284 lines
10 KiB
Java
284 lines
10 KiB
Java
/*
|
|
* Copyright 2016 Red Hat, Inc. and/or its affiliates
|
|
* and other contributors as indicated by the @author tags.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package org.keycloak.protocol.oidc;
|
|
|
|
import java.security.cert.X509Certificate;
|
|
import java.util.Collections;
|
|
import java.util.List;
|
|
import java.util.Optional;
|
|
import org.jboss.resteasy.annotations.cache.NoCache;
|
|
import org.keycloak.http.HttpRequest;
|
|
import org.keycloak.OAuthErrorException;
|
|
import org.keycloak.common.ClientConnection;
|
|
import org.keycloak.crypto.KeyType;
|
|
import org.keycloak.events.EventBuilder;
|
|
import org.keycloak.forms.login.LoginFormsProvider;
|
|
import org.keycloak.jose.jwk.JSONWebKeySet;
|
|
import org.keycloak.jose.jwk.JWK;
|
|
import org.keycloak.jose.jwk.JWKBuilder;
|
|
import org.keycloak.models.KeycloakSession;
|
|
import org.keycloak.models.RealmModel;
|
|
import org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint;
|
|
import org.keycloak.protocol.oidc.endpoints.LoginStatusIframeEndpoint;
|
|
import org.keycloak.protocol.oidc.endpoints.LogoutEndpoint;
|
|
import org.keycloak.protocol.oidc.endpoints.ThirdPartyCookiesIframeEndpoint;
|
|
import org.keycloak.protocol.oidc.endpoints.TokenEndpoint;
|
|
import org.keycloak.protocol.oidc.endpoints.TokenRevocationEndpoint;
|
|
import org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint;
|
|
import org.keycloak.protocol.oidc.ext.OIDCExtProvider;
|
|
import org.keycloak.services.CorsErrorResponseException;
|
|
import org.keycloak.services.resources.Cors;
|
|
import org.keycloak.services.resources.RealmsResource;
|
|
import org.keycloak.services.util.CacheControlUtil;
|
|
|
|
import java.util.Objects;
|
|
|
|
import javax.ws.rs.GET;
|
|
import javax.ws.rs.NotFoundException;
|
|
import javax.ws.rs.OPTIONS;
|
|
import javax.ws.rs.Path;
|
|
import javax.ws.rs.PathParam;
|
|
import javax.ws.rs.Produces;
|
|
import javax.ws.rs.QueryParam;
|
|
import javax.ws.rs.core.HttpHeaders;
|
|
import javax.ws.rs.core.MediaType;
|
|
import javax.ws.rs.core.Response;
|
|
import javax.ws.rs.core.UriBuilder;
|
|
import javax.ws.rs.core.UriInfo;
|
|
|
|
/**
|
|
* Resource class for the oauth/openid connect token service
|
|
*
|
|
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
|
* @version $Revision: 1 $
|
|
*/
|
|
public class OIDCLoginProtocolService {
|
|
|
|
private final RealmModel realm;
|
|
private final TokenManager tokenManager;
|
|
private final EventBuilder event;
|
|
private final OIDCProviderConfig providerConfig;
|
|
|
|
private final KeycloakSession session;
|
|
|
|
private final HttpHeaders headers;
|
|
|
|
private final HttpRequest request;
|
|
|
|
private final ClientConnection clientConnection;
|
|
|
|
public OIDCLoginProtocolService(KeycloakSession session, EventBuilder event, OIDCProviderConfig providerConfig) {
|
|
this.session = session;
|
|
this.clientConnection = session.getContext().getConnection();
|
|
this.realm = session.getContext().getRealm();
|
|
this.tokenManager = new TokenManager();
|
|
this.event = event;
|
|
this.providerConfig = providerConfig;
|
|
this.request = session.getContext().getHttpRequest();
|
|
this.headers = session.getContext().getRequestHeaders();
|
|
}
|
|
|
|
public static UriBuilder tokenServiceBaseUrl(UriInfo uriInfo) {
|
|
UriBuilder baseUriBuilder = uriInfo.getBaseUriBuilder();
|
|
return tokenServiceBaseUrl(baseUriBuilder);
|
|
}
|
|
|
|
public static UriBuilder tokenServiceBaseUrl(UriBuilder baseUriBuilder) {
|
|
return baseUriBuilder.path(RealmsResource.class).path("{realm}/protocol/" + OIDCLoginProtocol.LOGIN_PROTOCOL);
|
|
}
|
|
|
|
public static UriBuilder authUrl(UriInfo uriInfo) {
|
|
UriBuilder baseUriBuilder = uriInfo.getBaseUriBuilder();
|
|
return authUrl(baseUriBuilder);
|
|
}
|
|
|
|
public static UriBuilder authUrl(UriBuilder baseUriBuilder) {
|
|
UriBuilder uriBuilder = tokenServiceBaseUrl(baseUriBuilder);
|
|
return uriBuilder.path(OIDCLoginProtocolService.class, "auth");
|
|
}
|
|
|
|
public static UriBuilder registrationsUrl(UriBuilder baseUriBuilder) {
|
|
UriBuilder uriBuilder = tokenServiceBaseUrl(baseUriBuilder);
|
|
return uriBuilder.path(OIDCLoginProtocolService.class, "registrations");
|
|
}
|
|
|
|
public static UriBuilder tokenUrl(UriBuilder baseUriBuilder) {
|
|
UriBuilder uriBuilder = tokenServiceBaseUrl(baseUriBuilder);
|
|
return uriBuilder.path(OIDCLoginProtocolService.class, "token");
|
|
}
|
|
|
|
public static UriBuilder certsUrl(UriBuilder baseUriBuilder) {
|
|
UriBuilder uriBuilder = tokenServiceBaseUrl(baseUriBuilder);
|
|
return uriBuilder.path(OIDCLoginProtocolService.class, "certs");
|
|
}
|
|
|
|
public static UriBuilder userInfoUrl(UriBuilder baseUriBuilder) {
|
|
UriBuilder uriBuilder = tokenServiceBaseUrl(baseUriBuilder);
|
|
return uriBuilder.path(OIDCLoginProtocolService.class, "issueUserInfo");
|
|
}
|
|
|
|
public static UriBuilder tokenIntrospectionUrl(UriBuilder baseUriBuilder) {
|
|
return tokenUrl(baseUriBuilder).path(TokenEndpoint.class, "introspect");
|
|
}
|
|
|
|
public static UriBuilder logoutUrl(UriInfo uriInfo) {
|
|
UriBuilder baseUriBuilder = uriInfo.getBaseUriBuilder();
|
|
return logoutUrl(baseUriBuilder);
|
|
}
|
|
|
|
public static UriBuilder logoutUrl(UriBuilder baseUriBuilder) {
|
|
UriBuilder uriBuilder = tokenServiceBaseUrl(baseUriBuilder);
|
|
return uriBuilder.path(OIDCLoginProtocolService.class, "logout");
|
|
}
|
|
|
|
public static UriBuilder tokenRevocationUrl(UriBuilder baseUriBuilder) {
|
|
UriBuilder uriBuilder = tokenServiceBaseUrl(baseUriBuilder);
|
|
return uriBuilder.path(OIDCLoginProtocolService.class, "revoke");
|
|
}
|
|
|
|
/**
|
|
* Authorization endpoint
|
|
*/
|
|
@Path("auth")
|
|
public Object auth() {
|
|
return new AuthorizationEndpoint(session, event);
|
|
}
|
|
|
|
/**
|
|
* Registration endpoint
|
|
*/
|
|
@Path("registrations")
|
|
public Object registrations() {
|
|
AuthorizationEndpoint endpoint = new AuthorizationEndpoint(session, event);
|
|
return endpoint.register();
|
|
}
|
|
|
|
/**
|
|
* Forgot-Credentials endpoint
|
|
*/
|
|
@Path("forgot-credentials")
|
|
public Object forgotCredentialsPage() {
|
|
AuthorizationEndpoint endpoint = new AuthorizationEndpoint(session, event);
|
|
return endpoint.forgotCredentials();
|
|
}
|
|
|
|
/**
|
|
* Token endpoint
|
|
*/
|
|
@Path("token")
|
|
public Object token() {
|
|
return new TokenEndpoint(session, tokenManager, event);
|
|
}
|
|
|
|
@Path("login-status-iframe.html")
|
|
public Object getLoginStatusIframe() {
|
|
return new LoginStatusIframeEndpoint(session);
|
|
}
|
|
|
|
@Path("3p-cookies")
|
|
public Object thirdPartyCookiesCheck() {
|
|
return new ThirdPartyCookiesIframeEndpoint(session);
|
|
}
|
|
|
|
@OPTIONS
|
|
@Path("certs")
|
|
@Produces(MediaType.APPLICATION_JSON)
|
|
public Response getVersionPreflight() {
|
|
return Cors.add(request, Response.ok()).allowedMethods("GET").preflight().auth().build();
|
|
}
|
|
|
|
@GET
|
|
@Path("certs")
|
|
@Produces(MediaType.APPLICATION_JSON)
|
|
@NoCache
|
|
public Response certs() {
|
|
checkSsl();
|
|
|
|
JWK[] jwks = session.keys().getKeysStream(realm)
|
|
.filter(k -> k.getStatus().isEnabled() && k.getPublicKey() != null)
|
|
.map(k -> {
|
|
JWKBuilder b = JWKBuilder.create().kid(k.getKid()).algorithm(k.getAlgorithmOrDefault());
|
|
List<X509Certificate> certificates = Optional.ofNullable(k.getCertificateChain())
|
|
.filter(certs -> !certs.isEmpty())
|
|
.orElseGet(() -> Collections.singletonList(k.getCertificate()));
|
|
if (k.getType().equals(KeyType.RSA)) {
|
|
return b.rsa(k.getPublicKey(), certificates, k.getUse());
|
|
} else if (k.getType().equals(KeyType.EC)) {
|
|
return b.ec(k.getPublicKey(), k.getUse());
|
|
}
|
|
return null;
|
|
})
|
|
.filter(Objects::nonNull)
|
|
.toArray(JWK[]::new);
|
|
|
|
JSONWebKeySet keySet = new JSONWebKeySet();
|
|
keySet.setKeys(jwks);
|
|
|
|
Response.ResponseBuilder responseBuilder = Response.ok(keySet).cacheControl(CacheControlUtil.getDefaultCacheControl());
|
|
return Cors.add(request, responseBuilder).allowedOrigins("*").auth().build();
|
|
}
|
|
|
|
@Path("userinfo")
|
|
public Object issueUserInfo() {
|
|
return new UserInfoEndpoint(session, tokenManager);
|
|
}
|
|
|
|
/* old deprecated logout endpoint needs to be removed in the future
|
|
* https://issues.redhat.com/browse/KEYCLOAK-2940 */
|
|
@Path("logout")
|
|
public Object logout() {
|
|
return new LogoutEndpoint(session, tokenManager, event, providerConfig);
|
|
}
|
|
|
|
@Path("revoke")
|
|
public Object revoke() {
|
|
return new TokenRevocationEndpoint(session, event);
|
|
}
|
|
|
|
@Path("oauth/oob")
|
|
@GET
|
|
public Response installedAppUrnCallback(final @QueryParam("code") String code, final @QueryParam("error") String error, final @QueryParam("error_description") String errorDescription) {
|
|
LoginFormsProvider forms = session.getProvider(LoginFormsProvider.class);
|
|
if (code != null) {
|
|
return forms.setClientSessionCode(code).createCode();
|
|
} else {
|
|
return forms.setError(error).createCode();
|
|
}
|
|
}
|
|
|
|
@Path("ext/{extension}")
|
|
public Object resolveExtension(@PathParam("extension") String extension) {
|
|
OIDCExtProvider provider = session.getProvider(OIDCExtProvider.class, extension);
|
|
if (provider != null) {
|
|
provider.setEvent(event);
|
|
return provider;
|
|
}
|
|
throw new NotFoundException();
|
|
}
|
|
|
|
private void checkSsl() {
|
|
if (!session.getContext().getUri().getBaseUri().getScheme().equals("https")
|
|
&& realm.getSslRequired().isRequired(clientConnection)) {
|
|
Cors cors = Cors.add(request).auth().allowedMethods(request.getHttpMethod()).auth().exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS);
|
|
throw new CorsErrorResponseException(cors.allowAllOrigins(), OAuthErrorException.INVALID_REQUEST, "HTTPS required",
|
|
Response.Status.FORBIDDEN);
|
|
}
|
|
}
|
|
|
|
}
|