KEYCLOAK-6980 Check if client_assertion was already used during signed JWT client authentication

model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanSingleUseTokenStoreProvider.java

@@ -0,0 +1,74 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.models.sessions.infinispan;
+
+import java.util.concurrent.TimeUnit;
+import java.util.function.Supplier;
+
+import org.infinispan.client.hotrod.exceptions.HotRodClientException;
+import org.infinispan.commons.api.BasicCache;
+import org.jboss.logging.Logger;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.SingleUseTokenStoreProvider;
+import org.keycloak.models.sessions.infinispan.entities.ActionTokenValueEntity;
+
+/**
+ * TODO: Check if Boolean can be used as single-use cache argument instead of ActionTokenValueEntity. With respect to other single-use cache usecases like "Revoke Refresh Token" .
+ * Also with respect to the usage of streams iterating over "actionTokens" cache (check there are no ClassCastExceptions when casting values directly to ActionTokenValueEntity)
+ *
+ *
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class InfinispanSingleUseTokenStoreProvider implements SingleUseTokenStoreProvider {
+
+    public static final Logger logger = Logger.getLogger(InfinispanSingleUseTokenStoreProvider.class);
+
+    private final Supplier<BasicCache<String, ActionTokenValueEntity>> tokenCache;
+    private final KeycloakSession session;
+
+    public InfinispanSingleUseTokenStoreProvider(KeycloakSession session, Supplier<BasicCache<String, ActionTokenValueEntity>> actionKeyCache) {
+        this.session = session;
+        this.tokenCache = actionKeyCache;
+    }
+
+    @Override
+    public boolean putIfAbsent(String tokenId, int lifespanInSeconds) {
+        ActionTokenValueEntity tokenValue = new ActionTokenValueEntity(null);
+
+        // Rather keep the items in the cache for a bit longer
+        lifespanInSeconds = lifespanInSeconds + 10;
+
+        try {
+            BasicCache<String, ActionTokenValueEntity> cache = tokenCache.get();
+            ActionTokenValueEntity existing = cache.putIfAbsent(tokenId, tokenValue, lifespanInSeconds, TimeUnit.SECONDS);
+            return existing == null;
+        } catch (HotRodClientException re) {
+            // No need to retry. The hotrod (remoteCache) has some retries in itself in case of some random network error happened.
+            // In case of lock conflict, we don't want to retry anyway as there was likely an attempt to use the token from different place.
+            logger.debugf(re, "Failed when adding token %s", tokenId);
+
+            return false;
+        }
+
+    }
+
+    @Override
+    public void close() {
+
+    }
+}

model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanSingleUseTokenStoreProviderFactory.java

@@ -0,0 +1,96 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.models.sessions.infinispan;
+
+import java.util.function.Supplier;
+
+import org.infinispan.Cache;
+import org.infinispan.client.hotrod.Flag;
+import org.infinispan.client.hotrod.RemoteCache;
+import org.infinispan.commons.api.BasicCache;
+import org.jboss.logging.Logger;
+import org.keycloak.Config;
+import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.models.SingleUseTokenStoreProviderFactory;
+import org.keycloak.models.sessions.infinispan.entities.ActionTokenValueEntity;
+import org.keycloak.models.sessions.infinispan.util.InfinispanUtil;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class InfinispanSingleUseTokenStoreProviderFactory implements SingleUseTokenStoreProviderFactory {
+
+    private static final Logger LOG = Logger.getLogger(InfinispanSingleUseTokenStoreProviderFactory.class);
+
+    // Reuse "actionTokens" infinispan cache for now
+    private volatile Supplier<BasicCache<String, ActionTokenValueEntity>> tokenCache;
+
+    @Override
+    public InfinispanSingleUseTokenStoreProvider create(KeycloakSession session) {
+        lazyInit(session);
+        return new InfinispanSingleUseTokenStoreProvider(session, tokenCache);
+    }
+
+    private void lazyInit(KeycloakSession session) {
+        if (tokenCache == null) {
+            synchronized (this) {
+                if (tokenCache == null) {
+                    InfinispanConnectionProvider connections = session.getProvider(InfinispanConnectionProvider.class);
+                    Cache cache = connections.getCache(InfinispanConnectionProvider.ACTION_TOKEN_CACHE);
+
+                    RemoteCache remoteCache = InfinispanUtil.getRemoteCache(cache);
+
+                    if (remoteCache != null) {
+                        LOG.debugf("Having remote stores. Using remote cache '%s' for single-use cache of token", remoteCache.getName());
+                        this.tokenCache = () -> {
+                            // Doing this way as flag is per invocation
+                            return remoteCache.withFlags(Flag.FORCE_RETURN_VALUE);
+                        };
+                    } else {
+                        LOG.debugf("Not having remote stores. Using normal cache '%s' for single-use cache of token", cache.getName());
+                        this.tokenCache = () -> {
+                            return cache;
+                        };
+                    }
+                }
+            }
+        }
+    }
+
+    @Override
+    public void init(Config.Scope config) {
+
+    }
+
+    @Override
+    public void postInit(KeycloakSessionFactory factory) {
+
+    }
+
+    @Override
+    public void close() {
+
+    }
+
+    @Override
+    public String getId() {
+        return "infinispan";
+    }
+}

model/infinispan/src/main/resources/META-INF/services/org.keycloak.models.SingleUseTokenStoreProviderFactory

@@ -0,0 +1,18 @@
+#
+# Copyright 2017 Red Hat, Inc. and/or its affiliates
+# and other contributors as indicated by the @author tags.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+org.keycloak.models.sessions.infinispan.InfinispanSingleUseTokenStoreProviderFactory

server-spi-private/src/main/java/org/keycloak/models/SingleUseTokenStoreProvider.java

@@ -0,0 +1,41 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.models;
+
+import org.keycloak.provider.Provider;
+
+/**
+ * Provides single-use cache for OAuth2 code parameter. Used to ensure that particular value of code parameter is used once.
+ *
+ * TODO: For now, it is separate provider as {@link CodeToTokenStoreProvider}, however will be good to merge those 2 providers to "SingleUseCacheProvider"
+ * in the future as they provide very similar thing
+ *
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public interface SingleUseTokenStoreProvider extends Provider {
+
+    /**
+     * Will try to put the token into the cache. It will success just if token is not already there.
+     *
+     * @param tokenId
+     * @param lifespanInSeconds Minimum lifespan for which successfully added token will be kept in the cache.
+     * @return true if token was successfully put into the cache. This means that same token wasn't in the cache before
+     */
+    boolean putIfAbsent(String tokenId, int lifespanInSeconds);
+
+}

server-spi-private/src/main/java/org/keycloak/models/SingleUseTokenStoreProviderFactory.java

@@ -0,0 +1,26 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.models;
+
+import org.keycloak.provider.ProviderFactory;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public interface SingleUseTokenStoreProviderFactory extends ProviderFactory<SingleUseTokenStoreProvider> {
+}

server-spi-private/src/main/java/org/keycloak/models/SingleUseTokenStoreSpi.java

@@ -0,0 +1,50 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.models;
+
+import org.keycloak.provider.Provider;
+import org.keycloak.provider.ProviderFactory;
+import org.keycloak.provider.Spi;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class SingleUseTokenStoreSpi implements Spi {
+
+    public static final String NAME = "singleUseTokenStore";
+
+    @Override
+    public boolean isInternal() {
+        return true;
+    }
+
+    @Override
+    public String getName() {
+        return NAME;
+    }
+
+    @Override
+    public Class<? extends Provider> getProviderClass() {
+        return SingleUseTokenStoreProvider.class;
+    }
+
+    @Override
+    public Class<? extends ProviderFactory> getProviderFactoryClass() {
+        return SingleUseTokenStoreProviderFactory.class;
+    }
+}

server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi

@@ -21,6 +21,7 @@ org.keycloak.storage.federated.UserFederatedStorageProviderSpi
 org.keycloak.models.RealmSpi
 org.keycloak.models.ActionTokenStoreSpi
 org.keycloak.models.CodeToTokenStoreSpi
+org.keycloak.models.SingleUseTokenStoreSpi
 org.keycloak.models.UserSessionSpi
 org.keycloak.models.UserSpi
 org.keycloak.models.session.UserSessionPersisterSpi

services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java

@@ -31,6 +31,7 @@ import java.util.Set;
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
 
+import org.jboss.logging.Logger;
 import org.keycloak.OAuth2Constants;
 import org.keycloak.authentication.AuthenticationFlowError;
 import org.keycloak.authentication.ClientAuthenticationFlowContext;
@@ -41,6 +42,7 @@ import org.keycloak.keys.loader.PublicKeyStorageManager;
 import org.keycloak.models.AuthenticationExecutionModel;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.RealmModel;
+import org.keycloak.models.SingleUseTokenStoreProvider;
 import org.keycloak.protocol.oidc.OIDCLoginProtocol;
 import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
 import org.keycloak.provider.ProviderConfigProperty;
@@ -59,6 +61,8 @@ import org.keycloak.services.Urls;
  */
 public class JWTClientAuthenticator extends AbstractClientAuthenticator {
 
+    private static final Logger logger = Logger.getLogger(JWTClientAuthenticator.class);
+
     public static final String PROVIDER_ID = "client-jwt";
     public static final String ATTR_PREFIX = "jwt.credential";
     public static final String CERTIFICATE_ATTR = "jwt.credential.certificate";
@@ -148,10 +152,25 @@ public class JWTClientAuthenticator extends AbstractClientAuthenticator {
             }
 
             // KEYCLOAK-2986
-            if (token.getExpiration() == 0 && token.getIssuedAt() + 10 < Time.currentTime()) {
+            int currentTime = Time.currentTime();
+            if (token.getExpiration() == 0 && token.getIssuedAt() + 10 < currentTime) {
                 throw new RuntimeException("Token is not active");
             }
 
+            if (token.getId() == null) {
+                throw new RuntimeException("Missing ID on the token");
+            }
+
+            SingleUseTokenStoreProvider singleUseCache = context.getSession().getProvider(SingleUseTokenStoreProvider.class);
+            int lifespanInSecs = Math.max(token.getExpiration() - currentTime, 10);
+            if (singleUseCache.putIfAbsent(token.getId(), lifespanInSecs)) {
+                logger.tracef("Added token '%s' to single-use cache. Lifespan: %d seconds, client: %s", token.getId(), lifespanInSecs, clientId);
+
+            } else {
+                logger.warnf("Token '%s' already used when authenticating client '%s'.", token.getId(), clientId);
+                throw new RuntimeException("Token reuse detected");
+            }
+
             context.success();
         } catch (Exception e) {
             ServicesLogger.LOGGER.errorValidatingAssertion(e);

services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientSecretAuthenticator.java

@@ -23,6 +23,7 @@ import org.keycloak.jose.jws.JWSInput;
 import org.keycloak.jose.jws.crypto.HMACProvider;
 import org.keycloak.models.AuthenticationExecutionModel;
 import org.keycloak.models.AuthenticationExecutionModel.Requirement;
+import org.keycloak.models.SingleUseTokenStoreProvider;
 import org.keycloak.protocol.oidc.OIDCLoginProtocol;
 import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
 import org.keycloak.models.ClientModel;
@@ -39,6 +40,8 @@ import org.keycloak.services.Urls;
  * This is server side, which verifies JWT from client_assertion parameter, where the assertion was created on adapter side by
  * org.keycloak.adapters.authentication.JWTClientSecretCredentialsProvider
  *
+ * TODO: Try to create abstract superclass to be shared with {@link JWTClientAuthenticator}. Most of the code can be reused
+ *
  * @author <a href="mailto:takashi.norimatsu.ws@hitachi.com">Takashi Norimatsu</a>
  */
 public class JWTClientSecretAuthenticator extends AbstractClientAuthenticator {
@@ -138,10 +141,25 @@ public class JWTClientSecretAuthenticator extends AbstractClientAuthenticator {
             }
 
             // KEYCLOAK-2986, token-timeout or token-expiration in keycloak.json might not be used
-            if (token.getExpiration() == 0 && token.getIssuedAt() + 10 < Time.currentTime()) {
+            int currentTime = Time.currentTime();
+            if (token.getExpiration() == 0 && token.getIssuedAt() + 10 < currentTime) {
                 throw new RuntimeException("Token is not active");
             }
 
+            if (token.getId() == null) {
+                throw new RuntimeException("Missing ID on the token");
+            }
+
+            SingleUseTokenStoreProvider singleUseCache = context.getSession().getProvider(SingleUseTokenStoreProvider.class);
+            int lifespanInSecs = Math.max(token.getExpiration() - currentTime, 10);
+            if (singleUseCache.putIfAbsent(token.getId(), lifespanInSecs)) {
+
+                logger.tracef("Added token '%s' to single-use cache. Lifespan: %d seconds, client: %s", token.getId(), lifespanInSecs, clientId);
+            } else {
+                logger.warnf("Token '%s' already used when authenticating client '%s'.", token.getId(), clientId);
+                throw new RuntimeException("Token reuse detected");
+            }
+
             context.success();
         } catch (Exception e) {
             ServicesLogger.LOGGER.errorValidatingAssertion(e);

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSecretSignedJWTTest.java

@@ -88,7 +88,48 @@ public class ClientAuthSecretSignedJWTTest extends AbstractKeycloakTest {
         assertEquals(400, response.getStatusCode());
         assertEquals("unauthorized_client", response.getError());
     }
-    
+
+
+    @Test
+    public void testAssertionReuse() throws Exception {
+        oauth.clientId("test-app");
+        oauth.doLogin("test-user@localhost", "password");
+        EventRepresentation loginEvent = events.expectLogin()
+                .client("test-app")
+                .assertEvent();
+
+        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
+        String clientSignedJWT = getClientSignedJWT("password", 20);
+
+        OAuthClient.AccessTokenResponse response = doAccessTokenRequest(code, clientSignedJWT);
+        assertEquals(200, response.getStatusCode());
+        events.expectCodeToToken(loginEvent.getDetails().get(Details.CODE_ID), loginEvent.getSessionId())
+                .client(oauth.getClientId())
+                .detail(Details.CLIENT_AUTH_METHOD, JWTClientSecretAuthenticator.PROVIDER_ID)
+                .assertEvent();
+
+
+        // 2nd attempt to use same clientSignedJWT should fail
+        oauth.openLoginForm();
+        loginEvent = events.expectLogin()
+                .client("test-app")
+                .assertEvent();
+
+        String code2 = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
+        response = doAccessTokenRequest(code2, clientSignedJWT);
+        events.expectCodeToToken(loginEvent.getDetails().get(Details.CODE_ID), loginEvent.getSessionId())
+                .error("invalid_client_credentials")
+                .clearDetails()
+                .user((String) null)
+                .session((String) null)
+                .assertEvent();
+
+
+        assertEquals(400, response.getStatusCode());
+        assertEquals("unauthorized_client", response.getError());
+    }
+
+
     private String getClientSignedJWT(String secret, int timeout) {
         JWTClientSecretCredentialsProvider jwtProvider = new JWTClientSecretCredentialsProvider();
         jwtProvider.setClientSecret(secret);

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java

@@ -621,10 +621,30 @@ public class ClientAuthSignedJWTTest extends AbstractKeycloakTest {
         assertError(response, "client1", "unauthorized_client", Errors.INVALID_CLIENT_CREDENTIALS);
     }
 
+
+    @Test
+    public void testAssertionReuse() throws Exception {
+        String clientJwt = getClient1SignedJWT();
+
+        OAuthClient.AccessTokenResponse response = doClientCredentialsGrantRequest(clientJwt);
+
+        assertEquals(200, response.getStatusCode());
+        AccessToken accessToken = oauth.verifyToken(response.getAccessToken());
+        Assert.assertNotNull(accessToken);
+        Assert.assertNull(response.getError());
+
+        // 2nd attempt to reuse same JWT should fail
+        response = doClientCredentialsGrantRequest(clientJwt);
+
+        assertEquals(400, response.getStatusCode());
+        assertEquals("unauthorized_client", response.getError());
+    }
+
+
     @Test
     public void testMissingIdClaim() throws Exception {
         OAuthClient.AccessTokenResponse response = testMissingClaim("id");
-        assertSuccess(response, app1.getClientId(), serviceAccountUser.getId(), serviceAccountUser.getUsername());
+        assertError(response, app1.getClientId(), "unauthorized_client", Errors.INVALID_CLIENT_CREDENTIALS);
     }
 
     @Test