protected void setRoles(RefreshableKeycloakSecurityContext session) { Set<String> roles = AdapterUtils.getRolesFromSecurityContext(session); this.accountRoles = roles; }
public static KeycloakPrincipal<RefreshableKeycloakSecurityContext> createPrincipal(KeycloakDeployment deployment, RefreshableKeycloakSecurityContext securityContext) { return new KeycloakPrincipal<RefreshableKeycloakSecurityContext>(getPrincipalName(deployment, securityContext.getToken()), securityContext); } }
protected String getStateCode() { return AdapterUtils.generateId(); }
/** * Called after accessToken was verified (including signature, expiration etc) * */ protected Auth postTokenVerification(String tokenString, AccessToken token) { boolean verifyCaller; if (deployment.isUseResourceRoleMappings()) { verifyCaller = token.isVerifyCaller(deployment.getResourceName()); } else { verifyCaller = token.isVerifyCaller(); } if (verifyCaller) { throw new IllegalStateException("VerifyCaller not supported yet in login module"); } RefreshableKeycloakSecurityContext skSession = new RefreshableKeycloakSecurityContext(deployment, null, tokenString, token, null, null, null); String principalName = AdapterUtils.getPrincipalName(deployment, token); final KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal = new KeycloakPrincipal<RefreshableKeycloakSecurityContext>(principalName, skSession); final Set<String> roles = AdapterUtils.getRolesFromSecurityContext(skSession); return new Auth(principal, roles, tokenString); }
@Override public boolean isCached(RequestAuthenticator authenticator) { if (request.getSession(false) == null || request.getSession().getAttribute(KeycloakSecurityContext.class.getName()) == null) return false; log.debug("remote logged in already. Establish state from session"); RefreshableKeycloakSecurityContext securityContext = (RefreshableKeycloakSecurityContext) request.getSession().getAttribute(KeycloakSecurityContext.class.getName()); if (!deployment.getRealm().equals(securityContext.getRealm())) { log.debug("Account from cookie is from a different realm than for the request."); return false; } securityContext.setCurrentRequestInfo(deployment, this); request.setAttribute(KeycloakSecurityContext.class.getName(), securityContext); JettyRequestAuthenticator jettyAuthenticator = (JettyRequestAuthenticator) authenticator; KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal = AdapterUtils.createPrincipal(deployment, securityContext); jettyAuthenticator.principal = principal; restoreRequest(); return true; }
private void propagateSecurityContext(JaxrsHttpFacade facade, ContainerRequestContext request, KeycloakDeployment resolvedDeployment, BearerTokenRequestAuthenticator bearer) { final RefreshableKeycloakSecurityContext skSession = new RefreshableKeycloakSecurityContext(resolvedDeployment, null, bearer.getTokenString(), bearer.getToken(), null, null, null); facade.setSecurityContext(skSession); final String principalName = AdapterUtils.getPrincipalName(resolvedDeployment, bearer.getToken()); final KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal = new KeycloakPrincipal<>(principalName, skSession); final Set<String> roles = AdapterUtils.getRolesFromSecurityContext(skSession); request.setSecurityContext(new HammockSecurityContext(principal, roles, request.getSecurityContext().isSecure())); }
@Override public boolean isCached(RequestAuthenticator authenticator) { if (request.getSession(false) == null || request.getSession().getAttribute(KeycloakSecurityContext.class.getName()) == null) return false; log.debug("remote logged in already. Establish state from session"); RefreshableKeycloakSecurityContext securityContext = (RefreshableKeycloakSecurityContext) request.getSession().getAttribute(KeycloakSecurityContext.class.getName()); if (!deployment.getRealm().equals(securityContext.getRealm())) { log.debug("Account from cookie is from a different realm than for the request."); return false; } securityContext.setCurrentRequestInfo(deployment, this); request.setAttribute(KeycloakSecurityContext.class.getName(), securityContext); JettyRequestAuthenticator jettyAuthenticator = (JettyRequestAuthenticator) authenticator; KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal = AdapterUtils.createPrincipal(deployment, securityContext); jettyAuthenticator.principal = principal; restoreRequest(); return true; }
protected void setRoles(RefreshableKeycloakSecurityContext session) { Set<String> roles = AdapterUtils.getRolesFromSecurityContext(session); this.accountRoles = roles; }
protected void propagateSecurityContext(JaxrsHttpFacade facade, ContainerRequestContext request, KeycloakDeployment resolvedDeployment, BearerTokenRequestAuthenticator bearer) { RefreshableKeycloakSecurityContext skSession = new RefreshableKeycloakSecurityContext(resolvedDeployment, null, bearer.getTokenString(), bearer.getToken(), null, null, null); // Not needed to do resteasy specifics as KeycloakSecurityContext can be always retrieved from SecurityContext by typecast SecurityContext.getUserPrincipal to KeycloakPrincipal // ResteasyProviderFactory.pushContext(KeycloakSecurityContext.class, skSession); facade.setSecurityContext(skSession); String principalName = AdapterUtils.getPrincipalName(resolvedDeployment, bearer.getToken()); final KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal = new KeycloakPrincipal<RefreshableKeycloakSecurityContext>(principalName, skSession); SecurityContext anonymousSecurityContext = getRequestSecurityContext(request); final boolean isSecure = anonymousSecurityContext.isSecure(); final Set<String> roles = AdapterUtils.getRolesFromSecurityContext(skSession); SecurityContext ctx = new SecurityContext() { @Override public Principal getUserPrincipal() { return principal; } @Override public boolean isUserInRole(String role) { return roles.contains(role); } @Override public boolean isSecure() { return isSecure; } @Override public String getAuthenticationScheme() { return "OAUTH_BEARER"; } }; request.setSecurityContext(ctx); }
return new KeycloakPrincipal<RefreshableKeycloakSecurityContext>(AdapterUtils.getPrincipalName(deployment, accessToken), secContext); } catch (VerificationException ve) { log.warn("Failed verify token", ve);
protected JsonWebToken createRequestToken(String clientId, String realmInfoUrl) { JsonWebToken reqToken = new JsonWebToken(); reqToken.id(AdapterUtils.generateId()); reqToken.issuer(clientId); reqToken.subject(clientId); reqToken.audience(realmInfoUrl); int now = Time.currentTime(); reqToken.issuedAt(now); reqToken.expiration(now + this.tokenTimeout); reqToken.notBefore(now); return reqToken; } }
public static UserIdentity createIdentity(KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal) { Set<String> roles = AdapterUtils.getRolesFromSecurityContext(principal.getKeycloakSecurityContext()); if (roles == null) { roles = new HashSet<String>(); } Subject theSubject = new Subject(); String[] theRoles = new String[roles.size()]; roles.toArray(theRoles); return new DefaultUserIdentity(theSubject, principal, theRoles); }
protected void completeAuthentication(BearerTokenRequestAuthenticator bearer, String method) { RefreshableKeycloakSecurityContext session = new RefreshableKeycloakSecurityContext(deployment, null, bearer.getTokenString(), bearer.getToken(), null, null, null); final KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal = new KeycloakPrincipal<RefreshableKeycloakSecurityContext>(AdapterUtils.getPrincipalName(deployment, bearer.getToken()), session); completeBearerAuthentication(principal, method); log.debugv("User ''{0}'' invoking ''{1}'' on client ''{2}''", principal.getName(), facade.getRequest().getURI(), deployment.getResourceName()); }
private JsonWebToken createRequestToken(String clientId, String realmInfoUrl) { // According to <a href="http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication">OIDC's client authentication spec</a>, // JWT claims is the same as one by private_key_jwt JsonWebToken reqToken = new JsonWebToken(); reqToken.id(AdapterUtils.generateId()); reqToken.issuer(clientId); reqToken.subject(clientId); reqToken.audience(realmInfoUrl); int now = Time.currentTime(); reqToken.issuedAt(now); // the same as in KEYCLOAK-2986, JWTClientCredentialsProvider's timeout field reqToken.expiration(now + 10); reqToken.notBefore(now); return reqToken; }
public static UserIdentity createIdentity(KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal) { Set<String> roles = AdapterUtils.getRolesFromSecurityContext(principal.getKeycloakSecurityContext()); if (roles == null) { roles = new HashSet<String>(); } Subject theSubject = new Subject(); String[] theRoles = new String[roles.size()]; roles.toArray(theRoles); return new DefaultUserIdentity(theSubject, principal, theRoles); }
protected void completeAuthentication(OAuthRequestAuthenticator oauth) { RefreshableKeycloakSecurityContext session = new RefreshableKeycloakSecurityContext(deployment, tokenStore, oauth.getTokenString(), oauth.getToken(), oauth.getIdTokenString(), oauth.getIdToken(), oauth.getRefreshToken()); final KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal = new KeycloakPrincipal<RefreshableKeycloakSecurityContext>(AdapterUtils.getPrincipalName(deployment, oauth.getToken()), session); completeOAuthAuthentication(principal); log.debugv("User ''{0}'' invoking ''{1}'' on client ''{2}''", principal.getName(), facade.getRequest().getURI(), deployment.getResourceName()); }
@Override protected void completeBearerAuthentication(KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal, String method) { RefreshableKeycloakSecurityContext securityContext = principal.getKeycloakSecurityContext(); Set<String> roles = AdapterUtils.getRolesFromSecurityContext(securityContext); final KeycloakAccount account = new SimpleKeycloakAccount(principal, roles, securityContext); logger.debug("Completing bearer authentication. Bearer roles: {} ",roles); SecurityContextHolder.getContext().setAuthentication(new KeycloakAuthenticationToken(account, false)); request.setAttribute(KeycloakSecurityContext.class.getName(), securityContext); }
@Override protected void completeBearerAuthentication(final KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal, String method) { final RefreshableKeycloakSecurityContext securityContext = principal.getKeycloakSecurityContext(); final Set<String> roles = AdapterUtils.getRolesFromSecurityContext(securityContext); if (log.isLoggable(Level.FINE)) { log.fine("Completing bearer authentication. Bearer roles: " + roles); } request.setAttribute(KeycloakSecurityContext.class.getName(), securityContext); OidcKeycloakAccount account = new OidcKeycloakAccount() { @Override public Principal getPrincipal() { return principal; } @Override public Set<String> getRoles() { return roles; } @Override public KeycloakSecurityContext getKeycloakSecurityContext() { return securityContext; } }; // need this here to obtain UserPrincipal request.setAttribute(KeycloakAccount.class.getName(), account); }
@Override protected void completeBearerAuthentication(KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal, String method) { this.principal = principal; RefreshableKeycloakSecurityContext securityContext = principal.getKeycloakSecurityContext(); Set<String> roles = AdapterUtils.getRolesFromSecurityContext(securityContext); if (log.isDebugEnabled()) { log.debug("Completing bearer authentication. Bearer roles: " + roles); } request.setAttribute(KeycloakSecurityContext.class.getName(), securityContext); }
@Override protected void completeOAuthAuthentication(final KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal) { final RefreshableKeycloakSecurityContext securityContext = principal.getKeycloakSecurityContext(); final Set<String> roles = AdapterUtils.getRolesFromSecurityContext(securityContext); final OidcKeycloakAccount account = new SimpleKeycloakAccount(principal, roles, securityContext); request.setAttribute(KeycloakSecurityContext.class.getName(), securityContext); this.tokenStore.saveAccountInfo(account); }