main/java/org/keycloak/keys/KeyStorageProviderFactory.java b/server-spi/src/main/java/org/keycloak/keys/KeyStorageProviderFactory.java
new file mode 100644
index 0000000..2ae9f1d
--- /dev/null
+++ b/server-spi/src/main/java/org/keycloak/keys/KeyStorageProviderFactory.java
@@ -0,0 +1,26 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.keys;
+
+import org.keycloak.provider.ProviderFactory;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public interface KeyStorageProviderFactory extends ProviderFactory<KeyStorageProvider> {
+}
diff --git a/server-spi/src/main/java/org/keycloak/keys/KeyStorageSpi.java b/server-spi/src/main/java/org/keycloak/keys/KeyStorageSpi.java
new file mode 100644
index 0000000..162e186
--- /dev/null
+++ b/server-spi/src/main/java/org/keycloak/keys/KeyStorageSpi.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.keys;
+
+import org.keycloak.provider.Provider;
+import org.keycloak.provider.ProviderFactory;
+import org.keycloak.provider.Spi;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class KeyStorageSpi implements Spi {
+
+ @Override
+ public boolean isInternal() {
+ return true;
+ }
+
+ @Override
+ public String getName() {
+ return "keyStorage";
+ }
+
+ @Override
+ public Class<? extends Provider> getProviderClass() {
+ return KeyStorageProvider.class;
+ }
+
+ @Override
+ public Class<? extends ProviderFactory> getProviderFactoryClass() {
+ return KeyStorageProviderFactory.class;
+ }
+}
diff --git a/server-spi/src/main/resources/META-INF/services/org.keycloak.provider.Spi b/server-spi/src/main/resources/META-INF/services/org.keycloak.provider.Spi
index 889c7a4..5b1f529 100755
--- a/server-spi/src/main/resources/META-INF/services/org.keycloak.provider.Spi
+++ b/server-spi/src/main/resources/META-INF/services/org.keycloak.provider.Spi
@@ -65,3 +65,4 @@ org.keycloak.policy.PasswordPolicyManagerSpi
org.keycloak.transaction.TransactionManagerLookupSpi
org.keycloak.credential.hash.PasswordHashSpi
org.keycloak.credential.CredentialSpi
+org.keycloak.keys.KeyStorageSpi
diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java
index 86dd4e8..2f3ed58 100644
--- a/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java
@@ -38,6 +38,7 @@ import org.keycloak.authentication.ClientAuthenticationFlowContext;
import org.keycloak.common.util.Time;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.crypto.RSAProvider;
+import org.keycloak.keys.loader.KeyStorageManager;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ModelException;
@@ -125,7 +126,7 @@ public class JWTClientAuthenticator extends AbstractClientAuthenticator {
}
// Get client key and validate signature
- PublicKey clientPublicKey = getSignatureValidationKey(client, context);
+ PublicKey clientPublicKey = getSignatureValidationKey(client, context, jws);
if (clientPublicKey == null) {
// Error response already set to context
return;
@@ -166,13 +167,14 @@ public class JWTClientAuthenticator extends AbstractClientAuthenticator {
}
}
- protected PublicKey getSignatureValidationKey(ClientModel client, ClientAuthenticationFlowContext context) {
- try {
- return CertificateInfoHelper.getSignatureValidationKey(client, ATTR_PREFIX);
- } catch (ModelException me) {
- Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "unauthorized_client", me.getMessage());
+ protected PublicKey getSignatureValidationKey(ClientModel client, ClientAuthenticationFlowContext context, JWSInput jws) {
+ PublicKey publicKey = KeyStorageManager.getClientPublicKey(context.getSession(), client, jws);
+ if (publicKey == null) {
+ Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "unauthorized_client", "Unable to load public key");
context.failure(AuthenticationFlowError.CLIENT_CREDENTIALS_SETUP_REQUIRED, challengeResponse);
return null;
+ } else {
+ return publicKey;
}
}
diff --git a/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java b/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
index bad6d19..64792d7 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
@@ -73,8 +73,8 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
public static final String OAUTH2_PARAMETER_GRANT_TYPE = "grant_type";
- public AbstractOAuth2IdentityProvider(C config) {
- super(config);
+ public AbstractOAuth2IdentityProvider(KeycloakSession session, C config) {
+ super(session, config);
if (config.getDefaultScope() == null || config.getDefaultScope().isEmpty()) {
config.setDefaultScope(getDefaultScopes());
diff --git a/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.java b/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.java
index 3c1e553..492a796 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.java
@@ -23,6 +23,7 @@ import org.keycloak.constants.AdapterConstants;
import org.keycloak.events.EventBuilder;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
+import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.representations.AccessTokenResponse;
@@ -46,8 +47,8 @@ public class KeycloakOIDCIdentityProvider extends OIDCIdentityProvider {
public static final String VALIDATED_ACCESS_TOKEN = "VALIDATED_ACCESS_TOKEN";
- public KeycloakOIDCIdentityProvider(OIDCIdentityProviderConfig config) {
- super(config);
+ public KeycloakOIDCIdentityProvider(KeycloakSession session, OIDCIdentityProviderConfig config) {
+ super(session, config);
}
@Override
@@ -56,8 +57,8 @@ public class KeycloakOIDCIdentityProvider extends OIDCIdentityProvider {
}
@Override
- protected void processAccessTokenResponse(BrokeredIdentityContext context, PublicKey idpKey, AccessTokenResponse response) {
- JsonWebToken access = validateToken(idpKey, response.getToken());
+ protected void processAccessTokenResponse(BrokeredIdentityContext context, AccessTokenResponse response) {
+ JsonWebToken access = validateToken(response.getToken());
context.getContextData().put(VALIDATED_ACCESS_TOKEN, access);
}
@@ -76,13 +77,12 @@ public class KeycloakOIDCIdentityProvider extends OIDCIdentityProvider {
logger.warn("Failed to verify logout request");
return Response.status(400).build();
}
- PublicKey key = getExternalIdpKey();
- if (key != null) {
- if (!verify(token, key)) {
- logger.warn("Failed to verify logout request");
- return Response.status(400).build();
- }
+
+ if (!verify(token)) {
+ logger.warn("Failed to verify logout request");
+ return Response.status(400).build();
}
+
LogoutAction action = null;
try {
action = JsonSerialization.readValue(token.getContent(), LogoutAction.class);
diff --git a/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProviderFactory.java b/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProviderFactory.java
index 56f24a2..87e7b73 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProviderFactory.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProviderFactory.java
@@ -36,8 +36,8 @@ public class KeycloakOIDCIdentityProviderFactory extends AbstractIdentityProvide
}
@Override
- public KeycloakOIDCIdentityProvider create(IdentityProviderModel model) {
- return new KeycloakOIDCIdentityProvider(new OIDCIdentityProviderConfig(model));
+ public KeycloakOIDCIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
+ return new KeycloakOIDCIdentityProvider(session, new OIDCIdentityProviderConfig(model));
}
@Override
diff --git a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
index 7e19ea6..aeedd9c 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
@@ -31,6 +31,7 @@ import org.keycloak.events.EventType;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.jose.jws.crypto.RSAProvider;
+import org.keycloak.keys.loader.KeyStorageManager;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
@@ -71,8 +72,8 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
public static final String FEDERATED_ACCESS_TOKEN_RESPONSE = "FEDERATED_ACCESS_TOKEN_RESPONSE";
public static final String VALIDATED_ID_TOKEN = "VALIDATED_ID_TOKEN";
- public OIDCIdentityProvider(OIDCIdentityProviderConfig config) {
- super(config);
+ public OIDCIdentityProvider(KeycloakSession session, OIDCIdentityProviderConfig config) {
+ super(session, config);
String defaultScope = config.getDefaultScope();
@@ -86,21 +87,6 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
return new OIDCEndpoint(callback, realm, event);
}
- protected PublicKey getExternalIdpKey() {
- String signingCert = getConfig().getCertificateSignatureVerifier();
- try {
- if (signingCert != null && !signingCert.trim().equals("")) {
- return PemUtils.decodeCertificate(signingCert).getPublicKey();
- } else if (getConfig().getPublicKeySignatureVerifier() != null && !getConfig().getPublicKeySignatureVerifier().trim().equals("")) {
- return PemUtils.decodePublicKey(getConfig().getPublicKeySignatureVerifier());
- }
- } catch (Exception e) {
- throw new RuntimeException(e);
- }
- return null;
-
- }
-
protected class OIDCEndpoint extends Endpoint {
public OIDCEndpoint(AuthenticationCallback callback, RealmModel realm, EventBuilder event) {
super(callback, realm, event);
@@ -233,7 +219,7 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
return authorizationUrl;
}
- protected void processAccessTokenResponse(BrokeredIdentityContext context, PublicKey idpKey, AccessTokenResponse response) {
+ protected void processAccessTokenResponse(BrokeredIdentityContext context, AccessTokenResponse response) {
}
@@ -245,14 +231,11 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
} catch (IOException e) {
throw new IdentityBrokerException("Could not decode access token response.", e);
}
- PublicKey key = getExternalIdpKey();
- String accessToken = verifyAccessToken(key, tokenResponse);
+ String accessToken = verifyAccessToken(tokenResponse);
String encodedIdToken = tokenResponse.getIdToken();
-
-
- JsonWebToken idToken = validateToken(key, encodedIdToken);
+ JsonWebToken idToken = validateToken(encodedIdToken);
try {
String id = idToken.getSubject();
@@ -274,7 +257,7 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
}
identity.getContextData().put(FEDERATED_ACCESS_TOKEN_RESPONSE, tokenResponse);
identity.getContextData().put(VALIDATED_ID_TOKEN, idToken);
- processAccessTokenResponse(identity, key, tokenResponse);
+ processAccessTokenResponse(identity, tokenResponse);
identity.setId(id);
identity.setName(name);
@@ -305,7 +288,7 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
}
}
- private String verifyAccessToken(PublicKey key, AccessTokenResponse tokenResponse) {
+ private String verifyAccessToken(AccessTokenResponse tokenResponse) {
String accessToken = tokenResponse.getToken();
if (accessToken == null) {
@@ -314,14 +297,15 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
return accessToken;
}
- protected boolean verify(JWSInput jws, PublicKey key) {
- if (key == null) return true;
+ protected boolean verify(JWSInput jws) {
if (!getConfig().isValidateSignature()) return true;
- return RSAProvider.verify(jws, key);
+ PublicKey publicKey = KeyStorageManager.getIdentityProviderPublicKey(session, session.getContext().getRealm(), getConfig(), jws);
+
+ return publicKey != null && RSAProvider.verify(jws, publicKey);
}
- protected JsonWebToken validateToken(PublicKey key, String encodedToken) {
+ protected JsonWebToken validateToken(String encodedToken) {
if (encodedToken == null) {
throw new IdentityBrokerException("No token from server.");
}
@@ -329,7 +313,7 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
JsonWebToken token;
try {
JWSInput jws = new JWSInput(encodedToken);
- if (!verify(jws, key)) {
+ if (!verify(jws)) {
throw new IdentityBrokerException("token signature validation failed");
}
token = jws.readJsonContent(JsonWebToken.class);
diff --git a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderConfig.java b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderConfig.java
index d747190..e7fdfd2 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderConfig.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderConfig.java
@@ -17,12 +17,18 @@
package org.keycloak.broker.oidc;
import org.keycloak.models.IdentityProviderModel;
+import org.keycloak.models.KeycloakSession;
/**
* @author Pedro Igor
*/
public class OIDCIdentityProviderConfig extends OAuth2IdentityProviderConfig {
+ private static final String JWKS_URL = "jwksUrl";
+
+ private static final String USE_JWKS_URL = "useJwksUrl";
+
+
public OIDCIdentityProviderConfig(IdentityProviderModel identityProviderModel) {
super(identityProviderModel);
}
@@ -46,13 +52,7 @@ public class OIDCIdentityProviderConfig extends OAuth2IdentityProviderConfig {
public void setLogoutUrl(String url) {
getConfig().put("logoutUrl", url);
}
- public String getCertificateSignatureVerifier() {
- return getConfig().get("certificateSignatureVerifier");
- }
- public void setCertificateSignatureVerifier(String signingCertificate) {
- getConfig().put("certificateSignatureVerifier", signingCertificate);
- }
public String getPublicKeySignatureVerifier() {
return getConfig().get("publicKeySignatureVerifier");
}
@@ -69,6 +69,22 @@ public class OIDCIdentityProviderConfig extends OAuth2IdentityProviderConfig {
getConfig().put("validateSignature", String.valueOf(validateSignature));
}
+ public boolean isUseJwksUrl() {
+ return Boolean.valueOf(getConfig().get(USE_JWKS_URL));
+ }
+
+ public void setUseJwksUrl(boolean useJwksUrl) {
+ getConfig().put(USE_JWKS_URL, String.valueOf(useJwksUrl));
+ }
+
+ public String getJwksUrl() {
+ return getConfig().get(JWKS_URL);
+ }
+
+ public void setJwksUrl(String jwksUrl) {
+ getConfig().put(JWKS_URL, jwksUrl);
+ }
+
public boolean isBackchannelSupported() {
return Boolean.valueOf(getConfig().get("backchannelSupported"));
}
diff --git a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java
index a0e5017..4bd8486 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java
@@ -18,13 +18,15 @@ package org.keycloak.broker.oidc;
import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
import org.keycloak.jose.jwk.JWK;
+import org.keycloak.jose.jwk.JWKParser;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.jose.jwk.JSONWebKeySet;
import org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation;
-import org.keycloak.protocol.oidc.utils.JWKSUtils;
+import org.keycloak.protocol.oidc.utils.JWKSHttpUtils;
import org.keycloak.services.ServicesLogger;
+import org.keycloak.util.JWKSUtils;
import org.keycloak.util.JsonSerialization;
import java.io.IOException;
@@ -47,8 +49,8 @@ public class OIDCIdentityProviderFactory extends AbstractIdentityProviderFactory
}
@Override
- public OIDCIdentityProvider create(IdentityProviderModel model) {
- return new OIDCIdentityProvider(new OIDCIdentityProviderConfig(model));
+ public OIDCIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
+ return new OIDCIdentityProvider(session, new OIDCIdentityProviderConfig(model));
}
@Override
@@ -75,24 +77,11 @@ public class OIDCIdentityProviderFactory extends AbstractIdentityProviderFactory
config.setTokenUrl(rep.getTokenEndpoint());
config.setUserInfoUrl(rep.getUserinfoEndpoint());
if (rep.getJwksUri() != null) {
- sendJwksRequest(session, rep, config);
+ config.setValidateSignature(true);
+ config.setUseJwksUrl(true);
+ config.setJwksUrl(rep.getJwksUri());
}
return config.getConfig();
}
- protected static void sendJwksRequest(KeycloakSession session, OIDCConfigurationRepresentation rep, OIDCIdentityProviderConfig config) {
- try {
- JSONWebKeySet keySet = JWKSUtils.sendJwksRequest(session, rep.getJwksUri());
- PublicKey key = JWKSUtils.getKeyForUse(keySet, JWK.Use.SIG);
- if (key == null) {
- logger.supportedJwkNotFound(JWK.Use.SIG.asString());
- } else {
- config.setPublicKeySignatureVerifier(KeycloakModelUtils.getPemFromKey(key));
- config.setValidateSignature(true);
- }
- } catch (IOException e) {
- throw new RuntimeException("Failed to query JWKSet from: " + rep.getJwksUri(), e);
- }
- }
-
}
diff --git a/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java b/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java
index 3d9a536..f7db32b 100755
--- a/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java
@@ -56,8 +56,8 @@ import java.security.PublicKey;
*/
public class SAMLIdentityProvider extends AbstractIdentityProvider<SAMLIdentityProviderConfig> {
protected static final Logger logger = Logger.getLogger(SAMLIdentityProvider.class);
- public SAMLIdentityProvider(SAMLIdentityProviderConfig config) {
- super(config);
+ public SAMLIdentityProvider(KeycloakSession session, SAMLIdentityProviderConfig config) {
+ super(session, config);
}
@Override
diff --git a/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderFactory.java b/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderFactory.java
index 2617995..714c47e 100755
--- a/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderFactory.java
+++ b/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderFactory.java
@@ -50,8 +50,8 @@ public class SAMLIdentityProviderFactory extends AbstractIdentityProviderFactory
}
@Override
- public SAMLIdentityProvider create(IdentityProviderModel model) {
- return new SAMLIdentityProvider(new SAMLIdentityProviderConfig(model));
+ public SAMLIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
+ return new SAMLIdentityProvider(session, new SAMLIdentityProviderConfig(model));
}
@Override
diff --git a/services/src/main/java/org/keycloak/keys/loader/ClientPublicKeyLoader.java b/services/src/main/java/org/keycloak/keys/loader/ClientPublicKeyLoader.java
new file mode 100644
index 0000000..39524ce
--- /dev/null
+++ b/services/src/main/java/org/keycloak/keys/loader/ClientPublicKeyLoader.java
@@ -0,0 +1,101 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.keys.loader;
+
+import java.security.PublicKey;
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+import java.util.Map;
+
+import org.keycloak.authentication.authenticators.client.JWTClientAuthenticator;
+import org.keycloak.jose.jwk.JSONWebKeySet;
+import org.keycloak.jose.jwk.JWK;
+import org.keycloak.jose.jwk.JWKBuilder;
+import org.keycloak.keys.KeyLoader;
+import org.keycloak.models.ClientModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.ModelException;
+import org.keycloak.models.utils.KeycloakModelUtils;
+import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
+import org.keycloak.protocol.oidc.utils.JWKSHttpUtils;
+import org.keycloak.representations.idm.CertificateRepresentation;
+import org.keycloak.services.ServicesLogger;
+import org.keycloak.services.util.CertificateInfoHelper;
+import org.keycloak.util.JWKSUtils;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class ClientPublicKeyLoader implements KeyLoader {
+
+ protected static ServicesLogger logger = ServicesLogger.ROOT_LOGGER;
+
+ private final KeycloakSession session;
+ private final ClientModel client;
+
+ public ClientPublicKeyLoader(KeycloakSession session, ClientModel client) {
+ this.session = session;
+ this.client = client;
+ }
+
+
+ @Override
+ public Map<String, PublicKey> loadKeys() throws Exception {
+ OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientModel(client);
+ if (config.isUseJwksUrl()) {
+ String jwksUrl = config.getJwksUrl();
+ JSONWebKeySet jwks = JWKSHttpUtils.sendJwksRequest(session, jwksUrl);
+ return JWKSUtils.getKeysForUse(jwks, JWK.Use.SIG);
+ } else {
+ try {
+ CertificateRepresentation certInfo = CertificateInfoHelper.getCertificateFromClient(client, JWTClientAuthenticator.ATTR_PREFIX);
+ PublicKey publicKey = getSignatureValidationKey(certInfo);
+
+ // Check if we have kid in DB, generate otherwise
+ String kid = certInfo.getKid() != null ? certInfo.getKid() : JWKBuilder.createKeyId(publicKey);
+ return Collections.singletonMap(kid, publicKey);
+ } catch (ModelException me) {
+ logger.warnf(me, "Unable to retrieve publicKey for verify signature of client '%s' . Error details: %s", client.getClientId(), me.getMessage());
+ return Collections.emptyMap();
+ }
+
+ }
+ }
+
+ private static PublicKey getSignatureValidationKey(CertificateRepresentation certInfo) throws ModelException {
+ String encodedCertificate = certInfo.getCertificate();
+ String encodedPublicKey = certInfo.getPublicKey();
+
+ if (encodedCertificate == null && encodedPublicKey == null) {
+ throw new ModelException("Client doesn't have certificate or publicKey configured");
+ }
+
+ if (encodedCertificate != null && encodedPublicKey != null) {
+ throw new ModelException("Client has both publicKey and certificate configured");
+ }
+
+ if (encodedCertificate != null) {
+ X509Certificate clientCert = KeycloakModelUtils.getCertificate(encodedCertificate);
+ return clientCert.getPublicKey();
+ } else {
+ return KeycloakModelUtils.getPublicKey(encodedPublicKey);
+ }
+ }
+
+
+}
diff --git a/services/src/main/java/org/keycloak/keys/loader/KeyStorageManager.java b/services/src/main/java/org/keycloak/keys/loader/KeyStorageManager.java
new file mode 100644
index 0000000..219afc4
--- /dev/null
+++ b/services/src/main/java/org/keycloak/keys/loader/KeyStorageManager.java
@@ -0,0 +1,62 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.keys.loader;
+
+import java.security.PublicKey;
+
+import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
+import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.keys.KeyStorageProvider;
+import org.keycloak.models.ClientModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class KeyStorageManager {
+
+ public static PublicKey getClientPublicKey(KeycloakSession session, ClientModel client, JWSInput input) {
+ String kid = input.getHeader().getKeyId();
+
+ KeyStorageProvider keyStorage = session.getProvider(KeyStorageProvider.class);
+
+ String modelKey = getModelKey(client);
+ ClientPublicKeyLoader loader = new ClientPublicKeyLoader(session, client);
+ return keyStorage.getPublicKey(modelKey, kid, loader);
+ }
+
+ private static String getModelKey(ClientModel client) {
+ return client.getRealm().getId() + "::client::" + client.getId();
+ }
+
+
+ public static PublicKey getIdentityProviderPublicKey(KeycloakSession session, RealmModel realm, OIDCIdentityProviderConfig idpConfig, JWSInput input) {
+ String kid = input.getHeader().getKeyId();
+
+ KeyStorageProvider keyStorage = session.getProvider(KeyStorageProvider.class);
+
+ String modelKey = getModelKey(realm, idpConfig);
+ OIDCIdentityProviderLoader loader = new OIDCIdentityProviderLoader(session, idpConfig);
+ return keyStorage.getPublicKey(modelKey, kid, loader);
+ }
+
+ private static String getModelKey(RealmModel realm, OIDCIdentityProviderConfig idpConfig) {
+ return realm.getId() + "::idp::" + idpConfig.getInternalId();
+ }
+}
diff --git a/services/src/main/java/org/keycloak/keys/loader/OIDCIdentityProviderLoader.java b/services/src/main/java/org/keycloak/keys/loader/OIDCIdentityProviderLoader.java
new file mode 100644
index 0000000..79032ff
--- /dev/null
+++ b/services/src/main/java/org/keycloak/keys/loader/OIDCIdentityProviderLoader.java
@@ -0,0 +1,80 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.keys.loader;
+
+import java.security.PublicKey;
+import java.util.Collections;
+import java.util.Map;
+
+import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
+import org.keycloak.common.util.PemUtils;
+import org.keycloak.jose.jwk.JSONWebKeySet;
+import org.keycloak.jose.jwk.JWK;
+import org.keycloak.jose.jwk.JWKBuilder;
+import org.keycloak.keys.KeyLoader;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.protocol.oidc.utils.JWKSHttpUtils;
+import org.keycloak.services.ServicesLogger;
+import org.keycloak.util.JWKSUtils;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class OIDCIdentityProviderLoader implements KeyLoader {
+
+ protected static ServicesLogger logger = ServicesLogger.ROOT_LOGGER;
+
+ private final KeycloakSession session;
+ private final OIDCIdentityProviderConfig config;
+
+ public OIDCIdentityProviderLoader(KeycloakSession session, OIDCIdentityProviderConfig config) {
+ this.session = session;
+ this.config = config;
+ }
+
+ @Override
+ public Map<String, PublicKey> loadKeys() throws Exception {
+ if (config.isUseJwksUrl()) {
+ String jwksUrl = config.getJwksUrl();
+ JSONWebKeySet jwks = JWKSHttpUtils.sendJwksRequest(session, jwksUrl);
+ return JWKSUtils.getKeysForUse(jwks, JWK.Use.SIG);
+ } else {
+ try {
+ PublicKey publicKey = getSavedPublicKey();
+ if (publicKey == null) {
+ return Collections.emptyMap();
+ }
+
+ String kid = JWKBuilder.createKeyId(publicKey);
+ return Collections.singletonMap(kid, publicKey);
+ } catch (Exception e) {
+ logger.warnf(e, "Unable to retrieve publicKey for verify signature of identityProvider '%s' . Error details: %s", config.getAlias(), e.getMessage());
+ return Collections.emptyMap();
+ }
+ }
+ }
+
+ protected PublicKey getSavedPublicKey() throws Exception {
+ if (config.getPublicKeySignatureVerifier() != null && !config.getPublicKeySignatureVerifier().trim().equals("")) {
+ return PemUtils.decodePublicKey(config.getPublicKeySignatureVerifier());
+ } else {
+ logger.warnf("No public key saved on identityProvider %s", config.getAlias());
+ return null;
+ }
+ }
+}
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/request/AuthorizationEndpointRequestParserProcessor.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/request/AuthorizationEndpointRequestParserProcessor.java
index 8db219c..5ae49f5 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/request/AuthorizationEndpointRequestParserProcessor.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/request/AuthorizationEndpointRequestParserProcessor.java
@@ -54,12 +54,12 @@ public class AuthorizationEndpointRequestParserProcessor {
}
if (requestParam != null) {
- new AuthzEndpointRequestObjectParser(requestParam, client).parseRequest(request);
+ new AuthzEndpointRequestObjectParser(session, requestParam, client).parseRequest(request);
} else if (requestUriParam != null) {
InputStream is = session.getProvider(HttpClientProvider.class).get(requestUriParam);
String retrievedRequest = StreamUtil.readString(is);
- new AuthzEndpointRequestObjectParser(retrievedRequest, client).parseRequest(request);
+ new AuthzEndpointRequestObjectParser(session, retrievedRequest, client).parseRequest(request);
}
return request;
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/request/AuthzEndpointRequestObjectParser.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/request/AuthzEndpointRequestObjectParser.java
index 658a2c0..9a3f5ab 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/request/AuthzEndpointRequestObjectParser.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/request/AuthzEndpointRequestObjectParser.java
@@ -27,7 +27,10 @@ import org.keycloak.jose.jws.Algorithm;
import org.keycloak.jose.jws.JWSHeader;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.crypto.RSAProvider;
+import org.keycloak.keys.KeyStorageProvider;
+import org.keycloak.keys.loader.KeyStorageManager;
import org.keycloak.models.ClientModel;
+import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.services.util.CertificateInfoHelper;
import org.keycloak.util.JsonSerialization;
@@ -41,7 +44,7 @@ class AuthzEndpointRequestObjectParser extends AuthzEndpointRequestParser {
private final Map<String, Object> requestParams;
- public AuthzEndpointRequestObjectParser(String requestObject, ClientModel client) throws Exception {
+ public AuthzEndpointRequestObjectParser(KeycloakSession session, String requestObject, ClientModel client) throws Exception {
JWSInput input = new JWSInput(requestObject);
JWSHeader header = input.getHeader();
@@ -54,7 +57,11 @@ class AuthzEndpointRequestObjectParser extends AuthzEndpointRequestParser {
if (header.getAlgorithm() == Algorithm.none) {
this.requestParams = JsonSerialization.readValue(input.getContent(), TypedHashMap.class);
} else if (header.getAlgorithm() == Algorithm.RS256) {
- PublicKey clientPublicKey = CertificateInfoHelper.getSignatureValidationKey(client, JWTClientAuthenticator.ATTR_PREFIX);
+ PublicKey clientPublicKey = KeyStorageManager.getClientPublicKey(session, client, input);
+ if (clientPublicKey == null) {
+ throw new RuntimeException("Client public key not found");
+ }
+
boolean verified = RSAProvider.verify(input, clientPublicKey);
if (!verified) {
throw new RuntimeException("Failed to verify signature on 'request' object");
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/OIDCAdvancedConfigWrapper.java b/services/src/main/java/org/keycloak/protocol/oidc/OIDCAdvancedConfigWrapper.java
index 756c12a..588a06c 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/OIDCAdvancedConfigWrapper.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/OIDCAdvancedConfigWrapper.java
@@ -32,6 +32,10 @@ public class OIDCAdvancedConfigWrapper {
private static final String REQUEST_OBJECT_SIGNATURE_ALG = "request.object.signature.alg";
+ private static final String JWKS_URL = "jwks.url";
+
+ private static final String USE_JWKS_URL = "use.jwks.url";
+
private final ClientModel clientModel;
private final ClientRepresentation clientRep;
@@ -74,6 +78,23 @@ public class OIDCAdvancedConfigWrapper {
setAttribute(REQUEST_OBJECT_SIGNATURE_ALG, algStr);
}
+ public boolean isUseJwksUrl() {
+ String useJwksUrl = getAttribute(USE_JWKS_URL);
+ return Boolean.parseBoolean(useJwksUrl);
+ }
+
+ public void setUseJwksUrl(boolean useJwksUrl) {
+ String val = String.valueOf(useJwksUrl);
+ setAttribute(USE_JWKS_URL, val);
+ }
+
+ public String getJwksUrl() {
+ return getAttribute(JWKS_URL);
+ }
+
+ public void setJwksUrl(String jwksUrl) {
+ setAttribute(JWKS_URL, jwksUrl);
+ }
private String getAttribute(String attrKey) {
if (clientModel != null) {
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
index ac1d8e1..40e5391 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
@@ -81,7 +81,6 @@ import java.util.Set;
*/
public class TokenManager {
protected static final ServicesLogger logger = ServicesLogger.ROOT_LOGGER;
- private static final String JWT = "JWT";
// Harcoded for now
Algorithm jwsAlgorithm = Algorithm.RS256;
@@ -621,7 +620,7 @@ public class TokenManager {
public String encodeToken(RealmModel realm, Object token) {
String encodedToken = new JWSBuilder()
- .type(JWT)
+ .type(OAuth2Constants.JWT)
.kid(realm.getKeyId())
.jsonContent(token)
.sign(jwsAlgorithm, realm.getPrivateKey());
@@ -747,7 +746,7 @@ public class TokenManager {
AccessTokenResponse res = new AccessTokenResponse();
if (accessToken != null) {
- String encodedToken = new JWSBuilder().type(JWT).kid(realm.getKeyId()).jsonContent(accessToken).sign(jwsAlgorithm, realm.getPrivateKey());
+ String encodedToken = new JWSBuilder().type(OAuth2Constants.JWT).kid(realm.getKeyId()).jsonContent(accessToken).sign(jwsAlgorithm, realm.getPrivateKey());
res.setToken(encodedToken);
res.setTokenType("bearer");
res.setSessionState(accessToken.getSessionState());
@@ -765,11 +764,11 @@ public class TokenManager {
}
if (idToken != null) {
- String encodedToken = new JWSBuilder().type(JWT).kid(realm.getKeyId()).jsonContent(idToken).sign(jwsAlgorithm, realm.getPrivateKey());
+ String encodedToken = new JWSBuilder().type(OAuth2Constants.JWT).kid(realm.getKeyId()).jsonContent(idToken).sign(jwsAlgorithm, realm.getPrivateKey());
res.setIdToken(encodedToken);
}
if (refreshToken != null) {
- String encodedToken = new JWSBuilder().type(JWT).kid(realm.getKeyId()).jsonContent(refreshToken).sign(jwsAlgorithm, realm.getPrivateKey());
+ String encodedToken = new JWSBuilder().type(OAuth2Constants.JWT).kid(realm.getKeyId()).jsonContent(refreshToken).sign(jwsAlgorithm, realm.getPrivateKey());
res.setRefreshToken(encodedToken);
if (refreshToken.getExpiration() != 0) {
res.setRefreshExpiresIn(refreshToken.getExpiration() - Time.currentTime());
diff --git a/services/src/main/java/org/keycloak/services/clientregistration/oidc/DescriptionConverter.java b/services/src/main/java/org/keycloak/services/clientregistration/oidc/DescriptionConverter.java
index 2024a6f..59f36b2 100644
--- a/services/src/main/java/org/keycloak/services/clientregistration/oidc/DescriptionConverter.java
+++ b/services/src/main/java/org/keycloak/services/clientregistration/oidc/DescriptionConverter.java
@@ -24,6 +24,7 @@ import org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthen
import org.keycloak.authentication.authenticators.client.JWTClientAuthenticator;
import org.keycloak.jose.jwk.JSONWebKeySet;
import org.keycloak.jose.jwk.JWK;
+import org.keycloak.jose.jwk.JWKParser;
import org.keycloak.jose.jws.Algorithm;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.utils.KeycloakModelUtils;
@@ -31,7 +32,7 @@ import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.mappers.PairwiseSubMapperHelper;
import org.keycloak.protocol.oidc.utils.AuthorizeClientUtil;
-import org.keycloak.protocol.oidc.utils.JWKSUtils;
+import org.keycloak.protocol.oidc.utils.JWKSHttpUtils;
import org.keycloak.protocol.oidc.utils.OIDCResponseType;
import org.keycloak.protocol.oidc.utils.PairwiseSubMapperUtils;
import org.keycloak.protocol.oidc.utils.SubjectType;
@@ -41,6 +42,7 @@ import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.representations.oidc.OIDCClientRepresentation;
import org.keycloak.services.clientregistration.ClientRegistrationException;
import org.keycloak.services.util.CertificateInfoHelper;
+import org.keycloak.util.JWKSUtils;
import java.io.IOException;
import java.net.URI;
@@ -94,19 +96,11 @@ public class DescriptionConverter {
}
client.setClientAuthenticatorType(clientAuthFactory.getId());
- PublicKey publicKey = retrievePublicKey(session, clientOIDC);
- if (authMethod != null && authMethod.equals(OIDCLoginProtocol.PRIVATE_KEY_JWT) && publicKey == null) {
+ boolean publicKeySet = setPublicKey(clientOIDC, client);
+ if (authMethod != null && authMethod.equals(OIDCLoginProtocol.PRIVATE_KEY_JWT) && !publicKeySet) {
throw new ClientRegistrationException("Didn't find key of supported keyType for use " + JWK.Use.SIG.asString());
}
- if (publicKey != null) {
- String publicKeyPem = KeycloakModelUtils.getPemFromKey(publicKey);
-
- CertificateRepresentation rep = new CertificateRepresentation();
- rep.setPublicKey(publicKeyPem);
- CertificateInfoHelper.updateClientRepresentationCertificateInfo(client, rep, JWTClientAuthenticator.ATTR_PREFIX);
- }
-
OIDCAdvancedConfigWrapper configWrapper = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
if (clientOIDC.getUserinfoSignedResponseAlg() != null) {
Algorithm algorithm = Enum.valueOf(Algorithm.class, clientOIDC.getUserinfoSignedResponseAlg());
@@ -122,27 +116,39 @@ public class DescriptionConverter {
}
- private static PublicKey retrievePublicKey(KeycloakSession session, OIDCClientRepresentation clientOIDC) {
+ private static boolean setPublicKey(OIDCClientRepresentation clientOIDC, ClientRepresentation clientRep) {
if (clientOIDC.getJwksUri() == null && clientOIDC.getJwks() == null) {
- return null;
+ return false;
}
if (clientOIDC.getJwksUri() != null && clientOIDC.getJwks() != null) {
throw new ClientRegistrationException("Illegal to use both jwks_uri and jwks");
}
- JSONWebKeySet keySet;
+ OIDCAdvancedConfigWrapper configWrapper = OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep);
+
if (clientOIDC.getJwks() != null) {
- keySet = clientOIDC.getJwks();
- } else {
- try {
- keySet = JWKSUtils.sendJwksRequest(session, clientOIDC.getJwksUri());
- } catch (IOException ioe) {
- throw new ClientRegistrationException("Failed to send JWKS request to specified jwks_uri", ioe);
+ JSONWebKeySet keySet = clientOIDC.getJwks();
+ JWK publicKeyJWk = JWKSUtils.getKeyForUse(keySet, JWK.Use.SIG);
+ if (publicKeyJWk == null) {
+ return false;
+ } else {
+ PublicKey publicKey = JWKParser.create(publicKeyJWk).toPublicKey();
+ String publicKeyPem = KeycloakModelUtils.getPemFromKey(publicKey);
+ CertificateRepresentation rep = new CertificateRepresentation();
+ rep.setPublicKey(publicKeyPem);
+ rep.setKid(publicKeyJWk.getKeyId());
+ CertificateInfoHelper.updateClientRepresentationCertificateInfo(clientRep, rep, JWTClientAuthenticator.ATTR_PREFIX);
+
+ configWrapper.setUseJwksUrl(false);
+
+ return true;
}
+ } else {
+ configWrapper.setUseJwksUrl(true);
+ configWrapper.setJwksUrl(clientOIDC.getJwksUri());
+ return true;
}
-
- return JWKSUtils.getKeyForUse(keySet, JWK.Use.SIG);
}
@@ -176,6 +182,9 @@ public class DescriptionConverter {
if (config.getRequestObjectSignatureAlg() != null) {
response.setRequestObjectSigningAlg(config.getRequestObjectSignatureAlg().toString());
}
+ if (config.isUseJwksUrl()) {
+ response.setJwksUri(config.getJwksUrl());
+ }
List<ProtocolMapperRepresentation> foundPairwiseMappers = PairwiseSubMapperUtils.getPairwiseSubMappers(client);
SubjectType subjectType = foundPairwiseMappers.isEmpty() ? SubjectType.PUBLIC : SubjectType.PAIRWISE;
diff --git a/services/src/main/java/org/keycloak/services/clientregistration/oidc/OIDCClientRegistrationProvider.java b/services/src/main/java/org/keycloak/services/clientregistration/oidc/OIDCClientRegistrationProvider.java
index 5277505..f797a78 100755
--- a/services/src/main/java/org/keycloak/services/clientregistration/oidc/OIDCClientRegistrationProvider.java
+++ b/services/src/main/java/org/keycloak/services/clientregistration/oidc/OIDCClientRegistrationProvider.java
@@ -23,11 +23,9 @@ import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.models.utils.RepresentationToModel;
-import org.keycloak.protocol.ProtocolMapperConfigException;
import org.keycloak.protocol.oidc.mappers.AbstractPairwiseSubMapper;
import org.keycloak.protocol.oidc.mappers.PairwiseSubMapperHelper;
import org.keycloak.protocol.oidc.mappers.SHA256PairwiseSubMapper;
-import org.keycloak.protocol.oidc.utils.PairwiseSubMapperValidator;
import org.keycloak.protocol.oidc.utils.SubjectType;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.representations.oidc.OIDCClientRepresentation;
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/ClientAttributeCertificateResource.java b/services/src/main/java/org/keycloak/services/resources/admin/ClientAttributeCertificateResource.java
index 152d632..6fd30ce 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/ClientAttributeCertificateResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/ClientAttributeCertificateResource.java
@@ -27,16 +27,18 @@ import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.jose.jwk.JSONWebKeySet;
import org.keycloak.jose.jwk.JWK;
+import org.keycloak.jose.jwk.JWKParser;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;
-import org.keycloak.protocol.oidc.utils.JWKSUtils;
+import org.keycloak.protocol.oidc.utils.JWKSHttpUtils;
import org.keycloak.representations.KeyStoreConfig;
import org.keycloak.representations.idm.CertificateRepresentation;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.common.util.PemUtils;
import org.keycloak.services.util.CertificateInfoHelper;
+import org.keycloak.util.JWKSUtils;
import org.keycloak.util.JsonSerialization;
import javax.ws.rs.Consumes;
@@ -149,16 +151,15 @@ public class ClientAttributeCertificateResource {
throw new NotFoundException("Could not find client");
}
- CertificateRepresentation info = getCertFromRequest(uriInfo, input);
-
try {
+ CertificateRepresentation info = getCertFromRequest(input);
CertificateInfoHelper.updateClientModelCertificateInfo(client, info, attributePrefix);
+
+ adminEvent.operation(OperationType.ACTION).resourcePath(session.getContext().getUri()).representation(info).success();
+ return info;
} catch (IllegalStateException ise) {
throw new ErrorResponseException("certificate-not-found", "Certificate or key with given alias not found in the keystore", Response.Status.BAD_REQUEST);
}
-
- adminEvent.operation(OperationType.ACTION).resourcePath(session.getContext().getUri()).representation(info).success();
- return info;
}
/**
@@ -180,20 +181,19 @@ public class ClientAttributeCertificateResource {
throw new NotFoundException("Could not find client");
}
- CertificateRepresentation info = getCertFromRequest(uriInfo, input);
- info.setPrivateKey(null);
-
try {
+ CertificateRepresentation info = getCertFromRequest(input);
+ info.setPrivateKey(null);
CertificateInfoHelper.updateClientModelCertificateInfo(client, info, attributePrefix);
+
+ adminEvent.operation(OperationType.ACTION).resourcePath(session.getContext().getUri()).representation(info).success();
+ return info;
} catch (IllegalStateException ise) {
throw new ErrorResponseException("certificate-not-found", "Certificate or key with given alias not found in the keystore", Response.Status.BAD_REQUEST);
}
-
- adminEvent.operation(OperationType.ACTION).resourcePath(session.getContext().getUri()).representation(info).success();
- return info;
}
- private CertificateRepresentation getCertFromRequest(UriInfo uriInfo, MultipartFormDataInput input) throws IOException {
+ private CertificateRepresentation getCertFromRequest(MultipartFormDataInput input) throws IOException {
auth.requireManage();
CertificateRepresentation info = new CertificateRepresentation();
Map<String, List<InputPart>> uploadForm = input.getFormDataMap();
@@ -218,10 +218,16 @@ public class ClientAttributeCertificateResource {
} else if (keystoreFormat.equals(JSON_WEB_KEY_SET)) {
InputStream stream = inputParts.get(0).getBody(InputStream.class, null);
JSONWebKeySet keySet = JsonSerialization.readValue(stream, JSONWebKeySet.class);
- PublicKey publicKey = JWKSUtils.getKeyForUse(keySet, JWK.Use.SIG);
- String publicKeyPem = KeycloakModelUtils.getPemFromKey(publicKey);
- info.setPublicKey(publicKeyPem);
- return info;
+ JWK publicKeyJwk = JWKSUtils.getKeyForUse(keySet, JWK.Use.SIG);
+ if (publicKeyJwk == null) {
+ throw new IllegalStateException("Certificate not found for use sig");
+ } else {
+ PublicKey publicKey = JWKParser.create(publicKeyJwk).toPublicKey();
+ String publicKeyPem = KeycloakModelUtils.getPemFromKey(publicKey);
+ info.setPublicKey(publicKeyPem);
+ info.setKid(publicKeyJwk.getKeyId());
+ return info;
+ }
}
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/IdentityProviderResource.java b/services/src/main/java/org/keycloak/services/resources/admin/IdentityProviderResource.java
index d92bd46..fa7355d 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/IdentityProviderResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/IdentityProviderResource.java
@@ -229,7 +229,7 @@ public class IdentityProviderResource {
try {
IdentityProviderFactory factory = getIdentityProviderFactory();
- return factory.create(identityProviderModel).export(uriInfo, realm, format);
+ return factory.create(session, identityProviderModel).export(uriInfo, realm, format);
} catch (Exception e) {
return ErrorResponse.error("Could not export public broker configuration for identity provider [" + identityProviderModel.getProviderId() + "].", Response.Status.NOT_FOUND);
}
diff --git a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
index 9181817..7ea641d 100755
--- a/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
+++ b/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
@@ -801,7 +801,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
throw new IdentityBrokerException("Could not find factory for identity provider [" + alias + "].");
}
- return providerFactory.create(identityProviderModel);
+ return providerFactory.create(session, identityProviderModel);
}
throw new IdentityBrokerException("Identity Provider [" + alias + "] not found.");
diff --git a/services/src/main/java/org/keycloak/services/util/CertificateInfoHelper.java b/services/src/main/java/org/keycloak/services/util/CertificateInfoHelper.java
index 359d28d..5cc9b1f 100644
--- a/services/src/main/java/org/keycloak/services/util/CertificateInfoHelper.java
+++ b/services/src/main/java/org/keycloak/services/util/CertificateInfoHelper.java
@@ -42,6 +42,8 @@ public class CertificateInfoHelper {
public static final String X509CERTIFICATE = "certificate";
public static final String PUBLIC_KEY = "public.key";
+ public static final String KID = "kid";
+
// CLIENT MODEL METHODS
@@ -49,11 +51,13 @@ public class CertificateInfoHelper {
String privateKeyAttribute = attributePrefix + "." + PRIVATE_KEY;
String certificateAttribute = attributePrefix + "." + X509CERTIFICATE;
String publicKeyAttribute = attributePrefix + "." + PUBLIC_KEY;
+ String kidAttribute = attributePrefix + "." + KID;
CertificateRepresentation rep = new CertificateRepresentation();
rep.setCertificate(client.getAttribute(certificateAttribute));
rep.setPublicKey(client.getAttribute(publicKeyAttribute));
rep.setPrivateKey(client.getAttribute(privateKeyAttribute));
+ rep.setKid(client.getAttribute(kidAttribute));
return rep;
}
@@ -63,6 +67,7 @@ public class CertificateInfoHelper {
String privateKeyAttribute = attributePrefix + "." + PRIVATE_KEY;
String certificateAttribute = attributePrefix + "." + X509CERTIFICATE;
String publicKeyAttribute = attributePrefix + "." + PUBLIC_KEY;
+ String kidAttribute = attributePrefix + "." + KID;
if (rep.getPublicKey() == null && rep.getCertificate() == null) {
throw new IllegalStateException("Both certificate and publicKey are null!");
@@ -75,6 +80,7 @@ public class CertificateInfoHelper {
setOrRemoveAttr(client, privateKeyAttribute, rep.getPrivateKey());
setOrRemoveAttr(client, publicKeyAttribute, rep.getPublicKey());
setOrRemoveAttr(client, certificateAttribute, rep.getCertificate());
+ setOrRemoveAttr(client, kidAttribute, rep.getKid());
}
private static void setOrRemoveAttr(ClientModel client, String attrName, String attrValue) {
@@ -86,36 +92,13 @@ public class CertificateInfoHelper {
}
- public static PublicKey getSignatureValidationKey(ClientModel client, String attributePrefix) throws ModelException {
- CertificateRepresentation certInfo = getCertificateFromClient(client, attributePrefix);
-
- String encodedCertificate = certInfo.getCertificate();
- String encodedPublicKey = certInfo.getPublicKey();
-
- if (encodedCertificate == null && encodedPublicKey == null) {
- throw new ModelException("Client doesn't have certificate or publicKey configured");
- }
-
- if (encodedCertificate != null && encodedPublicKey != null) {
- throw new ModelException("Client has both publicKey and certificate configured");
- }
-
- // TODO: Caching of publicKeys / certificates, so it doesn't need to be always computed from pem. For performance reasons...
- if (encodedCertificate != null) {
- X509Certificate clientCert = KeycloakModelUtils.getCertificate(encodedCertificate);
- return clientCert.getPublicKey();
- } else {
- return KeycloakModelUtils.getPublicKey(encodedPublicKey);
- }
- }
-
-
// CLIENT REPRESENTATION METHODS
public static void updateClientRepresentationCertificateInfo(ClientRepresentation client, CertificateRepresentation rep, String attributePrefix) {
String privateKeyAttribute = attributePrefix + "." + PRIVATE_KEY;
String certificateAttribute = attributePrefix + "." + X509CERTIFICATE;
String publicKeyAttribute = attributePrefix + "." + PUBLIC_KEY;
+ String kidAttribute = attributePrefix + "." + KID;
if (rep.getPublicKey() == null && rep.getCertificate() == null) {
throw new IllegalStateException("Both certificate and publicKey are null!");
@@ -128,6 +111,7 @@ public class CertificateInfoHelper {
setOrRemoveAttr(client, privateKeyAttribute, rep.getPrivateKey());
setOrRemoveAttr(client, publicKeyAttribute, rep.getPublicKey());
setOrRemoveAttr(client, certificateAttribute, rep.getCertificate());
+ setOrRemoveAttr(client, kidAttribute, rep.getKid());
}
private static void setOrRemoveAttr(ClientRepresentation client, String attrName, String attrValue) {
diff --git a/services/src/main/java/org/keycloak/social/facebook/FacebookIdentityProvider.java b/services/src/main/java/org/keycloak/social/facebook/FacebookIdentityProvider.java
index 0600114..f76057d 100755
--- a/services/src/main/java/org/keycloak/social/facebook/FacebookIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/social/facebook/FacebookIdentityProvider.java
@@ -26,6 +26,7 @@ import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.broker.social.SocialIdentityProvider;
+import org.keycloak.models.KeycloakSession;
/**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@@ -37,8 +38,8 @@ public class FacebookIdentityProvider extends AbstractOAuth2IdentityProvider imp
public static final String PROFILE_URL = "https://graph.facebook.com/me?fields=id,name,email,first_name,last_name";
public static final String DEFAULT_SCOPE = "email";
- public FacebookIdentityProvider(OAuth2IdentityProviderConfig config) {
- super(config);
+ public FacebookIdentityProvider(KeycloakSession session, OAuth2IdentityProviderConfig config) {
+ super(session, config);
config.setAuthorizationUrl(AUTH_URL);
config.setTokenUrl(TOKEN_URL);
config.setUserInfoUrl(PROFILE_URL);
diff --git a/services/src/main/java/org/keycloak/social/facebook/FacebookIdentityProviderFactory.java b/services/src/main/java/org/keycloak/social/facebook/FacebookIdentityProviderFactory.java
index 08a088b..5995a4c 100755
--- a/services/src/main/java/org/keycloak/social/facebook/FacebookIdentityProviderFactory.java
+++ b/services/src/main/java/org/keycloak/social/facebook/FacebookIdentityProviderFactory.java
@@ -20,6 +20,7 @@ import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.broker.social.SocialIdentityProviderFactory;
+import org.keycloak.models.KeycloakSession;
/**
* @author Pedro Igor
@@ -34,8 +35,8 @@ public class FacebookIdentityProviderFactory extends AbstractIdentityProviderFac
}
@Override
- public FacebookIdentityProvider create(IdentityProviderModel model) {
- return new FacebookIdentityProvider(new OAuth2IdentityProviderConfig(model));
+ public FacebookIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
+ return new FacebookIdentityProvider(session, new OAuth2IdentityProviderConfig(model));
}
@Override
diff --git a/services/src/main/java/org/keycloak/social/github/GitHubIdentityProvider.java b/services/src/main/java/org/keycloak/social/github/GitHubIdentityProvider.java
index c10af75..cf2a53e 100755
--- a/services/src/main/java/org/keycloak/social/github/GitHubIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/social/github/GitHubIdentityProvider.java
@@ -26,6 +26,7 @@ import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.broker.social.SocialIdentityProvider;
+import org.keycloak.models.KeycloakSession;
/**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@@ -37,8 +38,8 @@ public class GitHubIdentityProvider extends AbstractOAuth2IdentityProvider imple
public static final String PROFILE_URL = "https://api.github.com/user";
public static final String DEFAULT_SCOPE = "user:email";
- public GitHubIdentityProvider(OAuth2IdentityProviderConfig config) {
- super(config);
+ public GitHubIdentityProvider(KeycloakSession session, OAuth2IdentityProviderConfig config) {
+ super(session, config);
config.setAuthorizationUrl(AUTH_URL);
config.setTokenUrl(TOKEN_URL);
config.setUserInfoUrl(PROFILE_URL);
diff --git a/services/src/main/java/org/keycloak/social/github/GitHubIdentityProviderFactory.java b/services/src/main/java/org/keycloak/social/github/GitHubIdentityProviderFactory.java
index fd21036..e1c05b8 100755
--- a/services/src/main/java/org/keycloak/social/github/GitHubIdentityProviderFactory.java
+++ b/services/src/main/java/org/keycloak/social/github/GitHubIdentityProviderFactory.java
@@ -20,6 +20,7 @@ import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.broker.social.SocialIdentityProviderFactory;
+import org.keycloak.models.KeycloakSession;
/**
* @author Pedro Igor
@@ -34,8 +35,8 @@ public class GitHubIdentityProviderFactory extends AbstractIdentityProviderFacto
}
@Override
- public GitHubIdentityProvider create(IdentityProviderModel model) {
- return new GitHubIdentityProvider(new OAuth2IdentityProviderConfig(model));
+ public GitHubIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
+ return new GitHubIdentityProvider(session, new OAuth2IdentityProviderConfig(model));
}
@Override
diff --git a/services/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java b/services/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java
index 81b349e..060f51a 100755
--- a/services/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java
@@ -19,6 +19,7 @@ package org.keycloak.social.google;
import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
import org.keycloak.broker.social.SocialIdentityProvider;
+import org.keycloak.models.KeycloakSession;
/**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@@ -30,8 +31,8 @@ public class GoogleIdentityProvider extends OIDCIdentityProvider implements Soci
public static final String PROFILE_URL = "https://www.googleapis.com/plus/v1/people/me/openIdConnect";
public static final String DEFAULT_SCOPE = "openid profile email";
- public GoogleIdentityProvider(OIDCIdentityProviderConfig config) {
- super(config);
+ public GoogleIdentityProvider(KeycloakSession session, OIDCIdentityProviderConfig config) {
+ super(session, config);
config.setAuthorizationUrl(AUTH_URL);
config.setTokenUrl(TOKEN_URL);
config.setUserInfoUrl(PROFILE_URL);
diff --git a/services/src/main/java/org/keycloak/social/google/GoogleIdentityProviderFactory.java b/services/src/main/java/org/keycloak/social/google/GoogleIdentityProviderFactory.java
index aac25f8..6db6219 100755
--- a/services/src/main/java/org/keycloak/social/google/GoogleIdentityProviderFactory.java
+++ b/services/src/main/java/org/keycloak/social/google/GoogleIdentityProviderFactory.java
@@ -20,6 +20,7 @@ import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.broker.social.SocialIdentityProviderFactory;
+import org.keycloak.models.KeycloakSession;
/**
* @author Pedro Igor
@@ -34,8 +35,8 @@ public class GoogleIdentityProviderFactory extends AbstractIdentityProviderFacto
}
@Override
- public GoogleIdentityProvider create(IdentityProviderModel model) {
- return new GoogleIdentityProvider(new OIDCIdentityProviderConfig(model));
+ public GoogleIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
+ return new GoogleIdentityProvider(session, new OIDCIdentityProviderConfig(model));
}
@Override
diff --git a/services/src/main/java/org/keycloak/social/linkedin/LinkedInIdentityProvider.java b/services/src/main/java/org/keycloak/social/linkedin/LinkedInIdentityProvider.java
index 2fc075c..2c9304e 100755
--- a/services/src/main/java/org/keycloak/social/linkedin/LinkedInIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/social/linkedin/LinkedInIdentityProvider.java
@@ -30,6 +30,7 @@ import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.broker.social.SocialIdentityProvider;
+import org.keycloak.models.KeycloakSession;
/**
* LinkedIn social provider. See https://developer.linkedin.com/docs/oauth2
@@ -45,8 +46,8 @@ public class LinkedInIdentityProvider extends AbstractOAuth2IdentityProvider imp
public static final String PROFILE_URL = "https://api.linkedin.com/v1/people/~:(id,formatted-name,email-address,public-profile-url)?format=json";
public static final String DEFAULT_SCOPE = "r_basicprofile r_emailaddress";
- public LinkedInIdentityProvider(OAuth2IdentityProviderConfig config) {
- super(config);
+ public LinkedInIdentityProvider(KeycloakSession session, OAuth2IdentityProviderConfig config) {
+ super(session, config);
config.setAuthorizationUrl(AUTH_URL);
config.setTokenUrl(TOKEN_URL);
config.setUserInfoUrl(PROFILE_URL);
diff --git a/services/src/main/java/org/keycloak/social/linkedin/LinkedInIdentityProviderFactory.java b/services/src/main/java/org/keycloak/social/linkedin/LinkedInIdentityProviderFactory.java
index a80db20..10b94b4 100755
--- a/services/src/main/java/org/keycloak/social/linkedin/LinkedInIdentityProviderFactory.java
+++ b/services/src/main/java/org/keycloak/social/linkedin/LinkedInIdentityProviderFactory.java
@@ -20,6 +20,7 @@ import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.broker.social.SocialIdentityProviderFactory;
+import org.keycloak.models.KeycloakSession;
/**
* @author Vlastimil Elias (velias at redhat dot com)
@@ -35,8 +36,8 @@ public class LinkedInIdentityProviderFactory extends AbstractIdentityProviderFac
}
@Override
- public LinkedInIdentityProvider create(IdentityProviderModel model) {
- return new LinkedInIdentityProvider(new OAuth2IdentityProviderConfig(model));
+ public LinkedInIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
+ return new LinkedInIdentityProvider(session, new OAuth2IdentityProviderConfig(model));
}
@Override
diff --git a/services/src/main/java/org/keycloak/social/microsoft/MicrosoftIdentityProvider.java b/services/src/main/java/org/keycloak/social/microsoft/MicrosoftIdentityProvider.java
index ed58da1..ef8777a 100755
--- a/services/src/main/java/org/keycloak/social/microsoft/MicrosoftIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/social/microsoft/MicrosoftIdentityProvider.java
@@ -30,6 +30,7 @@ import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.broker.social.SocialIdentityProvider;
import com.fasterxml.jackson.databind.JsonNode;
+import org.keycloak.models.KeycloakSession;
/**
*
@@ -46,8 +47,8 @@ public class MicrosoftIdentityProvider extends AbstractOAuth2IdentityProvider im
public static final String PROFILE_URL = "https://apis.live.net/v5.0/me";
public static final String DEFAULT_SCOPE = "wl.basic,wl.emails";
- public MicrosoftIdentityProvider(OAuth2IdentityProviderConfig config) {
- super(config);
+ public MicrosoftIdentityProvider(KeycloakSession session, OAuth2IdentityProviderConfig config) {
+ super(session, config);
config.setAuthorizationUrl(AUTH_URL);
config.setTokenUrl(TOKEN_URL);
config.setUserInfoUrl(PROFILE_URL);
diff --git a/services/src/main/java/org/keycloak/social/microsoft/MicrosoftIdentityProviderFactory.java b/services/src/main/java/org/keycloak/social/microsoft/MicrosoftIdentityProviderFactory.java
index 15cd91d..eee3e87 100644
--- a/services/src/main/java/org/keycloak/social/microsoft/MicrosoftIdentityProviderFactory.java
+++ b/services/src/main/java/org/keycloak/social/microsoft/MicrosoftIdentityProviderFactory.java
@@ -20,6 +20,7 @@ import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
import org.keycloak.broker.social.SocialIdentityProviderFactory;
import org.keycloak.models.IdentityProviderModel;
+import org.keycloak.models.KeycloakSession;
/**
* @author Vlastimil Elias (velias at redhat dot com)
@@ -34,8 +35,8 @@ public class MicrosoftIdentityProviderFactory extends AbstractIdentityProviderFa
}
@Override
- public MicrosoftIdentityProvider create(IdentityProviderModel model) {
- return new MicrosoftIdentityProvider(new OAuth2IdentityProviderConfig(model));
+ public MicrosoftIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
+ return new MicrosoftIdentityProvider(session, new OAuth2IdentityProviderConfig(model));
}
@Override
diff --git a/services/src/main/java/org/keycloak/social/stackoverflow/StackoverflowIdentityProvider.java b/services/src/main/java/org/keycloak/social/stackoverflow/StackoverflowIdentityProvider.java
index 53f620c..6b25b59 100755
--- a/services/src/main/java/org/keycloak/social/stackoverflow/StackoverflowIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/social/stackoverflow/StackoverflowIdentityProvider.java
@@ -31,6 +31,7 @@ import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.broker.social.SocialIdentityProvider;
+import org.keycloak.models.KeycloakSession;
/**
* Stackoverflow social provider. See https://api.stackexchange.com/docs/authentication
@@ -46,8 +47,8 @@ public class StackoverflowIdentityProvider extends AbstractOAuth2IdentityProvide
public static final String PROFILE_URL = "https://api.stackexchange.com/2.2/me?order=desc&sort=name&site=stackoverflow";
public static final String DEFAULT_SCOPE = "";
- public StackoverflowIdentityProvider(StackOverflowIdentityProviderConfig config) {
- super(config);
+ public StackoverflowIdentityProvider(KeycloakSession session, StackOverflowIdentityProviderConfig config) {
+ super(session, config);
config.setAuthorizationUrl(AUTH_URL);
config.setTokenUrl(TOKEN_URL);
config.setUserInfoUrl(PROFILE_URL);
diff --git a/services/src/main/java/org/keycloak/social/stackoverflow/StackoverflowIdentityProviderFactory.java b/services/src/main/java/org/keycloak/social/stackoverflow/StackoverflowIdentityProviderFactory.java
index 60a0a66..4c8deb9 100755
--- a/services/src/main/java/org/keycloak/social/stackoverflow/StackoverflowIdentityProviderFactory.java
+++ b/services/src/main/java/org/keycloak/social/stackoverflow/StackoverflowIdentityProviderFactory.java
@@ -19,6 +19,7 @@ package org.keycloak.social.stackoverflow;
import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.broker.social.SocialIdentityProviderFactory;
+import org.keycloak.models.KeycloakSession;
/**
* @author Vlastimil Elias (velias at redhat dot com)
@@ -35,8 +36,8 @@ public class StackoverflowIdentityProviderFactory extends
}
@Override
- public StackoverflowIdentityProvider create(IdentityProviderModel model) {
- return new StackoverflowIdentityProvider(new StackOverflowIdentityProviderConfig(model));
+ public StackoverflowIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
+ return new StackoverflowIdentityProvider(session, new StackOverflowIdentityProviderConfig(model));
}
@Override
diff --git a/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java b/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java
index d4f74cd..a114cbc 100755
--- a/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java
@@ -57,8 +57,8 @@ public class TwitterIdentityProvider extends AbstractIdentityProvider<OAuth2Iden
SocialIdentityProvider<OAuth2IdentityProviderConfig> {
protected static final Logger logger = Logger.getLogger(TwitterIdentityProvider.class);
- public TwitterIdentityProvider(OAuth2IdentityProviderConfig config) {
- super(config);
+ public TwitterIdentityProvider(KeycloakSession session, OAuth2IdentityProviderConfig config) {
+ super(session, config);
}
@Override
diff --git a/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProviderFactory.java b/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProviderFactory.java
index 0916a8c..74e1a3d 100755
--- a/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProviderFactory.java
+++ b/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProviderFactory.java
@@ -20,6 +20,7 @@ import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.broker.social.SocialIdentityProviderFactory;
+import org.keycloak.models.KeycloakSession;
/**
* @author Pedro Igor
@@ -34,8 +35,8 @@ public class TwitterIdentityProviderFactory extends AbstractIdentityProviderFact
}
@Override
- public TwitterIdentityProvider create(IdentityProviderModel model) {
- return new TwitterIdentityProvider(new OAuth2IdentityProviderConfig(model));
+ public TwitterIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
+ return new TwitterIdentityProvider(session, new OAuth2IdentityProviderConfig(model));
}
@Override
diff --git a/services/src/test/java/org/keycloak/test/broker/oidc/AbstractOAuth2IdentityProviderTest.java b/services/src/test/java/org/keycloak/test/broker/oidc/AbstractOAuth2IdentityProviderTest.java
index 4b97d2b..e706f54 100755
--- a/services/src/test/java/org/keycloak/test/broker/oidc/AbstractOAuth2IdentityProviderTest.java
+++ b/services/src/test/java/org/keycloak/test/broker/oidc/AbstractOAuth2IdentityProviderTest.java
@@ -24,6 +24,7 @@ import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.models.IdentityProviderModel;
+import org.keycloak.models.KeycloakSession;
import java.io.IOException;
import java.util.HashMap;
@@ -129,7 +130,7 @@ public class AbstractOAuth2IdentityProviderTest {
private static class TestProvider extends AbstractOAuth2IdentityProvider<OAuth2IdentityProviderConfig> {
public TestProvider(OAuth2IdentityProviderConfig config) {
- super(config);
+ super(null, config);
}
@Override
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/IdentityProviderRegistrationTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/IdentityProviderRegistrationTest.java
index a366222..83326dd 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/IdentityProviderRegistrationTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/IdentityProviderRegistrationTest.java
@@ -64,7 +64,7 @@ public class IdentityProviderRegistrationTest extends AbstractIdentityProviderMo
identityProviderModel.setAlias("custom-provider");
- CustomSocialProvider customSocialProvider = providerFactory.create(identityProviderModel);
+ CustomSocialProvider customSocialProvider = providerFactory.create(this.session, identityProviderModel);
assertNotNull(customSocialProvider);
IdentityProviderModel config = customSocialProvider.getConfig();
@@ -87,7 +87,7 @@ public class IdentityProviderRegistrationTest extends AbstractIdentityProviderMo
identityProviderModel.setAlias("custom-provider");
- CustomIdentityProvider provider = providerFactory.create(identityProviderModel);
+ CustomIdentityProvider provider = providerFactory.create(this.session, identityProviderModel);
assertNotNull(provider);
IdentityProviderModel config = provider.getConfig();
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/ImportIdentityProviderTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/ImportIdentityProviderTest.java
index d4ad05f..4118a34 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/ImportIdentityProviderTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/ImportIdentityProviderTest.java
@@ -158,7 +158,7 @@ public class ImportIdentityProviderTest extends AbstractIdentityProviderModelTes
}
private void assertGoogleIdentityProviderConfig(IdentityProviderModel identityProvider) {
- GoogleIdentityProvider googleIdentityProvider = new GoogleIdentityProviderFactory().create(identityProvider);
+ GoogleIdentityProvider googleIdentityProvider = new GoogleIdentityProviderFactory().create(session, identityProvider);
OIDCIdentityProviderConfig config = googleIdentityProvider.getConfig();
assertEquals("model-google", config.getAlias());
@@ -176,7 +176,7 @@ public class ImportIdentityProviderTest extends AbstractIdentityProviderModelTes
}
private void assertSamlIdentityProviderConfig(IdentityProviderModel identityProvider) {
- SAMLIdentityProvider samlIdentityProvider = new SAMLIdentityProviderFactory().create(identityProvider);
+ SAMLIdentityProvider samlIdentityProvider = new SAMLIdentityProviderFactory().create(session, identityProvider);
SAMLIdentityProviderConfig config = samlIdentityProvider.getConfig();
assertEquals("model-saml-signed-idp", config.getAlias());
@@ -196,7 +196,7 @@ public class ImportIdentityProviderTest extends AbstractIdentityProviderModelTes
}
private void assertOidcIdentityProviderConfig(IdentityProviderModel identityProvider) {
- OIDCIdentityProvider googleIdentityProvider = new OIDCIdentityProviderFactory().create(identityProvider);
+ OIDCIdentityProvider googleIdentityProvider = new OIDCIdentityProviderFactory().create(session, identityProvider);
OIDCIdentityProviderConfig config = googleIdentityProvider.getConfig();
assertEquals("model-oidc-idp", config.getAlias());
@@ -210,7 +210,7 @@ public class ImportIdentityProviderTest extends AbstractIdentityProviderModelTes
}
private void assertFacebookIdentityProviderConfig(RealmModel realm, IdentityProviderModel identityProvider) {
- FacebookIdentityProvider facebookIdentityProvider = new FacebookIdentityProviderFactory().create(identityProvider);
+ FacebookIdentityProvider facebookIdentityProvider = new FacebookIdentityProviderFactory().create(session, identityProvider);
OAuth2IdentityProviderConfig config = facebookIdentityProvider.getConfig();
assertEquals("model-facebook", config.getAlias());
@@ -229,7 +229,7 @@ public class ImportIdentityProviderTest extends AbstractIdentityProviderModelTes
}
private void assertGitHubIdentityProviderConfig(RealmModel realm, IdentityProviderModel identityProvider) {
- GitHubIdentityProvider gitHubIdentityProvider = new GitHubIdentityProviderFactory().create(identityProvider);
+ GitHubIdentityProvider gitHubIdentityProvider = new GitHubIdentityProviderFactory().create(session, identityProvider);
OAuth2IdentityProviderConfig config = gitHubIdentityProvider.getConfig();
assertEquals("model-github", config.getAlias());
@@ -248,7 +248,7 @@ public class ImportIdentityProviderTest extends AbstractIdentityProviderModelTes
}
private void assertLinkedInIdentityProviderConfig(IdentityProviderModel identityProvider) {
- LinkedInIdentityProvider liIdentityProvider = new LinkedInIdentityProviderFactory().create(identityProvider);
+ LinkedInIdentityProvider liIdentityProvider = new LinkedInIdentityProviderFactory().create(session, identityProvider);
OAuth2IdentityProviderConfig config = liIdentityProvider.getConfig();
assertEquals("model-linkedin", config.getAlias());
@@ -265,7 +265,7 @@ public class ImportIdentityProviderTest extends AbstractIdentityProviderModelTes
}
private void assertStackoverflowIdentityProviderConfig(IdentityProviderModel identityProvider) {
- StackoverflowIdentityProvider soIdentityProvider = new StackoverflowIdentityProviderFactory().create(identityProvider);
+ StackoverflowIdentityProvider soIdentityProvider = new StackoverflowIdentityProviderFactory().create(session, identityProvider);
StackOverflowIdentityProviderConfig config = soIdentityProvider.getConfig();
assertEquals("model-stackoverflow", config.getAlias());
@@ -283,7 +283,7 @@ public class ImportIdentityProviderTest extends AbstractIdentityProviderModelTes
}
private void assertTwitterIdentityProviderConfig(IdentityProviderModel identityProvider) {
- TwitterIdentityProvider twitterIdentityProvider = new TwitterIdentityProviderFactory().create(identityProvider);
+ TwitterIdentityProvider twitterIdentityProvider = new TwitterIdentityProviderFactory().create(session, identityProvider);
OAuth2IdentityProviderConfig config = twitterIdentityProvider.getConfig();
assertEquals("model-twitter", config.getAlias());
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeyCloakServerBrokerBasicTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeyCloakServerBrokerBasicTest.java
index d79d85f..8b4d677 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeyCloakServerBrokerBasicTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeyCloakServerBrokerBasicTest.java
@@ -180,4 +180,5 @@ public class OIDCKeyCloakServerBrokerBasicTest extends AbstractKeycloakIdentityP
public void testAccountManagementLinkedIdentityAlreadyExists() {
super.testAccountManagementLinkedIdentityAlreadyExists();
}
+
}
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeycloakServerBrokerWithSignatureTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeycloakServerBrokerWithSignatureTest.java
new file mode 100644
index 0000000..910356d
--- /dev/null
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/OIDCKeycloakServerBrokerWithSignatureTest.java
@@ -0,0 +1,174 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.testsuite.broker;
+
+
+import javax.ws.rs.core.UriBuilder;
+
+import org.junit.BeforeClass;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.keycloak.admin.client.Keycloak;
+import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
+import org.keycloak.common.util.Time;
+import org.keycloak.models.IdentityProviderModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
+import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
+import org.keycloak.representations.idm.RealmRepresentation;
+import org.keycloak.services.managers.RealmManager;
+import org.keycloak.testsuite.Constants;
+import org.keycloak.testsuite.KeycloakServer;
+import org.keycloak.testsuite.rule.AbstractKeycloakRule;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class OIDCKeycloakServerBrokerWithSignatureTest extends AbstractIdentityProviderTest {
+
+ private static final int PORT = 8082;
+
+ private static Keycloak keycloak1;
+ private static Keycloak keycloak2;
+
+ @ClassRule
+ public static AbstractKeycloakRule samlServerRule = new AbstractKeycloakRule() {
+
+ @Override
+ protected void configureServer(KeycloakServer server) {
+ server.getConfig().setPort(PORT);
+ }
+
+ @Override
+ protected void configure(KeycloakSession session, RealmManager manager, RealmModel adminRealm) {
+ server.importRealm(getClass().getResourceAsStream("/broker-test/test-broker-realm-with-kc-oidc.json"));
+ }
+
+ @Override
+ protected String[] getTestRealms() {
+ return new String[] { "realm-with-oidc-identity-provider" };
+ }
+ };
+
+ @BeforeClass
+ public static void beforeClazz() {
+ keycloak1 = Keycloak.getInstance("http://localhost:8081/auth", "master", "admin", "admin", org.keycloak.models.Constants.ADMIN_CLI_CLIENT_ID);
+ keycloak2 = Keycloak.getInstance("http://localhost:8082/auth", "master", "admin", "admin", org.keycloak.models.Constants.ADMIN_CLI_CLIENT_ID);
+ }
+
+ @Override
+ public void onBefore() {
+ super.onBefore();
+
+ // Enable validate signatures
+ IdentityProviderModel idpModel = getIdentityProviderModel();
+ OIDCIdentityProviderConfig cfg = new OIDCIdentityProviderConfig(idpModel);
+ cfg.setValidateSignature(true);
+ getRealm().updateIdentityProvider(cfg);
+
+ brokerServerRule.stopSession(this.session, true);
+ this.session = brokerServerRule.startSession();
+ }
+
+ @Override
+ protected String getProviderId() {
+ return "kc-oidc-idp";
+ }
+
+ @Test
+ public void testSignatureVerificationJwksUrl() throws Exception {
+ // Configure OIDC identity provider with JWKS URL
+ IdentityProviderModel idpModel = getIdentityProviderModel();
+ OIDCIdentityProviderConfig cfg = new OIDCIdentityProviderConfig(idpModel);
+ cfg.setUseJwksUrl(true);
+
+ UriBuilder b = OIDCLoginProtocolService.certsUrl(UriBuilder.fromUri(Constants.AUTH_SERVER_ROOT).port(PORT));
+ String jwksUrl = b.build("realm-with-oidc-identity-provider").toString();
+ cfg.setJwksUrl(jwksUrl);
+ getRealm().updateIdentityProvider(cfg);
+
+ brokerServerRule.stopSession(this.session, true);
+ this.session = brokerServerRule.startSession();
+
+ // Check that user is able to login
+ assertSuccessfulAuthentication(getIdentityProviderModel(), "test-user", "test-user@localhost", false);
+
+ // Rotate public keys on the parent broker
+ RealmRepresentation realm = keycloak2.realm("realm-with-oidc-identity-provider").toRepresentation();
+ realm.setPublicKey(org.keycloak.models.Constants.GENERATE);
+ keycloak2.realm("realm-with-oidc-identity-provider").update(realm);
+
+ // User not able to login now as new keys can't be yet downloaded (10s timeout)
+ loginIDP("test-user");
+ assertTrue(errorPage.isCurrent());
+ assertEquals("Unexpected error when authenticating with identity provider", errorPage.getError());
+
+ keycloak2.realm("realm-with-oidc-identity-provider").logoutAll();
+
+ // Set time offset. New keys can be downloaded. Check that user is able to login.
+ Time.setOffset(20);
+
+ assertSuccessfulAuthentication(getIdentityProviderModel(), "test-user", "test-user@localhost", false);
+
+ Time.setOffset(0);
+ }
+
+ @Test
+ public void testSignatureVerificationHardcodedPublicKey() throws Exception {
+ // Configure OIDC identity provider with publicKeySignatureVerifier
+ IdentityProviderModel idpModel = getIdentityProviderModel();
+ OIDCIdentityProviderConfig cfg = new OIDCIdentityProviderConfig(idpModel);
+ cfg.setUseJwksUrl(false);
+
+ RealmRepresentation realm = keycloak2.realm("realm-with-oidc-identity-provider").toRepresentation();
+ cfg.setPublicKeySignatureVerifier(realm.getPublicKey());
+ getRealm().updateIdentityProvider(cfg);
+
+ brokerServerRule.stopSession(this.session, true);
+ this.session = brokerServerRule.startSession();
+
+ // Check that user is able to login
+ assertSuccessfulAuthentication(getIdentityProviderModel(), "test-user", "test-user@localhost", false);
+
+ // Rotate public keys on the parent broker
+ realm.setPublicKey(org.keycloak.models.Constants.GENERATE);
+ keycloak2.realm("realm-with-oidc-identity-provider").update(realm);
+
+ // User not able to login now as new keys can't be yet downloaded (10s timeout)
+ loginIDP("test-user");
+ assertTrue(errorPage.isCurrent());
+ assertEquals("Unexpected error when authenticating with identity provider", errorPage.getError());
+
+ keycloak2.realm("realm-with-oidc-identity-provider").logoutAll();
+
+ // Even after time offset is user not able to login, because it uses old key hardcoded in identityProvider config
+ Time.setOffset(20);
+
+ loginIDP("test-user");
+ assertTrue(errorPage.isCurrent());
+ assertEquals("Unexpected error when authenticating with identity provider", errorPage.getError());
+
+ keycloak2.realm("realm-with-oidc-identity-provider").logoutAll();
+
+ Time.setOffset(0);
+
+ }
+}
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/provider/CustomIdentityProvider.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/provider/CustomIdentityProvider.java
index 058f101..7b70924 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/provider/CustomIdentityProvider.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/provider/CustomIdentityProvider.java
@@ -29,8 +29,8 @@ import javax.ws.rs.core.Response;
*/
public class CustomIdentityProvider extends AbstractIdentityProvider<IdentityProviderModel> {
- public CustomIdentityProvider(IdentityProviderModel config) {
- super(config);
+ public CustomIdentityProvider(KeycloakSession session, IdentityProviderModel config) {
+ super(session, config);
}
@Override
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/provider/CustomIdentityProviderFactory.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/provider/CustomIdentityProviderFactory.java
index 60c7da6..88dab79 100644
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/provider/CustomIdentityProviderFactory.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/provider/CustomIdentityProviderFactory.java
@@ -18,6 +18,7 @@ package org.keycloak.testsuite.broker.provider;
import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
import org.keycloak.models.IdentityProviderModel;
+import org.keycloak.models.KeycloakSession;
/**
* @author pedroigor
@@ -32,8 +33,8 @@ public class CustomIdentityProviderFactory extends AbstractIdentityProviderFacto
}
@Override
- public CustomIdentityProvider create(IdentityProviderModel model) {
- return new CustomIdentityProvider(model);
+ public CustomIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
+ return new CustomIdentityProvider(session, model);
}
@Override
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/provider/social/CustomSocialProvider.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/provider/social/CustomSocialProvider.java
index b473be1..1928117 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/provider/social/CustomSocialProvider.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/provider/social/CustomSocialProvider.java
@@ -30,8 +30,8 @@ import javax.ws.rs.core.Response;
*/
public class CustomSocialProvider extends AbstractIdentityProvider<IdentityProviderModel> implements SocialIdentityProvider<IdentityProviderModel> {
- public CustomSocialProvider(IdentityProviderModel config) {
- super(config);
+ public CustomSocialProvider(KeycloakSession session, IdentityProviderModel config) {
+ super(session, config);
}
@Override
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/provider/social/CustomSocialProviderFactory.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/provider/social/CustomSocialProviderFactory.java
index 85273d5..58699cc 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/provider/social/CustomSocialProviderFactory.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/provider/social/CustomSocialProviderFactory.java
@@ -19,6 +19,7 @@ package org.keycloak.testsuite.broker.provider.social;
import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.broker.social.SocialIdentityProviderFactory;
+import org.keycloak.models.KeycloakSession;
/**
* @author pedroigor
@@ -33,8 +34,8 @@ public class CustomSocialProviderFactory extends AbstractIdentityProviderFactory
}
@Override
- public CustomSocialProvider create(IdentityProviderModel model) {
- return new CustomSocialProvider(model);
+ public CustomSocialProvider create(KeycloakSession session, IdentityProviderModel model) {
+ return new CustomSocialProvider(session, model);
}
@Override
diff --git a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/resource/TestingOIDCEndpointsApplicationResource.java b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/resource/TestingOIDCEndpointsApplicationResource.java
index 8b5df6c..6daa6b1 100644
--- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/resource/TestingOIDCEndpointsApplicationResource.java
+++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/resource/TestingOIDCEndpointsApplicationResource.java
@@ -120,7 +120,8 @@ public class TestingOIDCEndpointsApplicationResource {
}
PrivateKey privateKey = clientData.getSigningKeyPair().getPrivate();
- clientData.setOidcRequest(new JWSBuilder().jsonContent(oidcRequest).rsa256(privateKey));
+ String kid = JWKBuilder.createKeyId(clientData.getSigningKeyPair().getPublic());
+ clientData.setOidcRequest(new JWSBuilder().kid(kid).jsonContent(oidcRequest).rsa256(privateKey));
} else {
throw new BadRequestException("Unknown argument: " + jwaAlgorithm);
}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractDemoServletsAdapterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractDemoServletsAdapterTest.java
index 065de77..d2415e8 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractDemoServletsAdapterTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractDemoServletsAdapterTest.java
@@ -31,6 +31,7 @@ import org.keycloak.common.Version;
import org.keycloak.common.util.Time;
import org.keycloak.constants.AdapterConstants;
import org.keycloak.models.Constants;
+import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.representations.AccessToken;
@@ -73,6 +74,7 @@ import java.util.regex.Pattern;
import static org.junit.Assert.*;
import static org.keycloak.testsuite.auth.page.AuthRealm.DEMO;
import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlEquals;
+import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlStartsWith;
import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlStartsWithLoginUrlOf;
import static org.keycloak.testsuite.util.WaitUtils.pause;
import static org.keycloak.testsuite.util.WaitUtils.waitUntilElement;
@@ -265,6 +267,43 @@ public abstract class AbstractDemoServletsAdapterTest extends AbstractServletsAd
}
@Test
+ public void testClientWithJwksUri() throws Exception {
+ // Set client to bad JWKS URI
+ ClientResource clientResource = ApiUtil.findClientResourceByClientId(testRealmResource(), "secure-portal");
+ ClientRepresentation client = clientResource.toRepresentation();
+ OIDCAdvancedConfigWrapper wrapper = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
+ wrapper.setUseJwksUrl(true);
+ wrapper.setJwksUrl(securePortal + "/bad-jwks-url");
+ clientResource.update(client);
+
+ // Login should fail at the code-to-token
+ securePortal.navigateTo();
+ assertCurrentUrlStartsWithLoginUrlOf(testRealmPage);
+ testRealmLoginPage.form().login("bburke@redhat.com", "password");
+ String pageSource = driver.getPageSource();
+ assertCurrentUrlStartsWith(securePortal);
+ assertFalse(pageSource.contains("Bill Burke") && pageSource.contains("Stian Thorgersen"));
+
+ // Set client to correct JWKS URI
+ client = clientResource.toRepresentation();
+ wrapper = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
+ wrapper.setUseJwksUrl(true);
+ wrapper.setJwksUrl(securePortal + "/" + AdapterConstants.K_JWKS);
+ clientResource.update(client);
+
+ // Login to secure-portal should be fine now. Client keys downloaded from JWKS URI
+ securePortal.navigateTo();
+ assertCurrentUrlEquals(securePortal);
+ pageSource = driver.getPageSource();
+ assertTrue(pageSource.contains("Bill Burke") && pageSource.contains("Stian Thorgersen"));
+
+ // Logout
+ String logoutUri = OIDCLoginProtocolService.logoutUrl(authServerPage.createUriBuilder())
+ .queryParam(OAuth2Constants.REDIRECT_URI, securePortal.toString()).build("demo").toString();
+ driver.navigate().to(logoutUri);
+ }
+
+ @Test
public void testLoginSSOAndLogout() {
// test login to customer-portal which does a bearer request to customer-db
customerPortal.navigateTo();
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCClientRegistrationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCClientRegistrationTest.java
index e88c538..ce39792 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCClientRegistrationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCClientRegistrationTest.java
@@ -17,32 +17,18 @@
package org.keycloak.testsuite.client;
-import org.apache.http.HttpResponse;
-import org.apache.http.NameValuePair;
-import org.apache.http.client.entity.UrlEncodedFormEntity;
-import org.apache.http.client.methods.HttpPost;
-import org.apache.http.impl.client.CloseableHttpClient;
-import org.apache.http.impl.client.DefaultHttpClient;
-import org.apache.http.message.BasicNameValuePair;
+
import org.junit.Before;
import org.junit.Test;
import org.keycloak.OAuth2Constants;
-import org.keycloak.adapters.authentication.JWTClientCredentialsProvider;
import org.keycloak.client.registration.Auth;
import org.keycloak.client.registration.ClientRegistrationException;
import org.keycloak.client.registration.HttpErrorException;
import org.keycloak.common.util.CollectionUtil;
-import org.keycloak.common.util.KeycloakUriBuilder;
-import org.keycloak.constants.ServiceUrlConstants;
-import org.keycloak.jose.jwk.JSONWebKeySet;
import org.keycloak.jose.jws.Algorithm;
-import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
-import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.protocol.oidc.utils.OIDCResponseType;
-import org.keycloak.representations.AccessToken;
-import org.keycloak.representations.JsonWebToken;
import org.keycloak.representations.idm.ClientInitialAccessCreatePresentation;
import org.keycloak.representations.idm.ClientInitialAccessPresentation;
import org.keycloak.representations.idm.ClientRegistrationTrustedHostRepresentation;
@@ -50,15 +36,10 @@ import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.oidc.OIDCClientRepresentation;
import org.keycloak.testsuite.Assert;
-import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
-import org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource;
-import org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource;
-import org.keycloak.testsuite.util.OAuthClient;
-import java.security.PrivateKey;
+
import java.util.*;
import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriBuilder;
import static org.junit.Assert.*;
@@ -229,59 +210,6 @@ public class OIDCClientRegistrationTest extends AbstractClientRegistrationTest {
}
@Test
- public void createClientWithJWKS() throws Exception {
- OIDCClientRepresentation clientRep = createRep();
-
- clientRep.setGrantTypes(Collections.singletonList(OAuth2Constants.CLIENT_CREDENTIALS));
- clientRep.setTokenEndpointAuthMethod(OIDCLoginProtocol.PRIVATE_KEY_JWT);
-
- // Generate keys for client
- TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
- Map<String, String> generatedKeys = oidcClientEndpointsResource.generateKeys();
-
- JSONWebKeySet keySet = oidcClientEndpointsResource.getJwks();
- clientRep.setJwks(keySet);
-
- OIDCClientRepresentation response = reg.oidc().create(clientRep);
- Assert.assertEquals(OIDCLoginProtocol.PRIVATE_KEY_JWT, response.getTokenEndpointAuthMethod());
- Assert.assertNull(response.getClientSecret());
- Assert.assertNull(response.getClientSecretExpiresAt());
-
- // Tries to authenticate client with privateKey JWT
- String signedJwt = getClientSignedJWT(response.getClientId(), generatedKeys.get(TestingOIDCEndpointsApplicationResource.PRIVATE_KEY));
- OAuthClient.AccessTokenResponse accessTokenResponse = doClientCredentialsGrantRequest(signedJwt);
- Assert.assertEquals(200, accessTokenResponse.getStatusCode());
- AccessToken accessToken = oauth.verifyToken(accessTokenResponse.getAccessToken());
- Assert.assertEquals(response.getClientId(), accessToken.getAudience()[0]);
- }
-
- @Test
- public void createClientWithJWKSURI() throws Exception {
- OIDCClientRepresentation clientRep = createRep();
-
- clientRep.setGrantTypes(Collections.singletonList(OAuth2Constants.CLIENT_CREDENTIALS));
- clientRep.setTokenEndpointAuthMethod(OIDCLoginProtocol.PRIVATE_KEY_JWT);
-
- // Generate keys for client
- TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
- Map<String, String> generatedKeys = oidcClientEndpointsResource.generateKeys();
-
- clientRep.setJwksUri(TestApplicationResourceUrls.clientJwksUri());
-
- OIDCClientRepresentation response = reg.oidc().create(clientRep);
- Assert.assertEquals(OIDCLoginProtocol.PRIVATE_KEY_JWT, response.getTokenEndpointAuthMethod());
- Assert.assertNull(response.getClientSecret());
- Assert.assertNull(response.getClientSecretExpiresAt());
-
- // Tries to authenticate client with privateKey JWT
- String signedJwt = getClientSignedJWT(response.getClientId(), generatedKeys.get(TestingOIDCEndpointsApplicationResource.PRIVATE_KEY));
- OAuthClient.AccessTokenResponse accessTokenResponse = doClientCredentialsGrantRequest(signedJwt);
- Assert.assertEquals(200, accessTokenResponse.getStatusCode());
- AccessToken accessToken = oauth.verifyToken(accessTokenResponse.getAccessToken());
- Assert.assertEquals(response.getClientId(), accessToken.getAudience()[0]);
- }
-
- @Test
public void testSignaturesRequired() throws Exception {
OIDCClientRepresentation clientRep = createRep();
clientRep.setUserinfoSignedResponseAlg(Algorithm.RS256.toString());
@@ -299,55 +227,6 @@ public class OIDCClientRegistrationTest extends AbstractClientRegistrationTest {
Assert.assertEquals(config.getRequestObjectSignatureAlg(), Algorithm.RS256);
}
-
- // Client auth with signedJWT - helper methods
-
- private String getClientSignedJWT(String clientId, String privateKeyPem) {
- String realmInfoUrl = KeycloakUriBuilder.fromUri(getAuthServerRoot()).path(ServiceUrlConstants.REALM_INFO_PATH).build(REALM_NAME).toString();
-
- PrivateKey privateKey = KeycloakModelUtils.getPrivateKey(privateKeyPem);
-
- // Use token-endpoint as audience as OIDC conformance testsuite is using it too.
- JWTClientCredentialsProvider jwtProvider = new JWTClientCredentialsProvider() {
-
- @Override
- protected JsonWebToken createRequestToken(String clientId, String realmInfoUrl) {
- JsonWebToken jwt = super.createRequestToken(clientId, realmInfoUrl);
- String tokenEndpointUrl = OIDCLoginProtocolService.tokenUrl(UriBuilder.fromUri(getAuthServerRoot())).build(REALM_NAME).toString();
- jwt.audience(tokenEndpointUrl);
- return jwt;
- }
-
- };
- jwtProvider.setPrivateKey(privateKey);
- jwtProvider.setTokenTimeout(10);
- return jwtProvider.createSignedRequestToken(clientId, realmInfoUrl);
-
- }
-
-
- private OAuthClient.AccessTokenResponse doClientCredentialsGrantRequest(String signedJwt) throws Exception {
- List<NameValuePair> parameters = new LinkedList<NameValuePair>();
- parameters.add(new BasicNameValuePair(OAuth2Constants.GRANT_TYPE, OAuth2Constants.CLIENT_CREDENTIALS));
- parameters.add(new BasicNameValuePair(OAuth2Constants.CLIENT_ASSERTION_TYPE, OAuth2Constants.CLIENT_ASSERTION_TYPE_JWT));
- parameters.add(new BasicNameValuePair(OAuth2Constants.CLIENT_ASSERTION, signedJwt));
-
- HttpResponse response = sendRequest(oauth.getServiceAccountUrl(), parameters);
- return new OAuthClient.AccessTokenResponse(response);
- }
-
- private HttpResponse sendRequest(String requestUrl, List<NameValuePair> parameters) throws Exception {
- CloseableHttpClient client = new DefaultHttpClient();
- try {
- HttpPost post = new HttpPost(requestUrl);
- UrlEncodedFormEntity formEntity = new UrlEncodedFormEntity(parameters, "UTF-8");
- post.setEntity(formEntity);
- return client.execute(post);
- } finally {
- oauth.closeClient(client);
- }
- }
-
private void createTrustedHost(String name, int count) {
Response response = adminClient.realm(REALM_NAME).clientRegistrationTrustedHost().create(ClientRegistrationTrustedHostRepresentation.create(name, count, count));
Assert.assertEquals(201, response.getStatus());
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCJwksClientRegistrationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCJwksClientRegistrationTest.java
new file mode 100644
index 0000000..5a86d59
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCJwksClientRegistrationTest.java
@@ -0,0 +1,308 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.testsuite.client;
+
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.util.Collections;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+
+import javax.ws.rs.core.UriBuilder;
+
+import org.apache.http.HttpResponse;
+import org.apache.http.NameValuePair;
+import org.apache.http.client.entity.UrlEncodedFormEntity;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.DefaultHttpClient;
+import org.apache.http.message.BasicNameValuePair;
+import org.junit.Before;
+import org.junit.Test;
+import org.keycloak.OAuth2Constants;
+import org.keycloak.adapters.authentication.JWTClientCredentialsProvider;
+import org.keycloak.client.registration.Auth;
+import org.keycloak.common.util.KeycloakUriBuilder;
+import org.keycloak.constants.ServiceUrlConstants;
+import org.keycloak.jose.jwk.JSONWebKeySet;
+import org.keycloak.jose.jws.JWSBuilder;
+import org.keycloak.models.utils.KeycloakModelUtils;
+import org.keycloak.protocol.oidc.OIDCLoginProtocol;
+import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
+import org.keycloak.representations.AccessToken;
+import org.keycloak.representations.JsonWebToken;
+import org.keycloak.representations.idm.ClientInitialAccessCreatePresentation;
+import org.keycloak.representations.idm.ClientInitialAccessPresentation;
+import org.keycloak.representations.idm.RealmRepresentation;
+import org.keycloak.representations.oidc.OIDCClientRepresentation;
+import org.keycloak.testsuite.Assert;
+import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
+import org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource;
+import org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource;
+import org.keycloak.testsuite.util.OAuthClient;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class OIDCJwksClientRegistrationTest extends AbstractClientRegistrationTest {
+
+ private static final String PRIVATE_KEY = "MIICXAIBAAKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQABAoGAfmO8gVhyBxdqlxmIuglbz8bcjQbhXJLR2EoS8ngTXmN1bo2L90M0mUKSdc7qF10LgETBzqL8jYlQIbt+e6TH8fcEpKCjUlyq0Mf/vVbfZSNaVycY13nTzo27iPyWQHK5NLuJzn1xvxxrUeXI6A2WFpGEBLbHjwpx5WQG9A+2scECQQDvdn9NE75HPTVPxBqsEd2z10TKkl9CZxu10Qby3iQQmWLEJ9LNmy3acvKrE3gMiYNWb6xHPKiIqOR1as7L24aTAkEAtyvQOlCvr5kAjVqrEKXalj0Tzewjweuxc0pskvArTI2Oo070h65GpoIKLc9jf+UA69cRtquwP93aZKtW06U8dQJAF2Y44ks/mK5+eyDqik3koCI08qaC8HYq2wVl7G2QkJ6sbAaILtcvD92ToOvyGyeE0flvmDZxMYlvaZnaQ0lcSQJBAKZU6umJi3/xeEbkJqMfeLclD27XGEFoPeNrmdx0q10Azp4NfJAY+Z8KRyQCR2BEG+oNitBOZ+YXF9KCpH3cdmECQHEigJhYg+ykOvr1aiZUMFT72HU0jnmQe2FVekuG+LJUt2Tm7GtMjTFoGpf0JwrVuZN39fOYAlo+nTixgeW7X8Y=";
+ private static final String PUBLIC_KEY = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB";
+
+ @Override
+ public void addTestRealms(List<RealmRepresentation> testRealms) {
+ super.addTestRealms(testRealms);
+ testRealms.get(0).setPrivateKey(PRIVATE_KEY);
+ testRealms.get(0).setPublicKey(PUBLIC_KEY);
+ }
+
+ @Before
+ public void before() throws Exception {
+ super.before();
+
+ ClientInitialAccessPresentation token = adminClient.realm(REALM_NAME).clientInitialAccess().create(new ClientInitialAccessCreatePresentation(0, 10));
+ reg.auth(Auth.token(token));
+ }
+
+ private OIDCClientRepresentation createRep() {
+ OIDCClientRepresentation client = new OIDCClientRepresentation();
+ client.setClientName("RegistrationAccessTokenTest");
+ client.setClientUri(OAuthClient.APP_ROOT);
+ client.setRedirectUris(Collections.singletonList(oauth.getRedirectUri()));
+ return client;
+ }
+
+
+ @Test
+ public void createClientWithJWKS_generatedKid() throws Exception {
+ OIDCClientRepresentation clientRep = createRep();
+
+ clientRep.setGrantTypes(Collections.singletonList(OAuth2Constants.CLIENT_CREDENTIALS));
+ clientRep.setTokenEndpointAuthMethod(OIDCLoginProtocol.PRIVATE_KEY_JWT);
+
+ // Generate keys for client
+ TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
+ Map<String, String> generatedKeys = oidcClientEndpointsResource.generateKeys();
+
+ JSONWebKeySet keySet = oidcClientEndpointsResource.getJwks();
+ clientRep.setJwks(keySet);
+
+ OIDCClientRepresentation response = reg.oidc().create(clientRep);
+ Assert.assertEquals(OIDCLoginProtocol.PRIVATE_KEY_JWT, response.getTokenEndpointAuthMethod());
+ Assert.assertNull(response.getClientSecret());
+ Assert.assertNull(response.getClientSecretExpiresAt());
+
+ // Tries to authenticate client with privateKey JWT
+ assertAuthenticateClientSuccess(generatedKeys, response, KEEP_GENERATED_KID);
+ }
+
+
+ // The "kid" is null in the signed JWT. This is backwards compatibility test as in versions prior to 2.3.0, the "kid" wasn't set by JWTClientCredentialsProvider
+ @Test
+ public void createClientWithJWKS_nullKid() throws Exception {
+ OIDCClientRepresentation clientRep = createRep();
+
+ clientRep.setGrantTypes(Collections.singletonList(OAuth2Constants.CLIENT_CREDENTIALS));
+ clientRep.setTokenEndpointAuthMethod(OIDCLoginProtocol.PRIVATE_KEY_JWT);
+
+ // Generate keys for client
+ TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
+ Map<String, String> generatedKeys = oidcClientEndpointsResource.generateKeys();
+
+ JSONWebKeySet keySet = oidcClientEndpointsResource.getJwks();
+ clientRep.setJwks(keySet);
+
+ OIDCClientRepresentation response = reg.oidc().create(clientRep);
+
+ // Tries to authenticate client with privateKey JWT
+ assertAuthenticateClientSuccess(generatedKeys, response, null);
+ }
+
+
+ // The "kid" is set manually to some custom value
+ @Test
+ public void createClientWithJWKS_customKid() throws Exception {
+ OIDCClientRepresentation clientRep = createRep();
+
+ clientRep.setGrantTypes(Collections.singletonList(OAuth2Constants.CLIENT_CREDENTIALS));
+ clientRep.setTokenEndpointAuthMethod(OIDCLoginProtocol.PRIVATE_KEY_JWT);
+
+ // Generate keys for client
+ TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
+ Map<String, String> generatedKeys = oidcClientEndpointsResource.generateKeys();
+
+ JSONWebKeySet keySet = oidcClientEndpointsResource.getJwks();
+
+ // Override kid with custom value
+ keySet.getKeys()[0].setKeyId("a1");
+ clientRep.setJwks(keySet);
+
+ OIDCClientRepresentation response = reg.oidc().create(clientRep);
+
+ // Tries to authenticate client with privateKey JWT
+ assertAuthenticateClientSuccess(generatedKeys, response, "a1");
+ }
+
+ @Test
+ public void createClientWithJWKSURI() throws Exception {
+ OIDCClientRepresentation clientRep = createRep();
+
+ clientRep.setGrantTypes(Collections.singletonList(OAuth2Constants.CLIENT_CREDENTIALS));
+ clientRep.setTokenEndpointAuthMethod(OIDCLoginProtocol.PRIVATE_KEY_JWT);
+
+ // Generate keys for client
+ TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
+ Map<String, String> generatedKeys = oidcClientEndpointsResource.generateKeys();
+
+ clientRep.setJwksUri(TestApplicationResourceUrls.clientJwksUri());
+
+ OIDCClientRepresentation response = reg.oidc().create(clientRep);
+ Assert.assertEquals(OIDCLoginProtocol.PRIVATE_KEY_JWT, response.getTokenEndpointAuthMethod());
+ Assert.assertNull(response.getClientSecret());
+ Assert.assertNull(response.getClientSecretExpiresAt());
+ Assert.assertEquals(response.getJwksUri(), TestApplicationResourceUrls.clientJwksUri());
+
+ // Tries to authenticate client with privateKey JWT
+ assertAuthenticateClientSuccess(generatedKeys, response, KEEP_GENERATED_KID);
+ }
+
+ @Test
+ public void createClientWithJWKSURI_rotateClientKeys() throws Exception {
+ OIDCClientRepresentation clientRep = createRep();
+
+ clientRep.setGrantTypes(Collections.singletonList(OAuth2Constants.CLIENT_CREDENTIALS));
+ clientRep.setTokenEndpointAuthMethod(OIDCLoginProtocol.PRIVATE_KEY_JWT);
+
+ // Generate keys for client
+ TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
+ Map<String, String> generatedKeys = oidcClientEndpointsResource.generateKeys();
+
+ clientRep.setJwksUri(TestApplicationResourceUrls.clientJwksUri());
+
+ OIDCClientRepresentation response = reg.oidc().create(clientRep);
+ Assert.assertEquals(OIDCLoginProtocol.PRIVATE_KEY_JWT, response.getTokenEndpointAuthMethod());
+ Assert.assertNull(response.getClientSecret());
+ Assert.assertNull(response.getClientSecretExpiresAt());
+ Assert.assertEquals(response.getJwksUri(), TestApplicationResourceUrls.clientJwksUri());
+
+ // Tries to authenticate client with privateKey JWT
+ assertAuthenticateClientSuccess(generatedKeys, response, KEEP_GENERATED_KID);
+
+ // Add new key to the jwks
+ Map<String, String> generatedKeys2 = oidcClientEndpointsResource.generateKeys();
+
+ // Error should happen. KeyStorageProvider won't yet download new keys because of timeout
+ assertAuthenticateClientError(generatedKeys2, response, KEEP_GENERATED_KID);
+
+ setTimeOffset(20);
+
+ // Now new keys should be successfully downloaded
+ assertAuthenticateClientSuccess(generatedKeys2, response, KEEP_GENERATED_KID);
+ }
+
+
+ // Client auth with signedJWT - helper methods
+
+ private void assertAuthenticateClientSuccess(Map<String, String> generatedKeys, OIDCClientRepresentation response, String kid) throws Exception {
+ KeyPair keyPair = getKeyPairFromGeneratedPems(generatedKeys);
+ String signedJwt = getClientSignedJWT(response.getClientId(), keyPair, kid);
+ OAuthClient.AccessTokenResponse accessTokenResponse = doClientCredentialsGrantRequest(signedJwt);
+ Assert.assertEquals(200, accessTokenResponse.getStatusCode());
+ AccessToken accessToken = oauth.verifyToken(accessTokenResponse.getAccessToken());
+ Assert.assertEquals(response.getClientId(), accessToken.getAudience()[0]);
+ }
+
+ private void assertAuthenticateClientError(Map<String, String> generatedKeys, OIDCClientRepresentation response, String kid) throws Exception {
+ KeyPair keyPair = getKeyPairFromGeneratedPems(generatedKeys);
+ String signedJwt = getClientSignedJWT(response.getClientId(), keyPair, kid);
+ OAuthClient.AccessTokenResponse accessTokenResponse = doClientCredentialsGrantRequest(signedJwt);
+ Assert.assertEquals(400, accessTokenResponse.getStatusCode());
+ Assert.assertNull(accessTokenResponse.getAccessToken());
+ Assert.assertNotNull(accessTokenResponse.getError());
+ }
+
+ private KeyPair getKeyPairFromGeneratedPems(Map<String, String> generatedKeys) {
+ String privateKeyPem = generatedKeys.get(TestingOIDCEndpointsApplicationResource.PRIVATE_KEY);
+ String publicKeyPem = generatedKeys.get(TestingOIDCEndpointsApplicationResource.PUBLIC_KEY);
+ PrivateKey privateKey = KeycloakModelUtils.getPrivateKey(privateKeyPem);
+ PublicKey publicKey = KeycloakModelUtils.getPublicKey(publicKeyPem);
+ return new KeyPair(publicKey, privateKey);
+ }
+
+ private static final String KEEP_GENERATED_KID = "KEEP_GENERATED_KID";
+
+ private String getClientSignedJWT(String clientId, KeyPair keyPair, final String kid) {
+ String realmInfoUrl = KeycloakUriBuilder.fromUri(getAuthServerRoot()).path(ServiceUrlConstants.REALM_INFO_PATH).build(REALM_NAME).toString();
+
+ // Use token-endpoint as audience as OIDC conformance testsuite is using it too.
+ JWTClientCredentialsProvider jwtProvider = new JWTClientCredentialsProvider() {
+
+ @Override
+ public String createSignedRequestToken(String clientId, String realmInfoUrl) {
+ if (KEEP_GENERATED_KID.equals(kid)) {
+ return super.createSignedRequestToken(clientId, realmInfoUrl);
+ } else {
+ JsonWebToken jwt = createRequestToken(clientId, realmInfoUrl);
+ return new JWSBuilder()
+ .kid(kid)
+ .jsonContent(jwt)
+ .rsa256(keyPair.getPrivate());
+ }
+ }
+
+ @Override
+ protected JsonWebToken createRequestToken(String clientId, String realmInfoUrl) {
+ JsonWebToken jwt = super.createRequestToken(clientId, realmInfoUrl);
+ String tokenEndpointUrl = OIDCLoginProtocolService.tokenUrl(UriBuilder.fromUri(getAuthServerRoot())).build(REALM_NAME).toString();
+ jwt.audience(tokenEndpointUrl);
+ return jwt;
+ }
+
+ };
+ jwtProvider.setupKeyPair(keyPair);
+ jwtProvider.setTokenTimeout(10);
+ return jwtProvider.createSignedRequestToken(clientId, realmInfoUrl);
+
+ }
+
+
+ private OAuthClient.AccessTokenResponse doClientCredentialsGrantRequest(String signedJwt) throws Exception {
+ List<NameValuePair> parameters = new LinkedList<NameValuePair>();
+ parameters.add(new BasicNameValuePair(OAuth2Constants.GRANT_TYPE, OAuth2Constants.CLIENT_CREDENTIALS));
+ parameters.add(new BasicNameValuePair(OAuth2Constants.CLIENT_ASSERTION_TYPE, OAuth2Constants.CLIENT_ASSERTION_TYPE_JWT));
+ parameters.add(new BasicNameValuePair(OAuth2Constants.CLIENT_ASSERTION, signedJwt));
+
+ HttpResponse response = sendRequest(oauth.getServiceAccountUrl(), parameters);
+ return new OAuthClient.AccessTokenResponse(response);
+ }
+
+
+ private HttpResponse sendRequest(String requestUrl, List<NameValuePair> parameters) throws Exception {
+ CloseableHttpClient client = new DefaultHttpClient();
+ try {
+ HttpPost post = new HttpPost(requestUrl);
+ UrlEncodedFormEntity formEntity = new UrlEncodedFormEntity(parameters, "UTF-8");
+ post.setEntity(formEntity);
+ return client.execute(post);
+ } finally {
+ oauth.closeClient(client);
+ }
+ }
+}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java
index c1cbdea..717c311 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java
@@ -24,7 +24,6 @@ import org.apache.http.NameValuePair;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
-import org.apache.http.entity.ContentType;
import org.apache.http.entity.mime.MultipartEntityBuilder;
import org.apache.http.entity.mime.content.FileBody;
import org.apache.http.impl.client.CloseableHttpClient;
@@ -32,7 +31,6 @@ import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.message.BasicNameValuePair;
import org.junit.BeforeClass;
-import org.junit.Ignore;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.OAuth2Constants;
@@ -40,6 +38,7 @@ import org.keycloak.adapters.AdapterUtils;
import org.keycloak.adapters.authentication.JWTClientCredentialsProvider;
import org.keycloak.admin.client.resource.ClientAttributeCertificateResource;
import org.keycloak.admin.client.resource.ClientResource;
+import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.authenticators.client.JWTClientAuthenticator;
import org.keycloak.common.constants.ServiceAccountConstants;
import org.keycloak.common.util.*;
@@ -70,6 +69,7 @@ import org.keycloak.testsuite.util.UserBuilder;
import java.io.*;
import java.net.URL;
import java.nio.file.Files;
+import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
@@ -308,18 +308,21 @@ public class ClientAuthSignedJWTTest extends AbstractKeycloakTest {
keyStoreIs.close();
client = getClient(testRealm.getRealm(), client.getId()).toRepresentation();
+ X509Certificate x509Cert = (X509Certificate) keyStore.getCertificate(keyAlias);
assertCertificate(client, certOld,
- KeycloakModelUtils.getPemFromCertificate((X509Certificate) keyStore.getCertificate(keyAlias)));
+ KeycloakModelUtils.getPemFromCertificate(x509Cert));
// Try to login with the new keys
oauth.clientId(client.getClientId());
PrivateKey privateKey = (PrivateKey) keyStore.getKey(keyAlias, keyPassword.toCharArray());
+ KeyPair keyPair = new KeyPair(x509Cert.getPublicKey(), privateKey);
+
OAuthClient.AccessTokenResponse response = doGrantAccessTokenRequest(user.getUsername(),
user.getCredentials().get(0).getValue(),
- getClientSignedJWT(privateKey, client.getClientId()));
+ getClientSignedJWT(keyPair, client.getClientId()));
assertEquals(200, response.getStatusCode());
@@ -469,7 +472,7 @@ public class ClientAuthSignedJWTTest extends AbstractKeycloakTest {
@Test
public void testAssertionMissingIssuer() throws Exception {
- String invalidJwt = getClientSignedJWT(getClient1PrivateKey(), null);
+ String invalidJwt = getClientSignedJWT(getClient1KeyPair(), null);
List<NameValuePair> parameters = new LinkedList<NameValuePair>();
parameters.add(new BasicNameValuePair(OAuth2Constants.GRANT_TYPE, OAuth2Constants.CLIENT_CREDENTIALS));
@@ -484,7 +487,7 @@ public class ClientAuthSignedJWTTest extends AbstractKeycloakTest {
@Test
public void testAssertionUnknownClient() throws Exception {
- String invalidJwt = getClientSignedJWT(getClient1PrivateKey(), "unknown-client");
+ String invalidJwt = getClientSignedJWT(getClient1KeyPair(), "unknown-client");
List<NameValuePair> parameters = new LinkedList<NameValuePair>();
parameters.add(new BasicNameValuePair(OAuth2Constants.GRANT_TYPE, OAuth2Constants.CLIENT_CREDENTIALS));
@@ -549,7 +552,7 @@ public class ClientAuthSignedJWTTest extends AbstractKeycloakTest {
@Test
public void testAssertionInvalidSignature() throws Exception {
// JWT for client1, but signed by privateKey of client2
- String invalidJwt = getClientSignedJWT(getClient2PrivateKey(), "client1");
+ String invalidJwt = getClientSignedJWT(getClient2KeyPair(), "client1");
List<NameValuePair> parameters = new LinkedList<NameValuePair>();
parameters.add(new BasicNameValuePair(OAuth2Constants.GRANT_TYPE, OAuth2Constants.CLIENT_CREDENTIALS));
@@ -559,7 +562,7 @@ public class ClientAuthSignedJWTTest extends AbstractKeycloakTest {
HttpResponse resp = sendRequest(oauth.getServiceAccountUrl(), parameters);
OAuthClient.AccessTokenResponse response = new OAuthClient.AccessTokenResponse(resp);
- assertError(response, "client1", "unauthorized_client", Errors.INVALID_CLIENT_CREDENTIALS);
+ assertError(response, "client1", "unauthorized_client", AuthenticationFlowError.CLIENT_CREDENTIALS_SETUP_REQUIRED.toString().toLowerCase());
}
@@ -659,7 +662,7 @@ public class ClientAuthSignedJWTTest extends AbstractKeycloakTest {
private OAuthClient.AccessTokenResponse testMissingClaim(int tokenTimeOffset, String... claims) throws Exception {
CustomJWTClientCredentialsProvider jwtProvider = new CustomJWTClientCredentialsProvider();
- jwtProvider.setPrivateKey(getClient1PrivateKey());
+ jwtProvider.setupKeyPair(getClient1KeyPair());
jwtProvider.setTokenTimeout(10);
for (String claim : claims) {
@@ -778,26 +781,26 @@ public class ClientAuthSignedJWTTest extends AbstractKeycloakTest {
}
private String getClient1SignedJWT() {
- return getClientSignedJWT(getClient1PrivateKey(), "client1");
+ return getClientSignedJWT(getClient1KeyPair(), "client1");
}
private String getClient2SignedJWT() {
- return getClientSignedJWT(getClient2PrivateKey(), "client2");
+ return getClientSignedJWT(getClient2KeyPair(), "client2");
}
- private PrivateKey getClient1PrivateKey() {
- return KeystoreUtil.loadPrivateKeyFromKeystore("classpath:client-auth-test/keystore-client1.jks",
+ private KeyPair getClient1KeyPair() {
+ return KeystoreUtil.loadKeyPairFromKeystore("classpath:client-auth-test/keystore-client1.jks",
"storepass", "keypass", "clientkey", KeystoreUtil.KeystoreFormat.JKS);
}
- private PrivateKey getClient2PrivateKey() {
- return KeystoreUtil.loadPrivateKeyFromKeystore("classpath:client-auth-test/keystore-client2.jks",
+ private KeyPair getClient2KeyPair() {
+ return KeystoreUtil.loadKeyPairFromKeystore("classpath:client-auth-test/keystore-client2.jks",
"storepass", "keypass", "clientkey", KeystoreUtil.KeystoreFormat.JKS);
}
- private String getClientSignedJWT(PrivateKey privateKey, String clientId) {
+ private String getClientSignedJWT(KeyPair keyPair, String clientId) {
JWTClientCredentialsProvider jwtProvider = new JWTClientCredentialsProvider();
- jwtProvider.setPrivateKey(privateKey);
+ jwtProvider.setupKeyPair(keyPair);
jwtProvider.setTokenTimeout(10);
return jwtProvider.createSignedRequestToken(clientId, getRealmInfoUrl());
}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
index e01057d..ef9c0a3 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
@@ -406,6 +406,9 @@ public class OIDCAdvancedRequestParamsTest extends TestRealmKeycloakTest {
CertificateInfoHelper.updateClientRepresentationCertificateInfo(clientRep, cert, JWTClientAuthenticator.ATTR_PREFIX);
clientResource.update(clientRep);
+ // set time offset, so that new keys are downloaded
+ setTimeOffset(20);
+
// Check signed request_uri will pass
OAuthClient.AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
Assert.assertNotNull(response.getCode());
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/log4j.properties b/testsuite/integration-arquillian/tests/base/src/test/resources/log4j.properties
index ce33acf..6a891c3 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/resources/log4j.properties
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/log4j.properties
@@ -62,4 +62,5 @@ log4j.logger.org.jboss.resteasy=warn
log4j.logger.org.apache.directory.api=warn
log4j.logger.org.apache.directory.server.core=warn
-log4j.logger.org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator=trace
\ No newline at end of file
+# log4j.logger.org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator=trace
+# log4j.logger.org.keycloak.keys.infinispan=trace
\ No newline at end of file
diff --git a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
index 4857924..e9f3449 100644
--- a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
+++ b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
@@ -293,6 +293,12 @@ gen-new-keys-and-cert=Generate new keys and certificate
import-certificate=Import Certificate
gen-client-private-key=Generate Client Private Key
generate-private-key=Generate Private Key
+kid=Kid
+kid.tooltip=KID (Key ID) of the client public key from imported JWKS.
+use-jwks-url=Use JWKS URL
+use-jwks-url.tooltip=If the switch is on, then client public keys will be downloaded from given JWKS URL. This allows great flexibility because new keys will be always re-downloaded again when client generates new keypair. If the switch is off, then public key (or certificate) from the Keycloak DB is used, so when client keypair changes, you always need to import new key (or certificate) to the Keycloak DB as well.
+jwks-url=JWKS URL
+jwks-url.tooltip=URL where client keys in JWK format are stored. See JWK specification for more details. If you use keycloak client adapter with "jwt" credential, then you can use URL of your app with '/k_jwks' suffix. For example 'http://www.myhost.com/myapp/k_jwks' .
archive-format=Archive Format
archive-format.tooltip=Java keystore or PKCS12 archive format.
key-alias=Key Alias
@@ -468,6 +474,8 @@ select-account.option=select_account
prompt.tooltip=Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
validate-signatures=Validate Signatures
identity-provider.validate-signatures.tooltip=Enable/disable signature validation of external IDP signatures.
+identity-provider.use-jwks-url.tooltip=If the switch is on, then identity provider public keys will be downloaded from given JWKS URL. This allows great flexibility because new keys will be always re-downloaded again when identity provider generates new keypair. If the switch is off, then public key (or certificate) from the Keycloak DB is used, so when identity provider keypair changes, you always need to import new key to the Keycloak DB as well.
+identity-provider.jwks-url.tooltip=URL where identity provider keys in JWK format are stored. See JWK specification for more details. If you use external keycloak identity provider, then you can use URL like 'http://broker-keycloak:8180/auth/realms/test/protocol/openid-connect/certs' assuming your brokered keycloak is running on 'http://broker-keycloak:8180' and it's realm is 'test' .
validating-public-key=Validating Public Key
identity-provider.validating-public-key.tooltip=The public key in PEM format that must be used to verify external IDP signatures.
import-external-idp-config=Import External IDP Config
diff --git a/themes/src/main/resources/theme/base/admin/resources/js/controllers/clients.js b/themes/src/main/resources/theme/base/admin/resources/js/controllers/clients.js
index f46f2d8..4b33b14 100755
--- a/themes/src/main/resources/theme/base/admin/resources/js/controllers/clients.js
+++ b/themes/src/main/resources/theme/base/admin/resources/js/controllers/clients.js
@@ -124,13 +124,54 @@ module.controller('ClientSecretCtrl', function($scope, $location, ClientSecret,
};
});
-module.controller('ClientSignedJWTCtrl', function($scope, $location, ClientCertificate) {
+module.controller('ClientSignedJWTCtrl', function($scope, $location, Client, ClientCertificate, Notifications, $route) {
var signingKeyInfo = ClientCertificate.get({ realm : $scope.realm.realm, client : $scope.client.id, attribute: 'jwt.credential' },
function() {
$scope.signingKeyInfo = signingKeyInfo;
}
);
+ console.log('ClientSignedJWTCtrl invoked');
+
+ $scope.clientCopy = angular.copy($scope.client);
+ $scope.changed = false;
+
+ $scope.$watch('client', function() {
+ if (!angular.equals($scope.client, $scope.clientCopy)) {
+ $scope.changed = true;
+ }
+ }, true);
+
+ if ($scope.client.attributes["use.jwks.url"]) {
+ if ($scope.client.attributes["use.jwks.url"] == "true") {
+ $scope.useJwksUrl = true;
+ } else {
+ $scope.useJwksUrl = false;
+ }
+ }
+
+ $scope.switchChange = function() {
+ $scope.changed = true;
+ }
+
+ $scope.save = function() {
+
+ if ($scope.useJwksUrl == true) {
+ $scope.client.attributes["use.jwks.url"] = "true";
+ } else {
+ $scope.client.attributes["use.jwks.url"] = "false";
+ }
+
+ Client.update({
+ realm : $scope.realm.realm,
+ client : $scope.client.id
+ }, $scope.client, function() {
+ $scope.changed = false;
+ $scope.clientCopy = angular.copy($scope.client);
+ Notifications.success("Client authentication configuration has been saved to the client.");
+ });
+ };
+
$scope.importCertificate = function() {
$location.url("/realms/" + $scope.realm.realm + "/clients/" + $scope.client.id + "/credentials/client-jwt/Signing/import/jwt.credential");
};
@@ -139,8 +180,8 @@ module.controller('ClientSignedJWTCtrl', function($scope, $location, ClientCerti
$location.url("/realms/" + $scope.realm.realm + "/clients/" + $scope.client.id + "/credentials/client-jwt/Signing/export/jwt.credential");
};
- $scope.cancel = function() {
- $location.url("/realms/" + $scope.realm.realm + "/clients/" + $scope.client.id + "/credentials");
+ $scope.reset = function() {
+ $route.reload();
};
});
diff --git a/themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js b/themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js
index deb90a7..bce6b9d 100644
--- a/themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js
+++ b/themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js
@@ -784,6 +784,7 @@ module.controller('RealmIdentityProviderCtrl', function($scope, $filter, $upload
$scope.identityProvider.enabled = true;
$scope.identityProvider.authenticateByDefault = false;
$scope.identityProvider.firstBrokerLoginFlowAlias = 'first broker login';
+ $scope.identityProvider.config.useJwksUrl = 'true';
$scope.newIdentityProvider = true;
}
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt.html b/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt.html
index 0cb1999..29f6524 100644
--- a/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt.html
@@ -1,34 +1,74 @@
-<div>
- <form class="form-horizontal no-margin-top" name="keyForm" novalidate kc-read-only="!access.manageClients" data-ng-controller="ClientSignedJWTCtrl">
- <div class="form-group">
-
- <div data-ng-show="signingKeyInfo.certificate">
- <label class="col-md-2 control-label" for="signingCert">{{:: 'certificate' | translate}}</label>
- <kc-tooltip>{{:: 'certificate.tooltip' | translate}}</kc-tooltip>
-
- <div class="col-sm-10" data-ng-show="signingKeyInfo.certificate">
- <textarea type="text" id="signingCert" name="signingCert" class="form-control" rows="5" kc-select-action="click" readonly>{{signingKeyInfo.certificate}}</textarea>
- </div>
- </div>
-
- <div data-ng-show="signingKeyInfo.publicKey">
- <label class="col-md-2 control-label" for="publicKey">{{:: 'publicKey' | translate}}</label>
- <kc-tooltip>{{:: 'publicKey.tooltip' | translate}}</kc-tooltip>
-
- <div class="col-sm-10" data-ng-show="signingKeyInfo.publicKey">
- <textarea type="text" id="publicKey" name="publicKey" class="form-control" rows="5" kc-select-action="click" readonly>{{signingKeyInfo.publicKey}}</textarea>
- </div>
- </div>
-
- <div class="col-sm-10" data-ng-hide="signingKeyInfo.certificate || signingKeyInfo.publicKey">
- {{:: 'no-client-certificate-configured' | translate}}
- </div>
- </div>
- <div class="form-group">
- <div class="col-md-10 col-md-offset-2" data-ng-show="access.manageClients">
- <button class="btn btn-default" type="submit" data-ng-click="generateSigningKey()">{{:: 'gen-new-keys-and-cert' | translate}}</button>
- <button class="btn btn-default" type="submit" data-ng-click="importCertificate()">{{:: 'import-certificate' | translate}}</button>
- </div>
- </div>
- </form>
+ <div class="form-horizontal no-margin-top" name="keyForm" novalidate kc-read-only="!access.manageClients" data-ng-controller="ClientSignedJWTCtrl">
+
+ <div class="form-group">
+ <label class="col-md-2 control-label" for="useJwksUrl">{{:: 'use-jwks-url' | translate}}</label>
+ <div class="col-sm-6">
+ <input ng-model="useJwksUrl" name="useJwksUrl" id="useJwksUrl" ng-click="switchChange()" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
+ </div>
+ <kc-tooltip>{{:: 'use-jwks-url.tooltip' | translate}}</kc-tooltip>
+ </div>
+
+ <div class="form-group" data-ng-show="useJwksUrl">
+ <label class="col-md-2 control-label" for="jwksUrl">{{:: 'jwks-url' | translate}}</label>
+ <div class="col-sm-6">
+ <input class="form-control" type="text" name="jwksUrl" id="jwksUrl" data-ng-model="client.attributes['jwks.url']">
+ </div>
+ <kc-tooltip>{{:: 'jwks-url.tooltip' | translate}}</kc-tooltip>
+ </div>
+
+ <div data-ng-show="!useJwksUrl">
+
+ <div class="form-group" data-ng-show="signingKeyInfo.certificate">
+ <label class="col-md-2 control-label" for="signingCert">{{:: 'certificate' | translate}}</label>
+ <kc-tooltip>{{:: 'certificate.tooltip' | translate}}</kc-tooltip>
+
+ <div class="col-sm-10" data-ng-show="signingKeyInfo.certificate">
+ <textarea type="text" id="signingCert" name="signingCert" class="form-control" rows="5" kc-select-action="click" readonly>{{signingKeyInfo.certificate}}</textarea>
+ </div>
+ </div>
+
+ <div class="form-group" data-ng-show="signingKeyInfo.publicKey">
+ <label class="col-md-2 control-label" for="publicKey">{{:: 'publicKey' | translate}}</label>
+ <kc-tooltip>{{:: 'publicKey.tooltip' | translate}}</kc-tooltip>
+
+ <div class="col-sm-10" data-ng-show="signingKeyInfo.publicKey">
+ <textarea type="text" id="publicKey" name="publicKey" class="form-control" rows="5" kc-select-action="click" readonly>{{signingKeyInfo.publicKey}}</textarea>
+ </div>
+ </div>
+
+ <div class="form-group" data-ng-show="signingKeyInfo.kid">
+ <label class="col-md-2 control-label" for="kid">{{:: 'kid' | translate}}</label>
+ <kc-tooltip>{{:: 'kid.tooltip' | translate}}</kc-tooltip>
+
+ <div class="col-sm-6">
+ <div class="row">
+ <div class="col-sm-6">
+ <input readonly kc-select-action="click" class="form-control" type="text" id="kid" name="kid" data-ng-model="signingKeyInfo.kid">
+ </div>
+ </div>
+ </div>
+ </div>
+
+ <div class="form-group" data-ng-hide="signingKeyInfo.certificate || signingKeyInfo.publicKey">
+ <label class="col-md-2 control-label"></label>
+ <div class="col-sm-6">
+ <div class="row">
+ <div class="col-sm-6">
+ {{:: 'no-client-certificate-configured' | translate}}
+ </div>
+ </div>
+ </div>
+ </div>
+
+ </div>
+
+ <div class="form-group">
+ <div class="col-md-10 col-md-offset-2" data-ng-show="access.manageClients">
+ <button class="btn btn-default" type="submit" data-ng-click="generateSigningKey()">{{:: 'gen-new-keys-and-cert' | translate}}</button>
+ <button data-ng-disabled="useJwksUrl" class="btn btn-default" type="submit" data-ng-click="importCertificate()">{{:: 'import-certificate' | translate}}</button>
+ <button kc-save data-ng-disabled="!changed" data-ng-click="save()">{{:: 'save' | translate}}</button>
+ <button kc-reset data-ng-disabled="!changed" data-ng-click="reset()">{{:: 'cancel' | translate}}</button>
+ </div>
+ </div>
+
</div>
\ No newline at end of file
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-oidc.html b/themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-oidc.html
index aceae0a..80b4074 100755
--- a/themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-oidc.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-oidc.html
@@ -184,13 +184,35 @@
</div>
<kc-tooltip>{{:: 'identity-provider.validate-signatures.tooltip' | translate}}</kc-tooltip>
</div>
- <div class="form-group clearfix" data-ng-show="identityProvider.config.validateSignature == 'true'">
- <label class="col-md-2 control-label" for="publicKeySignatureVerifier">{{:: 'validating-public-key' | translate}}</label>
- <div class="col-md-6">
- <textarea class="form-control" id="publicKeySignatureVerifier" ng-model="identityProvider.config.publicKeySignatureVerifier"/>
+
+ <div data-ng-show="identityProvider.config.validateSignature == 'true'">
+
+ <div class="form-group">
+ <label class="col-md-2 control-label" for="useJwksUrl">{{:: 'use-jwks-url' | translate}}</label>
+ <div class="col-md-6">
+ <input ng-model="identityProvider.config.useJwksUrl" id="useJwksUrl" onoffswitchvalue on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
+ </div>
+ <kc-tooltip>{{:: 'identity-provider.use-jwks-url.tooltip' | translate}}</kc-tooltip>
+ </div>
+
+ <div class="form-group clearfix" data-ng-show="identityProvider.config.useJwksUrl == 'true'">
+ <label class="col-md-2 control-label" for="jwksUrl">{{:: 'jwks-url' | translate}} </label>
+ <div class="col-md-6">
+ <input class="form-control" id="jwksUrl" type="text" ng-model="identityProvider.config.jwksUrl">
+ </div>
+ <kc-tooltip>{{:: 'identity-provider.jwks-url.tooltip' | translate}}</kc-tooltip>
+ </div>
+
+ <div class="form-group clearfix" data-ng-hide="identityProvider.config.useJwksUrl == 'true'">
+ <label class="col-md-2 control-label" for="publicKeySignatureVerifier">{{:: 'validating-public-key' | translate}}</label>
+ <div class="col-md-6">
+ <textarea class="form-control" id="publicKeySignatureVerifier" ng-model="identityProvider.config.publicKeySignatureVerifier"/>
+ </div>
+ <kc-tooltip>{{:: 'identity-provider.validating-public-key.tooltip' | translate}}</kc-tooltip>
</div>
- <kc-tooltip>{{:: 'identity-provider.validating-public-key.tooltip' | translate}}</kc-tooltip>
+
</div>
+
</fieldset>
<fieldset data-ng-show="newIdentityProvider">
<legend uncollapsed><span class="text">{{:: 'import-external-idp-config' | translate}}</span> <kc-tooltip>{{:: 'import-external-idp-config.tooltip' | translate}}</kc-tooltip></legend>
diff --git a/wildfly/server-subsystem/src/main/config/default-server-subsys-config.properties b/wildfly/server-subsystem/src/main/config/default-server-subsys-config.properties
index e29d1bd..bb4b18c 100644
--- a/wildfly/server-subsystem/src/main/config/default-server-subsys-config.properties
+++ b/wildfly/server-subsystem/src/main/config/default-server-subsys-config.properties
@@ -73,4 +73,11 @@ keycloak.server.subsys.default.config=\
<default-provider>${keycloak.jta.lookup.provider:jboss}</default-provider>\
<provider name="jboss" enabled="true"/>\
</spi>\
+ <spi name="keyStorage">\
+ <provider name="infinispan" enabled="true">\
+ <properties>\
+ <property name="minTimeBetweenRequests" value="10"/>\
+ </properties>\
+ </provider>\
+ </spi>\
</subsystem>\
\ No newline at end of file
diff --git a/wildfly/server-subsystem/src/main/java/org/keycloak/subsystem/server/extension/KeycloakServerDeploymentProcessor.java b/wildfly/server-subsystem/src/main/java/org/keycloak/subsystem/server/extension/KeycloakServerDeploymentProcessor.java
index 1bc2211..e48ff55 100755
--- a/wildfly/server-subsystem/src/main/java/org/keycloak/subsystem/server/extension/KeycloakServerDeploymentProcessor.java
+++ b/wildfly/server-subsystem/src/main/java/org/keycloak/subsystem/server/extension/KeycloakServerDeploymentProcessor.java
@@ -100,7 +100,8 @@ public class KeycloakServerDeploymentProcessor implements DeploymentUnitProcesso
st.addDependency(cacheContainerService.append("offlineSessions"));
st.addDependency(cacheContainerService.append("loginFailures"));
st.addDependency(cacheContainerService.append("work"));
- st.addDependency(cacheContainerService.append("authorization"));;
+ st.addDependency(cacheContainerService.append("authorization"));
+ st.addDependency(cacheContainerService.append("keys"));
}
}
diff --git a/wildfly/server-subsystem/src/main/resources/cli/default-keycloak-subsys-config.cli b/wildfly/server-subsystem/src/main/resources/cli/default-keycloak-subsys-config.cli
index 6adef01..cbfdd53 100644
--- a/wildfly/server-subsystem/src/main/resources/cli/default-keycloak-subsys-config.cli
+++ b/wildfly/server-subsystem/src/main/resources/cli/default-keycloak-subsys-config.cli
@@ -18,4 +18,6 @@
/subsystem=keycloak-server/spi=connectionsInfinispan/:add(default-provider=default)
/subsystem=keycloak-server/spi=connectionsInfinispan/provider=default/:add(properties={cacheContainer => "java:comp/env/infinispan/Keycloak"},enabled=true)
/subsystem=keycloak-server/spi=jta-lookup/:add(default-provider=${keycloak.jta.lookup.provider:jboss})
-/subsystem=keycloak-server/spi=jta-lookup/provider=jboss/:add(enabled=true)
\ No newline at end of file
+/subsystem=keycloak-server/spi=jta-lookup/provider=jboss/:add(enabled=true)
+/subsystem=keycloak-server/spi=keyStorage/:add
+/subsystem=keycloak-server/spi=keyStorage/provider=infinispan/:add(properties={minTimeBetweenRequests => "10"},enabled=true)
\ No newline at end of file
diff --git a/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan.xml b/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan.xml
index bbc1a83..840fa2c 100755
--- a/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan.xml
+++ b/wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-infinispan.xml
@@ -36,6 +36,10 @@
<local-cache name="authorization">
<eviction max-entries="100" strategy="LRU"/>
</local-cache>
+ <local-cache name="keys">
+ <eviction max-entries="1000" strategy="LRU"/>
+ <expiration max-idle="3600000" />
+ </local-cache>
</cache-container>
<cache-container name="server" default-cache="default" module="org.wildfly.clustering.server">
<local-cache name="default">
@@ -97,6 +101,10 @@
<distributed-cache name="loginFailures" mode="SYNC" owners="1"/>
<distributed-cache name="authorization" mode="SYNC" owners="1"/>
<replicated-cache name="work" mode="SYNC" />
+ <local-cache name="keys">
+ <eviction max-entries="1000" strategy="LRU"/>
+ <expiration max-idle="3600000" />
+ </local-cache>
</cache-container>
<cache-container name="server" aliases="singleton cluster" default-cache="default" module="org.wildfly.clustering.server">
<transport lock-timeout="60000"/>