parent
021189f190
commit
13b39cf48a
4 changed files with 45 additions and 31 deletions
|
@ -121,7 +121,7 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
|
|||
|
||||
@Override
|
||||
public Object callback(RealmModel realm, AuthenticationCallback callback, EventBuilder event) {
|
||||
return new Endpoint(callback, realm, event);
|
||||
return new Endpoint(callback, realm, event, this);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -450,10 +450,11 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
|
|||
return new AsymmetricSignatureProvider(session, alg).signer();
|
||||
}
|
||||
|
||||
protected class Endpoint {
|
||||
protected static class Endpoint {
|
||||
protected AuthenticationCallback callback;
|
||||
protected RealmModel realm;
|
||||
protected EventBuilder event;
|
||||
private AbstractOAuth2IdentityProvider provider;
|
||||
|
||||
@Context
|
||||
protected KeycloakSession session;
|
||||
|
@ -467,10 +468,11 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
|
|||
@Context
|
||||
protected HttpRequest httpRequest;
|
||||
|
||||
public Endpoint(AuthenticationCallback callback, RealmModel realm, EventBuilder event) {
|
||||
public Endpoint(AuthenticationCallback callback, RealmModel realm, EventBuilder event, AbstractOAuth2IdentityProvider provider) {
|
||||
this.callback = callback;
|
||||
this.realm = realm;
|
||||
this.event = event;
|
||||
this.provider = provider;
|
||||
}
|
||||
|
||||
@GET
|
||||
|
@ -485,8 +487,10 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
|
|||
AuthenticationSessionModel authSession = this.callback.getAndVerifyAuthenticationSession(state);
|
||||
session.getContext().setAuthenticationSession(authSession);
|
||||
|
||||
OAuth2IdentityProviderConfig providerConfig = provider.getConfig();
|
||||
|
||||
if (error != null) {
|
||||
logger.error(error + " for broker login " + getConfig().getProviderId());
|
||||
logger.error(error + " for broker login " + providerConfig.getProviderId());
|
||||
if (error.equals(ACCESS_DENIED)) {
|
||||
return callback.cancelled();
|
||||
} else if (error.equals(OAuthErrorException.LOGIN_REQUIRED) || error.equals(OAuthErrorException.INTERACTION_REQUIRED)) {
|
||||
|
@ -499,16 +503,16 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
|
|||
if (authorizationCode != null) {
|
||||
String response = generateTokenRequest(authorizationCode).asString();
|
||||
|
||||
BrokeredIdentityContext federatedIdentity = getFederatedIdentity(response);
|
||||
BrokeredIdentityContext federatedIdentity = provider.getFederatedIdentity(response);
|
||||
|
||||
if (getConfig().isStoreToken()) {
|
||||
if (providerConfig.isStoreToken()) {
|
||||
// make sure that token wasn't already set by getFederatedIdentity();
|
||||
// want to be able to allow provider to set the token itself.
|
||||
if (federatedIdentity.getToken() == null)federatedIdentity.setToken(response);
|
||||
}
|
||||
|
||||
federatedIdentity.setIdpConfig(getConfig());
|
||||
federatedIdentity.setIdp(AbstractOAuth2IdentityProvider.this);
|
||||
federatedIdentity.setIdpConfig(providerConfig);
|
||||
federatedIdentity.setIdp(provider);
|
||||
federatedIdentity.setAuthenticationSession(authSession);
|
||||
|
||||
return callback.authenticated(federatedIdentity);
|
||||
|
@ -529,13 +533,14 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
|
|||
|
||||
public SimpleHttp generateTokenRequest(String authorizationCode) {
|
||||
KeycloakContext context = session.getContext();
|
||||
SimpleHttp tokenRequest = SimpleHttp.doPost(getConfig().getTokenUrl(), session)
|
||||
OAuth2IdentityProviderConfig providerConfig = provider.getConfig();
|
||||
SimpleHttp tokenRequest = SimpleHttp.doPost(providerConfig.getTokenUrl(), session)
|
||||
.param(OAUTH2_PARAMETER_CODE, authorizationCode)
|
||||
.param(OAUTH2_PARAMETER_REDIRECT_URI, Urls.identityProviderAuthnResponse(context.getUri().getBaseUri(),
|
||||
getConfig().getAlias(), context.getRealm().getName()).toString())
|
||||
providerConfig.getAlias(), context.getRealm().getName()).toString())
|
||||
.param(OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE);
|
||||
|
||||
if (getConfig().isPkceEnabled()) {
|
||||
if (providerConfig.isPkceEnabled()) {
|
||||
|
||||
// reconstruct the original code verifier that was used to generate the code challenge from the HttpRequest.
|
||||
String stateParam = session.getContext().getUri().getQueryParameters().getFirst(OAuth2Constants.STATE);
|
||||
|
@ -571,7 +576,7 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
|
|||
tokenRequest.param(OAuth2Constants.CODE_VERIFIER, brokerCodeChallenge);
|
||||
}
|
||||
|
||||
return authenticateTokenRequest(tokenRequest);
|
||||
return provider.authenticateTokenRequest(tokenRequest);
|
||||
}
|
||||
|
||||
}
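Review bot: The new `provider` field in the `protected static class Endpoint` hunk is declared with the raw type `AbstractOAuth2IdentityProvider`, and so is the constructor parameter in the following hunk; since the class is generic in `C`, the raw reference erases what `getConfig()` returns and triggers rawtypes/unchecked warnings, while a wildcard gives the same behaviour without them. The field is also left mutable although nothing after the constructor assigns it. I would write `private final AbstractOAuth2IdentityProvider<?> provider;`, type the constructor parameter `AbstractOAuth2IdentityProvider<?> provider`, and assign `this.provider = Objects.requireNonNull(provider, "provider");` so a subclass that forgets to pass `this` fails at construction rather than with an NPE on the first callback request. The Endpoint class body continues outside these hunks.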
|
||||
|
|
|
@ -61,7 +61,7 @@ public class KeycloakOIDCIdentityProvider extends OIDCIdentityProvider {
|
|||
|
||||
@Override
|
||||
public Object callback(RealmModel realm, AuthenticationCallback callback, EventBuilder event) {
|
||||
return new KeycloakEndpoint(callback, realm, event);
|
||||
return new KeycloakEndpoint(callback, realm, event, this);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -71,9 +71,14 @@ public class KeycloakOIDCIdentityProvider extends OIDCIdentityProvider {
|
|||
context.getContextData().put(VALIDATED_ACCESS_TOKEN, access);
|
||||
}
|
||||
|
||||
protected class KeycloakEndpoint extends OIDCEndpoint {
|
||||
public KeycloakEndpoint(AuthenticationCallback callback, RealmModel realm, EventBuilder event) {
|
||||
super(callback, realm, event);
|
||||
protected static class KeycloakEndpoint extends OIDCEndpoint {
|
||||
|
||||
private KeycloakOIDCIdentityProvider provider;
|
||||
|
||||
public KeycloakEndpoint(AuthenticationCallback callback, RealmModel realm, EventBuilder event,
|
||||
KeycloakOIDCIdentityProvider provider) {
|
||||
super(callback, realm, event, provider);
|
||||
this.provider = provider;
|
||||
}
|
||||
|
||||
@POST
|
||||
|
@ -87,7 +92,7 @@ public class KeycloakOIDCIdentityProvider extends OIDCIdentityProvider {
|
|||
return Response.status(400).build();
|
||||
}
|
||||
|
||||
if (!verify(token)) {
|
||||
if (!provider.verify(token)) {
|
||||
logger.warn("Failed to verify logout request");
|
||||
return Response.status(400).build();
|
||||
}
|
||||
|
@ -101,7 +106,7 @@ public class KeycloakOIDCIdentityProvider extends OIDCIdentityProvider {
|
|||
if (!validateAction(action)) return Response.status(400).build();
|
||||
if (action.getKeycloakSessionIds() != null) {
|
||||
for (String sessionId : action.getKeycloakSessionIds()) {
|
||||
String brokerSessionId = getConfig().getAlias() + "." + sessionId;
|
||||
String brokerSessionId = provider.getConfig().getAlias() + "." + sessionId;
|
||||
UserSessionModel userSession = lockUserSessionsForModification(session, () -> session.sessions().getUserSessionByBrokerSessionId(realm, brokerSessionId));
|
||||
if (userSession != null
|
||||
&& userSession.getState() != UserSessionModel.State.LOGGING_OUT
|
||||
|
@ -127,7 +132,7 @@ public class KeycloakOIDCIdentityProvider extends OIDCIdentityProvider {
|
|||
logger.warn("admin request failed, expired token");
|
||||
return false;
|
||||
}
|
||||
if (!getConfig().getClientId().equals(action.getResource())) {
|
||||
if (!provider.getConfig().getClientId().equals(action.getResource())) {
|
||||
logger.warn("Resource name does not match");
|
||||
return false;
|
||||
|
||||
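Review bot: `private KeycloakOIDCIdentityProvider provider;` in KeycloakEndpoint is a second, differently typed reference to the same object the constructor hands to `super(callback, realm, event, provider)`, and it is left non-final. The duplicate appears justified — `Endpoint.provider` in AbstractOAuth2IdentityProvider is private and raw-typed, so `provider.verify(token)` and `provider.getConfig().getClientId()` in the logout hunks are only reachable through the concrete type — but that reason is not visible to a reader of this class. I would make it `private final KeycloakOIDCIdentityProvider provider;` and add `// typed view of Endpoint.provider (private in the base class); needed for verify() and the Keycloak-specific config` above it. The logout handling in KeycloakEndpoint continues outside these hunks.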
|
|
|
@ -104,7 +104,7 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
|
|||
|
||||
@Override
|
||||
public Object callback(RealmModel realm, AuthenticationCallback callback, EventBuilder event) {
|
||||
return new OIDCEndpoint(callback, realm, event);
|
||||
return new OIDCEndpoint(callback, realm, event, this);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -331,9 +331,9 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
|
|||
}
|
||||
}
|
||||
|
||||
protected class OIDCEndpoint extends Endpoint {
|
||||
public OIDCEndpoint(AuthenticationCallback callback, RealmModel realm, EventBuilder event) {
|
||||
super(callback, realm, event);
|
||||
protected static class OIDCEndpoint extends Endpoint {
|
||||
public OIDCEndpoint(AuthenticationCallback callback, RealmModel realm, EventBuilder event, OIDCIdentityProvider provider) {
|
||||
super(callback, realm, event, provider);
|
||||
}
|
||||
|
||||
@Override
|
||||
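Review bot: OIDCEndpoint's new constructor forwards `provider` to `super(callback, realm, event, provider)` but keeps no reference of its own, and `Endpoint.provider` in AbstractOAuth2IdentityProvider is declared `private`, so no method of OIDCEndpoint can reach the OIDC-typed provider through the base class. If any OIDCEndpoint method outside this hunk previously relied on the enclosing instance (the overridden method starting right after the trailing `@Override` is the obvious candidate), it now needs its own `private final OIDCIdentityProvider provider;` assigned in this constructor, as KeycloakEndpoint does in the same commit; if nothing in OIDCEndpoint needs it, a one-line comment saying so would spare the next reader the same check. The class body continues outside the hunk.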
|
|
|
@ -80,7 +80,7 @@ public class TwitterIdentityProvider extends AbstractIdentityProvider<OAuth2Iden
|
|||
|
||||
@Override
|
||||
public Object callback(RealmModel realm, AuthenticationCallback callback, EventBuilder event) {
|
||||
return new Endpoint(realm, callback, event);
|
||||
return new Endpoint(realm, callback, event, this);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -161,10 +161,11 @@ public class TwitterIdentityProvider extends AbstractIdentityProvider<OAuth2Iden
|
|||
}
|
||||
|
||||
|
||||
protected class Endpoint {
|
||||
protected static class Endpoint {
|
||||
protected RealmModel realm;
|
||||
protected AuthenticationCallback callback;
|
||||
protected EventBuilder event;
|
||||
private TwitterIdentityProvider provider;
|
||||
|
||||
@Context
|
||||
protected KeycloakSession session;
|
||||
|
@ -175,10 +176,11 @@ public class TwitterIdentityProvider extends AbstractIdentityProvider<OAuth2Iden
|
|||
@Context
|
||||
protected HttpHeaders headers;
|
||||
|
||||
public Endpoint(RealmModel realm, AuthenticationCallback callback, EventBuilder event) {
|
||||
public Endpoint(RealmModel realm, AuthenticationCallback callback, EventBuilder event, TwitterIdentityProvider provider) {
|
||||
this.realm = realm;
|
||||
this.callback = callback;
|
||||
this.event = event;
|
||||
this.provider = provider;
|
||||
}
|
||||
|
||||
@GET
|
||||
|
@ -201,9 +203,11 @@ public class TwitterIdentityProvider extends AbstractIdentityProvider<OAuth2Iden
|
|||
return callback.cancelled();
|
||||
}
|
||||
|
||||
try (VaultStringSecret vaultStringSecret = session.vault().getStringSecret(getConfig().getClientSecret())) {
|
||||
OAuth2IdentityProviderConfig providerConfig = provider.getConfig();
|
||||
|
||||
try (VaultStringSecret vaultStringSecret = session.vault().getStringSecret(providerConfig.getClientSecret())) {
|
||||
Twitter twitter = new TwitterFactory(new ConfigurationBuilder().setIncludeEmailEnabled(true).build()).getInstance();
|
||||
twitter.setOAuthConsumer(getConfig().getClientId(), vaultStringSecret.get().orElse(getConfig().getClientSecret()));
|
||||
twitter.setOAuthConsumer(providerConfig.getClientId(), vaultStringSecret.get().orElse(providerConfig.getClientSecret()));
|
||||
|
||||
String twitterToken = authSession.getAuthNote(TWITTER_TOKEN);
|
||||
String twitterSecret = authSession.getAuthNote(TWITTER_TOKENSECRET);
|
||||
|
@ -214,7 +218,7 @@ public class TwitterIdentityProvider extends AbstractIdentityProvider<OAuth2Iden
|
|||
twitter4j.User twitterUser = twitter.verifyCredentials();
|
||||
|
||||
BrokeredIdentityContext identity = new BrokeredIdentityContext(Long.toString(twitterUser.getId()));
|
||||
identity.setIdp(TwitterIdentityProvider.this);
|
||||
identity.setIdp(provider);
|
||||
|
||||
identity.setUsername(twitterUser.getScreenName());
|
||||
identity.setEmail(twitterUser.getEmail());
|
||||
|
@ -230,12 +234,12 @@ public class TwitterIdentityProvider extends AbstractIdentityProvider<OAuth2Iden
|
|||
tokenBuilder.append("\"user_id\":").append("\"").append(oAuthAccessToken.getUserId()).append("\"");
|
||||
tokenBuilder.append("}");
|
||||
String token = tokenBuilder.toString();
|
||||
if (getConfig().isStoreToken()) {
|
||||
if (providerConfig.isStoreToken()) {
|
||||
identity.setToken(token);
|
||||
}
|
||||
identity.getContextData().put(IdentityProvider.FEDERATED_ACCESS_TOKEN, token);
|
||||
|
||||
identity.setIdpConfig(getConfig());
|
||||
identity.setIdpConfig(providerConfig);
|
||||
identity.setAuthenticationSession(authSession);
|
||||
|
||||
return callback.authenticated(identity);
|
||||
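Review bot: `private TwitterIdentityProvider provider;` in the Twitter `Endpoint` is assigned only in the constructor and then read on every callback, so it should be `private final`, and the constructor should reject a missing reference with `this.provider = Objects.requireNonNull(provider, "provider");` rather than letting the first `provider.getConfig()` call in the callback hunk fail with an NPE. Now that the class is static, this constructor is the only way it can obtain the provider, so a null here is always a caller bug in `callback(...)` and that is where it should surface. The callback method continues outside these hunks.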
|
|