Merge pull request #1181 from patriot1burke/master
filter oidc broker import keys
commit
23a3aa023c
6 changed files with 70 additions and 59 deletions
@ -70,7 +70,10 @@ public class KeycloakOIDCIdentityProvider extends OIDCIdentityProvider {
|
|||
for (String sessionId : action.getKeycloakSessionIds()) {
|
||||
String brokerSessionId = getConfig().getAlias() + "." + sessionId;
|
||||
UserSessionModel userSession = session.sessions().getUserSessionByBrokerSessionId(realm, brokerSessionId);
|
||||
if (userSession != null) {
|
||||
if (userSession != null
|
||||
&& userSession.getState() != UserSessionModel.State.LOGGING_OUT
|
||||
&& userSession.getState() != UserSessionModel.State.LOGGED_OUT
|
||||
) {
|
||||
AuthenticationManager.backchannelLogout(session, realm, userSession, uriInfo, clientConnection, headers);
|
||||
}
|
||||
}
|
||||
|
|
|
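Review bot: The new multi-line condition skips sessions in LOGGING_OUT and LOGGED_OUT before calling backchannelLogout, but nothing says why a session that is still logging out is excluded; a reader can only guess it prevents the IdP's logout callback from re-entering this handler while Keycloak's own logout is in progress. A one-line comment above the `if`, such as `// skip sessions already (being) logged out so an IdP-initiated logout cannot re-trigger backchannelLogout on them`, adjusted to the actual reason, would make the intent verifiable. The closing `) {` on a line of its own is also unusual for this file; folding the two state checks onto one line, `&& userSession.getState() != UserSessionModel.State.LOGGING_OUT && userSession.getState() != UserSessionModel.State.LOGGED_OUT) {`, reads more conventionally. The enclosing method begins and ends outside the hunk.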
@ -139,7 +139,8 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
|
|||
.path(OIDCEndpoint.class, "logoutResponse")
|
||||
.build(realm.getName(), getConfig().getAlias()).toString();
|
||||
logoutUri.queryParam("post_logout_redirect_uri", redirect);
|
||||
return Response.status(302).location(logoutUri.build()).build();
|
||||
Response response = Response.status(302).location(logoutUri.build()).build();
|
||||
return response;
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
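Review bot: The replacement of the `return` introduces a local `response` that is returned on the very next line with nothing done to it in between, so the change is behaviour-neutral and reads like a leftover from debugging. Either restore `return Response.status(302).location(logoutUri.build()).build();` or, if the local exists because headers (for example cache-control on the redirect) are meant to be added later, say so in a comment. The enclosing method starts before the hunk.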
@ -21,6 +21,7 @@ import org.keycloak.broker.oidc.util.SimpleHttp;
|
|||
import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
|
||||
import org.keycloak.jose.jwk.JWK;
|
||||
import org.keycloak.jose.jwk.JWKParser;
|
||||
import org.keycloak.jose.jws.Algorithm;
|
||||
import org.keycloak.models.IdentityProviderModel;
|
||||
import org.keycloak.models.utils.KeycloakModelUtils;
|
||||
import org.keycloak.protocol.oidc.representations.JSONWebKeySet;
|
||||
|
@ -80,7 +81,7 @@ public class OIDCIdentityProviderFactory extends AbstractIdentityProviderFactory
|
|||
JSONWebKeySet keySet = JsonSerialization.readValue(keySetString, JSONWebKeySet.class);
|
||||
for (JWK jwk : keySet.getKeys()) {
|
||||
JWKParser parse = JWKParser.create(jwk);
|
||||
if (parse.getJwk().getPublicKeyUse().equals(JWK.SIG_USE)) {
|
||||
if (parse.getJwk().getPublicKeyUse().equals(JWK.SIG_USE) && keyTypeSupported(jwk.getKeyType())) {
|
||||
PublicKey key = parse.toPublicKey();
|
||||
config.setPublicKeySignatureVerifier(KeycloakModelUtils.getPemFromKey(key));
|
||||
config.setValidateSignature(true);
|
||||
|
@ -95,4 +96,8 @@ public class OIDCIdentityProviderFactory extends AbstractIdentityProviderFactory
|
|||
}
|
||||
return config.getConfig();
|
||||
}
|
||||
|
||||
protected static boolean keyTypeSupported(String type) {
|
||||
return type != null && type.equals("RSA");
|
||||
}
|
||||
}
|
||||
|
|
|
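Review bot: The key-import loop in the second hunk still dereferences `parse.getJwk().getPublicKeyUse()` before the new `keyTypeSupported` check, so a JWKS entry that omits the optional `use` member throws a NullPointerException and aborts the import of every remaining key; a null-safe, type-first filter avoids that: `if (JWK.SIG_USE.equals(parse.getJwk().getPublicKeyUse()) && keyTypeSupported(jwk.getKeyType())) {`. Independently, each matching key overwrites `config.setPublicKeySignatureVerifier`, so a JWKS carrying several RSA signing keys (key rotation) leaves only the last one configured — worth either selecting by `kid` or documenting that a single signing key is assumed. In `keyTypeSupported`, `return "RSA".equals(type);` expresses the same null-safe comparison more directly. The loop body continues past the second hunk.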
@ -1,53 +1,53 @@
|
|||
package org.keycloak.models;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||
*/
|
||||
public interface UserSessionModel {
|
||||
|
||||
String getId();
|
||||
|
||||
/**
|
||||
* If created via a broker external login, this is an identifier that can be
|
||||
* used to match external broker backchannel logout requests to a UserSession
|
||||
*
|
||||
* @return
|
||||
*/
|
||||
String getBrokerSessionId();
|
||||
String getBrokerUserId();
|
||||
|
||||
UserModel getUser();
|
||||
|
||||
String getLoginUsername();
|
||||
|
||||
String getIpAddress();
|
||||
|
||||
String getAuthMethod();
|
||||
|
||||
boolean isRememberMe();
|
||||
|
||||
int getStarted();
|
||||
|
||||
int getLastSessionRefresh();
|
||||
|
||||
void setLastSessionRefresh(int seconds);
|
||||
|
||||
List<ClientSessionModel> getClientSessions();
|
||||
|
||||
public String getNote(String name);
|
||||
public void setNote(String name, String value);
|
||||
public void removeNote(String name);
|
||||
|
||||
State getState();
|
||||
void setState(State state);
|
||||
|
||||
public static enum State {
|
||||
LOGGING_IN,
|
||||
LOGGED_IN,
|
||||
LOGGING_OUT,
|
||||
LOGGED_OUT
|
||||
}
|
||||
|
||||
}
|
||||
package org.keycloak.models;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||
*/
|
||||
public interface UserSessionModel {
|
||||
|
||||
String getId();
|
||||
|
||||
/**
|
||||
* If created via a broker external login, this is an identifier that can be
|
||||
* used to match external broker backchannel logout requests to a UserSession
|
||||
*
|
||||
* @return
|
||||
*/
|
||||
String getBrokerSessionId();
|
||||
String getBrokerUserId();
|
||||
|
||||
UserModel getUser();
|
||||
|
||||
String getLoginUsername();
|
||||
|
||||
String getIpAddress();
|
||||
|
||||
String getAuthMethod();
|
||||
|
||||
boolean isRememberMe();
|
||||
|
||||
int getStarted();
|
||||
|
||||
int getLastSessionRefresh();
|
||||
|
||||
void setLastSessionRefresh(int seconds);
|
||||
|
||||
List<ClientSessionModel> getClientSessions();
|
||||
|
||||
public String getNote(String name);
|
||||
public void setNote(String name, String value);
|
||||
public void removeNote(String name);
|
||||
|
||||
State getState();
|
||||
void setState(State state);
|
||||
|
||||
public static enum State {
|
||||
LOGGING_IN,
|
||||
LOGGED_IN,
|
||||
LOGGING_OUT,
|
||||
LOGGED_OUT
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -44,6 +44,7 @@ public class AdminAuth {
|
|||
public boolean hasRealmRole(String role) {
|
||||
if (client instanceof ClientModel) {
|
||||
RoleModel roleModel = realm.getRole(role);
|
||||
if (roleModel == null) return false;
|
||||
return user.hasRole(roleModel) && client.hasScope(roleModel);
|
||||
} else {
|
||||
AccessToken.Access access = token.getRealmAccess();
|
||||
|
@ -63,6 +64,7 @@ public class AdminAuth {
|
|||
public boolean hasAppRole(ClientModel app, String role) {
|
||||
if (client instanceof ClientModel) {
|
||||
RoleModel roleModel = app.getRole(role);
|
||||
if (roleModel == null) return false;
|
||||
return user.hasRole(roleModel) && client.hasScope(roleModel);
|
||||
} else {
|
||||
AccessToken.Access access = token.getResourceAccess(app.getClientId());
|
||||
|
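Review bot: The `if (roleModel == null) return false;` guard in both hunks (hasRealmRole and hasAppRole) is braceless while every other block in these methods is braced; `if (roleModel == null) { return false; }` keeps the file's style. Returning false for an unknown role is the right fail-closed default, but the `else` branch that follows reads `token.getRealmAccess()` and `token.getResourceAccess(app.getClientId())`, which continue outside the hunks; if those accessors can return null when the claim is absent from the token, the same guard is needed on `access` — confirm against the rest of each method.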
|
|
@ -218,12 +218,12 @@ public class AdminRoot {
|
|||
}
|
||||
|
||||
protected boolean isAdmin(AdminAuth auth) {
|
||||
if (auth.hasOneOfRealmRole(AdminRoles.ADMIN, AdminRoles.CREATE_REALM)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
RealmManager realmManager = new RealmManager(session);
|
||||
if (auth.getRealm().equals(realmManager.getKeycloakAdminstrationRealm())) {
|
||||
if (auth.hasOneOfRealmRole(AdminRoles.ADMIN, AdminRoles.CREATE_REALM)) {
|
||||
return true;
|
||||
}
|
||||
for (RealmModel realm : session.realms().getRealms()) {
|
||||
ClientModel client = realm.getMasterAdminClient();
|
||||
if (auth.hasOneOfAppRole(client, AdminRoles.ALL_REALM_ROLES)) {
|
||||
|
|
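Review bot: The realm check `auth.getRealm().equals(realmManager.getKeycloakAdminstrationRealm())` now gates whether ADMIN/CREATE_REALM confer admin rights at all, so its correctness depends on every RealmModel implementation overriding equals; if an adapter falls back to identity equality, two instances of the master realm compare unequal and admin access silently fails closed. Comparing ids, `auth.getRealm().getId().equals(realmManager.getKeycloakAdminstrationRealm().getId())`, makes the intent explicit and removes that dependency. A short comment above the `if` would also help the next reader, e.g. `// realm-level admin roles only count when granted in the master (administration) realm; the same role names in another realm must not grant admin`. isAdmin continues past the hunk.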