libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

KEYCLOAK-18653 Client Policy - Endpoint : support Pushed Authorization Request Endpoint

Browse source
This commit is contained in:
Takashi Norimatsu 2021-07-04 16:19:53 +09:00 committed by Marek Posolda
parent 4099833be8
commit 63b737545f
5 changed files with 108 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
server-spi/src/main/java/org/keycloak/services/clientpolicy/ClientPolicyEvent.java
View file

@ -37,6 +37,7 @@ public enum ClientPolicyEvent {
TOKEN_INTROSPECT,
USERINFO_REQUEST,
LOGOUT_REQUEST,
BACKCHANNEL_AUTHENTICATION_REQUEST
BACKCHANNEL_AUTHENTICATION_REQUEST,
PUSHED_AUTHORIZATION_REQUEST
}

49
services/src/main/java/org/keycloak/protocol/oidc/par/clientpolicy/context/PushedAuthorizationRequestContext.java Normal file
View file

@ -0,0 +1,49 @@
/*
* Copyright 2021 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.protocol.oidc.par.clientpolicy.context;
import javax.ws.rs.core.MultivaluedMap;
import org.keycloak.protocol.oidc.endpoints.request.AuthorizationEndpointRequest;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
public class PushedAuthorizationRequestContext implements ClientPolicyContext {
private final MultivaluedMap<String, String> requestParameters;
private AuthorizationEndpointRequest request;
public PushedAuthorizationRequestContext(AuthorizationEndpointRequest request,
MultivaluedMap<String, String> requestParameters) {
this.request = request;
this.requestParameters = requestParameters;
}
@Override
public ClientPolicyEvent getEvent() {
return ClientPolicyEvent.PUSHED_AUTHORIZATION_REQUEST;
}
public AuthorizationEndpointRequest getRequest() {
return request;
}
public MultivaluedMap<String, String> getRequestParameters() {
return requestParameters;
}
}

8
services/src/main/java/org/keycloak/protocol/oidc/par/endpoints/ParEndpoint.java
View file

@ -30,6 +30,8 @@ import org.keycloak.protocol.oidc.endpoints.AuthorizationEndpointChecker;
import org.keycloak.protocol.oidc.endpoints.request.AuthorizationEndpointRequest;
import org.keycloak.protocol.oidc.endpoints.request.AuthorizationEndpointRequestParserProcessor;
import org.keycloak.protocol.oidc.par.ParResponse;
import org.keycloak.protocol.oidc.par.clientpolicy.context.PushedAuthorizationRequestContext;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.resources.Cors;
import org.keycloak.utils.ProfileHelper;
@ -136,6 +138,12 @@ public class ParEndpoint extends AbstractParEndpoint {
ex.throwAsCorsErrorResponseException(cors);
}
try {
session.clientPolicy().triggerOnEvent(new PushedAuthorizationRequestContext(authorizationRequest, httpRequest.getDecodedFormParameters()));
} catch (ClientPolicyException cpe) {
throw throwErrorResponseException(cpe.getError(), cpe.getErrorDetail(), Response.Status.BAD_REQUEST);
}
Map<String, String> params = new HashMap<>();
UUID key = UUID.randomUUID();

1
testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/services/clientpolicy/executor/TestRaiseExeptionExecutor.java
View file

@ -52,6 +52,7 @@ public class TestRaiseExeptionExecutor implements ClientPolicyExecutorProvider<C
case UPDATED:
case UNREGISTER:
case BACKCHANNEL_AUTHENTICATION_REQUEST:
case PUSHED_AUTHORIZATION_REQUEST:
return true;
default :
return false;

47
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/par/ParTest.java
View file

@ -53,15 +53,23 @@ import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.oidc.OIDCClientRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.condition.AnyClientConditionFactory;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
import org.keycloak.testsuite.client.AbstractClientPoliciesTest;
import org.keycloak.testsuite.services.clientpolicy.executor.TestRaiseExeptionExecutorFactory;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder;
import org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder;
import org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder;
import org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder;
import org.keycloak.testsuite.util.OAuthClient.ParResponse;
import static org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer.QUARKUS;
import static org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer.REMOTE;
import static org.keycloak.testsuite.util.ClientPoliciesUtil.createAnyClientConditionConfig;
@EnableFeature(value = Profile.Feature.PAR, skipRestart = true)
@AuthServerContainerExclude({REMOTE, QUARKUS})
@ -811,6 +819,45 @@ public class ParTest extends AbstractClientPoliciesTest {
}
}
@Test
public void testExtendedClientPolicyIntefacesForPar() throws Exception {
// create client dynamically
String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), (OIDCClientRepresentation clientRep) -> {
clientRep.setRequirePushedAuthorizationRequests(Boolean.TRUE);
clientRep.setRedirectUris(new ArrayList<String>(Arrays.asList(CLIENT_REDIRECT_URI)));
});
OIDCClientRepresentation oidcCRep = getClientDynamically(clientId);
String clientSecret = oidcCRep.getClientSecret();
assertEquals(Boolean.TRUE, oidcCRep.getRequirePushedAuthorizationRequests());
assertTrue(oidcCRep.getRedirectUris().contains(CLIENT_REDIRECT_URI));
assertEquals(OIDCLoginProtocol.CLIENT_SECRET_BASIC, oidcCRep.getTokenEndpointAuthMethod());
// register profiles
String json = (new ClientProfilesBuilder()).addProfile(
(new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forste Profilen")
.addExecutor(TestRaiseExeptionExecutorFactory.PROVIDER_ID, null)
.toRepresentation()
).toString();
updateProfiles(json);
// register policies
json = (new ClientPoliciesBuilder()).addPolicy(
(new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "La Premiere Politique", Boolean.TRUE)
.addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig())
.addProfile(PROFILE_NAME)
.toRepresentation()
).toString();
updatePolicies(json);
// Pushed Authorization Request
oauth.clientId(clientId);
oauth.redirectUri(CLIENT_REDIRECT_URI);
ParResponse response = oauth.doPushedAuthorizationRequest(clientId, clientSecret);
assertEquals(400, response.getStatusCode());
assertEquals(ClientPolicyEvent.PUSHED_AUTHORIZATION_REQUEST.toString(), response.getError());
assertEquals("Exception thrown intentionally", response.getErrorDescription());
}
private void doNormalAuthzProcess(String requestUri, String redirectUrl, String clientId, String clientSecret) {
// Authorization Request with request_uri of PAR
// remove parameters as query strings of uri