Add acr scope to all clients for those migrating from older than Keycloak 18
closes #31107 Signed-off-by: mposolda <mposolda@gmail.com>
This commit is contained in:
mposolda
Marek Posolda
parent
cb418b0bfc
commit
3d787727f9
8 changed files with 26 additions and 12 deletions
|
|
@ -22,8 +22,10 @@ import org.jboss.logging.Logger;
|
||||||
import org.keycloak.common.Profile;
|
import org.keycloak.common.Profile;
|
||||||
import org.keycloak.migration.MigrationProvider;
|
import org.keycloak.migration.MigrationProvider;
|
||||||
import org.keycloak.migration.ModelVersion;
|
import org.keycloak.migration.ModelVersion;
|
||||||
|
import org.keycloak.models.ClientScopeModel;
|
||||||
import org.keycloak.models.KeycloakSession;
|
import org.keycloak.models.KeycloakSession;
|
||||||
import org.keycloak.models.RealmModel;
|
import org.keycloak.models.RealmModel;
|
||||||
|
import org.keycloak.models.utils.KeycloakModelUtils;
|
||||||
import org.keycloak.representations.idm.RealmRepresentation;
|
import org.keycloak.representations.idm.RealmRepresentation;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
@ -56,8 +58,14 @@ public class MigrateTo18_0_0 implements Migration {
|
||||||
if (Profile.isFeatureEnabled(Profile.Feature.STEP_UP_AUTHENTICATION)) {
|
if (Profile.isFeatureEnabled(Profile.Feature.STEP_UP_AUTHENTICATION)) {
|
||||||
MigrationProvider migrationProvider = session.getProvider(MigrationProvider.class);
|
MigrationProvider migrationProvider = session.getProvider(MigrationProvider.class);
|
||||||
|
|
||||||
// create 'acr' default client scope in the realm.
|
ClientScopeModel acrScope = KeycloakModelUtils.getClientScopeByName(realm, "acr");
|
||||||
migrationProvider.addOIDCAcrClientScope(realm);
|
if (acrScope == null) {
|
||||||
|
// create 'acr' default client scope in the realm.
|
||||||
|
acrScope = migrationProvider.addOIDCAcrClientScope(realm);
|
||||||
|
|
||||||
|
//add acr scope to all existing OIDC clients
|
||||||
|
session.clients().addClientScopeToAllClients(realm, acrScope, true);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -76,7 +76,7 @@ public interface MigrationProvider extends Provider {
|
||||||
* @param realm
|
* @param realm
|
||||||
* @return created or already existing client scope 'acr'
|
* @return created or already existing client scope 'acr'
|
||||||
*/
|
*/
|
||||||
void addOIDCAcrClientScope(RealmModel realm);
|
ClientScopeModel addOIDCAcrClientScope(RealmModel realm);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Add 'basic' client scope or return it if already exists
|
* Add 'basic' client scope or return it if already exists
|
||||||
|
|
|
||||||
|
|
@ -393,7 +393,7 @@ public class OIDCLoginProtocolFactory extends AbstractLoginProtocolFactory {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
public void addAcrClientScope(RealmModel newRealm) {
|
public ClientScopeModel addAcrClientScope(RealmModel newRealm) {
|
||||||
if (Profile.isFeatureEnabled(Profile.Feature.STEP_UP_AUTHENTICATION)) {
|
if (Profile.isFeatureEnabled(Profile.Feature.STEP_UP_AUTHENTICATION)) {
|
||||||
ClientScopeModel acrScope = KeycloakModelUtils.getClientScopeByName(newRealm, ACR_SCOPE);
|
ClientScopeModel acrScope = KeycloakModelUtils.getClientScopeByName(newRealm, ACR_SCOPE);
|
||||||
if (acrScope == null) {
|
if (acrScope == null) {
|
||||||
|
|
@ -411,8 +411,10 @@ public class OIDCLoginProtocolFactory extends AbstractLoginProtocolFactory {
|
||||||
} else {
|
} else {
|
||||||
logger.debugf("Client scope '%s' already exists in realm '%s'. Skip creating it.", ACR_SCOPE, newRealm.getName());
|
logger.debugf("Client scope '%s' already exists in realm '%s'. Skip creating it.", ACR_SCOPE, newRealm.getName());
|
||||||
}
|
}
|
||||||
|
return acrScope;
|
||||||
} else {
|
} else {
|
||||||
logger.debugf("Skip creating client scope '%s' in the realm '%s' due the step-up authentication feature is disabled.", ACR_SCOPE, newRealm.getName());
|
logger.debugf("Skip creating client scope '%s' in the realm '%s' due the step-up authentication feature is disabled.", ACR_SCOPE, newRealm.getName());
|
||||||
|
return null;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -103,8 +103,8 @@ public class DefaultMigrationProvider implements MigrationProvider {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void addOIDCAcrClientScope(RealmModel realm) {
|
public ClientScopeModel addOIDCAcrClientScope(RealmModel realm) {
|
||||||
getOIDCLoginProtocolFactory().addAcrClientScope(realm);
|
return getOIDCLoginProtocolFactory().addAcrClientScope(realm);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
|
|
||||||
|
|
@ -119,7 +119,7 @@ public class AccountCredentialResource {
|
||||||
public String getCategory() {
|
public String getCategory() {
|
||||||
return category;
|
return category;
|
||||||
}
|
}
|
||||||
|
|
||||||
public String getType() {
|
public String getType() {
|
||||||
return type;
|
return type;
|
||||||
}
|
}
|
||||||
|
|
@ -302,6 +302,9 @@ public class AccountCredentialResource {
|
||||||
@Deprecated
|
@Deprecated
|
||||||
public void removeCredential(final @PathParam("credentialId") String credentialId) {
|
public void removeCredential(final @PathParam("credentialId") String credentialId) {
|
||||||
auth.require(AccountRoles.MANAGE_ACCOUNT);
|
auth.require(AccountRoles.MANAGE_ACCOUNT);
|
||||||
|
logger.warnf("Using deprecated endpoint of Account REST service for removing credential of user '%s' in the realm '%s'. It is recommended to use application initiated actions (AIA) for removing credentials",
|
||||||
|
user.getUsername(),
|
||||||
|
realm.getName());
|
||||||
CredentialModel credential = CredentialDeleteHelper.removeCredential(session, user, credentialId, this::getCurrentAuthenticatedLevel);
|
CredentialModel credential = CredentialDeleteHelper.removeCredential(session, user, credentialId, this::getCurrentAuthenticatedLevel);
|
||||||
|
|
||||||
if (credential != null && OTPCredentialModel.TYPE.equals(credential.getType())) {
|
if (credential != null && OTPCredentialModel.TYPE.equals(credential.getType())) {
|
||||||
|
|
|
||||||
|
|
@ -441,6 +441,7 @@ public abstract class AbstractMigrationTest extends AbstractKeycloakTest {
|
||||||
|
|
||||||
assertThat(defaultClientScopes, Matchers.hasItems(
|
assertThat(defaultClientScopes, Matchers.hasItems(
|
||||||
OIDCLoginProtocolFactory.BASIC_SCOPE,
|
OIDCLoginProtocolFactory.BASIC_SCOPE,
|
||||||
|
OIDCLoginProtocolFactory.ACR_SCOPE,
|
||||||
OAuth2Constants.SCOPE_PROFILE,
|
OAuth2Constants.SCOPE_PROFILE,
|
||||||
OAuth2Constants.SCOPE_EMAIL
|
OAuth2Constants.SCOPE_EMAIL
|
||||||
));
|
));
|
||||||
|
|
@ -1189,9 +1190,9 @@ public abstract class AbstractMigrationTest extends AbstractKeycloakTest {
|
||||||
protected void testDefaultRoles(RealmResource realm) {
|
protected void testDefaultRoles(RealmResource realm) {
|
||||||
String realmName = realm.toRepresentation().getRealm().toLowerCase();
|
String realmName = realm.toRepresentation().getRealm().toLowerCase();
|
||||||
assertThat(realm.roles().get("default-roles-" + realmName).getRoleComposites().stream()
|
assertThat(realm.roles().get("default-roles-" + realmName).getRoleComposites().stream()
|
||||||
.map(RoleRepresentation::getName).collect(Collectors.toSet()),
|
.map(RoleRepresentation::getName).collect(Collectors.toSet()),
|
||||||
allOf(
|
allOf(
|
||||||
hasItem(realmName + "-test-realm-role"),
|
hasItem(realmName + "-test-realm-role"),
|
||||||
hasItem(realmName + "-test-client-role"))
|
hasItem(realmName + "-test-client-role"))
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
@ -1217,7 +1218,7 @@ public abstract class AbstractMigrationTest extends AbstractKeycloakTest {
|
||||||
|
|
||||||
realm.clients().findByClientId("migration-saml-client")
|
realm.clients().findByClientId("migration-saml-client")
|
||||||
.forEach(clientRepresentation -> {
|
.forEach(clientRepresentation -> {
|
||||||
assertThat(clientRepresentation.getAttributes(), hasEntry("extremely_long_attribute",
|
assertThat(clientRepresentation.getAttributes(), hasEntry("extremely_long_attribute",
|
||||||
" 00000 00010 00020 00030 00040 00050 00060 00070 00080 00090"
|
" 00000 00010 00020 00030 00040 00050 00060 00070 00080 00090"
|
||||||
+ " 00100 00110 00120 00130 00140 00150 00160 00170 00180 00190"
|
+ " 00100 00110 00120 00130 00140 00150 00160 00170 00180 00190"
|
||||||
+ " 00200 00210 00220 00230 00240 00250 00260 00270 00280 00290"
|
+ " 00200 00210 00220 00230 00240 00250 00260 00270 00280 00290"
|
||||||
|
|
|
||||||
|
|
@ -643,7 +643,7 @@
|
||||||
"authenticationFlowBindingOverrides" : { },
|
"authenticationFlowBindingOverrides" : { },
|
||||||
"fullScopeAllowed" : true,
|
"fullScopeAllowed" : true,
|
||||||
"nodeReRegistrationTimeout" : -1,
|
"nodeReRegistrationTimeout" : -1,
|
||||||
"defaultClientScopes" : [ "web-origins", "roles", "profile", "email" ],
|
"defaultClientScopes" : [ "acr", "web-origins", "roles", "profile", "email" ],
|
||||||
"optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
|
"optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
|
||||||
}, {
|
}, {
|
||||||
"id" : "c11d03ac-b4b0-4581-995c-cc9c2f868b17",
|
"id" : "c11d03ac-b4b0-4581-995c-cc9c2f868b17",
|
||||||
|
|
|
||||||
|
|
@ -2875,7 +2875,7 @@
|
||||||
"authenticationFlowBindingOverrides" : { },
|
"authenticationFlowBindingOverrides" : { },
|
||||||
"fullScopeAllowed" : true,
|
"fullScopeAllowed" : true,
|
||||||
"nodeReRegistrationTimeout" : -1,
|
"nodeReRegistrationTimeout" : -1,
|
||||||
"defaultClientScopes" : [ "web-origins", "roles", "profile", "email" ],
|
"defaultClientScopes" : [ "acr", "web-origins", "roles", "profile", "email" ],
|
||||||
"optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
|
"optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
|
||||||
}, {
|
}, {
|
||||||
"id" : "c11d03ac-b4b0-4581-995c-cc9c2f868b17",
|
"id" : "c11d03ac-b4b0-4581-995c-cc9c2f868b17",
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue