libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

Merge pull request #1115 from mposolda/master

Browse source 
Fix clustering when auth-server-url-for-backend-requests is used
This commit is contained in:
Stian Thorgersen 2015-04-02 13:13:56 +02:00
commit 148b466ce4
8 changed files with 18 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
core/src/main/java/org/keycloak/RSATokenVerifier.java
View file

@ -39,7 +39,7 @@ public class RSATokenVerifier {
throw new VerificationException("Realm URL is null. Make sure to add auth-server-url to the configuration of your adapter!"); throw new VerificationException("Realm URL is null. Make sure to add auth-server-url to the configuration of your adapter!");
} }
if (!realmUrl.equals(token.getIssuer())) { if (!realmUrl.equals(token.getIssuer())) {
throw new VerificationException("Token audience doesn't match domain."); throw new VerificationException("Token audience doesn't match domain. Token issuer is " + token.getIssuer() + ", but URL from configuration is " + realmUrl);
} }
if (checkActive && !token.isActive()) { if (checkActive && !token.isActive()) {

10
examples/demo-template/testrealm.json
View file

@ -146,16 +146,6 @@
"adminUrl": "/database", "adminUrl": "/database",
"baseUrl": "/database", "baseUrl": "/database",
"bearerOnly": true "bearerOnly": true
},
{
"name": "rest-resources",
"enabled": true,
"publicClient": true,
"adminUrl": "/rest-resources",
"baseUrl": "/rest-resources",
"redirectUris": [
"/rest-resources/*"
]
} }
], ],
"oauthClients": [ "oauthClients": [

1
examples/fuse/camel/src/main/java/org/keycloak/example/CamelHelloProcessor.java
View file

@ -20,7 +20,6 @@ public class CamelHelloProcessor implements Processor {
String username = accessToken.getPreferredUsername(); String username = accessToken.getPreferredUsername();
String fullName = accessToken.getName(); String fullName = accessToken.getName();
// send a html response with fullName from LDAP
exchange.getOut().setBody("Hello " + username + "! Your full name is " + fullName + "."); exchange.getOut().setBody("Hello " + username + "! Your full name is " + fullName + ".");
} }
} }

4
examples/fuse/fuse-admin/README.md
View file

@ -29,10 +29,10 @@ This file contains configuration of the client application, which is used by JAA
4) Start Fuse and install `keycloak` JAAS realm into Fuse. This could be done easily by installing `keycloak-jaas` feature, which has JAAS realm predefined 4) Start Fuse and install `keycloak` JAAS realm into Fuse. This could be done easily by installing `keycloak-jaas` feature, which has JAAS realm predefined
(you are able to override it by using your own `keycloak` JAAS realm with higher ranking). As long as you already installed `keycloak-fuse-example` feature as mentioned (you are able to override it by using your own `keycloak` JAAS realm with higher ranking). As long as you already installed `keycloak-fuse-example` feature as mentioned
in [examples readme](../README.md), you can skip this step as `keycloak-jaas` is installed already. Otherwise use those commands (replace Keycloak version with current one): in [examples readme](../README.md), you can skip this step as `keycloak-jaas` is installed already. Otherwise use those commands (replace Keycloak version in this command with the current version):
``` ```
features:addurl mvn:org.keycloak/keycloak-osgi-features/1.1.0.Final/xml/features features:addurl mvn:org.keycloak/keycloak-osgi-features/1.2.0.Beta1/xml/features
features:install keycloak-jaas features:install keycloak-jaas
``` ```

12
integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java
View file

@ -90,7 +90,8 @@ public class KeycloakDeployment {
public void setAuthServerBaseUrl(AdapterConfig config) { public void setAuthServerBaseUrl(AdapterConfig config) {
this.authServerBaseUrl = config.getAuthServerUrl(); this.authServerBaseUrl = config.getAuthServerUrl();
if (authServerBaseUrl == null && config.getAuthServerUrlForBackendRequests() == null) return; String authServerURLForBackendReqs = config.getAuthServerUrlForBackendRequests();
if (authServerBaseUrl == null && authServerURLForBackendReqs == null) return;
URI authServerUri = null; URI authServerUri = null;
if (authServerBaseUrl != null) { if (authServerBaseUrl != null) {
@ -98,7 +99,6 @@ public class KeycloakDeployment {
} }
if (authServerUri == null || authServerUri.getHost() == null) { if (authServerUri == null || authServerUri.getHost() == null) {
String authServerURLForBackendReqs = config.getAuthServerUrlForBackendRequests();
if (authServerURLForBackendReqs != null) { if (authServerURLForBackendReqs != null) {
relativeUrls = RelativeUrlsUsed.BROWSER_ONLY; relativeUrls = RelativeUrlsUsed.BROWSER_ONLY;
@ -116,7 +116,13 @@ public class KeycloakDeployment {
relativeUrls = RelativeUrlsUsed.NEVER; relativeUrls = RelativeUrlsUsed.NEVER;
KeycloakUriBuilder serverBuilder = KeycloakUriBuilder.fromUri(authServerBaseUrl); KeycloakUriBuilder serverBuilder = KeycloakUriBuilder.fromUri(authServerBaseUrl);
resolveBrowserUrls(serverBuilder); resolveBrowserUrls(serverBuilder);
if (authServerURLForBackendReqs == null) {
resolveNonBrowserUrls(serverBuilder); resolveNonBrowserUrls(serverBuilder);
} else {
serverBuilder = KeycloakUriBuilder.fromUri(authServerURLForBackendReqs);
resolveNonBrowserUrls(serverBuilder);
}
} }
} }
@ -132,6 +138,7 @@ public class KeycloakDeployment {
String login = authUrlBuilder.clone().path(ServiceUrlConstants.AUTH_PATH).build(getRealm()).toString(); String login = authUrlBuilder.clone().path(ServiceUrlConstants.AUTH_PATH).build(getRealm()).toString();
authUrl = KeycloakUriBuilder.fromUri(login); authUrl = KeycloakUriBuilder.fromUri(login);
realmInfoUrl = authUrlBuilder.clone().path(ServiceUrlConstants.REALM_INFO_PATH).build(getRealm()).toString();
} }
/** /**
@ -145,7 +152,6 @@ public class KeycloakDeployment {
tokenUrl = authUrlBuilder.clone().path(ServiceUrlConstants.TOKEN_PATH).build(getRealm()).toString(); tokenUrl = authUrlBuilder.clone().path(ServiceUrlConstants.TOKEN_PATH).build(getRealm()).toString();
logoutUrl = KeycloakUriBuilder.fromUri(authUrlBuilder.clone().path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH).build(getRealm()).toString()); logoutUrl = KeycloakUriBuilder.fromUri(authUrlBuilder.clone().path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH).build(getRealm()).toString());
accountUrl = authUrlBuilder.clone().path(ServiceUrlConstants.ACCOUNT_SERVICE_PATH).build(getRealm()).toString(); accountUrl = authUrlBuilder.clone().path(ServiceUrlConstants.ACCOUNT_SERVICE_PATH).build(getRealm()).toString();
realmInfoUrl = authUrlBuilder.clone().path(ServiceUrlConstants.REALM_INFO_PATH).build(getRealm()).toString();
registerNodeUrl = authUrlBuilder.clone().path(ServiceUrlConstants.CLIENTS_MANAGEMENT_REGISTER_NODE_PATH).build(getRealm()).toString(); registerNodeUrl = authUrlBuilder.clone().path(ServiceUrlConstants.CLIENTS_MANAGEMENT_REGISTER_NODE_PATH).build(getRealm()).toString();
unregisterNodeUrl = authUrlBuilder.clone().path(ServiceUrlConstants.CLIENTS_MANAGEMENT_UNREGISTER_NODE_PATH).build(getRealm()).toString(); unregisterNodeUrl = authUrlBuilder.clone().path(ServiceUrlConstants.CLIENTS_MANAGEMENT_UNREGISTER_NODE_PATH).build(getRealm()).toString();
} }

2
integration/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
View file

@ -322,7 +322,7 @@ public class OAuthRequestAuthenticator {
} }
log.debug("Token Verification succeeded!"); log.debug("Token Verification succeeded!");
} catch (VerificationException e) { } catch (VerificationException e) {
log.error("failed verification of token"); log.error("failed verification of token: " + e.getMessage());
return challenge(403); return challenge(403);
} }
if (tokenResponse.getNotBeforePolicy() > deployment.getNotBefore()) { if (tokenResponse.getNotBeforePolicy() > deployment.getNotBefore()) {

2
integration/adapter-core/src/test/java/org/keycloak/adapters/KeycloakDeploymentBuilderTest.java
View file

@ -33,7 +33,7 @@ public class KeycloakDeploymentBuilderTest {
assertTrue(deployment.isExposeToken()); assertTrue(deployment.isExposeToken());
assertEquals("234234-234234-234234", deployment.getResourceCredentials().get("secret")); assertEquals("234234-234234-234234", deployment.getResourceCredentials().get("secret"));
assertEquals(20, ((ThreadSafeClientConnManager) deployment.getClient().getConnectionManager()).getMaxTotal()); assertEquals(20, ((ThreadSafeClientConnManager) deployment.getClient().getConnectionManager()).getMaxTotal());
assertEquals("https://localhost:8443/auth/realms/demo/protocol/openid-connect/token", deployment.getTokenUrl()); assertEquals("https://backend:8443/auth/realms/demo/protocol/openid-connect/token", deployment.getTokenUrl());
assertTrue(deployment.isAlwaysRefreshToken()); assertTrue(deployment.isAlwaysRefreshToken());
assertTrue(deployment.isRegisterNodeAtStartup()); assertTrue(deployment.isRegisterNodeAtStartup());
assertEquals(1000, deployment.getRegisterNodePeriod()); assertEquals(1000, deployment.getRegisterNodePeriod());

3
testsuite/docker-cluster/shared-files/deploy-examples.sh
View file

@ -33,6 +33,9 @@ for I in *.war/WEB-INF/keycloak.json; do
sed -i -e 's/\"bearer-only\" : true,/&\n \"credentials\" : \{ \"secret\": \"password\" \},/' $I; sed -i -e 's/\"bearer-only\" : true,/&\n \"credentials\" : \{ \"secret\": \"password\" \},/' $I;
done; done;
# Configure database.war
sed -i -e 's/\"auth-server-url\": \"\/auth\",/\"auth-server-url\": \"http:\/\/localhost:8000\/auth\",/' database.war/WEB-INF/keycloak.json;
# Enable distributable for customer-portal # Enable distributable for customer-portal
sed -i -e 's/<\/module-name>/&\n <distributable \/>/' customer-portal.war/WEB-INF/web.xml sed -i -e 's/<\/module-name>/&\n <distributable \/>/' customer-portal.war/WEB-INF/web.xml