KEYCLOAK-3318 Adapter support for prompt and max_age. Refactoring to not hardcode OIDC specifics to CookieAuthenticator

This commit is contained in:
mposolda 2016-07-21 18:18:05 +02:00
parent 079026a7be
commit 56e011dce4
9 changed files with 108 additions and 34 deletions

View file

@ -160,6 +160,12 @@ public class OAuthRequestAuthenticator {
String scope = getQueryParamValue(OAuth2Constants.SCOPE); String scope = getQueryParamValue(OAuth2Constants.SCOPE);
url = UriUtils.stripQueryParam(url, OAuth2Constants.SCOPE); url = UriUtils.stripQueryParam(url, OAuth2Constants.SCOPE);
String prompt = getQueryParamValue(OAuth2Constants.PROMPT);
url = UriUtils.stripQueryParam(url, OAuth2Constants.PROMPT);
String maxAge = getQueryParamValue(OAuth2Constants.MAX_AGE);
url = UriUtils.stripQueryParam(url, OAuth2Constants.MAX_AGE);
KeycloakUriBuilder redirectUriBuilder = deployment.getAuthUrl().clone() KeycloakUriBuilder redirectUriBuilder = deployment.getAuthUrl().clone()
.queryParam(OAuth2Constants.RESPONSE_TYPE, OAuth2Constants.CODE) .queryParam(OAuth2Constants.RESPONSE_TYPE, OAuth2Constants.CODE)
.queryParam(OAuth2Constants.CLIENT_ID, deployment.getResourceName()) .queryParam(OAuth2Constants.CLIENT_ID, deployment.getResourceName())
@ -172,6 +178,12 @@ public class OAuthRequestAuthenticator {
if (idpHint != null && idpHint.length() > 0) { if (idpHint != null && idpHint.length() > 0) {
redirectUriBuilder.queryParam(AdapterConstants.KC_IDP_HINT,idpHint); redirectUriBuilder.queryParam(AdapterConstants.KC_IDP_HINT,idpHint);
} }
if (prompt != null && prompt.length() > 0) {
redirectUriBuilder.queryParam(OAuth2Constants.PROMPT, prompt);
}
if (maxAge != null && maxAge.length() > 0) {
redirectUriBuilder.queryParam(OAuth2Constants.MAX_AGE, maxAge);
}
scope = TokenUtil.attachOIDCScope(scope); scope = TokenUtil.attachOIDCScope(scope);
redirectUriBuilder.queryParam(OAuth2Constants.SCOPE, scope); redirectUriBuilder.queryParam(OAuth2Constants.SCOPE, scope);

View file

@ -224,6 +224,10 @@
url += '&prompt=' + encodeURIComponent(options.prompt); url += '&prompt=' + encodeURIComponent(options.prompt);
} }
if (options && options.maxAge) {
url += '&max_age=' + encodeURIComponent(options.maxAge);
}
if (options && options.loginHint) { if (options && options.loginHint) {
url += '&login_hint=' + encodeURIComponent(options.loginHint); url += '&login_hint=' + encodeURIComponent(options.loginHint);
} }

View file

@ -73,6 +73,10 @@ public interface OAuth2Constants {
String UI_LOCALES_PARAM = "ui_locales"; String UI_LOCALES_PARAM = "ui_locales";
String PROMPT = "prompt";
String MAX_AGE = "max_age";
} }

View file

@ -74,4 +74,11 @@ public interface LoginProtocol extends Provider {
Response frontchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession); Response frontchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession);
Response finishLogout(UserSessionModel userSession); Response finishLogout(UserSessionModel userSession);
/**
* @param userSession
* @param clientSession
* @return true if SSO cookie authentication can't be used. User will need to "actively" reauthenticate
*/
boolean requireReauthentication(UserSessionModel userSession, ClientSessionModel clientSession);
} }

View file

@ -25,6 +25,7 @@ import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel; import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel; import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel; import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.services.ServicesLogger; import org.keycloak.services.ServicesLogger;
import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.managers.AuthenticationManager;
@ -36,8 +37,6 @@ import org.keycloak.util.TokenUtil;
*/ */
public class CookieAuthenticator implements Authenticator { public class CookieAuthenticator implements Authenticator {
private static final ServicesLogger logger = ServicesLogger.ROOT_LOGGER;
@Override @Override
public boolean requiresUser() { public boolean requiresUser() {
return false; return false;
@ -50,11 +49,13 @@ public class CookieAuthenticator implements Authenticator {
if (authResult == null) { if (authResult == null) {
context.attempted(); context.attempted();
} else { } else {
ClientSessionModel clientSession = context.getClientSession();
LoginProtocol protocol = context.getSession().getProvider(LoginProtocol.class, clientSession.getAuthMethod());
// Cookie re-authentication is skipped if re-authentication is required // Cookie re-authentication is skipped if re-authentication is required
if (requireReauthentication(authResult.getSession(), context.getClientSession())) { if (protocol.requireReauthentication(authResult.getSession(), clientSession)) {
context.attempted(); context.attempted();
} else { } else {
ClientSessionModel clientSession = context.getClientSession();
clientSession.setNote(AuthenticationManager.SSO_AUTH, "true"); clientSession.setNote(AuthenticationManager.SSO_AUTH, "true");
context.setUser(authResult.getUser()); context.setUser(authResult.getUser());
@ -83,32 +84,4 @@ public class CookieAuthenticator implements Authenticator {
public void close() { public void close() {
} }
protected boolean requireReauthentication(UserSessionModel userSession, ClientSessionModel clientSession) {
return isPromptLogin(clientSession) || isAuthTimeExpired(userSession, clientSession);
}
protected boolean isPromptLogin(ClientSessionModel clientSession) {
String prompt = clientSession.getNote(OIDCLoginProtocol.PROMPT_PARAM);
return TokenUtil.hasPrompt(prompt, OIDCLoginProtocol.PROMPT_VALUE_LOGIN);
}
protected boolean isAuthTimeExpired(UserSessionModel userSession, ClientSessionModel clientSession) {
String authTime = userSession.getNote(AuthenticationManager.AUTH_TIME);
String maxAge = clientSession.getNote(OIDCLoginProtocol.MAX_AGE_PARAM);
if (maxAge == null) {
return false;
}
int authTimeInt = authTime==null ? 0 : Integer.parseInt(authTime);
int maxAgeInt = Integer.parseInt(maxAge);
if (authTimeInt + maxAgeInt < Time.currentTime()) {
logger.debugf("Authentication time is expired in CookieAuthenticator. userSession=%s, clientId=%s, maxAge=%d, authTime=%d", userSession.getId(),
clientSession.getClient().getId(), maxAgeInt, authTimeInt);
return true;
}
return false;
}
} }

View file

@ -18,6 +18,7 @@ package org.keycloak.protocol.oidc;
import org.keycloak.OAuth2Constants; import org.keycloak.OAuth2Constants;
import org.keycloak.OAuthErrorException; import org.keycloak.OAuthErrorException;
import org.keycloak.common.util.Time;
import org.keycloak.events.Details; import org.keycloak.events.Details;
import org.keycloak.events.EventBuilder; import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType; import org.keycloak.events.EventType;
@ -33,8 +34,10 @@ import org.keycloak.protocol.oidc.utils.OIDCResponseMode;
import org.keycloak.protocol.oidc.utils.OIDCResponseType; import org.keycloak.protocol.oidc.utils.OIDCResponseType;
import org.keycloak.representations.AccessTokenResponse; import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.services.ServicesLogger; import org.keycloak.services.ServicesLogger;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.ClientSessionCode; import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.managers.ResourceAdminManager; import org.keycloak.services.managers.ResourceAdminManager;
import org.keycloak.util.TokenUtil;
import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response; import javax.ws.rs.core.Response;
@ -57,8 +60,8 @@ public class OIDCLoginProtocol implements LoginProtocol {
public static final String REDIRECT_URI_PARAM = "redirect_uri"; public static final String REDIRECT_URI_PARAM = "redirect_uri";
public static final String CLIENT_ID_PARAM = "client_id"; public static final String CLIENT_ID_PARAM = "client_id";
public static final String NONCE_PARAM = "nonce"; public static final String NONCE_PARAM = "nonce";
public static final String MAX_AGE_PARAM = "max_age"; public static final String MAX_AGE_PARAM = OAuth2Constants.MAX_AGE;
public static final String PROMPT_PARAM = "prompt"; public static final String PROMPT_PARAM = OAuth2Constants.PROMPT;
public static final String LOGIN_HINT_PARAM = "login_hint"; public static final String LOGIN_HINT_PARAM = "login_hint";
public static final String LOGOUT_REDIRECT_URI = "OIDC_LOGOUT_REDIRECT_URI"; public static final String LOGOUT_REDIRECT_URI = "OIDC_LOGOUT_REDIRECT_URI";
public static final String ISSUER = "iss"; public static final String ISSUER = "iss";
@ -242,6 +245,36 @@ public class OIDCLoginProtocol implements LoginProtocol {
} }
} }
@Override
public boolean requireReauthentication(UserSessionModel userSession, ClientSessionModel clientSession) {
return isPromptLogin(clientSession) || isAuthTimeExpired(userSession, clientSession);
}
protected boolean isPromptLogin(ClientSessionModel clientSession) {
String prompt = clientSession.getNote(OIDCLoginProtocol.PROMPT_PARAM);
return TokenUtil.hasPrompt(prompt, OIDCLoginProtocol.PROMPT_VALUE_LOGIN);
}
protected boolean isAuthTimeExpired(UserSessionModel userSession, ClientSessionModel clientSession) {
String authTime = userSession.getNote(AuthenticationManager.AUTH_TIME);
String maxAge = clientSession.getNote(OIDCLoginProtocol.MAX_AGE_PARAM);
if (maxAge == null) {
return false;
}
int authTimeInt = authTime==null ? 0 : Integer.parseInt(authTime);
int maxAgeInt = Integer.parseInt(maxAge);
if (authTimeInt + maxAgeInt < Time.currentTime()) {
logger.debugf("Authentication time is expired, needs to reauthenticate. userSession=%s, clientId=%s, maxAge=%d, authTime=%d", userSession.getId(),
clientSession.getClient().getId(), maxAgeInt, authTimeInt);
return true;
}
return false;
}
@Override @Override
public void close() { public void close() {

View file

@ -629,6 +629,12 @@ public class SamlProtocol implements LoginProtocol {
return logoutBuilder; return logoutBuilder;
} }
@Override
public boolean requireReauthentication(UserSessionModel userSession, ClientSessionModel clientSession) {
// Not yet supported
return false;
}
private JaxrsSAML2BindingBuilder createBindingBuilder(SamlClient samlClient) { private JaxrsSAML2BindingBuilder createBindingBuilder(SamlClient samlClient) {
JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder(); JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder();
if (samlClient.requiresRealmSignature()) { if (samlClient.requiresRealmSignature()) {

View file

@ -72,6 +72,11 @@ public abstract class AbstractPage {
return this; return this;
} }
public AbstractPage removeUriParameter(String name) {
uriParameters.remove(name);
return this;
}
public Object getUriParameter(String name) { public Object getUriParameter(String name) {
return uriParameters.get(name); return uriParameters.get(name);
} }

View file

@ -25,7 +25,9 @@ import org.junit.Ignore;
import org.junit.Test; import org.junit.Test;
import org.keycloak.OAuth2Constants; import org.keycloak.OAuth2Constants;
import org.keycloak.common.Version; import org.keycloak.common.Version;
import org.keycloak.common.util.Time;
import org.keycloak.constants.AdapterConstants; import org.keycloak.constants.AdapterConstants;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService; import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.representations.AccessToken; import org.keycloak.representations.AccessToken;
import org.keycloak.representations.VersionRepresentation; import org.keycloak.representations.VersionRepresentation;
@ -33,6 +35,7 @@ import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.adapter.AbstractServletsAdapterTest; import org.keycloak.testsuite.adapter.AbstractServletsAdapterTest;
import org.keycloak.testsuite.adapter.filter.AdapterActionsFilter; import org.keycloak.testsuite.adapter.filter.AdapterActionsFilter;
import org.keycloak.testsuite.adapter.page.*; import org.keycloak.testsuite.adapter.page.*;
import org.keycloak.testsuite.util.URLUtils;
import org.keycloak.util.BasicAuthHelper; import org.keycloak.util.BasicAuthHelper;
import javax.ws.rs.client.Client; import javax.ws.rs.client.Client;
@ -448,5 +451,32 @@ public abstract class AbstractDemoServletsAdapterTest extends AbstractServletsAd
setAdapterAndServerTimeOffset(0, tokenMinTTLPage.toString()); setAdapterAndServerTimeOffset(0, tokenMinTTLPage.toString());
} }
// Tests forwarding of parameters like "prompt"
@Test
public void testOIDCParamsForwarding() {
// test login to customer-portal which does a bearer request to customer-db
securePortal.navigateTo();
assertCurrentUrlStartsWithLoginUrlOf(testRealmPage);
testRealmLoginPage.form().login("bburke@redhat.com", "password");
assertCurrentUrlEquals(securePortal);
String pageSource = driver.getPageSource();
assertTrue(pageSource.contains("Bill Burke") && pageSource.contains("Stian Thorgersen"));
int currentTime = Time.currentTime();
setAdapterAndServerTimeOffset(10, securePortal.toString());
// Test I need to reauthenticate with prompt=login
String appUri = tokenMinTTLPage.getUriBuilder().queryParam(OIDCLoginProtocol.PROMPT_PARAM, OIDCLoginProtocol.PROMPT_VALUE_LOGIN).build().toString();
URLUtils.navigateToUri(driver, appUri, true);
assertCurrentUrlStartsWithLoginUrlOf(testRealmPage);
testRealmLoginPage.form().login("bburke@redhat.com", "password");
AccessToken token = tokenMinTTLPage.getAccessToken();
int authTime = token.getAuthTime();
Assert.assertTrue(currentTime + 10 <= authTime);
// Revert times
setAdapterAndServerTimeOffset(0, tokenMinTTLPage.toString());
}
} }