KEYCLOAK-17667 Client Policy - Executor : Only Accept Confidential Client
This commit is contained in:
parent
e9035bb7b3
commit
3221708499
5 changed files with 187 additions and 1 deletions
|
@ -0,0 +1,68 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2021 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.services.clientpolicy.executor;
|
||||||
|
|
||||||
|
import org.keycloak.OAuthErrorException;
|
||||||
|
import org.keycloak.models.ClientModel;
|
||||||
|
import org.keycloak.models.KeycloakSession;
|
||||||
|
import org.keycloak.services.clientpolicy.ClientPolicyContext;
|
||||||
|
import org.keycloak.services.clientpolicy.ClientPolicyException;
|
||||||
|
|
||||||
|
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:takashi.norimatsu.ws@hitachi.com">Takashi Norimatsu</a>
|
||||||
|
*/
|
||||||
|
public class ConfidentialClientAcceptExecutor implements ClientPolicyExecutorProvider<ClientPolicyExecutorConfiguration> {
|
||||||
|
|
||||||
|
protected final KeycloakSession session;
|
||||||
|
|
||||||
|
public ConfidentialClientAcceptExecutor(KeycloakSession session) {
|
||||||
|
this.session = session;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getProviderId() {
|
||||||
|
return ConfidentialClientAcceptExecutorFactory.PROVIDER_ID;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
|
||||||
|
switch (context.getEvent()) {
|
||||||
|
case AUTHORIZATION_REQUEST:
|
||||||
|
case TOKEN_REQUEST:
|
||||||
|
checkIsConfidentialClient();
|
||||||
|
return;
|
||||||
|
default:
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private void checkIsConfidentialClient() throws ClientPolicyException {
|
||||||
|
ClientModel client = session.getContext().getClient();
|
||||||
|
if (client == null) {
|
||||||
|
throw new ClientPolicyException(OAuthErrorException.INVALID_CLIENT, "invalid client access type");
|
||||||
|
}
|
||||||
|
if (client.isPublicClient()) {
|
||||||
|
throw new ClientPolicyException(OAuthErrorException.INVALID_CLIENT, "invalid client access type");
|
||||||
|
}
|
||||||
|
if (client.isBearerOnly()) {
|
||||||
|
throw new ClientPolicyException(OAuthErrorException.INVALID_CLIENT, "invalid client access type");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,66 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2021 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.keycloak.services.clientpolicy.executor;
|
||||||
|
|
||||||
|
import java.util.Collections;
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
import org.keycloak.Config.Scope;
|
||||||
|
import org.keycloak.models.KeycloakSession;
|
||||||
|
import org.keycloak.models.KeycloakSessionFactory;
|
||||||
|
import org.keycloak.provider.ProviderConfigProperty;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:takashi.norimatsu.ws@hitachi.com">Takashi Norimatsu</a>
|
||||||
|
*/
|
||||||
|
public class ConfidentialClientAcceptExecutorFactory implements ClientPolicyExecutorProviderFactory {
|
||||||
|
|
||||||
|
public static final String PROVIDER_ID = "confidentialclient-accept-executor";
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public ClientPolicyExecutorProvider create(KeycloakSession session) {
|
||||||
|
return new ConfidentialClientAcceptExecutor(session);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void init(Scope config) {
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void postInit(KeycloakSessionFactory factory) {
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void close() {
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getId() {
|
||||||
|
return PROVIDER_ID;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getHelpText() {
|
||||||
|
return "On authorization endpoint and token endpoint, this executor checks whether the client is confidential client. If not, it denies its request.";
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public List<ProviderConfigProperty> getConfigProperties() {
|
||||||
|
return Collections.emptyList();
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -7,3 +7,4 @@ org.keycloak.services.clientpolicy.executor.SecureSigningAlgorithmEnforceExecuto
|
||||||
org.keycloak.services.clientpolicy.executor.SecureRedirectUriEnforceExecutorFactory
|
org.keycloak.services.clientpolicy.executor.SecureRedirectUriEnforceExecutorFactory
|
||||||
org.keycloak.services.clientpolicy.executor.SecureSigningAlgorithmForSignedJwtEnforceExecutorFactory
|
org.keycloak.services.clientpolicy.executor.SecureSigningAlgorithmForSignedJwtEnforceExecutorFactory
|
||||||
org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforceExecutorFactory
|
org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforceExecutorFactory
|
||||||
|
org.keycloak.services.clientpolicy.executor.ConfidentialClientAcceptExecutorFactory
|
|
@ -116,6 +116,7 @@ import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceHostsCondi
|
||||||
import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceHostsConditionFactory;
|
import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceHostsConditionFactory;
|
||||||
import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceRolesCondition;
|
import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceRolesCondition;
|
||||||
import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceRolesConditionFactory;
|
import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceRolesConditionFactory;
|
||||||
|
import org.keycloak.services.clientpolicy.executor.ConfidentialClientAcceptExecutor;
|
||||||
import org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforceExecutor;
|
import org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforceExecutor;
|
||||||
import org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforceExecutorFactory;
|
import org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforceExecutorFactory;
|
||||||
import org.keycloak.services.clientpolicy.executor.PKCEEnforceExecutor;
|
import org.keycloak.services.clientpolicy.executor.PKCEEnforceExecutor;
|
||||||
|
|
|
@ -81,6 +81,7 @@ import org.keycloak.services.clientpolicy.condition.ClientUpdateContextCondition
|
||||||
import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceGroupsConditionFactory;
|
import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceGroupsConditionFactory;
|
||||||
import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceHostsConditionFactory;
|
import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceHostsConditionFactory;
|
||||||
import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceRolesConditionFactory;
|
import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceRolesConditionFactory;
|
||||||
|
import org.keycloak.services.clientpolicy.executor.ConfidentialClientAcceptExecutorFactory;
|
||||||
import org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforceExecutorFactory;
|
import org.keycloak.services.clientpolicy.executor.HolderOfKeyEnforceExecutorFactory;
|
||||||
import org.keycloak.services.clientpolicy.executor.PKCEEnforceExecutorFactory;
|
import org.keycloak.services.clientpolicy.executor.PKCEEnforceExecutorFactory;
|
||||||
import org.keycloak.services.clientpolicy.executor.SecureClientAuthEnforceExecutorFactory;
|
import org.keycloak.services.clientpolicy.executor.SecureClientAuthEnforceExecutorFactory;
|
||||||
|
@ -1511,6 +1512,55 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testConfidentialClientAcceptExecutorExecutor() throws Exception {
|
||||||
|
// register profiles
|
||||||
|
String json = (new ClientProfilesBuilder()).addProfile(
|
||||||
|
(new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Erstes Profil", Boolean.FALSE, null)
|
||||||
|
.addExecutor(ConfidentialClientAcceptExecutorFactory.PROVIDER_ID, null)
|
||||||
|
.toRepresentation()
|
||||||
|
).toString();
|
||||||
|
updateProfiles(json);
|
||||||
|
|
||||||
|
// register policies
|
||||||
|
json = (new ClientPoliciesBuilder()).addPolicy(
|
||||||
|
(new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Erstes Politik", Boolean.FALSE, Boolean.TRUE, null, null)
|
||||||
|
.addCondition(ClientRolesConditionFactory.PROVIDER_ID,
|
||||||
|
createClientRolesConditionConfig(Arrays.asList(SAMPLE_CLIENT_ROLE)))
|
||||||
|
.addProfile(PROFILE_NAME)
|
||||||
|
.toRepresentation()
|
||||||
|
).toString();
|
||||||
|
updatePolicies(json);
|
||||||
|
|
||||||
|
String clientConfidentialId = generateSuffixedName("confidential-app");
|
||||||
|
String clientConfidentialSecret = "app-secret";
|
||||||
|
String cidConfidential = createClientByAdmin(clientConfidentialId, (ClientRepresentation clientRep) -> {
|
||||||
|
clientRep.setSecret(clientConfidentialSecret);
|
||||||
|
clientRep.setStandardFlowEnabled(Boolean.TRUE);
|
||||||
|
clientRep.setImplicitFlowEnabled(Boolean.TRUE);
|
||||||
|
clientRep.setPublicClient(Boolean.FALSE);
|
||||||
|
clientRep.setBearerOnly(Boolean.FALSE);
|
||||||
|
});
|
||||||
|
adminClient.realm(REALM_NAME).clients().get(cidConfidential).roles().create(RoleBuilder.create().name(SAMPLE_CLIENT_ROLE).build());
|
||||||
|
|
||||||
|
successfulLoginAndLogout(clientConfidentialId, clientConfidentialSecret);
|
||||||
|
|
||||||
|
String clientPublicId = generateSuffixedName("public-app");
|
||||||
|
String cidPublic = createClientByAdmin(clientPublicId, (ClientRepresentation clientRep) -> {
|
||||||
|
clientRep.setSecret(clientConfidentialSecret);
|
||||||
|
clientRep.setStandardFlowEnabled(Boolean.TRUE);
|
||||||
|
clientRep.setImplicitFlowEnabled(Boolean.TRUE);
|
||||||
|
clientRep.setPublicClient(Boolean.TRUE);
|
||||||
|
clientRep.setBearerOnly(Boolean.FALSE);
|
||||||
|
});
|
||||||
|
adminClient.realm(REALM_NAME).clients().get(cidPublic).roles().create(RoleBuilder.create().name(SAMPLE_CLIENT_ROLE).build());
|
||||||
|
|
||||||
|
oauth.clientId(clientPublicId);
|
||||||
|
oauth.openLoginForm();
|
||||||
|
assertEquals(OAuthErrorException.INVALID_CLIENT, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
|
||||||
|
assertEquals("invalid client access type", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
|
||||||
|
}
|
||||||
|
|
||||||
private void checkMtlsFlow() throws IOException {
|
private void checkMtlsFlow() throws IOException {
|
||||||
// Check login.
|
// Check login.
|
||||||
OAuthClient.AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
|
OAuthClient.AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
|
||||||
|
|
Loading…
Reference in a new issue