KEYCLOAK-17937 Client Policy - Endpoint : support CIBA Backchannel Authentication Endpoint
This commit is contained in:
Takashi Norimatsu
Marek Posolda
parent
2803685cd7
commit
2b1624390a
5 changed files with 113 additions and 1 deletions
|
|
@ -36,6 +36,7 @@ public enum ClientPolicyEvent {
|
|||
TOKEN_REVOKE,
|
||||
TOKEN_INTROSPECT,
|
||||
USERINFO_REQUEST,
|
||||
LOGOUT_REQUEST
|
||||
LOGOUT_REQUEST,
|
||||
BACKCHANNEL_AUTHENTICATION_REQUEST
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -38,6 +38,8 @@ import org.keycloak.protocol.oidc.grants.ciba.endpoints.request.BackchannelAuthe
|
|||
import org.keycloak.protocol.oidc.grants.ciba.endpoints.request.BackchannelAuthenticationEndpointRequestParserProcessor;
|
||||
import org.keycloak.protocol.oidc.grants.ciba.resolvers.CIBALoginUserResolver;
|
||||
import org.keycloak.services.ErrorResponseException;
|
||||
import org.keycloak.services.clientpolicy.ClientPolicyException;
|
||||
import org.keycloak.services.clientpolicy.context.BackchannelAuthenticationRequestContext;
|
||||
import org.keycloak.util.JsonSerialization;
|
||||
|
||||
import javax.ws.rs.Consumes;
|
||||
|
|
@ -185,6 +187,12 @@ public class BackchannelAuthenticationEndpoint extends AbstractCibaEndpoint {
|
|||
|
||||
extractAdditionalParams(endpointRequest, request);
|
||||
|
||||
try {
|
||||
session.clientPolicy().triggerOnEvent(new BackchannelAuthenticationRequestContext(endpointRequest, params));
|
||||
} catch (ClientPolicyException cpe) {
|
||||
throw new ErrorResponseException(cpe.getError(), cpe.getErrorDetail(), Response.Status.BAD_REQUEST);
|
||||
}
|
||||
|
||||
return request;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,52 @@
|
|||
/*
|
||||
* Copyright 2021 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.keycloak.services.clientpolicy.context;
|
||||
|
||||
import javax.ws.rs.core.MultivaluedMap;
|
||||
|
||||
import org.keycloak.protocol.oidc.grants.ciba.endpoints.request.BackchannelAuthenticationEndpointRequest;
|
||||
import org.keycloak.services.clientpolicy.ClientPolicyContext;
|
||||
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:takashi.norimatsu.ws@hitachi.com">Takashi Norimatsu</a>
|
||||
*/
|
||||
public class BackchannelAuthenticationRequestContext implements ClientPolicyContext {
|
||||
|
||||
private final BackchannelAuthenticationEndpointRequest request;
|
||||
private final MultivaluedMap<String, String> requestParameters;
|
||||
|
||||
public BackchannelAuthenticationRequestContext(BackchannelAuthenticationEndpointRequest request,
|
||||
MultivaluedMap<String, String> requestParameters) {
|
||||
this.request = request;
|
||||
this.requestParameters = requestParameters;
|
||||
}
|
||||
|
||||
@Override
|
||||
public ClientPolicyEvent getEvent() {
|
||||
return ClientPolicyEvent.BACKCHANNEL_AUTHENTICATION_REQUEST;
|
||||
}
|
||||
|
||||
public BackchannelAuthenticationEndpointRequest getRequest() {
|
||||
return request;
|
||||
}
|
||||
|
||||
public MultivaluedMap<String, String> getRequestParameters() {
|
||||
return requestParameters;
|
||||
}
|
||||
}
|
||||
|
|
@ -51,6 +51,7 @@ public class TestRaiseExeptionExecutor implements ClientPolicyExecutorProvider<C
|
|||
case REGISTERED:
|
||||
case UPDATED:
|
||||
case UNREGISTER:
|
||||
case BACKCHANNEL_AUTHENTICATION_REQUEST:
|
||||
return true;
|
||||
default :
|
||||
return false;
|
||||
|
|
|
|||
|
|
@ -34,11 +34,13 @@ import org.keycloak.authentication.authenticators.client.JWTClientAuthenticator;
|
|||
import org.keycloak.authentication.authenticators.client.JWTClientSecretAuthenticator;
|
||||
import org.keycloak.authentication.authenticators.client.X509ClientAuthenticator;
|
||||
import org.keycloak.client.registration.ClientRegistrationException;
|
||||
import org.keycloak.common.Profile;
|
||||
import org.keycloak.events.Details;
|
||||
import org.keycloak.events.Errors;
|
||||
import org.keycloak.events.EventType;
|
||||
import org.keycloak.jose.jws.Algorithm;
|
||||
import org.keycloak.models.AdminRoles;
|
||||
import org.keycloak.models.CibaConfig;
|
||||
import org.keycloak.models.Constants;
|
||||
import org.keycloak.models.utils.KeycloakModelUtils;
|
||||
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
|
||||
|
|
@ -80,6 +82,7 @@ import org.keycloak.services.clientpolicy.executor.SecureSigningAlgorithmExecuto
|
|||
import org.keycloak.services.clientpolicy.executor.SecureSigningAlgorithmForSignedJwtExecutorFactory;
|
||||
import org.keycloak.testsuite.admin.ApiUtil;
|
||||
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
|
||||
import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
|
||||
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
|
||||
import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
|
||||
import org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject;
|
||||
|
|
@ -90,6 +93,7 @@ import org.keycloak.testsuite.util.MutualTLSUtils;
|
|||
import org.keycloak.testsuite.util.OAuthClient;
|
||||
import org.keycloak.testsuite.util.RoleBuilder;
|
||||
import org.keycloak.testsuite.util.ServerURLs;
|
||||
import org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement;
|
||||
import org.keycloak.util.JsonSerialization;
|
||||
|
||||
import java.io.IOException;
|
||||
|
|
@ -105,10 +109,15 @@ import java.util.List;
|
|||
import java.util.Map;
|
||||
import java.util.Optional;
|
||||
|
||||
import static org.hamcrest.MatcherAssert.assertThat;
|
||||
import static org.hamcrest.Matchers.equalTo;
|
||||
import static org.hamcrest.Matchers.is;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.fail;
|
||||
import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson;
|
||||
import static org.keycloak.testsuite.admin.ApiUtil.findUserByUsername;
|
||||
import static org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer.QUARKUS;
|
||||
import static org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer.REMOTE;
|
||||
import static org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder;
|
||||
import static org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder;
|
||||
import static org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder;
|
||||
|
|
@ -2233,6 +2242,47 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
|
|||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
@EnableFeature(value = Profile.Feature.CIBA, skipRestart = true)
|
||||
@AuthServerContainerExclude({REMOTE, QUARKUS})
|
||||
public void testExtendedClientPolicyIntefacesForCiba() throws Exception {
|
||||
String clientId = generateSuffixedName("confidential-app");
|
||||
String clientSecret = "app-secret";
|
||||
createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
|
||||
clientRep.setSecret(clientSecret);
|
||||
clientRep.setStandardFlowEnabled(Boolean.TRUE);
|
||||
clientRep.setImplicitFlowEnabled(Boolean.TRUE);
|
||||
clientRep.setPublicClient(Boolean.FALSE);
|
||||
clientRep.setBearerOnly(Boolean.FALSE);
|
||||
Map<String, String> attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
|
||||
attributes.put(CibaConfig.CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE_PER_CLIENT, "poll");
|
||||
attributes.put(CibaConfig.OIDC_CIBA_GRANT_ENABLED, Boolean.TRUE.toString());
|
||||
clientRep.setAttributes(attributes);
|
||||
});
|
||||
|
||||
// register profiles
|
||||
String json = (new ClientProfilesBuilder()).addProfile(
|
||||
(new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forste Profilen")
|
||||
.addExecutor(TestRaiseExeptionExecutorFactory.PROVIDER_ID, null)
|
||||
.toRepresentation()
|
||||
).toString();
|
||||
updateProfiles(json);
|
||||
|
||||
// register policies
|
||||
json = (new ClientPoliciesBuilder()).addPolicy(
|
||||
(new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "La Premiere Politique", Boolean.TRUE)
|
||||
.addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig())
|
||||
.addProfile(PROFILE_NAME)
|
||||
.toRepresentation()
|
||||
).toString();
|
||||
updatePolicies(json);
|
||||
|
||||
AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(clientId, clientSecret, TEST_USER_NAME, "Pjb9eD8w", null, null);
|
||||
assertEquals(400, response.getStatusCode());
|
||||
assertEquals(ClientPolicyEvent.BACKCHANNEL_AUTHENTICATION_REQUEST.toString(), response.getError());
|
||||
assertEquals("Exception thrown intentionally", response.getErrorDescription());
|
||||
}
|
||||
|
||||
private void checkMtlsFlow() throws IOException {
|
||||
// Check login.
|
||||
OAuthClient.AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
|
||||
|
|
|
|||
Loading…
Reference in a new issue