improved oauth login/grant

2014-08-05 19:36:19 -04:00 · 2014-08-05 19:36:19 -04:00 · 5b5fea347a
commit 5b5fea347a
parent d049007412
12 changed files with 90 additions and 44 deletions
--- a/forms/common-themes/src/main/resources/theme/login/base/login-oauth-grant.ftl
+++ b/forms/common-themes/src/main/resources/theme/login/base/login-oauth-grant.ftl
@ -4,10 +4,10 @@
    <#if section = "title">
        ${rb.oauthGrantTitle}
    <#elseif section = "header">
-        ${rb.oauthGrantTitleHtml}
+        Temporary access for <strong>${(realm.name)!''}</strong> requested by <strong>${(client.clientId)!''}</strong>.
    <#elseif section = "form">
        <div id="kc-oauth" class="content-area">
-            <h3><strong>${oauth.client}</strong> ${rb.oauthGrantRequest}</h3>
+            <h3>${rb.oauthGrantRequest}</h3>
            <ul>
                <#if oauth.claimsRequested??>
                    <li>
@ -45,8 +45,8 @@

                    <div id="kc-form-buttons" class="${properties.kcFormButtonsClass!}">
                        <div class="${properties.kcFormButtonsWrapperClass!}">
-                            <input class="btn btn-primary btn-lg" name="accept" id="kc-login" type="submit" value="${rb.accept}"/>
-                            <input class="btn btn-default btn-lg" name="cancel" id="kc-cancel" type="submit" value="${rb.cancel}"/>
+                            <input class="btn btn-primary btn-lg" name="accept" id="kc-login" type="submit" value="${rb.yes}"/>
+                            <input class="btn btn-default btn-lg" name="cancel" id="kc-cancel" type="submit" value="${rb.no}"/>
                        </div>
                    </div>
                </div>
--- a/forms/common-themes/src/main/resources/theme/login/base/login.ftl
+++ b/forms/common-themes/src/main/resources/theme/login/base/login.ftl
@ -1,9 +1,17 @@
 <#import "template.ftl" as layout>
 <@layout.registrationLayout displayInfo=social.displayInfo; section>
    <#if section = "title">
-        ${rb.loginTitle} ${realm.name}
+        <#if client.application>
+             ${rb.loginTitle} ${realm.name}
+        <#elseif client.oauthClient>
+             ${realm.name} ${rb.loginOauthTitle}
+        </#if>
    <#elseif section = "header">
-        ${rb.loginTitle} <strong>${(realm.name)!''}</strong>
+        <#if client.application>
+             ${rb.loginTitle} <strong>${(realm.name)!''}</strong>
+        <#elseif client.oauthClient>
+             Temporary access for <strong>${(realm.name)!''}</strong> requested by <strong>${(client.clientId)!''}</strong>.
+        </#if>
    <#elseif section = "form">
        <#if realm.password>
            <form id="kc-form-login" class="${properties.kcFormClass!}" action="${url.loginAction}" method="post">
--- a/forms/common-themes/src/main/resources/theme/login/base/messages/messages.properties
+++ b/forms/common-themes/src/main/resources/theme/login/base/messages/messages.properties
@ -23,6 +23,8 @@ passwordNewConfirm=New Password confirmation
 cancel=Cancel
 accept=Accept
 submit=Submit
+yes=Yes
+no=No

 authenticatorCode=One-time-password
 clientCertificate=Client Certificate
@ -50,6 +52,8 @@ successTotpRemoved=Google authenticator removed.
 usernameExists=Username already exists

 loginTitle=Log in to
+loginOauthTitle=Temporary access.
+loginOauthTitleHtml=Temporary access requested.  Login to grant access.
 loginForgot=Forgot

 loginTotpTitle=Google Authenticator Setup
@ -67,9 +71,10 @@ loginProfileError=Some required fields are empty or incorrect.
 loginProfileErrorSteps=Please correct the fields in red.

 oauthGrantTitle=OAuth Grant
-oauthGrantTitleHtml=<strong>Keycloak</strong> Central Login
+oauthGrantTitleHtml=Temporary access requested
 oauthGrantTerms=Keycloak Central Login and Google will use this information in accordance with their respective terms of service and privacy policies.
-oauthGrantRequest=requests access to:
+oauthGrantRequest=Do you grant these access privileges?
+oauthGrantLoginRequest=Do you grant access?

 emailVerifyTitle=Email verification
 emailVerifyInstr=An email with instructions to verify your email address has been sent to you.
--- a/forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/FreeMarkerLoginFormsProvider.java
+++ b/forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/FreeMarkerLoginFormsProvider.java
@ -10,6 +10,7 @@ import org.keycloak.freemarker.Theme;
 import org.keycloak.freemarker.ThemeProvider;
 import org.keycloak.login.LoginFormsPages;
 import org.keycloak.login.LoginFormsProvider;
+import org.keycloak.login.freemarker.model.ClientBean;
 import org.keycloak.login.freemarker.model.CodeBean;
 import org.keycloak.login.freemarker.model.LoginBean;
 import org.keycloak.login.freemarker.model.MessageBean;
@ -189,6 +190,10 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
            attributes.put("url", new UrlBean(realm, theme, baseUri));
        }

+        if (client != null) {
+            attributes.put("client", new ClientBean(client));
+        }
+
        attributes.put("login", new LoginBean(formData));

        switch (page) {
--- a/forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/model/ClientBean.java
+++ b/forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/model/ClientBean.java
@ -0,0 +1,29 @@
+package org.keycloak.login.freemarker.model;
+
+import org.keycloak.models.ApplicationModel;
+import org.keycloak.models.ClientModel;
+import org.keycloak.models.OAuthClientModel;
+
+/**
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class ClientBean {
+    protected ClientModel client;
+
+    public ClientBean(ClientModel client) {
+        this.client = client;
+    }
+
+    public boolean isApplication() {
+        return client instanceof ApplicationModel;
+    }
+
+    public boolean isOauthClient() {
+        return client instanceof OAuthClientModel;
+    }
+
+    public String getClientId() {
+        return client.getClientId();
+    }
+}
--- a/forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/model/OAuthGrantBean.java
+++ b/forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/model/OAuthGrantBean.java
@ -41,8 +41,6 @@ public class OAuthGrantBean {
    private String code;
    private ClientModel client;
    private List<String> claimsRequested;
-    private String oAuthCode;
-    private String action;

    public OAuthGrantBean(String code, ClientModel client, List<RoleModel> realmRolesRequested, MultivaluedMap<String, RoleModel> resourceRolesRequested) {
        this.code = code;
--- a/services/src/main/java/org/keycloak/services/resources/AccountService.java
+++ b/services/src/main/java/org/keycloak/services/resources/AccountService.java
@ -189,7 +189,7 @@ public class AccountService {
            try {
                require(AccountRoles.MANAGE_ACCOUNT);
            } catch (ForbiddenException e) {
-                return Flows.forms(session, realm, uriInfo).setError("No access").createErrorPage();
+                return Flows.forms(session, realm, null, uriInfo).setError("No access").createErrorPage();
            }

            String[] referrer = getReferrer();
--- a/services/src/main/java/org/keycloak/services/resources/RequiredActionsService.java
+++ b/services/src/main/java/org/keycloak/services/resources/RequiredActionsService.java
@ -116,7 +116,7 @@ public class RequiredActionsService {

        String error = Validation.validateUpdateProfileForm(formData);
        if (error != null) {
-            return Flows.forms(session, realm, uriInfo).setUser(user).setError(error).createResponse(RequiredAction.UPDATE_PROFILE);
+            return Flows.forms(session, realm, null, uriInfo).setUser(user).setError(error).createResponse(RequiredAction.UPDATE_PROFILE);
        }

        user.setFirstName(formData.getFirst("firstName"));
@ -155,7 +155,7 @@ public class RequiredActionsService {
        String totp = formData.getFirst("totp");
        String totpSecret = formData.getFirst("totpSecret");

-        LoginFormsProvider loginForms = Flows.forms(session, realm, uriInfo).setUser(user);
+        LoginFormsProvider loginForms = Flows.forms(session, realm, null, uriInfo).setUser(user);
        if (Validation.isEmpty(totp)) {
            return loginForms.setError(Messages.MISSING_TOTP).createResponse(RequiredAction.CONFIGURE_TOTP);
        } else if (!new TimeBasedOTP().validate(totp, totpSecret.getBytes())) {
@ -195,7 +195,7 @@ public class RequiredActionsService {
        String passwordNew = formData.getFirst("password-new");
        String passwordConfirm = formData.getFirst("password-confirm");

-        LoginFormsProvider loginForms = Flows.forms(session, realm, uriInfo).setUser(user);
+        LoginFormsProvider loginForms = Flows.forms(session, realm, null, uriInfo).setUser(user);
        if (Validation.isEmpty(passwordNew)) {
            return loginForms.setError(Messages.MISSING_PASSWORD).createResponse(RequiredAction.UPDATE_PASSWORD);
        } else if (!passwordNew.equals(passwordConfirm)) {
@ -251,7 +251,7 @@ public class RequiredActionsService {

            initAudit(accessCode);

-            return Flows.forms(session, realm, uriInfo).setAccessCode(accessCode.getCode()).setUser(accessCode.getUser())
+            return Flows.forms(session, realm, null, uriInfo).setAccessCode(accessCode.getCode()).setUser(accessCode.getUser())
                    .createResponse(RequiredAction.VERIFY_EMAIL);
        }
    }
@ -265,9 +265,9 @@ public class RequiredActionsService {
                return unauthorized();
            }

-            return Flows.forms(session, realm, uriInfo).setAccessCode(accessCode.getCode()).createResponse(RequiredAction.UPDATE_PASSWORD);
+            return Flows.forms(session, realm, null, uriInfo).setAccessCode(accessCode.getCode()).createResponse(RequiredAction.UPDATE_PASSWORD);
        } else {
-            return Flows.forms(session, realm, uriInfo).createPasswordReset();
+            return Flows.forms(session, realm, null, uriInfo).createPasswordReset();
        }
    }

@ -327,11 +327,11 @@ public class RequiredActionsService {
                audit.user(user).detail(Details.EMAIL, user.getEmail()).detail(Details.CODE_ID, accessCode.getCodeId()).success();
            } catch (EmailException e) {
                logger.error("Failed to send password reset email", e);
-                return Flows.forms(this.session, realm, uriInfo).setError("emailSendError").createErrorPage();
+                return Flows.forms(this.session, realm, client, uriInfo).setError("emailSendError").createErrorPage();
            }
        }

-        return Flows.forms(session, realm, uriInfo).setSuccess("emailSent").createPasswordReset();
+        return Flows.forms(session, realm, client,  uriInfo).setSuccess("emailSent").createPasswordReset();
    }

    private AccessCode getAccessCodeEntry(RequiredAction requiredAction) {
@ -368,7 +368,7 @@ public class RequiredActionsService {
        Set<RequiredAction> requiredActions = user.getRequiredActions();
        if (!requiredActions.isEmpty()) {
            accessCode.setRequiredAction(requiredActions.iterator().next());
-            return Flows.forms(session, realm, uriInfo).setAccessCode(accessCode.getCode()).setUser(user)
+            return Flows.forms(session, realm, null, uriInfo).setAccessCode(accessCode.getCode()).setUser(user)
                    .createResponse(requiredActions.iterator().next());
        } else {
            logger.debugv("redirectOauth: redirecting to: {0}", accessCode.getRedirectUri());
@ -410,7 +410,7 @@ public class RequiredActionsService {
    }

    private Response unauthorized() {
-        return Flows.forms(session, realm, uriInfo).setError("Unauthorized request").createErrorPage();
+        return Flows.forms(session, realm, null, uriInfo).setError("Unauthorized request").createErrorPage();
    }

 }
--- a/services/src/main/java/org/keycloak/services/resources/SocialResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/SocialResource.java
@ -110,7 +110,7 @@ public class SocialResource {
            initialRequest = new JWSInput(encodedState).readJsonContent(State.class);
        } catch (Throwable t) {
            logger.warn("Invalid social callback", t);
-            return Flows.forms(session, null, uriInfo).setError("Unexpected callback").createErrorPage();
+            return Flows.forms(session, null, null, uriInfo).setError("Unexpected callback").createErrorPage();
        }

        SocialProvider provider = SocialLoader.load(initialRequest.getProvider());
@ -174,7 +174,7 @@ public class SocialResource {
            queryParms.putSingle(OAuth2Constants.RESPONSE_TYPE, responseType);

            audit.error(Errors.REJECTED_BY_USER);
-            return  Flows.forms(session, realm, uriInfo).setQueryParams(queryParms).setWarning("Access denied").createLogin();
+            return  Flows.forms(session, realm, client, uriInfo).setQueryParams(queryParms).setWarning("Access denied").createLogin();
        } catch (SocialProviderException e) {
            logger.error("Failed to process social callback", e);
            return oauth.forwardToSecurityFailure("Failed to process social callback");
@ -278,25 +278,25 @@ public class SocialResource {
        SocialProvider provider = SocialLoader.load(providerId);
        if (provider == null) {
            audit.error(Errors.SOCIAL_PROVIDER_NOT_FOUND);
-            return Flows.forms(session, realm, uriInfo).setError("Social provider not found").createErrorPage();
+            return Flows.forms(session, realm, null, uriInfo).setError("Social provider not found").createErrorPage();
        }

        ClientModel client = realm.findClient(clientId);
        if (client == null) {
            audit.error(Errors.CLIENT_NOT_FOUND);
            logger.warn("Unknown login requester: " + clientId);
-            return Flows.forms(session, realm, uriInfo).setError("Unknown login requester.").createErrorPage();
+            return Flows.forms(session, realm, null, uriInfo).setError("Unknown login requester.").createErrorPage();
        }

        if (!client.isEnabled()) {
            audit.error(Errors.CLIENT_DISABLED);
            logger.warn("Login requester not enabled.");
-            return Flows.forms(session, realm, uriInfo).setError("Login requester not enabled.").createErrorPage();
+            return Flows.forms(session, realm, null, uriInfo).setError("Login requester not enabled.").createErrorPage();
        }
        redirectUri = TokenService.verifyRedirectUri(uriInfo, redirectUri, realm, client);
        if (redirectUri == null) {
            audit.error(Errors.INVALID_REDIRECT_URI);
-            return Flows.forms(session, realm, uriInfo).setError("Invalid redirect_uri.").createErrorPage();
+            return Flows.forms(session, realm, null, uriInfo).setError("Invalid redirect_uri.").createErrorPage();
        }

        try {
@ -309,7 +309,7 @@ public class SocialResource {
                    .redirectToSocialProvider();
        } catch (Throwable t) {
            logger.error("Failed to redirect to social auth", t);
-            return Flows.forms(session, realm, uriInfo).setError("Failed to redirect to social auth").createErrorPage();
+            return Flows.forms(session, realm, null, uriInfo).setError("Failed to redirect to social auth").createErrorPage();
        }
    }

--- a/services/src/main/java/org/keycloak/services/resources/TokenService.java
+++ b/services/src/main/java/org/keycloak/services/resources/TokenService.java
@ -538,18 +538,18 @@ public class TokenService {
                return oauth.processAccessCode(scopeParam, state, redirect, client, user, userSession, audit);
            case ACCOUNT_TEMPORARILY_DISABLED:
                audit.error(Errors.USER_TEMPORARILY_DISABLED);
-                return Flows.forms(this.session, realm, uriInfo).setError(Messages.ACCOUNT_TEMPORARILY_DISABLED).setFormData(formData).createLogin();
+                return Flows.forms(this.session, realm, client, uriInfo).setError(Messages.ACCOUNT_TEMPORARILY_DISABLED).setFormData(formData).createLogin();
            case ACCOUNT_DISABLED:
                audit.error(Errors.USER_DISABLED);
-                return Flows.forms(this.session, realm, uriInfo).setError(Messages.ACCOUNT_DISABLED).setFormData(formData).createLogin();
+                return Flows.forms(this.session, realm, client, uriInfo).setError(Messages.ACCOUNT_DISABLED).setFormData(formData).createLogin();
            case MISSING_TOTP:
-                return Flows.forms(this.session, realm, uriInfo).setFormData(formData).createLoginTotp();
+                return Flows.forms(this.session, realm, client, uriInfo).setFormData(formData).createLoginTotp();
            case INVALID_USER:
                audit.error(Errors.USER_NOT_FOUND);
-                return Flows.forms(this.session, realm, uriInfo).setError(Messages.INVALID_USER).setFormData(formData).createLogin();
+                return Flows.forms(this.session, realm, client, uriInfo).setError(Messages.INVALID_USER).setFormData(formData).createLogin();
            default:
                audit.error(Errors.INVALID_USER_CREDENTIALS);
-                return Flows.forms(this.session, realm, uriInfo).setError(Messages.INVALID_USER).setFormData(formData).createLogin();
+                return Flows.forms(this.session, realm, client, uriInfo).setError(Messages.INVALID_USER).setFormData(formData).createLogin();
        }
    }

@ -634,13 +634,13 @@ public class TokenService {

        if (error != null) {
            audit.error(Errors.INVALID_REGISTRATION);
-            return Flows.forms(session, realm, uriInfo).setError(error).setFormData(formData).createRegistration();
+            return Flows.forms(session, realm, client, uriInfo).setError(error).setFormData(formData).createRegistration();
        }

        // Validate that user with this username doesn't exist in realm or any authentication provider
        if (session.users().getUserByUsername(username, realm) != null) {
            audit.error(Errors.USERNAME_IN_USE);
-            return Flows.forms(session, realm, uriInfo).setError(Messages.USERNAME_EXISTS).setFormData(formData).createRegistration();
+            return Flows.forms(session, realm, client, uriInfo).setError(Messages.USERNAME_EXISTS).setFormData(formData).createRegistration();
        }

        UserModel user = session.users().addUser(realm, username);
@ -668,7 +668,7 @@ public class TokenService {
            // User already registered, but force him to update password
            if (!passwordUpdateSuccessful) {
                user.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
-                return Flows.forms(session, realm, uriInfo).setError(passwordUpdateError).createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
+                return Flows.forms(session, realm, client, uriInfo).setError(passwordUpdateError).createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
            }
        }

@ -959,7 +959,7 @@ public class TokenService {
            return oauth.redirectError(client, "access_denied", state, redirect);
        }

-        LoginFormsProvider forms = Flows.forms(session, realm, uriInfo);
+        LoginFormsProvider forms = Flows.forms(session, realm, client, uriInfo);

        if (loginHint != null) {
            MultivaluedMap<String, String> formData = new MultivaluedMapImpl<String, String>();
@ -1028,7 +1028,7 @@ public class TokenService {

        authManager.expireIdentityCookie(realm, uriInfo, clientConnection);

-        return Flows.forms(session, realm, uriInfo).createRegistration();
+        return Flows.forms(session, realm, client, uriInfo).createRegistration();
    }

    /**
@ -1150,7 +1150,7 @@ public class TokenService {
    @Path("oauth/oob")
    @GET
    public Response installedAppUrnCallback(final @QueryParam("code") String code, final @QueryParam("error") String error, final @QueryParam("error_description") String errorDescription) {
-        LoginFormsProvider forms = Flows.forms(session, realm, uriInfo);
+        LoginFormsProvider forms = Flows.forms(session, realm, null, uriInfo);
        if (code != null) {
            return forms.setAccessCode(code).createCode();
        } else {
--- a/services/src/main/java/org/keycloak/services/resources/flows/Flows.java
+++ b/services/src/main/java/org/keycloak/services/resources/flows/Flows.java
@ -24,6 +24,7 @@ package org.keycloak.services.resources.flows;
 import org.jboss.resteasy.spi.HttpRequest;
 import org.keycloak.ClientConnection;
 import org.keycloak.login.LoginFormsProvider;
+import org.keycloak.models.ClientModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.services.managers.AuthenticationManager;
@ -40,8 +41,8 @@ public class Flows {
    private Flows() {
    }

-    public static LoginFormsProvider forms(KeycloakSession session, RealmModel realm, UriInfo uriInfo) {
-        return session.getProvider(LoginFormsProvider.class).setRealm(realm).setUriInfo(uriInfo);
+    public static LoginFormsProvider forms(KeycloakSession session, RealmModel realm, ClientModel client, UriInfo uriInfo) {
+        return session.getProvider(LoginFormsProvider.class).setRealm(realm).setUriInfo(uriInfo).setClient(client);
    }

    public static OAuthFlows oauth(KeycloakSession session, RealmModel realm, HttpRequest request, UriInfo uriInfo, ClientConnection clientConnection, AuthenticationManager authManager,
--- a/services/src/main/java/org/keycloak/services/resources/flows/OAuthFlows.java
+++ b/services/src/main/java/org/keycloak/services/resources/flows/OAuthFlows.java
@ -142,7 +142,7 @@ public class OAuthFlows {
                audit.clone().event(EventType.SEND_VERIFY_EMAIL).detail(Details.EMAIL, accessCode.getUser().getEmail()).success();
            }

-            return Flows.forms(this.session, realm, uriInfo).setAccessCode(accessCode.getCode()).setUser(user)
+            return Flows.forms(this.session, realm, client, uriInfo).setAccessCode(accessCode.getCode()).setUser(user)
                    .createResponse(action);
        }

@ -159,7 +159,7 @@ public class OAuthFlows {
                }
            }

-            return Flows.forms(this.session, realm, uriInfo)
+            return Flows.forms(this.session, realm, client, uriInfo)
                    .setAccessCode(accessCode.getCode())
                    .setAccessRequest(realmRoles, resourceRoles)
                    .setClient(client)
@ -177,7 +177,7 @@ public class OAuthFlows {
    }

    public Response forwardToSecurityFailure(String message) {
-        return Flows.forms(session, realm, uriInfo).setError(message).createErrorPage();
+        return Flows.forms(session, realm, null, uriInfo).setError(message).createErrorPage();
    }

    private void isTotpConfigurationRequired(UserModel user) {