Merge pull request #1181 from patriot1burke/master

filter oidc broker import keys
Bill Burke 2015-04-24 19:37:25 -04:00
commit 23a3aa023c
6 changed files with 70 additions and 59 deletions


@ -70,7 +70,10 @@ public class KeycloakOIDCIdentityProvider extends OIDCIdentityProvider {
for (String sessionId : action.getKeycloakSessionIds()) {
String brokerSessionId = getConfig().getAlias() + "." + sessionId;
UserSessionModel userSession = session.sessions().getUserSessionByBrokerSessionId(realm, brokerSessionId);
if (userSession != null) {
if (userSession != null
&& userSession.getState() != UserSessionModel.State.LOGGING_OUT
&& userSession.getState() != UserSessionModel.State.LOGGED_OUT
) {
AuthenticationManager.backchannelLogout(session, realm, userSession, uriInfo, clientConnection, headers);
}
}
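Review bot: The new multi-line condition calls `userSession.getState()` twice and gives no reason for excluding LOGGING_OUT and LOGGED_OUT sessions from the backchannel logout, so the intent has to be guessed by the next reader. Hoisting the state into a local, `UserSessionModel.State state = userSession.getState();`, and testing `state` in the two comparisons removes the repeated call. A one-line comment such as `// sessions already being torn down are skipped so they are not logged out a second time` would record the intent; whether the real motivation is avoiding a logout loop between broker and IdP cannot be told from this hunk. The enclosing method starts outside the hunk.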


@ -139,7 +139,8 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
.path(OIDCEndpoint.class, "logoutResponse")
.build(realm.getName(), getConfig().getAlias()).toString();
logoutUri.queryParam("post_logout_redirect_uri", redirect);
return Response.status(302).location(logoutUri.build()).build();
Response response = Response.status(302).location(logoutUri.build()).build();
return response;
}
@Override
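Review bot: The new `Response response = ...; return response;` pair behaves exactly like the single `return` it replaces, so the local adds a line without adding meaning; if it was introduced as a breakpoint hook, a short comment saying so would stop the next reader from folding it back. While this line is being touched, `Response.status(302)` could read `Response.status(Response.Status.FOUND)` so the redirect status is named rather than a bare number. The enclosing method starts outside the hunk.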


@ -21,6 +21,7 @@ import org.keycloak.broker.oidc.util.SimpleHttp;
import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.jose.jwk.JWKParser;
import org.keycloak.jose.jws.Algorithm;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.representations.JSONWebKeySet;
@ -80,7 +81,7 @@ public class OIDCIdentityProviderFactory extends AbstractIdentityProviderFactory
JSONWebKeySet keySet = JsonSerialization.readValue(keySetString, JSONWebKeySet.class);
for (JWK jwk : keySet.getKeys()) {
JWKParser parse = JWKParser.create(jwk);
if (parse.getJwk().getPublicKeyUse().equals(JWK.SIG_USE)) {
if (parse.getJwk().getPublicKeyUse().equals(JWK.SIG_USE) && keyTypeSupported(jwk.getKeyType())) {
PublicKey key = parse.toPublicKey();
config.setPublicKeySignatureVerifier(KeycloakModelUtils.getPemFromKey(key));
config.setValidateSignature(true);
@ -95,4 +96,8 @@ public class OIDCIdentityProviderFactory extends AbstractIdentityProviderFactory
}
return config.getConfig();
}
protected static boolean keyTypeSupported(String type) {
return type != null && type.equals("RSA");
}
}
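Review bot: The filter on the new `if` line still dereferences `getPublicKeyUse()` before comparing, so a JWK that omits the optional `use` member throws a NullPointerException instead of being skipped; reversing the comparison, `if (JWK.SIG_USE.equals(parse.getJwk().getPublicKeyUse()) && keyTypeSupported(jwk.getKeyType())) {`, keeps the RSA filter and turns the absent-`use` case into a plain skip. Each matching key also overwrites the single PEM stored via `setPublicKeySignatureVerifier`, so a key set carrying more than one RSA signing key leaves only the last one after import — if that is intended it deserves a comment, otherwise the loop should stop at the first match or the config should retain several verifiers. The new `keyTypeSupported` helper is `protected static` but undocumented; a Javadoc line such as `/** Only RSA keys can be turned into a PEM signature verifier here; other key types are skipped during import. */` would state its contract. The `Algorithm` import added in the first hunk is not referenced by any visible line, so it may be unused — confirm against the rest of the file.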


@ -1,53 +1,53 @@
package org.keycloak.models;
import java.util.List;
/**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
*/
public interface UserSessionModel {
String getId();
/**
* If created via a broker external login, this is an identifier that can be
* used to match external broker backchannel logout requests to a UserSession
*
* @return
*/
String getBrokerSessionId();
String getBrokerUserId();
UserModel getUser();
String getLoginUsername();
String getIpAddress();
String getAuthMethod();
boolean isRememberMe();
int getStarted();
int getLastSessionRefresh();
void setLastSessionRefresh(int seconds);
List<ClientSessionModel> getClientSessions();
public String getNote(String name);
public void setNote(String name, String value);
public void removeNote(String name);
State getState();
void setState(State state);
public static enum State {
LOGGING_IN,
LOGGED_IN,
LOGGING_OUT,
LOGGED_OUT
}
}
package org.keycloak.models;
import java.util.List;
/**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
*/
public interface UserSessionModel {
String getId();
/**
* If created via a broker external login, this is an identifier that can be
* used to match external broker backchannel logout requests to a UserSession
*
* @return
*/
String getBrokerSessionId();
String getBrokerUserId();
UserModel getUser();
String getLoginUsername();
String getIpAddress();
String getAuthMethod();
boolean isRememberMe();
int getStarted();
int getLastSessionRefresh();
void setLastSessionRefresh(int seconds);
List<ClientSessionModel> getClientSessions();
public String getNote(String name);
public void setNote(String name, String value);
public void removeNote(String name);
State getState();
void setState(State state);
public static enum State {
LOGGING_IN,
LOGGED_IN,
LOGGING_OUT,
LOGGED_OUT
}
}


@ -44,6 +44,7 @@ public class AdminAuth {
public boolean hasRealmRole(String role) {
if (client instanceof ClientModel) {
RoleModel roleModel = realm.getRole(role);
if (roleModel == null) return false;
return user.hasRole(roleModel) && client.hasScope(roleModel);
} else {
AccessToken.Access access = token.getRealmAccess();
@ -63,6 +64,7 @@ public class AdminAuth {
public boolean hasAppRole(ClientModel app, String role) {
if (client instanceof ClientModel) {
RoleModel roleModel = app.getRole(role);
if (roleModel == null) return false;
return user.hasRole(roleModel) && client.hasScope(roleModel);
} else {
AccessToken.Access access = token.getResourceAccess(app.getClientId());
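Review bot: The added `if (roleModel == null) return false;` in `hasRealmRole`, and the identical line in `hasAppRole` in the second hunk, are the only unbraced single-line conditionals in the visible code, whose other branches all use braces; `if (roleModel == null) { return false; }` keeps the style uniform. A brief comment, `// role does not exist in this realm, so it cannot be held`, would also explain why an unknown role name is treated as "not granted" rather than as an error. Both methods continue past their hunks, so the token-based branches are not visible here.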


@ -218,12 +218,12 @@ public class AdminRoot {
}
protected boolean isAdmin(AdminAuth auth) {
if (auth.hasOneOfRealmRole(AdminRoles.ADMIN, AdminRoles.CREATE_REALM)) {
return true;
}
RealmManager realmManager = new RealmManager(session);
if (auth.getRealm().equals(realmManager.getKeycloakAdminstrationRealm())) {
if (auth.hasOneOfRealmRole(AdminRoles.ADMIN, AdminRoles.CREATE_REALM)) {
return true;
}
for (RealmModel realm : session.realms().getRealms()) {
ClientModel client = realm.getMasterAdminClient();
if (auth.hasOneOfAppRole(client, AdminRoles.ALL_REALM_ROLES)) {
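Review bot: Moving the ADMIN/CREATE_REALM check under the administration-realm test changes who counts as an admin, yet the new block carries no comment saying why a realm-level admin role is honoured only when the caller's realm is the administration realm; a line such as `// realm-level admin roles are authoritative only in the administration realm; per-realm admins are recognised below through each realm's master admin client` would record the intent. The guard relies on `RealmModel.equals`, whose implementation is not visible here — if it is identity-based rather than id-based, comparing `getId()` values would be more robust; confirm against the model implementation. The method continues beyond the hunk, so the fall-through return is not visible.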