if (deployment.getClient() != null) .socketTimeout(socketTimeout, TimeUnit.MILLISECONDS) .build(this.identityServiceConfig); deployment.setClient(client); logger.info("Keycloak JWKS URL: " + deployment.getJwksUrl()); logger.info("Keycloak Realm: " + deployment.getRealm()); logger.info("Keycloak Client ID: " + deployment.getResourceName());
/**
 * Returns the token store setting of the wrapped deployment.
 *
 * @return the delegate's {@link TokenStore}
 */
@Override
public TokenStore getTokenStore() {
    TokenStore store = delegate.getTokenStore();
    return store;
}
/**
 * Reports whether the wrapped deployment refreshes the token on every request.
 *
 * @return the delegate's always-refresh flag
 */
@Override
public boolean isAlwaysRefreshToken() {
    boolean alwaysRefresh = delegate.isAlwaysRefreshToken();
    return alwaysRefresh;
}
/**
 * Reports whether this deployment carries the minimum settings needed to serve
 * requests: a realm, a public-key locator and, unless the adapter is bearer-only,
 * an auth-server base URL.
 *
 * @return {@code true} when the adapter can be used, {@code false} otherwise
 */
public boolean isConfigured() {
    if (getRealm() == null) {
        return false;
    }
    if (getPublicKeyLocator() == null) {
        return false;
    }
    // Bearer-only adapters never redirect to the auth server, so its URL is optional for them.
    return isBearerOnly() || getAuthServerBaseUrl() != null;
}
/**
 * Authenticates the client with a signed JWT client assertion: the assertion
 * and its type are added to the token request's form parameters; the request
 * headers are left untouched.
 *
 * @param deployment     adapter deployment supplying the client id and realm info URL
 * @param requestHeaders request headers (not used by this provider)
 * @param formParams     form parameters the assertion is written into
 */
@Override
public void setClientCredentials(KeycloakDeployment deployment, Map<String, String> requestHeaders, Map<String, String> formParams) {
    String clientId = deployment.getResourceName();
    // Realm info URL is passed to the signer; presumably it ends up as the assertion audience.
    String realmInfoUrl = deployment.getRealmInfoUrl();
    String assertion = createSignedRequestToken(clientId, realmInfoUrl);
    formParams.put(OAuth2Constants.CLIENT_ASSERTION_TYPE, OAuth2Constants.CLIENT_ASSERTION_TYPE_JWT);
    formParams.put(OAuth2Constants.CLIENT_ASSERTION, assertion);
}
/**
 * Authenticates the client with its secret via an HTTP Basic Authorization
 * header, or, for public clients, by sending only the client id as a form
 * parameter.
 *
 * @param deployment     adapter deployment (client id, public-client flag)
 * @param requestHeaders headers the Authorization header is added to
 * @param formParams     form parameters the client id is added to for public clients
 */
@Override
public void setClientCredentials(KeycloakDeployment deployment, Map<String, String> requestHeaders, Map<String, String> formParams) {
    String clientId = deployment.getResourceName();
    if (deployment.isPublicClient()) {
        // Public clients have no secret; they identify themselves by client_id only.
        formParams.put(OAuth2Constants.CLIENT_ID, clientId);
        return;
    }
    if (clientSecret == null) {
        // Best-effort: the request goes out without credentials; only the client id is logged.
        logger.warnf("Client '%s' doesn't have secret available", clientId);
        return;
    }
    String basicHeader = BasicAuthHelper.createHeader(clientId, clientSecret);
    requestHeaders.put("Authorization", basicHeader);
}
}
protected KeycloakDeployment internalBuild(AdapterConfig adapterConfig) { if (adapterConfig.getRealm() == null) throw new RuntimeException("Must set 'realm' in config"); deployment.setRealm(adapterConfig.getRealm()); String resource = adapterConfig.getResource(); if (resource == null) throw new RuntimeException("Must set 'resource' in config"); deployment.setResourceName(resource); realmKey = PemUtils.decodePublicKey(realmKeyPem); HardcodedPublicKeyLocator pkLocator = new HardcodedPublicKeyLocator(realmKey); deployment.setPublicKeyLocator(pkLocator); } catch (Exception e) { throw new RuntimeException(e); deployment.setPublicKeyLocator(pkLocator); deployment.setSslRequired(SslRequired.valueOf(adapterConfig.getSslRequired().toUpperCase())); } else { deployment.setSslRequired(SslRequired.EXTERNAL); deployment.setConfidentialPort(adapterConfig.getConfidentialPort()); deployment.setTokenStore(TokenStore.valueOf(adapterConfig.getTokenStore().toUpperCase())); } else { deployment.setTokenStore(TokenStore.SESSION); deployment.setAdapterStateCookiePath(adapterConfig.getTokenCookiePath()); if (adapterConfig.getPrincipalAttribute() != null) deployment.setPrincipalAttribute(adapterConfig.getPrincipalAttribute()); deployment.setResourceCredentials(adapterConfig.getCredentials());
/**
 * Resolves the deployment for the current request and refuses the request
 * with a 403 when the adapter is not configured.
 *
 * @return {@code true} if the request may proceed; {@code false} after the
 *         403 has already been written to the response
 */
protected boolean resolveDeployment() {
    deployment = deploymentContext.resolveDeployment(facade);
    if (deployment.isConfigured()) {
        return true;
    }
    // Fail closed: an unconfigured adapter lets no request through.
    log.warn("can't take request, adapter not configured");
    facade.getResponse().sendError(403, "adapter not configured");
    return false;
}
/**
 * Returns the realm name of the wrapped deployment.
 *
 * @return the delegate's realm
 */
@Override
public String getRealm() {
    String realm = delegate.getRealm();
    return realm;
}
protected AccessTokenResponse getToken(String username, String password) throws Exception { AccessTokenResponse tokenResponse=null; HttpClient client = deployment.getClient(); KeycloakUriBuilder.fromUri(deployment.getAuthServerBaseUrl()) .path(ServiceUrlConstants.TOKEN_PATH).build(deployment.getRealm())); java.util.List <NameValuePair> formparams = new java.util.ArrayList <NameValuePair>(); formparams.add(new BasicNameValuePair(OAuth2Constants.GRANT_TYPE, OAuth2Constants.PASSWORD));
/**
 * Builds a deployment from an adapter configuration stream.
 *
 * @param is the adapter configuration, or {@code null} when none is available
 * @return the deployment built from the stream, or an empty deployment when the
 *         stream is {@code null}; the empty deployment denies all requests
 */
private KeycloakDeployment createKeycloakDeploymentFrom(InputStream is) {
    if (is != null) {
        return KeycloakDeploymentBuilder.build(is);
    }
    // Fail closed: without configuration the adapter refuses everything rather than passing requests through.
    log.fine("No adapter configuration. Keycloak is unconfigured and will deny all requests.");
    return new KeycloakDeployment();
}
if (!isRequestSecure() && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) { log.error("Adapter requires SSL. Request: " + facade.getRequest().getURI()); return challenge(403, OIDCAuthenticationError.Reason.SSL_REQUIRED, null); String httpSessionId = deployment.getTokenStore() == TokenStore.SESSION ? reqAuthenticator.changeHttpSessionId(true) : null; tokenResponse = ServerRequest.invokeAccessCodeToToken(deployment, code, rewrittenRedirectUri(strippedOauthParametersRequestUri), httpSessionId); } catch (ServerRequest.HttpFailure failure) { return challenge(403, OIDCAuthenticationError.Reason.INVALID_TOKEN, null); if (tokenResponse.getNotBeforePolicy() > deployment.getNotBefore()) { deployment.updateNotBefore(tokenResponse.getNotBeforePolicy()); if (token.getIssuedAt() < deployment.getNotBefore()) { log.error("Stale token"); return challenge(403, OIDCAuthenticationError.Reason.STALE_TOKEN, null);
/**
 * Reports whether the wrapped deployment disables the session-id change on login.
 *
 * @return the delegate's flag
 */
@Override
public boolean isTurnOffChangeSessionIdOnLogin() {
    boolean turnedOff = delegate.isTurnOffChangeSessionIdOnLogin();
    return turnedOff;
}
log.debugf("callback uri: %s", url); if (!facade.getRequest().isSecure() && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) { int port = sslRedirectPort(); if (port < 0) { url = UriUtils.stripQueryParam(url, OAuth2Constants.UI_LOCALES_PARAM); KeycloakUriBuilder redirectUriBuilder = deployment.getAuthUrl().clone() .queryParam(OAuth2Constants.RESPONSE_TYPE, OAuth2Constants.CODE) .queryParam(OAuth2Constants.CLIENT_ID, deployment.getResourceName()) .queryParam(OAuth2Constants.REDIRECT_URI, rewrittenRedirectUri(url)) .queryParam(OAuth2Constants.STATE, state)
/**
 * Returns the resource (client id) name of the wrapped deployment.
 *
 * @return the delegate's resource name
 */
@Override
public String getResourceName() {
    String resourceName = delegate.getResourceName();
    return resourceName;
}
/**
 * Reports whether the wrapped deployment is bearer-only.
 *
 * @return the delegate's bearer-only flag
 */
@Override
public boolean isBearerOnly() {
    boolean bearerOnly = delegate.isBearerOnly();
    return bearerOnly;
}
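/**
 * Extracts the tokens from a token response, verifies the access token against
 * the realm key and decodes the optional ID token.
 *
 * @param tokenResponse response from the token endpoint
 * @throws VerificationException if the access token fails verification or the
 *         ID token cannot be decoded (the decoding error is kept as the cause)
 */
private void parseAccessToken(AccessTokenResponse tokenResponse) throws VerificationException {
    tokenString = tokenResponse.getToken();
    refreshToken = tokenResponse.getRefreshToken();
    idTokenString = tokenResponse.getIdToken();
    // The access token is the one that gets a signature check against the realm key.
    token = RSATokenVerifier.verifyToken(tokenString, deployment.getRealmKey(), deployment.getRealm());
    if (idTokenString == null) {
        return;
    }
    // NOTE(review): the ID token appears to be decoded only, not signature-verified like the
    // access token above; it came back in the same token-endpoint response — confirm this is intended.
    JWSInput input = new JWSInput(idTokenString);
    try {
        idToken = input.readJsonContent(IDToken.class);
    } catch (IOException e) {
        // Keep the underlying error as the cause instead of throwing a bare exception.
        throw new VerificationException("Failed to decode ID token", e);
    }
}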
/**
 * Posts a node register/unregister request for this application to the given
 * client-management endpoint, authenticating with the deployment's client
 * credentials.
 *
 * @param deployment  adapter deployment (credentials provider, HTTP client, resource name)
 * @param host        cluster host sent as the client-cluster-host form parameter
 * @param endpointUrl management endpoint to post to; must not be {@code null}
 * @throws IOException  if no endpoint URL is configured or the HTTP call fails
 * @throws HttpFailure  for any status other than 204, presumably raised by {@code error(...)}
 */
public static void invokeClientManagementRequest(KeycloakDeployment deployment, String host, String endpointUrl) throws HttpFailure, IOException {
    if (endpointUrl == null) {
        throw new IOException("You need to configure URI for register/unregister node for application " + deployment.getResourceName());
    }
    List<NameValuePair> formparams = new ArrayList<NameValuePair>();
    formparams.add(new BasicNameValuePair(AdapterConstants.CLIENT_CLUSTER_HOST, host));
    HttpPost post = new HttpPost(endpointUrl);
    // The configured credentials provider decides whether a secret header or a signed assertion is used.
    ClientCredentialsProviderUtils.setClientCredentials(deployment, post, formparams);
    post.setEntity(new UrlEncodedFormEntity(formparams, "UTF-8"));
    HttpResponse response = deployment.getClient().execute(post);
    int status = response.getStatusLine().getStatusCode();
    if (status == 204) {
        return;
    }
    // Non-204 responses are handed to error() together with the body for diagnostics.
    error(status, response.getEntity());
}
/**
 * Returns the SSL requirement of the wrapped deployment.
 *
 * @return the delegate's {@link SslRequired} setting
 */
@Override
public SslRequired getSslRequired() {
    SslRequired sslRequired = delegate.getSslRequired();
    return sslRequired;
}
/**
 * Wraps a handler with Undertow session support, using a per-application
 * session cookie named {@code keycloak.<resource>.session} scoped to the
 * adapter's base path.
 *
 * @param toWrap the handler to wrap
 * @return a session-attaching handler around {@code toWrap}
 */
private HttpHandler sessionHandling(HttpHandler toWrap) {
    SessionCookieConfig cookieConfig = new SessionCookieConfig();
    cookieConfig.setCookieName("keycloak." + deployment.getResourceName() + ".session");
    cookieConfig.setPath(base);
    // The Secure flag is only set for SslRequired.ALL; with other settings the cookie is not
    // restricted to HTTPS. NOTE(review): no HttpOnly flag is configured on this cookie here.
    boolean httpsOnlyCookie = deployment.getSslRequired() == SslRequired.ALL;
    if (httpsOnlyCookie) {
        cookieConfig.setSecure(true);
    }
    return new SessionAttachmentHandler(toWrap, sessionManager, cookieConfig);
}