KEYCLOAK-6980 Check if client_assertion was already used during signed JWT client authentication
This commit is contained in:
parent
f090b39e85
commit
1b5a83c4f1
11 changed files with 408 additions and 4 deletions
|
@ -0,0 +1,74 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.models.sessions.infinispan;
|
||||||
|
|
||||||
|
import java.util.concurrent.TimeUnit;
|
||||||
|
import java.util.function.Supplier;
|
||||||
|
|
||||||
|
import org.infinispan.client.hotrod.exceptions.HotRodClientException;
|
||||||
|
import org.infinispan.commons.api.BasicCache;
|
||||||
|
import org.jboss.logging.Logger;
|
||||||
|
import org.keycloak.models.KeycloakSession;
|
||||||
|
import org.keycloak.models.SingleUseTokenStoreProvider;
|
||||||
|
import org.keycloak.models.sessions.infinispan.entities.ActionTokenValueEntity;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* TODO: Check if Boolean can be used as single-use cache argument instead of ActionTokenValueEntity. With respect to other single-use cache usecases like "Revoke Refresh Token" .
|
||||||
|
* Also with respect to the usage of streams iterating over "actionTokens" cache (check there are no ClassCastExceptions when casting values directly to ActionTokenValueEntity)
|
||||||
|
*
|
||||||
|
*
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public class InfinispanSingleUseTokenStoreProvider implements SingleUseTokenStoreProvider {
|
||||||
|
|
||||||
|
public static final Logger logger = Logger.getLogger(InfinispanSingleUseTokenStoreProvider.class);
|
||||||
|
|
||||||
|
private final Supplier<BasicCache<String, ActionTokenValueEntity>> tokenCache;
|
||||||
|
private final KeycloakSession session;
|
||||||
|
|
||||||
|
public InfinispanSingleUseTokenStoreProvider(KeycloakSession session, Supplier<BasicCache<String, ActionTokenValueEntity>> actionKeyCache) {
|
||||||
|
this.session = session;
|
||||||
|
this.tokenCache = actionKeyCache;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean putIfAbsent(String tokenId, int lifespanInSeconds) {
|
||||||
|
ActionTokenValueEntity tokenValue = new ActionTokenValueEntity(null);
|
||||||
|
|
||||||
|
// Rather keep the items in the cache for a bit longer
|
||||||
|
lifespanInSeconds = lifespanInSeconds + 10;
|
||||||
|
|
||||||
|
try {
|
||||||
|
BasicCache<String, ActionTokenValueEntity> cache = tokenCache.get();
|
||||||
|
ActionTokenValueEntity existing = cache.putIfAbsent(tokenId, tokenValue, lifespanInSeconds, TimeUnit.SECONDS);
|
||||||
|
return existing == null;
|
||||||
|
} catch (HotRodClientException re) {
|
||||||
|
// No need to retry. The hotrod (remoteCache) has some retries in itself in case of some random network error happened.
|
||||||
|
// In case of lock conflict, we don't want to retry anyway as there was likely an attempt to use the token from different place.
|
||||||
|
logger.debugf(re, "Failed when adding token %s", tokenId);
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void close() {
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,96 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.models.sessions.infinispan;
|
||||||
|
|
||||||
|
import java.util.function.Supplier;
|
||||||
|
|
||||||
|
import org.infinispan.Cache;
|
||||||
|
import org.infinispan.client.hotrod.Flag;
|
||||||
|
import org.infinispan.client.hotrod.RemoteCache;
|
||||||
|
import org.infinispan.commons.api.BasicCache;
|
||||||
|
import org.jboss.logging.Logger;
|
||||||
|
import org.keycloak.Config;
|
||||||
|
import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
|
||||||
|
import org.keycloak.models.KeycloakSession;
|
||||||
|
import org.keycloak.models.KeycloakSessionFactory;
|
||||||
|
import org.keycloak.models.SingleUseTokenStoreProviderFactory;
|
||||||
|
import org.keycloak.models.sessions.infinispan.entities.ActionTokenValueEntity;
|
||||||
|
import org.keycloak.models.sessions.infinispan.util.InfinispanUtil;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public class InfinispanSingleUseTokenStoreProviderFactory implements SingleUseTokenStoreProviderFactory {
|
||||||
|
|
||||||
|
private static final Logger LOG = Logger.getLogger(InfinispanSingleUseTokenStoreProviderFactory.class);
|
||||||
|
|
||||||
|
// Reuse "actionTokens" infinispan cache for now
|
||||||
|
private volatile Supplier<BasicCache<String, ActionTokenValueEntity>> tokenCache;
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public InfinispanSingleUseTokenStoreProvider create(KeycloakSession session) {
|
||||||
|
lazyInit(session);
|
||||||
|
return new InfinispanSingleUseTokenStoreProvider(session, tokenCache);
|
||||||
|
}
|
||||||
|
|
||||||
|
private void lazyInit(KeycloakSession session) {
|
||||||
|
if (tokenCache == null) {
|
||||||
|
synchronized (this) {
|
||||||
|
if (tokenCache == null) {
|
||||||
|
InfinispanConnectionProvider connections = session.getProvider(InfinispanConnectionProvider.class);
|
||||||
|
Cache cache = connections.getCache(InfinispanConnectionProvider.ACTION_TOKEN_CACHE);
|
||||||
|
|
||||||
|
RemoteCache remoteCache = InfinispanUtil.getRemoteCache(cache);
|
||||||
|
|
||||||
|
if (remoteCache != null) {
|
||||||
|
LOG.debugf("Having remote stores. Using remote cache '%s' for single-use cache of token", remoteCache.getName());
|
||||||
|
this.tokenCache = () -> {
|
||||||
|
// Doing this way as flag is per invocation
|
||||||
|
return remoteCache.withFlags(Flag.FORCE_RETURN_VALUE);
|
||||||
|
};
|
||||||
|
} else {
|
||||||
|
LOG.debugf("Not having remote stores. Using normal cache '%s' for single-use cache of token", cache.getName());
|
||||||
|
this.tokenCache = () -> {
|
||||||
|
return cache;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void init(Config.Scope config) {
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void postInit(KeycloakSessionFactory factory) {
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void close() {
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getId() {
|
||||||
|
return "infinispan";
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,18 @@
|
||||||
|
#
|
||||||
|
# Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
# and other contributors as indicated by the @author tags.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
#
|
||||||
|
|
||||||
|
org.keycloak.models.sessions.infinispan.InfinispanSingleUseTokenStoreProviderFactory
|
|
@ -0,0 +1,41 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.models;
|
||||||
|
|
||||||
|
import org.keycloak.provider.Provider;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Provides single-use cache for OAuth2 code parameter. Used to ensure that particular value of code parameter is used once.
|
||||||
|
*
|
||||||
|
* TODO: For now, it is separate provider as {@link CodeToTokenStoreProvider}, however will be good to merge those 2 providers to "SingleUseCacheProvider"
|
||||||
|
* in the future as they provide very similar thing
|
||||||
|
*
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public interface SingleUseTokenStoreProvider extends Provider {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Will try to put the token into the cache. It will success just if token is not already there.
|
||||||
|
*
|
||||||
|
* @param tokenId
|
||||||
|
* @param lifespanInSeconds Minimum lifespan for which successfully added token will be kept in the cache.
|
||||||
|
* @return true if token was successfully put into the cache. This means that same token wasn't in the cache before
|
||||||
|
*/
|
||||||
|
boolean putIfAbsent(String tokenId, int lifespanInSeconds);
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,26 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.models;
|
||||||
|
|
||||||
|
import org.keycloak.provider.ProviderFactory;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public interface SingleUseTokenStoreProviderFactory extends ProviderFactory<SingleUseTokenStoreProvider> {
|
||||||
|
}
|
|
@ -0,0 +1,50 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.models;
|
||||||
|
|
||||||
|
import org.keycloak.provider.Provider;
|
||||||
|
import org.keycloak.provider.ProviderFactory;
|
||||||
|
import org.keycloak.provider.Spi;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public class SingleUseTokenStoreSpi implements Spi {
|
||||||
|
|
||||||
|
public static final String NAME = "singleUseTokenStore";
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean isInternal() {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getName() {
|
||||||
|
return NAME;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Class<? extends Provider> getProviderClass() {
|
||||||
|
return SingleUseTokenStoreProvider.class;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Class<? extends ProviderFactory> getProviderFactoryClass() {
|
||||||
|
return SingleUseTokenStoreProviderFactory.class;
|
||||||
|
}
|
||||||
|
}
|
|
@ -21,6 +21,7 @@ org.keycloak.storage.federated.UserFederatedStorageProviderSpi
|
||||||
org.keycloak.models.RealmSpi
|
org.keycloak.models.RealmSpi
|
||||||
org.keycloak.models.ActionTokenStoreSpi
|
org.keycloak.models.ActionTokenStoreSpi
|
||||||
org.keycloak.models.CodeToTokenStoreSpi
|
org.keycloak.models.CodeToTokenStoreSpi
|
||||||
|
org.keycloak.models.SingleUseTokenStoreSpi
|
||||||
org.keycloak.models.UserSessionSpi
|
org.keycloak.models.UserSessionSpi
|
||||||
org.keycloak.models.UserSpi
|
org.keycloak.models.UserSpi
|
||||||
org.keycloak.models.session.UserSessionPersisterSpi
|
org.keycloak.models.session.UserSessionPersisterSpi
|
||||||
|
|
|
@ -31,6 +31,7 @@ import java.util.Set;
|
||||||
import javax.ws.rs.core.MultivaluedMap;
|
import javax.ws.rs.core.MultivaluedMap;
|
||||||
import javax.ws.rs.core.Response;
|
import javax.ws.rs.core.Response;
|
||||||
|
|
||||||
|
import org.jboss.logging.Logger;
|
||||||
import org.keycloak.OAuth2Constants;
|
import org.keycloak.OAuth2Constants;
|
||||||
import org.keycloak.authentication.AuthenticationFlowError;
|
import org.keycloak.authentication.AuthenticationFlowError;
|
||||||
import org.keycloak.authentication.ClientAuthenticationFlowContext;
|
import org.keycloak.authentication.ClientAuthenticationFlowContext;
|
||||||
|
@ -41,6 +42,7 @@ import org.keycloak.keys.loader.PublicKeyStorageManager;
|
||||||
import org.keycloak.models.AuthenticationExecutionModel;
|
import org.keycloak.models.AuthenticationExecutionModel;
|
||||||
import org.keycloak.models.ClientModel;
|
import org.keycloak.models.ClientModel;
|
||||||
import org.keycloak.models.RealmModel;
|
import org.keycloak.models.RealmModel;
|
||||||
|
import org.keycloak.models.SingleUseTokenStoreProvider;
|
||||||
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
|
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
|
||||||
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
|
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
|
||||||
import org.keycloak.provider.ProviderConfigProperty;
|
import org.keycloak.provider.ProviderConfigProperty;
|
||||||
|
@ -59,6 +61,8 @@ import org.keycloak.services.Urls;
|
||||||
*/
|
*/
|
||||||
public class JWTClientAuthenticator extends AbstractClientAuthenticator {
|
public class JWTClientAuthenticator extends AbstractClientAuthenticator {
|
||||||
|
|
||||||
|
private static final Logger logger = Logger.getLogger(JWTClientAuthenticator.class);
|
||||||
|
|
||||||
public static final String PROVIDER_ID = "client-jwt";
|
public static final String PROVIDER_ID = "client-jwt";
|
||||||
public static final String ATTR_PREFIX = "jwt.credential";
|
public static final String ATTR_PREFIX = "jwt.credential";
|
||||||
public static final String CERTIFICATE_ATTR = "jwt.credential.certificate";
|
public static final String CERTIFICATE_ATTR = "jwt.credential.certificate";
|
||||||
|
@ -148,10 +152,25 @@ public class JWTClientAuthenticator extends AbstractClientAuthenticator {
|
||||||
}
|
}
|
||||||
|
|
||||||
// KEYCLOAK-2986
|
// KEYCLOAK-2986
|
||||||
if (token.getExpiration() == 0 && token.getIssuedAt() + 10 < Time.currentTime()) {
|
int currentTime = Time.currentTime();
|
||||||
|
if (token.getExpiration() == 0 && token.getIssuedAt() + 10 < currentTime) {
|
||||||
throw new RuntimeException("Token is not active");
|
throw new RuntimeException("Token is not active");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (token.getId() == null) {
|
||||||
|
throw new RuntimeException("Missing ID on the token");
|
||||||
|
}
|
||||||
|
|
||||||
|
SingleUseTokenStoreProvider singleUseCache = context.getSession().getProvider(SingleUseTokenStoreProvider.class);
|
||||||
|
int lifespanInSecs = Math.max(token.getExpiration() - currentTime, 10);
|
||||||
|
if (singleUseCache.putIfAbsent(token.getId(), lifespanInSecs)) {
|
||||||
|
logger.tracef("Added token '%s' to single-use cache. Lifespan: %d seconds, client: %s", token.getId(), lifespanInSecs, clientId);
|
||||||
|
|
||||||
|
} else {
|
||||||
|
logger.warnf("Token '%s' already used when authenticating client '%s'.", token.getId(), clientId);
|
||||||
|
throw new RuntimeException("Token reuse detected");
|
||||||
|
}
|
||||||
|
|
||||||
context.success();
|
context.success();
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
ServicesLogger.LOGGER.errorValidatingAssertion(e);
|
ServicesLogger.LOGGER.errorValidatingAssertion(e);
|
||||||
|
|
|
@ -23,6 +23,7 @@ import org.keycloak.jose.jws.JWSInput;
|
||||||
import org.keycloak.jose.jws.crypto.HMACProvider;
|
import org.keycloak.jose.jws.crypto.HMACProvider;
|
||||||
import org.keycloak.models.AuthenticationExecutionModel;
|
import org.keycloak.models.AuthenticationExecutionModel;
|
||||||
import org.keycloak.models.AuthenticationExecutionModel.Requirement;
|
import org.keycloak.models.AuthenticationExecutionModel.Requirement;
|
||||||
|
import org.keycloak.models.SingleUseTokenStoreProvider;
|
||||||
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
|
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
|
||||||
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
|
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
|
||||||
import org.keycloak.models.ClientModel;
|
import org.keycloak.models.ClientModel;
|
||||||
|
@ -39,6 +40,8 @@ import org.keycloak.services.Urls;
|
||||||
* This is server side, which verifies JWT from client_assertion parameter, where the assertion was created on adapter side by
|
* This is server side, which verifies JWT from client_assertion parameter, where the assertion was created on adapter side by
|
||||||
* org.keycloak.adapters.authentication.JWTClientSecretCredentialsProvider
|
* org.keycloak.adapters.authentication.JWTClientSecretCredentialsProvider
|
||||||
*
|
*
|
||||||
|
* TODO: Try to create abstract superclass to be shared with {@link JWTClientAuthenticator}. Most of the code can be reused
|
||||||
|
*
|
||||||
* @author <a href="mailto:takashi.norimatsu.ws@hitachi.com">Takashi Norimatsu</a>
|
* @author <a href="mailto:takashi.norimatsu.ws@hitachi.com">Takashi Norimatsu</a>
|
||||||
*/
|
*/
|
||||||
public class JWTClientSecretAuthenticator extends AbstractClientAuthenticator {
|
public class JWTClientSecretAuthenticator extends AbstractClientAuthenticator {
|
||||||
|
@ -138,10 +141,25 @@ public class JWTClientSecretAuthenticator extends AbstractClientAuthenticator {
|
||||||
}
|
}
|
||||||
|
|
||||||
// KEYCLOAK-2986, token-timeout or token-expiration in keycloak.json might not be used
|
// KEYCLOAK-2986, token-timeout or token-expiration in keycloak.json might not be used
|
||||||
if (token.getExpiration() == 0 && token.getIssuedAt() + 10 < Time.currentTime()) {
|
int currentTime = Time.currentTime();
|
||||||
|
if (token.getExpiration() == 0 && token.getIssuedAt() + 10 < currentTime) {
|
||||||
throw new RuntimeException("Token is not active");
|
throw new RuntimeException("Token is not active");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (token.getId() == null) {
|
||||||
|
throw new RuntimeException("Missing ID on the token");
|
||||||
|
}
|
||||||
|
|
||||||
|
SingleUseTokenStoreProvider singleUseCache = context.getSession().getProvider(SingleUseTokenStoreProvider.class);
|
||||||
|
int lifespanInSecs = Math.max(token.getExpiration() - currentTime, 10);
|
||||||
|
if (singleUseCache.putIfAbsent(token.getId(), lifespanInSecs)) {
|
||||||
|
|
||||||
|
logger.tracef("Added token '%s' to single-use cache. Lifespan: %d seconds, client: %s", token.getId(), lifespanInSecs, clientId);
|
||||||
|
} else {
|
||||||
|
logger.warnf("Token '%s' already used when authenticating client '%s'.", token.getId(), clientId);
|
||||||
|
throw new RuntimeException("Token reuse detected");
|
||||||
|
}
|
||||||
|
|
||||||
context.success();
|
context.success();
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
ServicesLogger.LOGGER.errorValidatingAssertion(e);
|
ServicesLogger.LOGGER.errorValidatingAssertion(e);
|
||||||
|
|
|
@ -89,6 +89,47 @@ public class ClientAuthSecretSignedJWTTest extends AbstractKeycloakTest {
|
||||||
assertEquals("unauthorized_client", response.getError());
|
assertEquals("unauthorized_client", response.getError());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testAssertionReuse() throws Exception {
|
||||||
|
oauth.clientId("test-app");
|
||||||
|
oauth.doLogin("test-user@localhost", "password");
|
||||||
|
EventRepresentation loginEvent = events.expectLogin()
|
||||||
|
.client("test-app")
|
||||||
|
.assertEvent();
|
||||||
|
|
||||||
|
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
|
||||||
|
String clientSignedJWT = getClientSignedJWT("password", 20);
|
||||||
|
|
||||||
|
OAuthClient.AccessTokenResponse response = doAccessTokenRequest(code, clientSignedJWT);
|
||||||
|
assertEquals(200, response.getStatusCode());
|
||||||
|
events.expectCodeToToken(loginEvent.getDetails().get(Details.CODE_ID), loginEvent.getSessionId())
|
||||||
|
.client(oauth.getClientId())
|
||||||
|
.detail(Details.CLIENT_AUTH_METHOD, JWTClientSecretAuthenticator.PROVIDER_ID)
|
||||||
|
.assertEvent();
|
||||||
|
|
||||||
|
|
||||||
|
// 2nd attempt to use same clientSignedJWT should fail
|
||||||
|
oauth.openLoginForm();
|
||||||
|
loginEvent = events.expectLogin()
|
||||||
|
.client("test-app")
|
||||||
|
.assertEvent();
|
||||||
|
|
||||||
|
String code2 = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
|
||||||
|
response = doAccessTokenRequest(code2, clientSignedJWT);
|
||||||
|
events.expectCodeToToken(loginEvent.getDetails().get(Details.CODE_ID), loginEvent.getSessionId())
|
||||||
|
.error("invalid_client_credentials")
|
||||||
|
.clearDetails()
|
||||||
|
.user((String) null)
|
||||||
|
.session((String) null)
|
||||||
|
.assertEvent();
|
||||||
|
|
||||||
|
|
||||||
|
assertEquals(400, response.getStatusCode());
|
||||||
|
assertEquals("unauthorized_client", response.getError());
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
private String getClientSignedJWT(String secret, int timeout) {
|
private String getClientSignedJWT(String secret, int timeout) {
|
||||||
JWTClientSecretCredentialsProvider jwtProvider = new JWTClientSecretCredentialsProvider();
|
JWTClientSecretCredentialsProvider jwtProvider = new JWTClientSecretCredentialsProvider();
|
||||||
jwtProvider.setClientSecret(secret);
|
jwtProvider.setClientSecret(secret);
|
||||||
|
|
|
@ -621,10 +621,30 @@ public class ClientAuthSignedJWTTest extends AbstractKeycloakTest {
|
||||||
assertError(response, "client1", "unauthorized_client", Errors.INVALID_CLIENT_CREDENTIALS);
|
assertError(response, "client1", "unauthorized_client", Errors.INVALID_CLIENT_CREDENTIALS);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testAssertionReuse() throws Exception {
|
||||||
|
String clientJwt = getClient1SignedJWT();
|
||||||
|
|
||||||
|
OAuthClient.AccessTokenResponse response = doClientCredentialsGrantRequest(clientJwt);
|
||||||
|
|
||||||
|
assertEquals(200, response.getStatusCode());
|
||||||
|
AccessToken accessToken = oauth.verifyToken(response.getAccessToken());
|
||||||
|
Assert.assertNotNull(accessToken);
|
||||||
|
Assert.assertNull(response.getError());
|
||||||
|
|
||||||
|
// 2nd attempt to reuse same JWT should fail
|
||||||
|
response = doClientCredentialsGrantRequest(clientJwt);
|
||||||
|
|
||||||
|
assertEquals(400, response.getStatusCode());
|
||||||
|
assertEquals("unauthorized_client", response.getError());
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testMissingIdClaim() throws Exception {
|
public void testMissingIdClaim() throws Exception {
|
||||||
OAuthClient.AccessTokenResponse response = testMissingClaim("id");
|
OAuthClient.AccessTokenResponse response = testMissingClaim("id");
|
||||||
assertSuccess(response, app1.getClientId(), serviceAccountUser.getId(), serviceAccountUser.getUsername());
|
assertError(response, app1.getClientId(), "unauthorized_client", Errors.INVALID_CLIENT_CREDENTIALS);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
|
Loading…
Reference in a new issue