Pre-authorization hook for client policies

Closes #9017

server-spi/src/main/java/org/keycloak/services/clientpolicy/ClientPolicyEvent.java

@@ -30,6 +30,7 @@ public enum ClientPolicyEvent {
     UPDATED,
     VIEW,
     UNREGISTER,
+    PRE_AUTHORIZATION_REQUEST,
     AUTHORIZATION_REQUEST,
     IMPLICIT_HYBRID_TOKEN_RESPONSE,
     TOKEN_REQUEST,

services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java

@@ -45,6 +45,7 @@ import org.keycloak.services.ErrorPageException;
 import org.keycloak.services.Urls;
 import org.keycloak.services.clientpolicy.ClientPolicyException;
 import org.keycloak.services.clientpolicy.context.AuthorizationRequestContext;
+import org.keycloak.services.clientpolicy.context.PreAuthorizationRequestContext;
 import org.keycloak.services.messages.Messages;
 import org.keycloak.services.resources.LoginActionsService;
 import org.keycloak.services.util.CacheControlUtil;
@@ -144,6 +145,12 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
 
         checkSsl();
         checkRealm();
+
+        try {
+            session.clientPolicy().triggerOnEvent(new PreAuthorizationRequestContext(clientId, params));
+        } catch (ClientPolicyException cpe) {
+            throw new ErrorPageException(session, authenticationSession, cpe.getErrorStatus(), cpe.getErrorDetail());
+        }
         checkClient(clientId);
 
         request = AuthorizationEndpointRequestParserProcessor.parseRequest(event, session, client, params, AuthorizationEndpointRequestParserProcessor.EndpointType.OIDC_AUTH_ENDPOINT);

services/src/main/java/org/keycloak/services/clientpolicy/context/PreAuthorizationRequestContext.java

@@ -0,0 +1,51 @@
+/*
+ * Copyright 2023 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.services.clientpolicy.context;
+
+import javax.ws.rs.core.MultivaluedMap;
+
+import org.keycloak.services.clientpolicy.ClientPolicyContext;
+import org.keycloak.services.clientpolicy.ClientPolicyEvent;
+
+/**
+ * @author <a href="mailto:demetrio@carretti.pro">Dmitry Telegin</a>
+ */
+public class PreAuthorizationRequestContext implements ClientPolicyContext {
+
+    private final String clientId;
+    private final MultivaluedMap<String, String> requestParameters;
+
+    public PreAuthorizationRequestContext(String clientId, MultivaluedMap<String, String> requestParameters) {
+        this.clientId = clientId;
+        this.requestParameters = requestParameters;
+    }
+
+    @Override
+    public ClientPolicyEvent getEvent() {
+        return ClientPolicyEvent.PRE_AUTHORIZATION_REQUEST;
+    }
+
+    public String getClientId() {
+        return clientId;
+    }
+
+    public MultivaluedMap<String, String> getRequestParameters() {
+        return requestParameters;
+    }
+
+}

services/src/main/java/org/keycloak/services/clientpolicy/executor/RejectRequestExecutor.java

@@ -38,6 +38,6 @@ public class RejectRequestExecutor implements ClientPolicyExecutorProvider<Clien
 
     @Override
     public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
-        throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "request not allowed");
+        throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "Request not allowed");
     }
 }

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/AbstractClientPoliciesTest.java

@@ -204,7 +204,7 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest {
     protected static final String ERR_MSG_MISSING_NONCE = "Missing parameter: nonce";
     protected static final String ERR_MSG_MISSING_STATE = "Missing parameter: state";
     protected static final String ERR_MSG_CLIENT_REG_FAIL = "Failed to send request";
-    protected static final String ERR_MSG_REQ_NOT_ALLOWED = "request not allowed";
+    protected static final String ERR_MSG_REQ_NOT_ALLOWED = "Request not allowed";
 
     protected ClientRegistration reg;
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/ClientPoliciesExtendedEventTest.java

@@ -19,6 +19,7 @@ package org.keycloak.testsuite.client.policies;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson;
 import static org.keycloak.testsuite.admin.ApiUtil.findUserByUsername;
@@ -537,4 +538,32 @@ public class ClientPoliciesExtendedEventTest extends AbstractClientPoliciesTest
         assertEquals(ClientPolicyEvent.RESOURCE_OWNER_PASSWORD_CREDENTIALS_RESPONSE.toString(), response.getError());
         assertEquals("Exception thrown intentionally", response.getErrorDescription());
     }
+
+    @Test
+    public void testExtendedClientPolicyIntefacesForPreAuthorizationRequest() throws Exception {
+        // register profiles
+        String json = (new ClientProfilesBuilder()).addProfile(
+                (new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forste Profilen")
+                        .addExecutor(TestRaiseExceptionExecutorFactory.PROVIDER_ID,
+                                createTestRaiseExeptionExecutorConfig(Arrays.asList(ClientPolicyEvent.PRE_AUTHORIZATION_REQUEST)))
+                        .toRepresentation()
+        ).toString();
+        updateProfiles(json);
+
+        // register policies
+        json = (new ClientPoliciesBuilder()).addPolicy(
+                (new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "La Premiere Politique", Boolean.TRUE)
+                        .addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig())
+                        .addProfile(PROFILE_NAME)
+                        .toRepresentation()
+        ).toString();
+        updatePolicies(json);
+
+        // Authorization Request
+        oauth.realm(REALM_NAME);
+        oauth.clientId("foo");
+        oauth.openLoginForm();
+        assertTrue(errorPage.isCurrent());
+        assertEquals("Exception thrown intentionally", errorPage.getError());
+    }
 }

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/ClientPoliciesTest.java

@@ -24,6 +24,7 @@ import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.not;
 import static org.hamcrest.Matchers.notNullValue;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson;
 import static org.keycloak.testsuite.admin.ApiUtil.findClientResourceByClientId;
@@ -909,8 +910,8 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
         try {
             oauth.clientId(clientBetaId);
             oauth.openLoginForm();
-            assertEquals(OAuthErrorException.INVALID_REQUEST, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
-            assertEquals(ERR_MSG_REQ_NOT_ALLOWED, oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
+            assertTrue(errorPage.isCurrent());
+            assertEquals(ERR_MSG_REQ_NOT_ALLOWED, errorPage.getError());
             revertToBuiltinProfiles();
             successfulLoginAndLogout(clientBetaId, "secretBeta");
         } catch (Exception e) {