libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

Merge pull request #149 from stianst/master

Browse source 
Added oauth client installation to admin console. Rename JWT prn to sub.
This commit is contained in:
stianst 2014-01-10 09:07:15 -08:00
commit 626839f0f3
26 changed files with 197 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
admin-ui/src/main/resources/META-INF/resources/admin/index.html
View file

@ -11,7 +11,7 @@
<link rel="stylesheet" href="/auth-server/admin-ui/css/reset.css">
<link rel="stylesheet" href="/auth-server/admin-ui/bootstrap-3.0.0-wip/css/bootstrap.css">
<link rel="stylesheet" href="/auth-server/admin-ui/css/sprites.css">
<link rel="stylesheet" href='http://fonts.googleapis.com/css?family=Open+Sans:400,300,300italic,400italic,600,600italic,700,700italic,800,800italic'>
<link rel="stylesheet" href='//fonts.googleapis.com/css?family=Open+Sans:400,300,300italic,400italic,600,600italic,700,700italic,800,800italic'>
<!-- RCUE styles -->
<link rel="stylesheet" href="/auth-server/admin-ui/css/base.css">

16
admin-ui/src/main/resources/META-INF/resources/admin/js/app.js
View file

@ -396,7 +396,21 @@ module.config([ '$routeProvider', function($routeProvider) {
},
controller : 'OAuthClientScopeMappingCtrl'
})
.when('/realms/:realm/oauth-clients/:oauth/installation', {
templateUrl : 'partials/oauth-client-installation.html',
resolve : {
realm : function(RealmLoader) {
return RealmLoader();
},
oauth : function(OAuthClientLoader) {
return OAuthClientLoader();
},
installation : function(OAuthClientInstallationLoader) {
return OAuthClientInstallationLoader();
}
},
controller : 'OAuthClientInstallationCtrl'
})
.when('/create/oauth-client/:realm', {
templateUrl : 'partials/oauth-client-detail.html',
resolve : {

8
admin-ui/src/main/resources/META-INF/resources/admin/js/controllers/oauth-clients.js
View file

@ -294,3 +294,11 @@ module.controller('OAuthClientScopeMappingCtrl', function($scope, $http, realm,
});
module.controller('OAuthClientInstallationCtrl', function($scope, realm, installation, oauth, OAuthClientInstallation, $routeParams) {
$scope.realm = realm;
$scope.oauth = oauth;
$scope.installation = installation;
$scope.download = OAuthClientInstallation.url({ realm: $routeParams.realm, oauth: $routeParams.oauth });
});

9
admin-ui/src/main/resources/META-INF/resources/admin/js/loaders.js
View file

@ -152,3 +152,12 @@ module.factory('OAuthClientListLoader', function(Loader, OAuthClient, $route, $q
}
});
});
module.factory('OAuthClientInstallationLoader', function(Loader, OAuthClientInstallation, $route, $q) {
return Loader.get(OAuthClientInstallation, function() {
return {
realm : $route.current.params.realm,
oauth : $route.current.params.oauth
}
});
});

16
admin-ui/src/main/resources/META-INF/resources/admin/js/services.js
View file

@ -291,6 +291,22 @@ module.factory('OAuthClientApplicationScopeMapping', function($resource) {
});
});
module.factory('OAuthClientInstallation', function($resource) {
var url = '/auth-server/rest/saas/admin/realms/:realm/oauth-clients/:oauth/installation';
var resource = $resource('/auth-server/rest/saas/admin/realms/:realm/oauth-clients/:oauth/installation', {
realm : '@realm',
oauth : '@oauth'
}, {
update : {
method : 'PUT'
}
});
resource.url = function(parameters) {
return url.replace(':realm', parameters.realm).replace(':oauth', parameters.oauth);
}
return resource;
});
module.factory('Current', function(Realm, $route) {
var current = {};

1
admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-credentials.html
View file

@ -7,6 +7,7 @@
<li><a href="#/realms/{{realm.id}}/oauth-clients/{{oauth.id}}">Settings</a></li>
<li class="active"><a href="#/realms/{{realm.id}}/oauth-clients/{{oauth.id}}/credentials">Credentials</a></li>
<li><a href="#/realms/{{realm.id}}/oauth-clients/{{oauth.id}}/scope-mappings">Scope</a></li>
<li><a href="#/realms/{{realm.id}}/oauth-clients/{{oauth.id}}/installation">Installation</a></li>
</ul>
</div>
<div id="content">

1
admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-detail.html
View file

@ -7,6 +7,7 @@
<li class="active"><a href="#/realms/{{realm.id}}/oauth-clients/{{oauth.id}}">Settings</a></li>
<li><a href="#/realms/{{realm.id}}/oauth-clients/{{oauth.id}}/credentials">Credentials</a></li>
<li><a href="#/realms/{{realm.id}}/oauth-clients/{{oauth.id}}/scope-mappings">Scope</a></li>
<li><a href="#/realms/{{realm.id}}/oauth-clients/{{oauth.id}}/installation">Installation</a></li>
</ul>
</div>
<div class="top-nav" data-ng-show="create">

25
admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-installation.html Executable file
View file

@ -0,0 +1,25 @@
<div id="wrapper" class="container">
<div class="row">
<div class="bs-sidebar col-md-3 clearfix" data-ng-include data-src="'partials/realm-menu.html'"></div>
<div id="content-area" class="col-md-9" role="main">
<div class="top-nav" data-ng-show="!create">
<ul class="rcue-tabs">
<li><a href="#/realms/{{realm.id}}/oauth-clients/{{oauth.id}}">Settings</a></li>
<li><a href="#/realms/{{realm.id}}/oauth-clients/{{oauth.id}}/credentials">Credentials</a></li>
<li><a href="#/realms/{{realm.id}}/oauth-clients/{{oauth.id}}/scope-mappings">Scope</a></li>
<li class="active"><a href="#/realms/{{realm.id}}/oauth-clients/{{oauth.id}}/installation">Installation</a></li>
</ul>
</div>
<div class="top-nav" data-ng-show="create">
<ul class="rcue-tabs">
<li></li>
</ul>
</div>
<div id="content">
<a class="button primary" href="{{download}}" download="keycloak.json" type="submit">Download</a></br>
<textarea style="width: 100%;" rows="20" onclick="this.select()">{{installation | json}}</textarea>
</div>
</div>
<div id="container-right-bg"></div>
</div>
</div>

1
admin-ui/src/main/resources/META-INF/resources/admin/partials/oauth-client-scope-mappings.html
View file

@ -7,6 +7,7 @@
<li><a href="#/realms/{{realm.id}}/oauth-clients/{{oauth.id}}">Settings</a></li>
<li><a href="#/realms/{{realm.id}}/oauth-clients/{{oauth.id}}/credentials">Credentials</a></li>
<li class="active"><a href="#/realms/{{realm.id}}/oauth-clients/{{oauth.id}}/scope-mappings">Scope</a></li>
<li><a href="#/realms/{{realm.id}}/oauth-clients/{{oauth.id}}/installation">Installation</a></li>
</ul>
</div>
<div id="content">

2
core/src/main/java/org/keycloak/RSATokenVerifier.java
View file

@ -32,7 +32,7 @@ public class RSATokenVerifier {
if (!token.isActive()) {
throw new VerificationException("Token is not active.");
}
String user = token.getPrincipal();
String user = token.getSubject();
if (user == null) {
throw new VerificationException("Token user was null");
}

10
core/src/main/java/org/keycloak/representations/JsonWebToken.java
View file

@ -22,8 +22,8 @@ public class JsonWebToken implements Serializable {
protected String issuer;
@JsonProperty("aud")
protected String audience;
@JsonProperty("prn")
protected String principal;
@JsonProperty("sub")
protected String subject;
@JsonProperty("typ")
protected String type;
@ -116,12 +116,12 @@ public class JsonWebToken implements Serializable {
return this;
}
public String getPrincipal() {
return principal;
public String getSubject() {
return subject;
}
public JsonWebToken principal(String principal) {
this.principal = principal;
this.subject = principal;
return this;
}

2
core/src/test/java/org/keycloak/RSAVerifierTest.java
View file

@ -97,7 +97,7 @@ public class RSAVerifierTest {
.rsa256(idpPair.getPrivate());
SkeletonKeyToken token = verifySkeletonKeyToken(encoded);
Assert.assertTrue(token.getResourceAccess("service").getRoles().contains("admin"));
Assert.assertEquals("CN=Client", token.getPrincipal());
Assert.assertEquals("CN=Client", token.getSubject());
}
private SkeletonKeyToken verifySkeletonKeyToken(String encoded) throws VerificationException {

2
forms/src/main/resources/META-INF/resources/forms/theme/default/styles.css
View file

@ -3,7 +3,7 @@
@IMPORT url("css/forms.css");
@IMPORT url("css/zocial/zocial.css");
@IMPORT url("css/login-register.css");
@IMPORT url("http://fonts.googleapis.com/css?family=Open+Sans:400,300,300italic,400italic,600,600italic,700,700italic,800,800italic");
@IMPORT url("//fonts.googleapis.com/css?family=Open+Sans:400,300,300italic,400italic,600,600italic,700,700italic,800,800italic");
.zocial.google {
background-color: #dd4b39 !important;

2
integration/as7-eap6/adapter/src/main/java/org/keycloak/adapters/as7/CatalinaBearerTokenAuthenticator.java
View file

@ -102,7 +102,7 @@ public class CatalinaBearerTokenAuthenticator {
}
surrogate = chain[0].getSubjectX500Principal().getName();
}
SkeletonKeyPrincipal skeletonKeyPrincipal = new SkeletonKeyPrincipal(token.getPrincipal(), surrogate);
SkeletonKeyPrincipal skeletonKeyPrincipal = new SkeletonKeyPrincipal(token.getSubject(), surrogate);
principal = new CatalinaSecurityContextHelper().createPrincipal(request.getContext().getRealm(), skeletonKeyPrincipal, roles);
request.setUserPrincipal(principal);
request.setAuthType("OAUTH_BEARER");

6
integration/as7-eap6/adapter/src/main/java/org/keycloak/adapters/as7/CatalinaSecurityContextHelper.java
View file

@ -65,11 +65,11 @@ public class CatalinaSecurityContextHelper {
}
/**
* Get the Principal given the authenticated Subject. Currently the first principal that is not of type {@code Group} is
* considered or the single principal inside the CallerPrincipal group.
* Get the Principal given the authenticated Subject. Currently the first subject that is not of type {@code Group} is
* considered or the single subject inside the CallerPrincipal group.
*
* @param subject
* @return the authenticated principal
* @return the authenticated subject
*/
protected Principal getPrincipal(Subject subject) {
Principal principal = null;

4
integration/as7-eap6/adapter/src/main/java/org/keycloak/adapters/as7/OAuthAuthenticatorValve.java
View file

@ -227,7 +227,7 @@ public class OAuthAuthenticatorValve extends FormAuthenticator implements Lifecy
SkeletonKeyToken.Access access = token.getRealmAccess();
if (access != null) roles.addAll(access.getRoles());
}
SkeletonKeyPrincipal skp = new SkeletonKeyPrincipal(token.getPrincipal(), null);
SkeletonKeyPrincipal skp = new SkeletonKeyPrincipal(token.getSubject(), null);
GenericPrincipal principal = new CatalinaSecurityContextHelper().createPrincipal(context.getRealm(), skp, roles);
Session session = request.getSessionInternal(true);
session.setPrincipal(principal);
@ -235,7 +235,7 @@ public class OAuthAuthenticatorValve extends FormAuthenticator implements Lifecy
SkeletonKeySession skSession = new SkeletonKeySession(oauth.getTokenString(), token, realmConfiguration.getMetadata());
session.setNote(SkeletonKeySession.class.getName(), skSession);
String username = token.getPrincipal();
String username = token.getSubject();
log.debug("userSessionManage.login: " + username);
userSessionManagement.login(session, username);
}

2
integration/jaxrs-oauth-client/src/main/java/org/keycloak/jaxrs/JaxrsBearerTokenFilter.java
View file

@ -71,7 +71,7 @@ public class JaxrsBearerTokenFilter implements ContainerRequestFilter {
ResteasyProviderFactory.pushContext(SkeletonKeySession.class, skSession);
String callerPrincipal = securityContext.getUserPrincipal() != null ? securityContext.getUserPrincipal().getName() : null;
final SkeletonKeyPrincipal principal = new SkeletonKeyPrincipal(token.getPrincipal(), callerPrincipal);
final SkeletonKeyPrincipal principal = new SkeletonKeyPrincipal(token.getSubject(), callerPrincipal);
final boolean isSecure = securityContext.isSecure();
final SkeletonKeyToken.Access access;
if (resourceMetadata.getResourceName() != null) {

2
integration/undertow/src/main/java/org/keycloak/adapters/undertow/KeycloakAuthenticationMechanism.java
View file

@ -98,7 +98,7 @@ public class KeycloakAuthenticationMechanism implements AuthenticationMechanism
}
protected SkeletonKeyPrincipal completeAuthentication(SecurityContext securityContext, SkeletonKeyToken token, String surrogate) {
final SkeletonKeyPrincipal skeletonKeyPrincipal = new SkeletonKeyPrincipal(token.getPrincipal(), surrogate);
final SkeletonKeyPrincipal skeletonKeyPrincipal = new SkeletonKeyPrincipal(token.getSubject(), surrogate);
Set<String> roles = null;
if (adapterConfig.isUseResourceRoleMappings()) {
SkeletonKeyToken.Access access = token.getResourceAccess(resourceMetadata.getResourceName());

4
services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
View file

@ -172,7 +172,7 @@ public class AuthenticationManager {
Auth auth = new Auth(token);
UserModel user = realm.getUser(token.getPrincipal());
UserModel user = realm.getUser(token.getSubject());
if (user == null || !user.isEnabled()) {
logger.debug("Unknown user in identity cookie");
expireIdentityCookie(realm, uriInfo);
@ -219,7 +219,7 @@ public class AuthenticationManager {
Auth auth = new Auth(token);
UserModel user = realm.getUser(token.getPrincipal());
UserModel user = realm.getUser(token.getSubject());
if (user == null || !user.isEnabled()) {
throw new NotAuthorizedException("invalid_user");
}

28
services/src/main/java/org/keycloak/services/managers/OAuthClientManager.java
View file

@ -1,17 +1,23 @@
package org.keycloak.services.managers;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.Constants;
import org.keycloak.models.OAuthClientModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.adapters.config.BaseAdapterConfig;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.OAuthClientRepresentation;
import org.keycloak.services.resources.flows.Urls;
import java.net.URI;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
/**
@ -76,4 +82,26 @@ public class OAuthClientManager {
}
return rep;
}
public BaseAdapterConfig toInstallationRepresentation(RealmModel realmModel, OAuthClientModel model, URI baseUri) {
BaseAdapterConfig rep = new BaseAdapterConfig();
rep.setRealm(realmModel.getId());
rep.setRealmKey(realmModel.getPublicKeyPem());
rep.setSslNotRequired(realmModel.isSslNotRequired());
rep.setAuthUrl(Urls.realmLoginPage(baseUri, realmModel.getId()).toString());
rep.setCodeUrl(Urls.realmCode(baseUri, realmModel.getId()).toString());
rep.setUseResourceRoleMappings(false);
rep.setResource(model.getOAuthAgent().getLoginName());
Map<String, String> creds = new HashMap<String, String>();
creds.put(CredentialRepresentation.PASSWORD, "INSERT CLIENT PASSWORD");
if (model.getOAuthAgent().isTotp()) {
creds.put(CredentialRepresentation.TOTP, "INSERT CLIENT TOTP");
}
rep.setCredentials(creds);
return rep;
}
}

46
services/src/main/java/org/keycloak/services/resources/TokenService.java
View file

@ -32,6 +32,7 @@ import org.keycloak.services.validation.Validation;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.NotAcceptableException;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
@ -129,6 +130,10 @@ public class TokenService {
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.APPLICATION_JSON)
public Response grantIdentityToken(final MultivaluedMap<String, String> form) {
if (!checkSsl()) {
throw new NotAcceptableException("HTTPS required");
}
String username = form.getFirst(AuthenticationManager.FORM_USERNAME);
if (username == null) {
throw new NotAuthorizedException("No user");
@ -155,6 +160,10 @@ public class TokenService {
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.APPLICATION_JSON)
public Response grantAccessToken(final MultivaluedMap<String, String> form) {
if (!checkSsl()) {
throw new NotAcceptableException("HTTPS required");
}
String username = form.getFirst(AuthenticationManager.FORM_USERNAME);
if (username == null) {
throw new NotAuthorizedException("No user");
@ -187,6 +196,10 @@ public class TokenService {
logger.debug("TokenService.processLogin");
OAuthFlows oauth = Flows.oauth(realm, request, uriInfo, authManager, tokenManager);
if (!checkSsl()) {
return oauth.forwardToSecurityFailure("HTTPS required");
}
if (!realm.isEnabled()) {
return oauth.forwardToSecurityFailure("Realm not enabled.");
}
@ -360,6 +373,11 @@ public class TokenService {
@Produces("application/json")
public Response accessCodeToToken(final MultivaluedMap<String, String> formData) {
logger.debug("accessRequest <---");
if (!checkSsl()) {
throw new NotAcceptableException("HTTPS required");
}
if (!realm.isEnabled()) {
throw new NotAuthorizedException("Realm not enabled");
}
@ -480,6 +498,10 @@ public class TokenService {
logger.info("TokenService.loginPage");
OAuthFlows oauth = Flows.oauth(realm, request, uriInfo, authManager, tokenManager);
if (!checkSsl()) {
return oauth.forwardToSecurityFailure("HTTPS required");
}
if (!realm.isEnabled()) {
logger.warn("Realm not enabled");
return oauth.forwardToSecurityFailure("Realm not enabled");
@ -529,6 +551,10 @@ public class TokenService {
logger.info("**********registerPage()");
OAuthFlows oauth = Flows.oauth(realm, request, uriInfo, authManager, tokenManager);
if (!checkSsl()) {
return oauth.forwardToSecurityFailure("HTTPS required");
}
if (!realm.isEnabled()) {
logger.warn("Realm not enabled");
return oauth.forwardToSecurityFailure("Realm not enabled");
@ -581,6 +607,10 @@ public class TokenService {
public Response processOAuth(final MultivaluedMap<String, String> formData) {
OAuthFlows oauth = Flows.oauth(realm, request, uriInfo, authManager, tokenManager);
if (!checkSsl()) {
return oauth.forwardToSecurityFailure("HTTPS required");
}
String code = formData.getFirst("code");
JWSInput input = new JWSInput(code);
boolean verifiedCode = false;
@ -628,4 +658,20 @@ public class TokenService {
}
}
private boolean checkSsl() {
if (realm.isSslNotRequired()) {
return true;
}
if (uriInfo.getBaseUri().getScheme().equals("https")) {
return true;
}
if ("https".equals(headers.getHeaderString("X-Forwarded-Proto"))) {
return true;
}
return false;
}
}

20
services/src/main/java/org/keycloak/services/resources/admin/OAuthClientResource.java
View file

@ -6,10 +6,13 @@ import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OAuthClientModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.representations.adapters.config.BaseAdapterConfig;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.OAuthClientRepresentation;
import org.keycloak.services.managers.ApplicationManager;
import org.keycloak.services.managers.OAuthClientManager;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.util.JsonSerialization;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
@ -17,7 +20,10 @@ import javax.ws.rs.GET;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.UriInfo;
import java.io.IOException;
import java.util.List;
/**
@ -29,6 +35,8 @@ public class OAuthClientResource {
protected RealmModel realm;
protected OAuthClientModel oauthClient;
protected KeycloakSession session;
@Context
protected UriInfo uriInfo;
public OAuthClientResource(RealmModel realm, OAuthClientModel oauthClient, KeycloakSession session) {
this.realm = realm;
@ -51,6 +59,18 @@ public class OAuthClientResource {
return OAuthClientManager.toRepresentation(oauthClient);
}
@GET
@NoCache
@Path("installation")
@Produces(MediaType.APPLICATION_JSON)
public String getInstallation() throws IOException {
OAuthClientManager manager = new OAuthClientManager(realm);
BaseAdapterConfig rep = manager.toInstallationRepresentation(realm, oauthClient, uriInfo.getBaseUri());
// TODO Temporary solution to pretty-print
return JsonSerialization.mapper.writerWithDefaultPrettyPrinter().writeValueAsString(rep);
}
@DELETE
@NoCache
public void deleteOAuthClient() {

5
services/src/main/java/org/keycloak/services/resources/admin/OAuthClientsResource.java
View file

@ -15,6 +15,7 @@ import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.container.ResourceContext;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
@ -32,6 +33,9 @@ public class OAuthClientsResource {
protected KeycloakSession session;
@Context
protected ResourceContext resourceContext;
public OAuthClientsResource(RealmModel realm, KeycloakSession session) {
this.realm = realm;
this.session = session;
@ -64,6 +68,7 @@ public class OAuthClientsResource {
throw new NotFoundException();
}
OAuthClientResource oAuthClientResource = new OAuthClientResource(realm, oauth, session);
resourceContext.initResource(oAuthClientResource);
return oAuthClientResource;
}

1
services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
View file

@ -43,6 +43,7 @@ public class RealmAdminResource extends RoleContainerResource {
@Path("oauth-clients")
public OAuthClientsResource getOAuthClients() {
OAuthClientsResource oauth = new OAuthClientsResource(realm, session);
resourceContext.initResource(oauth);
return oauth;
}

2
testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java
View file

@ -69,7 +69,7 @@ public class AccessTokenTest {
SkeletonKeyToken token = oauth.verifyToken(response.getAccessToken());
Assert.assertEquals("test-user@localhost", token.getPrincipal());
Assert.assertEquals("test-user@localhost", token.getSubject());
Assert.assertEquals(1, token.getRealmAccess().getRoles().size());
Assert.assertTrue(token.getRealmAccess().isUserInRole("user"));

2
testsuite/integration/src/test/java/org/keycloak/testsuite/social/SocialLoginTest.java
View file

@ -102,7 +102,7 @@ public class SocialLoginTest {
SkeletonKeyToken token = oauth.verifyToken(response.getAccessToken());
Assert.assertEquals("dummy-user", token.getPrincipal());
Assert.assertEquals("dummy-user", token.getSubject());
}
@Test