/**
 * Builds the bearer-token authenticator used for this request.
 *
 * <p>A new instance is created per call, bound to this object's {@code deployment}
 * field; no state is shared between invocations.
 *
 * @return a fresh {@link BearerTokenRequestAuthenticator} for {@code deployment}
 */
protected BearerTokenRequestAuthenticator createBearerTokenAuthenticator() {
    BearerTokenRequestAuthenticator bearerAuthenticator =
            new BearerTokenRequestAuthenticator(this.deployment);
    return bearerAuthenticator;
}
/**
 * Remembers the validation-failure description before delegating challenge creation
 * to the superclass.
 *
 * <p>NOTE(review): elsewhere on this page the {@code description} passed here is built
 * from an exception message ({@code e.getMessage()}); treat the stored value as a
 * diagnostic and confirm it is not echoed to clients unfiltered.
 *
 * @param facade      the request/response facade the challenge is written to
 * @param reason      why authentication failed
 * @param error       the OAuth error code, may be {@code null}
 * @param description human-readable failure detail, may be {@code null}
 * @return the challenge produced by {@code super.challengeResponse}
 */
@Override
protected AuthChallenge challengeResponse(HttpFacade facade, Reason reason, String error, String description) {
    // Stored first so it is available even if the superclass call throws.
    validationFailureDescription = description;
    AuthChallenge challenge = super.challengeResponse(facade, reason, error, description);
    return challenge;
}
}
/**
 * Authenticates the request with a bearer token, optionally falling back to HTTP Basic
 * when no bearer token was presented and the deployment enables Basic auth.
 *
 * <p>Any outcome other than success — including {@code NOT_ATTEMPTED}, i.e. no
 * credentials at all — is rejected: the authenticator's challenge is written to the
 * response (falling back to a plain 401 when it declines to write one) and the
 * response is ended, so the request never proceeds anonymously. On success the
 * SSL check runs before the security context is propagated.
 *
 * @param facade             JAX-RS facade for the current request/response
 * @param request            the container request whose security context is replaced
 * @param resolvedDeployment the Keycloak deployment resolved for this request
 */
protected void bearerAuthentication(JaxrsHttpFacade facade, ContainerRequestContext request, KeycloakDeployment resolvedDeployment) {
    BearerTokenRequestAuthenticator activeAuthenticator = new BearerTokenRequestAuthenticator(resolvedDeployment);
    AuthOutcome outcome = activeAuthenticator.authenticate(facade);

    // Basic auth is only consulted when no bearer token was attempted (not when one failed).
    boolean noBearerPresented = outcome == AuthOutcome.NOT_ATTEMPTED;
    if (noBearerPresented && resolvedDeployment.isEnableBasicAuth()) {
        activeAuthenticator = new BasicAuthRequestAuthenticator(resolvedDeployment);
        outcome = activeAuthenticator.authenticate(facade);
    }

    boolean rejected = outcome == AuthOutcome.FAILED || outcome == AuthOutcome.NOT_ATTEMPTED;
    if (rejected) {
        AuthChallenge challenge = activeAuthenticator.getChallenge();
        log.fine("Authentication outcome: " + outcome);
        boolean challengeWritten = challenge.challenge(facade);
        if (!challengeWritten) {
            // The challenge declined to set a status; make sure the client still sees a 401.
            facade.getResponse().setStatus(Response.Status.UNAUTHORIZED.getStatusCode());
        }
        if (!facade.isResponseFinished()) {
            facade.getResponse().end();
        }
        return;
    }

    // verifySslFailed is defined elsewhere; presumably it writes its own error response.
    if (verifySslFailed(facade, resolvedDeployment)) {
        return;
    }

    propagateSecurityContext(facade, request, resolvedDeployment, activeAuthenticator);
    handleAuthActions(facade, resolvedDeployment);
}
/**
 * Installs the authenticated identity on both the Keycloak facade and the JAX-RS request.
 *
 * <p>The security context is built from the token the bearer authenticator already
 * validated; the {@code isSecure} flag is carried over from the request's pre-existing
 * (pre-authentication) security context. Assumes
 * {@code request.getSecurityContext()} is non-null — TODO confirm for this container.
 *
 * @param facade             JAX-RS facade receiving the Keycloak security context
 * @param request            container request whose security context is replaced
 * @param resolvedDeployment deployment the token was validated against
 * @param bearer             authenticator holding the validated token and its string form
 */
private void propagateSecurityContext(JaxrsHttpFacade facade, ContainerRequestContext request, KeycloakDeployment resolvedDeployment, BearerTokenRequestAuthenticator bearer) {
    final RefreshableKeycloakSecurityContext keycloakContext = new RefreshableKeycloakSecurityContext(
            resolvedDeployment, null, bearer.getTokenString(), bearer.getToken(), null, null, null);
    facade.setSecurityContext(keycloakContext);

    final String name = AdapterUtils.getPrincipalName(resolvedDeployment, bearer.getToken());
    final KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal =
            new KeycloakPrincipal<>(name, keycloakContext);
    final Set<String> grantedRoles = AdapterUtils.getRolesFromSecurityContext(keycloakContext);
    final boolean transportSecure = request.getSecurityContext().isSecure();

    request.setSecurityContext(new HammockSecurityContext(principal, grantedRoles, transportSecure));
}
AuthOutcome outcome = bearer.authenticate(facade); if (outcome == AuthOutcome.FAILED) { challenge = bearer.getChallenge(); log.debug("Bearer FAILED"); return AuthOutcome.FAILED; challenge = bearer.getChallenge(); log.debug("NOT_ATTEMPTED: bearer only"); return AuthOutcome.NOT_ATTEMPTED; challenge = bearer.getChallenge(); log.debug("NOT_ATTEMPTED: Treating as bearer only"); return AuthOutcome.NOT_ATTEMPTED;
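/**
 * Locates a bearer token in the request's {@code Authorization} header(s) and validates it.
 *
 * <p>Each header value is trimmed and split on whitespace; only values of exactly two
 * parts whose scheme is {@code Bearer} (case-insensitive) are considered, so a bare
 * scheme or a value with extra parts is skipped rather than partially accepted. The
 * first matching value wins. When no usable token is found, a
 * {@code NO_BEARER_TOKEN} challenge is recorded in {@code challenge} and
 * {@code NOT_ATTEMPTED} is returned; otherwise the token string is stored in
 * {@code tokenString} and passed to {@link #authenticateToken}.
 *
 * <p>Changes from the previous version: the dead {@code split == null} test is gone
 * ({@code String.split} never returns {@code null}), the stray {@code ;} after the
 * scheme check is removed, and the explicit cast for logging is replaced by
 * {@code Integer.valueOf} (same {@code Object} overload).
 *
 * @param exchange the request/response facade
 * @return {@code NOT_ATTEMPTED} when no bearer token was presented, else the result of
 *         {@link #authenticateToken}
 */
public AuthOutcome authenticate(HttpFacade exchange) {
    List<String> authHeaders = exchange.getRequest().getHeaders("Authorization");
    if (authHeaders == null || authHeaders.isEmpty()) {
        challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.NO_BEARER_TOKEN, null, null);
        return AuthOutcome.NOT_ATTEMPTED;
    }

    tokenString = null;
    for (String authHeader : authHeaders) {
        // Exactly "<scheme> <credential>"; anything else is ignored.
        String[] split = authHeader.trim().split("\\s+");
        if (split.length != 2) {
            continue;
        }
        if (split[0].equalsIgnoreCase("Bearer")) {
            tokenString = split[1];
            log.debugf("Found [%d] values in authorization header, selecting the first value for Bearer.", Integer.valueOf(authHeaders.size()));
            break;
        }
    }

    if (tokenString == null) {
        challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.NO_BEARER_TOKEN, null, null);
        return AuthOutcome.NOT_ATTEMPTED;
    }
    return authenticateToken(exchange, tokenString);
}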
} catch (VerificationException e) { log.debug("Failed to verify token"); challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.INVALID_TOKEN, "invalid_token", e.getMessage()); return AuthOutcome.FAILED; challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.STALE_TOKEN, "invalid_token", "Stale token"); return AuthOutcome.FAILED; if (token.getTrustedCertificates() == null || token.getTrustedCertificates().size() == 0) { log.warn("No trusted certificates in token"); challenge = clientCertChallenge(); return AuthOutcome.FAILED; challenge = clientCertChallenge(); return AuthOutcome.FAILED;
private void bearerAuthentication(JaxrsHttpFacade facade, ContainerRequestContext request, KeycloakDeployment resolvedDeployment) { BearerTokenRequestAuthenticator authenticator = new BearerTokenRequestAuthenticator(resolvedDeployment); AuthOutcome outcome = authenticator.authenticate(facade); outcome = authenticator.authenticate(facade); outcome = authenticator.authenticate(facade); AuthChallenge challenge = authenticator.getChallenge(); boolean challengeSent = challenge.challenge(facade); if (!challengeSent) {
/**
 * Turns a validated bearer token into a Keycloak principal and completes bearer
 * authentication for the current request.
 *
 * <p>Logs, at debug level, the principal name, the request URI as returned by the
 * facade, and the deployment's resource name.
 *
 * @param bearer authenticator holding the validated token and its string form
 * @param method the authentication method name handed to {@code completeBearerAuthentication}
 */
protected void completeAuthentication(BearerTokenRequestAuthenticator bearer, String method) {
    RefreshableKeycloakSecurityContext securityContext = new RefreshableKeycloakSecurityContext(
            deployment, null, bearer.getTokenString(), bearer.getToken(), null, null, null);
    String principalName = AdapterUtils.getPrincipalName(deployment, bearer.getToken());
    final KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal =
            new KeycloakPrincipal<>(principalName, securityContext);

    completeBearerAuthentication(principal, method);

    log.debugv("User ''{0}'' invoking ''{1}'' on client ''{2}''",
            principal.getName(), facade.getRequest().getURI(), deployment.getResourceName());
}
/**
 * Installs the authenticated identity on the Keycloak facade and replaces the JAX-RS
 * request's security context with one backed by the validated token.
 *
 * <p>The Keycloak security context is not pushed into any RESTEasy-specific context:
 * it can always be recovered by casting {@code SecurityContext.getUserPrincipal()} to
 * {@link KeycloakPrincipal}. The {@code isSecure} flag is taken from the request's
 * pre-authentication security context; role checks consult the roles derived from
 * the token; the reported scheme is {@code "OAUTH_BEARER"}.
 *
 * @param facade             JAX-RS facade receiving the Keycloak security context
 * @param request            container request whose security context is replaced
 * @param resolvedDeployment deployment the token was validated against
 * @param bearer             authenticator holding the validated token and its string form
 */
protected void propagateSecurityContext(JaxrsHttpFacade facade, ContainerRequestContext request, KeycloakDeployment resolvedDeployment, BearerTokenRequestAuthenticator bearer) {
    RefreshableKeycloakSecurityContext keycloakContext = new RefreshableKeycloakSecurityContext(
            resolvedDeployment, null, bearer.getTokenString(), bearer.getToken(), null, null, null);
    facade.setSecurityContext(keycloakContext);

    String name = AdapterUtils.getPrincipalName(resolvedDeployment, bearer.getToken());
    final KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal =
            new KeycloakPrincipal<>(name, keycloakContext);

    // getRequestSecurityContext is defined elsewhere; only its isSecure() value is used.
    SecurityContext preAuthContext = getRequestSecurityContext(request);
    final boolean transportSecure = preAuthContext.isSecure();
    final Set<String> grantedRoles = AdapterUtils.getRolesFromSecurityContext(keycloakContext);

    SecurityContext authenticatedContext = new SecurityContext() {
        @Override
        public Principal getUserPrincipal() {
            return principal;
        }

        @Override
        public boolean isUserInRole(String role) {
            return grantedRoles.contains(role);
        }

        @Override
        public boolean isSecure() {
            return transportSecure;
        }

        @Override
        public String getAuthenticationScheme() {
            return "OAUTH_BEARER";
        }
    };
    request.setSecurityContext(authenticatedContext);
}
/**
 * Remembers the validation-failure description before delegating challenge creation
 * to the superclass.
 *
 * <p>NOTE(review): elsewhere on this page the {@code description} passed here is built
 * from an exception message ({@code e.getMessage()}); treat the stored value as a
 * diagnostic and confirm it is not echoed to clients unfiltered.
 *
 * @param facade      the request/response facade the challenge is written to
 * @param reason      why authentication failed
 * @param error       the OAuth error code, may be {@code null}
 * @param description human-readable failure detail, may be {@code null}
 * @return the challenge produced by {@code super.challengeResponse}
 */
@Override
protected AuthChallenge challengeResponse(HttpFacade facade, Reason reason, String error, String description) {
    // Stored first so it is available even if the superclass call throws.
    validationFailureDescription = description;
    AuthChallenge challenge = super.challengeResponse(facade, reason, error, description);
    return challenge;
}
}