Add acr scope to all clients for those migrating from older than Keycloak 18

closes #31107

Signed-off-by: mposolda <mposolda@gmail.com>
mposolda 2024-08-15 18:55:26 +02:00 committed by Marek Posolda
parent cb418b0bfc
commit 3d787727f9
8 changed files with 26 additions and 12 deletions


@ -22,8 +22,10 @@ import org.jboss.logging.Logger;
import org.keycloak.common.Profile; import org.keycloak.common.Profile;
import org.keycloak.migration.MigrationProvider; import org.keycloak.migration.MigrationProvider;
import org.keycloak.migration.ModelVersion; import org.keycloak.migration.ModelVersion;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel; import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.RealmRepresentation;
/** /**
@ -56,8 +58,14 @@ public class MigrateTo18_0_0 implements Migration {
if (Profile.isFeatureEnabled(Profile.Feature.STEP_UP_AUTHENTICATION)) { if (Profile.isFeatureEnabled(Profile.Feature.STEP_UP_AUTHENTICATION)) {
MigrationProvider migrationProvider = session.getProvider(MigrationProvider.class); MigrationProvider migrationProvider = session.getProvider(MigrationProvider.class);
ClientScopeModel acrScope = KeycloakModelUtils.getClientScopeByName(realm, "acr");
if (acrScope == null) {
// create 'acr' default client scope in the realm. // create 'acr' default client scope in the realm.
migrationProvider.addOIDCAcrClientScope(realm); acrScope = migrationProvider.addOIDCAcrClientScope(realm);
//add acr scope to all existing OIDC clients
session.clients().addClientScopeToAllClients(realm, acrScope, true);
}
} }
} }
} }
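Review bot: The new `session.clients().addClientScopeToAllClients(realm, acrScope, true);` call at the end of the null branch changes the default scopes of every client in the realm without leaving a trace in the server log; a line such as `logger.infof("Added client scope '%s' as default scope to all clients of realm '%s'", acrScope.getName(), realm.getName());` (using the class's Logger, if one is declared outside the hunk) would let operators explain why tokens gained an acr claim after the upgrade. The bare `true` argument should get a short comment, since the hunk does not show what it selects (presumably default rather than optional scope — confirm against the ClientProvider signature). Because the whole block is skipped when a scope named 'acr' already exists, realms where the scope was created earlier but never assigned keep their current client configuration; if that is intentional, say so in the comment above the null check. The enclosing migration method starts before the hunk.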


@ -76,7 +76,7 @@ public interface MigrationProvider extends Provider {
* @param realm * @param realm
* @return created or already existing client scope 'acr' * @return created or already existing client scope 'acr'
*/ */
void addOIDCAcrClientScope(RealmModel realm); ClientScopeModel addOIDCAcrClientScope(RealmModel realm);
/** /**
* Add 'basic' client scope or return it if already exists * Add 'basic' client scope or return it if already exists
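Review bot: The Javadoc `@return created or already existing client scope 'acr'` no longer describes the contract: the implementation in `OIDCLoginProtocolFactory.addAcrClientScope` (third file section of this commit) returns `null` when the step-up authentication feature is disabled, so any caller that does not guard on the feature flag will dereference null. Document it, e.g. `* @return created or already existing client scope 'acr', or {@code null} when the step-up authentication feature is disabled`, or return `Optional<ClientScopeModel>` at both the interface and the factory. The only caller in this commit, MigrateTo18_0_0, sits inside the same feature check, so it is safe today, but the interface should state the null case rather than rely on that.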


@ -393,7 +393,7 @@ public class OIDCLoginProtocolFactory extends AbstractLoginProtocolFactory {
} }
public void addAcrClientScope(RealmModel newRealm) { public ClientScopeModel addAcrClientScope(RealmModel newRealm) {
if (Profile.isFeatureEnabled(Profile.Feature.STEP_UP_AUTHENTICATION)) { if (Profile.isFeatureEnabled(Profile.Feature.STEP_UP_AUTHENTICATION)) {
ClientScopeModel acrScope = KeycloakModelUtils.getClientScopeByName(newRealm, ACR_SCOPE); ClientScopeModel acrScope = KeycloakModelUtils.getClientScopeByName(newRealm, ACR_SCOPE);
if (acrScope == null) { if (acrScope == null) {
@ -411,8 +411,10 @@ public class OIDCLoginProtocolFactory extends AbstractLoginProtocolFactory {
} else { } else {
logger.debugf("Client scope '%s' already exists in realm '%s'. Skip creating it.", ACR_SCOPE, newRealm.getName()); logger.debugf("Client scope '%s' already exists in realm '%s'. Skip creating it.", ACR_SCOPE, newRealm.getName());
} }
return acrScope;
} else { } else {
logger.debugf("Skip creating client scope '%s' in the realm '%s' due the step-up authentication feature is disabled.", ACR_SCOPE, newRealm.getName()); logger.debugf("Skip creating client scope '%s' in the realm '%s' due the step-up authentication feature is disabled.", ACR_SCOPE, newRealm.getName());
return null;
} }
} }


@ -103,8 +103,8 @@ public class DefaultMigrationProvider implements MigrationProvider {
} }
@Override @Override
public void addOIDCAcrClientScope(RealmModel realm) { public ClientScopeModel addOIDCAcrClientScope(RealmModel realm) {
getOIDCLoginProtocolFactory().addAcrClientScope(realm); return getOIDCLoginProtocolFactory().addAcrClientScope(realm);
} }
@Override @Override


@ -302,6 +302,9 @@ public class AccountCredentialResource {
@Deprecated @Deprecated
public void removeCredential(final @PathParam("credentialId") String credentialId) { public void removeCredential(final @PathParam("credentialId") String credentialId) {
auth.require(AccountRoles.MANAGE_ACCOUNT); auth.require(AccountRoles.MANAGE_ACCOUNT);
logger.warnf("Using deprecated endpoint of Account REST service for removing credential of user '%s' in the realm '%s'. It is recommended to use application initiated actions (AIA) for removing credentials",
user.getUsername(),
realm.getName());
CredentialModel credential = CredentialDeleteHelper.removeCredential(session, user, credentialId, this::getCurrentAuthenticatedLevel); CredentialModel credential = CredentialDeleteHelper.removeCredential(session, user, credentialId, this::getCurrentAuthenticatedLevel);
if (credential != null && OTPCredentialModel.TYPE.equals(credential.getType())) { if (credential != null && OTPCredentialModel.TYPE.equals(credential.getType())) {
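Review bot: The new `logger.warnf(...)` fires on every request to the deprecated endpoint and includes `user.getUsername()`, which in many realms is an e-mail address; for a normal, authorized operation this puts personal data into the WARN stream that is often shipped to external log aggregation. Logging `user.getId()` instead of the username keeps the line correlatable without the identifier, e.g. `logger.warnf("... for user '%s' in the realm '%s' ...", user.getId(), realm.getName());`. Since the same message repeats for each call, a lower level or a once-per-deployment notice would also avoid burying genuine warnings. removeCredential continues past the hunk.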


@ -441,6 +441,7 @@ public abstract class AbstractMigrationTest extends AbstractKeycloakTest {
assertThat(defaultClientScopes, Matchers.hasItems( assertThat(defaultClientScopes, Matchers.hasItems(
OIDCLoginProtocolFactory.BASIC_SCOPE, OIDCLoginProtocolFactory.BASIC_SCOPE,
OIDCLoginProtocolFactory.ACR_SCOPE,
OAuth2Constants.SCOPE_PROFILE, OAuth2Constants.SCOPE_PROFILE,
OAuth2Constants.SCOPE_EMAIL OAuth2Constants.SCOPE_EMAIL
)); ));


@ -643,7 +643,7 @@
"authenticationFlowBindingOverrides" : { }, "authenticationFlowBindingOverrides" : { },
"fullScopeAllowed" : true, "fullScopeAllowed" : true,
"nodeReRegistrationTimeout" : -1, "nodeReRegistrationTimeout" : -1,
"defaultClientScopes" : [ "web-origins", "roles", "profile", "email" ], "defaultClientScopes" : [ "acr", "web-origins", "roles", "profile", "email" ],
"optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
}, { }, {
"id" : "c11d03ac-b4b0-4581-995c-cc9c2f868b17", "id" : "c11d03ac-b4b0-4581-995c-cc9c2f868b17",


@ -2875,7 +2875,7 @@
"authenticationFlowBindingOverrides" : { }, "authenticationFlowBindingOverrides" : { },
"fullScopeAllowed" : true, "fullScopeAllowed" : true,
"nodeReRegistrationTimeout" : -1, "nodeReRegistrationTimeout" : -1,
"defaultClientScopes" : [ "web-origins", "roles", "profile", "email" ], "defaultClientScopes" : [ "acr", "web-origins", "roles", "profile", "email" ],
"optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
}, { }, {
"id" : "c11d03ac-b4b0-4581-995c-cc9c2f868b17", "id" : "c11d03ac-b4b0-4581-995c-cc9c2f868b17",