libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

remove clientmodel.agent phase1

Browse source
This commit is contained in:
Bill Burke 2014-02-27 13:55:04 -05:00
parent f8da693fd0
commit 3fc273070e
29 changed files with 63 additions and 319 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/model/OAuthGrantBean.java
View file

@ -61,7 +61,7 @@ public class OAuthGrantBean {
}
public String getClient() {
return client.getAgent().getLoginName();
return client.getClientId();
}
}

12
model/api/src/main/java/org/keycloak/models/ClientModel.java
View file

@ -7,8 +7,20 @@ import java.util.Set;
* @version $Revision: 1 $
*/
public interface ClientModel {
/**
* Internal database key
*
* @return
*/
String getId();
/**
* String exposed to outside world
*
* @return
*/
String getClientId();
UserModel getAgent();
long getAllowedClaimsMask();

2
model/api/src/main/java/org/keycloak/models/Constants.java
View file

@ -9,8 +9,6 @@ public interface Constants {
String ADMIN_CONSOLE_APPLICATION = "admin-console";
String INTERNAL_ROLE = "KEYCLOAK_";
String APPLICATION_ROLE = INTERNAL_ROLE + "_APPLICATION";
String IDENTITY_REQUESTER_ROLE = INTERNAL_ROLE + "_IDENTITY_REQUESTER";
String ACCOUNT_MANAGEMENT_APP = "account";
}

13
model/api/src/main/java/org/keycloak/models/RealmModel.java
View file

@ -117,24 +117,11 @@ public interface RealmModel extends RoleContainerModel, RoleMapperModel, ScopeMa
boolean removeApplication(String id);
List<RequiredCredentialModel> getRequiredApplicationCredentials();
List<RequiredCredentialModel> getRequiredOAuthClientCredentials();
ApplicationModel getApplicationById(String id);
ApplicationModel getApplicationByName(String name);
void addRequiredOAuthClientCredential(String type);
void addRequiredResourceCredential(String type);
void updateRequiredCredentials(Set<String> creds);
void updateRequiredOAuthClientCredentials(Set<String> creds);
void updateRequiredApplicationCredentials(Set<String> creds);
UserModel getUserBySocialLink(SocialLinkModel socialLink);
Set<SocialLinkModel> getSocialLinks(UserModel user);

5
model/jpa/src/main/java/org/keycloak/models/jpa/ApplicationAdapter.java
View file

@ -48,6 +48,11 @@ public class ApplicationAdapter implements ApplicationModel {
return entity.getId();
}
@Override
public String getClientId() {
return getName();
}
@Override
public String getName() {
return entity.getName();

5
model/jpa/src/main/java/org/keycloak/models/jpa/OAuthClientAdapter.java
View file

@ -27,6 +27,11 @@ public class OAuthClientAdapter implements OAuthClientModel {
return entity.getId();
}
@Override
public String getClientId() {
return getAgent().getLoginName();
}
@Override
public boolean isEnabled() {
return getAgent().isEnabled();

119
model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java
View file

@ -313,125 +313,6 @@ public class RealmAdapter implements RealmModel {
return requiredCredentialModels; //To change body of implemented methods use File | Settings | File Templates.
}
@Override
public List<RequiredCredentialModel> getRequiredApplicationCredentials() {
List<RequiredCredentialModel> requiredCredentialModels = new ArrayList<RequiredCredentialModel>();
Collection<RequiredCredentialEntity> entities = realm.getRequiredAppCredentials();
if (entities == null) return requiredCredentialModels;
for (RequiredCredentialEntity entity : entities) {
RequiredCredentialModel model = new RequiredCredentialModel();
model.setFormLabel(entity.getFormLabel());
model.setType(entity.getType());
model.setSecret(entity.isSecret());
model.setInput(entity.isInput());
requiredCredentialModels.add(model);
}
return requiredCredentialModels; //To change body of implemented methods use File | Settings | File Templates.
}
@Override
public List<RequiredCredentialModel> getRequiredOAuthClientCredentials() {
List<RequiredCredentialModel> requiredCredentialModels = new ArrayList<RequiredCredentialModel>();
Collection<RequiredCredentialEntity> entities = realm.getRequiredOAuthClCredentials();
if (entities == null) return requiredCredentialModels;
for (RequiredCredentialEntity entity : entities) {
RequiredCredentialModel model = new RequiredCredentialModel();
model.setFormLabel(entity.getFormLabel());
model.setType(entity.getType());
model.setSecret(entity.isSecret());
model.setInput(entity.isInput());
requiredCredentialModels.add(model);
}
return requiredCredentialModels; //To change body of implemented methods use File | Settings | File Templates.
}
public void addRequiredOAuthClientCredential(RequiredCredentialModel model) {
RequiredCredentialEntity entity = new RequiredCredentialEntity();
entity.setInput(model.isInput());
entity.setSecret(model.isSecret());
entity.setType(model.getType());
entity.setFormLabel(model.getFormLabel());
em.persist(entity);
realm.getRequiredOAuthClCredentials().add(entity);
em.flush();
}
@Override
public void addRequiredOAuthClientCredential(String type) {
RequiredCredentialModel model = initRequiredCredentialModel(type);
addRequiredOAuthClientCredential(model);
em.flush();
}
public void addRequiredResourceCredential(RequiredCredentialModel model) {
RequiredCredentialEntity entity = new RequiredCredentialEntity();
entity.setInput(model.isInput());
entity.setSecret(model.isSecret());
entity.setType(model.getType());
entity.setFormLabel(model.getFormLabel());
em.persist(entity);
realm.getRequiredAppCredentials().add(entity);
em.flush();
}
@Override
public void addRequiredResourceCredential(String type) {
RequiredCredentialModel model = initRequiredCredentialModel(type);
addRequiredResourceCredential(model);
em.flush();
}
@Override
public void updateRequiredOAuthClientCredentials(Set<String> creds) {
Collection<RequiredCredentialEntity> relationships = realm.getRequiredOAuthClCredentials();
if (relationships == null) relationships = new ArrayList<RequiredCredentialEntity>();
Set<String> already = new HashSet<String>();
List<RequiredCredentialEntity> remove = new ArrayList<RequiredCredentialEntity>();
for (RequiredCredentialEntity rel : relationships) {
if (!creds.contains(rel.getType())) {
remove.add(rel);
} else {
already.add(rel.getType());
}
}
for (RequiredCredentialEntity entity : remove) {
relationships.remove(entity);
em.remove(entity);
}
for (String cred : creds) {
if (!already.contains(cred)) {
addRequiredOAuthClientCredential(cred);
}
}
em.flush();
}
@Override
public void updateRequiredApplicationCredentials(Set<String> creds) {
Collection<RequiredCredentialEntity> relationships = realm.getRequiredAppCredentials();
if (relationships == null) relationships = new ArrayList<RequiredCredentialEntity>();
Set<String> already = new HashSet<String>();
List<RequiredCredentialEntity> remove = new ArrayList<RequiredCredentialEntity>();
for (RequiredCredentialEntity rel : relationships) {
if (!creds.contains(rel.getType())) {
remove.add(rel);
} else {
already.add(rel.getType());
}
}
for (RequiredCredentialEntity entity : remove) {
relationships.remove(entity);
em.remove(entity);
}
for (String cred : creds) {
if (!already.contains(cred)) {
addRequiredResourceCredential(cred);
}
}
em.flush();
}
@Override
public UserModel getUser(String name) {

24
model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmEntity.java
View file

@ -62,14 +62,6 @@ public class RealmEntity {
@JoinTable(name="User_RequiredCreds")
Collection<RequiredCredentialEntity> requiredCredentials = new ArrayList<RequiredCredentialEntity>();
@OneToMany(cascade ={CascadeType.REMOVE}, orphanRemoval = true)
@JoinTable(name="App_RequiredCreds")
Collection<RequiredCredentialEntity> requiredAppCredentials = new ArrayList<RequiredCredentialEntity>();
@OneToMany(cascade ={CascadeType.REMOVE}, orphanRemoval = true)
@JoinTable(name="OAuthClient_RequiredCreds")
Collection<RequiredCredentialEntity> requiredOAuthClCredentials = new ArrayList<RequiredCredentialEntity>();
@OneToMany(fetch = FetchType.LAZY, cascade ={CascadeType.REMOVE}, orphanRemoval = true, mappedBy = "realm")
Collection<ApplicationEntity> applications = new ArrayList<ApplicationEntity>();
@ -236,22 +228,6 @@ public class RealmEntity {
this.requiredCredentials = requiredCredentials;
}
public Collection<RequiredCredentialEntity> getRequiredAppCredentials() {
return requiredAppCredentials;
}
public void setRequiredAppCredentials(Collection<RequiredCredentialEntity> requiredAppCredentials) {
this.requiredAppCredentials = requiredAppCredentials;
}
public Collection<RequiredCredentialEntity> getRequiredOAuthClCredentials() {
return requiredOAuthClCredentials;
}
public void setRequiredOAuthClCredentials(Collection<RequiredCredentialEntity> requiredOAuthClCredentials) {
this.requiredOAuthClCredentials = requiredOAuthClCredentials;
}
public Collection<ApplicationEntity> getApplications() {
return applications;
}

5
model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ApplicationAdapter.java
View file

@ -60,6 +60,11 @@ public class ApplicationAdapter extends AbstractAdapter implements ApplicationMo
return application.getId();
}
@Override
public String getClientId() {
return getName();
}
@Override
public String getName() {
return application.getName();

5
model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/OAuthClientAdapter.java
View file

@ -35,6 +35,11 @@ public class OAuthClientAdapter extends AbstractAdapter implements OAuthClientMo
return delegate.getId();
}
@Override
public String getClientId() {
return getAgent().getLoginName();
}
@Override
public long getAllowedClaimsMask() {
return delegate.getAllowedClaimsMask();

32
model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java
View file

@ -730,18 +730,6 @@ public class RealmAdapter extends AbstractAdapter implements RealmModel {
addRequiredCredential(credentialModel, realm.getRequiredCredentials());
}
@Override
public void addRequiredResourceCredential(String type) {
RequiredCredentialModel credentialModel = initRequiredCredentialModel(type);
addRequiredCredential(credentialModel, realm.getRequiredApplicationCredentials());
}
@Override
public void addRequiredOAuthClientCredential(String type) {
RequiredCredentialModel credentialModel = initRequiredCredentialModel(type);
addRequiredCredential(credentialModel, realm.getRequiredOAuthClientCredentials());
}
protected void addRequiredCredential(RequiredCredentialModel credentialModel, List<RequiredCredentialEntity> persistentCollection) {
RequiredCredentialEntity credEntity = new RequiredCredentialEntity();
credEntity.setType(credentialModel.getType());
@ -759,16 +747,6 @@ public class RealmAdapter extends AbstractAdapter implements RealmModel {
updateRequiredCredentials(creds, realm.getRequiredCredentials());
}
@Override
public void updateRequiredApplicationCredentials(Set<String> creds) {
updateRequiredCredentials(creds, realm.getRequiredApplicationCredentials());
}
@Override
public void updateRequiredOAuthClientCredentials(Set<String> creds) {
updateRequiredCredentials(creds, realm.getRequiredOAuthClientCredentials());
}
protected void updateRequiredCredentials(Set<String> creds, List<RequiredCredentialEntity> credsEntities) {
Set<String> already = new HashSet<String>();
Set<RequiredCredentialEntity> toRemove = new HashSet<RequiredCredentialEntity>();
@ -796,16 +774,6 @@ public class RealmAdapter extends AbstractAdapter implements RealmModel {
return convertRequiredCredentialEntities(realm.getRequiredCredentials());
}
@Override
public List<RequiredCredentialModel> getRequiredApplicationCredentials() {
return convertRequiredCredentialEntities(realm.getRequiredApplicationCredentials());
}
@Override
public List<RequiredCredentialModel> getRequiredOAuthClientCredentials() {
return convertRequiredCredentialEntities(realm.getRequiredOAuthClientCredentials());
}
protected List<RequiredCredentialModel> convertRequiredCredentialEntities(Collection<RequiredCredentialEntity> credEntities) {
List<RequiredCredentialModel> result = new ArrayList<RequiredCredentialModel>();

20
model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/RealmEntity.java
View file

@ -46,8 +46,6 @@ public class RealmEntity extends AbstractMongoIdentifiableEntity implements Mong
private List<String> defaultRoles = new ArrayList<String>();
private List<RequiredCredentialEntity> requiredCredentials = new ArrayList<RequiredCredentialEntity>();
private List<RequiredCredentialEntity> requiredApplicationCredentials = new ArrayList<RequiredCredentialEntity>();
private List<RequiredCredentialEntity> requiredOAuthClientCredentials = new ArrayList<RequiredCredentialEntity>();
private Map<String, String> smtpConfig = new HashMap<String, String>();
private Map<String, String> socialConfig = new HashMap<String, String>();
@ -241,24 +239,6 @@ public class RealmEntity extends AbstractMongoIdentifiableEntity implements Mong
this.requiredCredentials = requiredCredentials;
}
@MongoField
public List<RequiredCredentialEntity> getRequiredApplicationCredentials() {
return requiredApplicationCredentials;
}
public void setRequiredApplicationCredentials(List<RequiredCredentialEntity> requiredApplicationCredentials) {
this.requiredApplicationCredentials = requiredApplicationCredentials;
}
@MongoField
public List<RequiredCredentialEntity> getRequiredOAuthClientCredentials() {
return requiredOAuthClientCredentials;
}
public void setRequiredOAuthClientCredentials(List<RequiredCredentialEntity> requiredOAuthClientCredentials) {
this.requiredOAuthClientCredentials = requiredOAuthClientCredentials;
}
@MongoField
public Map<String, String> getSmtpConfig() {
return smtpConfig;

5
model/tests/src/test/java/org/keycloak/model/test/AdapterTest.java
View file

@ -139,9 +139,6 @@ public class AdapterTest extends AbstractModelTest {
OAuthClientModel oauth = new OAuthClientManager(realmModel).create("oauth-client");
oauth = realmModel.getOAuthClient("oauth-client");
Assert.assertTrue(realmModel.hasRole(oauth.getAgent(), realmModel.getRole(Constants.IDENTITY_REQUESTER_ROLE)));
}
@Test
@ -418,7 +415,7 @@ public class AdapterTest extends AbstractModelTest {
realmModel.addRole("admin");
realmModel.addRole("user");
Set<RoleModel> roles = realmModel.getRoles();
Assert.assertEquals(5, roles.size());
Assert.assertEquals(3, roles.size());
UserModel user = realmModel.addUser("bburke");
RoleModel realmUserRole = realmModel.getRole("user");
realmModel.grantRole(user, realmUserRole);

2
model/tests/src/test/java/org/keycloak/model/test/ImportTest.java
View file

@ -151,8 +151,6 @@ public class ImportTest extends AbstractModelTest {
Assert.assertFalse(realm.isUpdateProfileOnInitialSocialLogin());
Assert.assertEquals(600, realm.getAccessCodeLifespanUserAction());
verifyRequiredCredentials(realm.getRequiredCredentials(), "password");
verifyRequiredCredentials(realm.getRequiredApplicationCredentials(), "secret");
verifyRequiredCredentials(realm.getRequiredOAuthClientCredentials(), "secret");
}
private void verifyRequiredCredentials(List<RequiredCredentialModel> requiredCreds, String expectedType) {

4
services/src/main/java/org/keycloak/services/managers/AppAuthManager.java
View file

@ -36,7 +36,7 @@ public class AppAuthManager extends AuthenticationManager {
this.tokenManager = tokenManager;
}
public NewCookie createCookie(RealmModel realm, UserModel client, String code, URI uri) {
public NewCookie createCookie(RealmModel realm, ClientModel client, String code, URI uri) {
JWSInput input = new JWSInput(code);
boolean verifiedCode = false;
try {
@ -67,7 +67,7 @@ public class AppAuthManager extends AuthenticationManager {
throw new BadRequestException();
}
if (!client.getLoginName().equals(accessCode.getClient().getAgent().getLoginName())) {
if (!client.getClientId().equals(accessCode.getClient().getClientId())) {
logger.debug("bad client");
throw new BadRequestException();
}

2
services/src/main/java/org/keycloak/services/managers/ApplianceBootstrap.java
View file

@ -45,8 +45,6 @@ public class ApplianceBootstrap {
realm.setName(Constants.ADMIN_REALM);
realm.setEnabled(true);
realm.addRequiredCredential(CredentialRepresentation.PASSWORD);
realm.addRequiredOAuthClientCredential(CredentialRepresentation.PASSWORD);
realm.addRequiredResourceCredential(CredentialRepresentation.PASSWORD);
realm.setCentralLoginLifespan(3000);
realm.setAccessTokenLifespan(60);
realm.setRefreshTokenLifespan(3600);

16
services/src/main/java/org/keycloak/services/managers/ApplicationManager.java
View file

@ -46,11 +46,10 @@ public class ApplicationManager {
* Does not create scope or role mappings!
*
* @param realm
* @param loginRole
* @param resourceRep
* @return
*/
public ApplicationModel createApplication(RealmModel realm, RoleModel loginRole, ApplicationRepresentation resourceRep) {
public ApplicationModel createApplication(RealmModel realm, ApplicationRepresentation resourceRep) {
logger.debug("************ CREATE APPLICATION: {0}" + resourceRep.getName());
ApplicationModel applicationModel = realm.addApplication(resourceRep.getName());
applicationModel.setEnabled(resourceRep.isEnabled());
@ -59,7 +58,6 @@ public class ApplicationManager {
applicationModel.setBaseUrl(resourceRep.getBaseUrl());
applicationModel.updateApplication();
UserModel resourceUser = applicationModel.getAgent();
applicationModel.setSecret(resourceRep.getSecret());
if (applicationModel.getSecret() == null) {
generateSecret(applicationModel);
@ -73,14 +71,11 @@ public class ApplicationManager {
}
if (resourceRep.getWebOrigins() != null) {
for (String webOrigin : resourceRep.getWebOrigins()) {
logger.debug("Application: {0} webOrigin: {1}", resourceUser.getLoginName(), webOrigin);
logger.debug("Application: {0} webOrigin: {1}", resourceRep.getName(), webOrigin);
applicationModel.addWebOrigin(webOrigin);
}
}
realm.grantRole(resourceUser, loginRole);
if (resourceRep.getDefaultRoles() != null) {
applicationModel.updateDefaultRoles(resourceRep.getDefaultRoles());
}
@ -123,15 +118,8 @@ public class ApplicationManager {
}
}
public ApplicationModel createApplication(RealmModel realm, ApplicationRepresentation resourceRep) {
RoleModel loginRole = realm.getRole(Constants.APPLICATION_ROLE);
return createApplication(realm, loginRole, resourceRep);
}
public ApplicationModel createApplication(RealmModel realm, String name) {
RoleModel loginRole = realm.getRole(Constants.APPLICATION_ROLE);
ApplicationModel app = realm.addApplication(name);
realm.grantRole(app.getAgent(), loginRole);
generateSecret(app);
return app;

15
services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
View file

@ -60,7 +60,7 @@ public class AuthenticationManager {
protected NewCookie createLoginCookie(RealmModel realm, UserModel user, ClientModel client, String cookieName, String cookiePath, boolean rememberMe) {
AccessToken identityToken = createIdentityToken(realm, user);
if (client != null) {
identityToken.issuedFor(client.getAgent().getLoginName());
identityToken.issuedFor(client.getClientId());
}
String encoded = encodeToken(realm, identityToken);
boolean secureOnly = !realm.isSslNotRequired();
@ -174,18 +174,7 @@ public class AuthenticationManager {
Set<String> types = new HashSet<String>();
List<RequiredCredentialModel> requiredCredentials = null;
RoleModel applicationRole = realm.getRole(Constants.APPLICATION_ROLE);
RoleModel identityRequesterRole = realm.getRole(Constants.IDENTITY_REQUESTER_ROLE);
if (realm.hasRole(user, applicationRole)) {
requiredCredentials = realm.getRequiredApplicationCredentials();
} else if (realm.hasRole(user, identityRequesterRole)) {
requiredCredentials = realm.getRequiredOAuthClientCredentials();
} else {
requiredCredentials = realm.getRequiredCredentials();
}
for (RequiredCredentialModel credential : requiredCredentials) {
for (RequiredCredentialModel credential : realm.getRequiredCredentials()) {
types.add(credential.getType());
}

16
services/src/main/java/org/keycloak/services/managers/OAuthClientManager.java
View file

@ -32,18 +32,16 @@ public class OAuthClientManager {
this.realm = realm;
}
public UserCredentialModel generateSecret(RealmModel realm, OAuthClientModel app) {
public UserCredentialModel generateSecret(OAuthClientModel app) {
UserCredentialModel secret = UserCredentialModel.generateSecret();
realm.updateCredential(app.getAgent(), secret);
app.setSecret(secret.getValue());
return secret;
}
public OAuthClientModel create(String name) {
OAuthClientModel model = realm.addOAuthClient(name);
RoleModel role = realm.getRole(Constants.IDENTITY_REQUESTER_ROLE);
realm.grantRole(model.getAgent(), role);
generateSecret(realm, model);
generateSecret(model);
return model;
}
@ -61,7 +59,7 @@ public class OAuthClientManager {
}
public void update(OAuthClientRepresentation rep, OAuthClientModel model) {
model.getAgent().setEnabled(rep.isEnabled());
model.setEnabled(rep.isEnabled());
List<String> redirectUris = rep.getRedirectUris();
if (redirectUris != null) {
model.setRedirectUris(new HashSet<String>(redirectUris));
@ -80,8 +78,8 @@ public class OAuthClientManager {
public static OAuthClientRepresentation toRepresentation(OAuthClientModel model) {
OAuthClientRepresentation rep = new OAuthClientRepresentation();
rep.setId(model.getId());
rep.setName(model.getAgent().getLoginName());
rep.setEnabled(model.getAgent().isEnabled());
rep.setName(model.getClientId());
rep.setEnabled(model.isEnabled());
Set<String> redirectUris = model.getRedirectUris();
if (redirectUris != null) {
rep.setRedirectUris(new LinkedList<String>(redirectUris));
@ -127,7 +125,7 @@ public class OAuthClientManager {
rep.setSslNotRequired(realmModel.isSslNotRequired());
rep.setAuthServerUrl(baseUri.toString());
rep.setResource(model.getAgent().getLoginName());
rep.setResource(model.getClientId());
Map<String, String> creds = new HashMap<String, String>();
creds.put(CredentialRepresentation.SECRET, model.getSecret());

34
services/src/main/java/org/keycloak/services/managers/RealmManager.java
View file

@ -70,15 +70,10 @@ public class RealmManager {
if (id == null) id = KeycloakModelUtils.generateId();
RealmModel realm = identitySession.createRealm(id, name);
realm.setName(name);
realm.addRole(Constants.APPLICATION_ROLE);
realm.addRole(Constants.IDENTITY_REQUESTER_ROLE);
setupAdminManagement(realm);
setupAccountManagement(realm);
realm.addRequiredOAuthClientCredential(UserCredentialModel.SECRET);
realm.addRequiredResourceCredential(UserCredentialModel.SECRET);
return realm;
}
@ -258,9 +253,6 @@ public class RealmManager {
if (rep.getApplications() != null) {
Map<String, ApplicationModel> appMap = createApplications(rep, newRealm);
for (ApplicationModel app : appMap.values()) {
userMap.put(app.getAgent().getLoginName(), app.getAgent());
}
}
if (rep.getRoles() != null) {
@ -310,11 +302,7 @@ public class RealmManager {
}
if (rep.getOauthClients() != null) {
Map<String, OAuthClientModel> oauthMap = createOAuthClients(rep, newRealm);
for (OAuthClientModel app : oauthMap.values()) {
userMap.put(app.getAgent().getLoginName(), app.getAgent());
}
createOAuthClients(rep, newRealm);
}
// Now that all possible users and applications are created (users, apps, and oauth clients), do role mappings and scope mappings
@ -364,8 +352,7 @@ public class RealmManager {
if (role == null) {
role = newRealm.addRole(roleString.trim());
}
UserModel user = userMap.get(scope.getClient());
ClientModel client = newRealm.findClient(user.getLoginName());
ClientModel client = newRealm.findClient(scope.getClient());
newRealm.addScopeMapping(client, role);
}
@ -481,34 +468,21 @@ public class RealmManager {
newRealm.addRequiredCredential(requiredCred);
}
public void addResourceRequiredCredential(RealmModel newRealm, String requiredCred) {
newRealm.addRequiredResourceCredential(requiredCred);
}
public void addOAuthClientRequiredCredential(RealmModel newRealm, String requiredCred) {
newRealm.addRequiredOAuthClientCredential(requiredCred);
}
protected Map<String, ApplicationModel> createApplications(RealmRepresentation rep, RealmModel realm) {
Map<String, ApplicationModel> appMap = new HashMap<String, ApplicationModel>();
RoleModel loginRole = realm.getRole(Constants.APPLICATION_ROLE);
ApplicationManager manager = new ApplicationManager(this);
for (ApplicationRepresentation resourceRep : rep.getApplications()) {
ApplicationModel app = manager.createApplication(realm, loginRole, resourceRep);
ApplicationModel app = manager.createApplication(realm, resourceRep);
appMap.put(app.getName(), app);
}
return appMap;
}
protected Map<String, OAuthClientModel> createOAuthClients(RealmRepresentation realmRep, RealmModel realm) {
Map<String, OAuthClientModel> appMap = new HashMap<String, OAuthClientModel>();
protected void createOAuthClients(RealmRepresentation realmRep, RealmModel realm) {
OAuthClientManager manager = new OAuthClientManager(realm);
for (OAuthClientRepresentation rep : realmRep.getOauthClients()) {
OAuthClientModel app = manager.create(rep);
appMap.put(app.getAgent().getLoginName(), app);
}
return appMap;
}

2
services/src/main/java/org/keycloak/services/managers/TokenManager.java
View file

@ -290,7 +290,7 @@ public class TokenManager {
token.subject(user.getId());
token.audience(realm.getName());
token.issuedNow();
token.issuedFor(client.getAgent().getLoginName());
token.issuedFor(client.getClientId());
token.issuer(realm.getName());
if (realm.getAccessTokenLifespan() > 0) {
token.expiration((System.currentTimeMillis() / 1000) + realm.getAccessTokenLifespan());

5
services/src/main/java/org/keycloak/services/resources/AccountService.java
View file

@ -254,8 +254,7 @@ public class AccountService {
logger.debug("realm not enabled");
throw new ForbiddenException();
}
UserModel client = application.getAgent();
if (!client.isEnabled() || !application.isEnabled()) {
if (!application.isEnabled()) {
logger.debug("account management app not enabled");
throw new ForbiddenException();
}
@ -274,7 +273,7 @@ public class AccountService {
redirectUri = redirectUri.resolve("?referrer=" + referrer);
}
NewCookie cookie = authManager.createCookie(realm, client, code, Urls.accountBase(uriInfo.getBaseUri()).build(realm.getName()));
NewCookie cookie = authManager.createCookie(realm, application, code, Urls.accountBase(uriInfo.getBaseUri()).build(realm.getName()));
return Response.status(302).cookie(cookie).location(redirectUri).build();
} finally {
authManager.expireCookie(Urls.accountBase(uriInfo.getBaseUri()).build(realm.getName()));

11
services/src/main/java/org/keycloak/services/resources/TokenService.java
View file

@ -8,6 +8,7 @@ import org.keycloak.OAuthErrorException;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
@ -404,7 +405,7 @@ public class TokenService {
return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(res)
.build();
}
if (!client.getAgent().getLoginName().equals(accessCode.getClient().getAgent().getLoginName())) {
if (!client.getClientId().equals(accessCode.getClient().getClientId())) {
Map<String, String> res = new HashMap<String, String>();
res.put("error", "invalid_grant");
res.put("error_description", "Auth error");
@ -486,14 +487,6 @@ public class TokenService {
return oauth.forwardToSecurityFailure("Invalid redirect_uri.");
}
logger.info("Checking roles...");
RoleModel resourceRole = realm.getRole(Constants.APPLICATION_ROLE);
RoleModel identityRequestRole = realm.getRole(Constants.IDENTITY_REQUESTER_ROLE);
boolean isResource = realm.hasRole(client.getAgent(), resourceRole);
if (!isResource && !realm.hasRole(client.getAgent(), identityRequestRole)) {
logger.warn("Login requester not allowed to request login.");
return oauth.forwardToSecurityFailure("Login requester not allowed to request login.");
}
logger.info("Checking cookie...");
UserModel user = authManager.authenticateIdentityCookie(realm, uriInfo, headers);
if (user != null) {

5
services/src/main/java/org/keycloak/services/resources/admin/AdminService.java
View file

@ -325,8 +325,7 @@ public class AdminService {
return redirectOnLoginError("realm not enabled");
}
ApplicationModel adminConsole = adminRealm.getApplicationNameMap().get(Constants.ADMIN_CONSOLE_APPLICATION);
UserModel adminConsoleUser = adminConsole.getAgent();
if (!adminConsole.isEnabled() || !adminConsoleUser.isEnabled()) {
if (!adminConsole.isEnabled()) {
logger.debug("admin app not enabled");
return redirectOnLoginError("admin app not enabled");
}
@ -342,7 +341,7 @@ public class AdminService {
new JaxrsOAuthClient().checkStateCookie(uriInfo, headers);
logger.debug("loginRedirect SUCCESS");
NewCookie cookie = authManager.createCookie(adminRealm, adminConsoleUser, code, AdminService.saasCookiePath(uriInfo).build());
NewCookie cookie = authManager.createCookie(adminRealm, adminConsole, code, AdminService.saasCookiePath(uriInfo).build());
URI redirectUri = contextRoot(uriInfo).path(adminPath).build();
if (path != null) {

2
services/src/main/java/org/keycloak/services/resources/admin/OAuthClientResource.java
View file

@ -112,7 +112,7 @@ public class OAuthClientResource {
logger.debug("regenerateSecret");
UserCredentialModel cred = UserCredentialModel.generateSecret();
realm.updateCredential(oauthClient.getAgent(), cred);
oauthClient.setSecret(cred.getValue());
CredentialRepresentation rep = ModelToRepresentation.toRepresentation(cred);
return rep;
}

2
services/src/main/java/org/keycloak/services/resources/admin/OAuthClientsResource.java
View file

@ -58,7 +58,7 @@ public class OAuthClientsResource {
rep.add(OAuthClientManager.toRepresentation(oauth));
} else {
OAuthClientRepresentation client = new OAuthClientRepresentation();
client.setName(oauth.getAgent().getLoginName());
client.setName(oauth.getClientId());
rep.add(client);
}
}

2
services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java
View file

@ -199,7 +199,7 @@ public class UsersResource {
}
private boolean isUser(UserModel user) {
return !realm.hasRole(user, realm.getRole(Constants.IDENTITY_REQUESTER_ROLE)) && !realm.hasRole(user, realm.getRole(Constants.APPLICATION_ROLE));
return true;
}
@Path("{username}/role-mappings")

9
services/src/main/java/org/keycloak/services/resources/flows/OAuthFlows.java
View file

@ -23,6 +23,7 @@ package org.keycloak.services.resources.flows;
import org.jboss.resteasy.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.OAuthClientModel;
@ -107,12 +108,7 @@ public class OAuthFlows {
isTotpConfigurationRequired(user);
isEmailVerificationRequired(user);
RoleModel resourceRole = realm.getRole(Constants.APPLICATION_ROLE);
RoleModel identityRequestRole = realm.getRole(Constants.IDENTITY_REQUESTER_ROLE);
boolean isResource = realm.hasRole(client.getAgent(), resourceRole);
if (!isResource && !realm.hasRole(client.getAgent(), identityRequestRole)) {
return forwardToSecurityFailure("Login requester not allowed to request login.");
}
boolean isResource = client instanceof ApplicationModel;
AccessCodeEntry accessCode = tokenManager.createAccessCode(scopeParam, state, redirect, realm, client, user);
log.debug("processAccessCode: isResource: {0}", isResource);
log.debug("processAccessCode: go to oauth page?: {0}",
@ -129,7 +125,6 @@ public class OAuthFlows {
if (!isResource
&& (accessCode.getRealmRolesRequested().size() > 0 || accessCode.getResourceRolesRequested().size() > 0)) {
OAuthClientModel oauthClient = realm.getOAuthClient(client.getAgent().getLoginName());
accessCode.setExpiration(System.currentTimeMillis() / 1000 + realm.getAccessCodeLifespanUserAction());
return Flows.forms(realm, request, uriInfo).setAccessCode(accessCode.getId(), accessCode.getCode()).
setAccessRequest(accessCode.getRealmRolesRequested(), accessCode.getResourceRolesRequested()).

6
testsuite/performance/src/test/java/org/keycloak/testsuite/performance/CreateRealmsWorker.java
View file

@ -78,14 +78,8 @@ public class CreateRealmsWorker implements Worker {
// Add required credentials
if (createRequiredCredentials) {
realmManager.addRequiredCredential(realm, CredentialRepresentation.PASSWORD);
realmManager.addResourceRequiredCredential(realm, CredentialRepresentation.PASSWORD);
realmManager.addOAuthClientRequiredCredential(realm, CredentialRepresentation.PASSWORD);
realmManager.addRequiredCredential(realm, CredentialRepresentation.TOTP);
realmManager.addResourceRequiredCredential(realm, CredentialRepresentation.TOTP);
realmManager.addOAuthClientRequiredCredential(realm, CredentialRepresentation.TOTP);
realmManager.addRequiredCredential(realm, CredentialRepresentation.CLIENT_CERT);
realmManager.addResourceRequiredCredential(realm, CredentialRepresentation.CLIENT_CERT);
realmManager.addOAuthClientRequiredCredential(realm, CredentialRepresentation.CLIENT_CERT);
}
log.info("Finished creation of realm " + realmName);