saml backchannel logout
This commit is contained in:
parent
c609ae3496
commit
6d5ab0f66b
12 changed files with 615 additions and 512 deletions
|
@ -68,12 +68,12 @@
|
||||||
<span tooltip-placement="right" tooltip="Valid URI pattern a browser can redirect to after a successful login or logout. Simple wildcards are allowed i.e. 'http://example.com/*'. Relative path can be specified too i.e. /my/relative/path/*. Relative paths will generate a redirect URI using the request's host and port." class="fa fa-info-circle"></span>
|
<span tooltip-placement="right" tooltip="Valid URI pattern a browser can redirect to after a successful login or logout. Simple wildcards are allowed i.e. 'http://example.com/*'. Relative path can be specified too i.e. /my/relative/path/*. Relative paths will generate a redirect URI using the request's host and port." class="fa fa-info-circle"></span>
|
||||||
</div>
|
</div>
|
||||||
<div class="form-group" data-ng-show="!application.bearerOnly && !create">
|
<div class="form-group" data-ng-show="!application.bearerOnly && !create">
|
||||||
<label class="col-sm-2 control-label" for="baseUrl">Base URL</label>
|
<label class="col-sm-2 control-label" for="baseUrl">Default Redirect URL</label>
|
||||||
<div class="col-sm-6">
|
<div class="col-sm-6">
|
||||||
<input class="form-control" type="text" name="baseUrl" id="baseUrl"
|
<input class="form-control" type="text" name="baseUrl" id="baseUrl"
|
||||||
data-ng-model="application.baseUrl">
|
data-ng-model="application.baseUrl">
|
||||||
</div>
|
</div>
|
||||||
<span tooltip-placement="right" tooltip="Optional URL to use when linking to this application. i.e. the welcome page." class="fa fa-info-circle"></span>
|
<span tooltip-placement="right" tooltip="Default URL to use when no redirect URI is specified. This URL will also be used when the auth server needs to link to the application for any reason." class="fa fa-info-circle"></span>
|
||||||
</div>
|
</div>
|
||||||
<div class="form-group" data-ng-hide="create">
|
<div class="form-group" data-ng-hide="create">
|
||||||
<label class="col-sm-2 control-label" for="adminUrl">Admin URL</label>
|
<label class="col-sm-2 control-label" for="adminUrl">Admin URL</label>
|
||||||
|
|
|
@ -146,7 +146,7 @@ public class SAML2PostBindingResponseBuilder {
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
||||||
public Response error(String status) throws ConfigurationException, ProcessingException, IOException {
|
public Response buildErrorResponse(String status) throws ConfigurationException, ProcessingException, IOException {
|
||||||
Document doc = getErrorResponse(status);
|
Document doc = getErrorResponse(status);
|
||||||
return buildResponse(doc);
|
return buildResponse(doc);
|
||||||
|
|
||||||
|
@ -207,7 +207,7 @@ public class SAML2PostBindingResponseBuilder {
|
||||||
return samlResponse;
|
return samlResponse;
|
||||||
}
|
}
|
||||||
|
|
||||||
public Response build() throws ConfigurationException, ProcessingException, IOException {
|
public Response buildLoginResponse() throws ConfigurationException, ProcessingException, IOException {
|
||||||
Document responseDoc = getResponse();
|
Document responseDoc = getResponse();
|
||||||
return buildResponse(responseDoc);
|
return buildResponse(responseDoc);
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,8 +1,10 @@
|
||||||
package org.keycloak.protocol.saml;
|
package org.keycloak.protocol.saml;
|
||||||
|
|
||||||
import org.jboss.logging.Logger;
|
import org.jboss.logging.Logger;
|
||||||
import org.jboss.resteasy.spi.HttpRequest;
|
import org.jboss.resteasy.client.ClientRequest;
|
||||||
import org.keycloak.ClientConnection;
|
import org.jboss.resteasy.client.ClientResponse;
|
||||||
|
import org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor;
|
||||||
|
import org.keycloak.models.ApplicationModel;
|
||||||
import org.keycloak.models.ClaimMask;
|
import org.keycloak.models.ClaimMask;
|
||||||
import org.keycloak.models.ClientModel;
|
import org.keycloak.models.ClientModel;
|
||||||
import org.keycloak.models.ClientSessionModel;
|
import org.keycloak.models.ClientSessionModel;
|
||||||
|
@ -13,17 +15,31 @@ import org.keycloak.models.UserModel;
|
||||||
import org.keycloak.models.UserSessionModel;
|
import org.keycloak.models.UserSessionModel;
|
||||||
import org.keycloak.protocol.LoginProtocol;
|
import org.keycloak.protocol.LoginProtocol;
|
||||||
import org.keycloak.services.managers.ClientSessionCode;
|
import org.keycloak.services.managers.ClientSessionCode;
|
||||||
|
import org.keycloak.services.managers.ResourceAdminManager;
|
||||||
import org.keycloak.services.resources.RealmsResource;
|
import org.keycloak.services.resources.RealmsResource;
|
||||||
import org.keycloak.services.resources.flows.Flows;
|
import org.keycloak.services.resources.flows.Flows;
|
||||||
import org.picketlink.common.constants.GeneralConstants;
|
import org.picketlink.common.constants.GeneralConstants;
|
||||||
import org.picketlink.common.constants.JBossSAMLURIConstants;
|
import org.picketlink.common.constants.JBossSAMLURIConstants;
|
||||||
import org.picketlink.common.exceptions.ConfigurationException;
|
import org.picketlink.common.exceptions.ConfigurationException;
|
||||||
|
import org.picketlink.common.exceptions.ParsingException;
|
||||||
import org.picketlink.common.exceptions.ProcessingException;
|
import org.picketlink.common.exceptions.ProcessingException;
|
||||||
|
import org.picketlink.common.util.StringUtil;
|
||||||
|
import org.picketlink.identity.federation.api.saml.v2.request.SAML2Request;
|
||||||
import org.picketlink.identity.federation.core.saml.v2.constants.X500SAMLProfileConstants;
|
import org.picketlink.identity.federation.core.saml.v2.constants.X500SAMLProfileConstants;
|
||||||
|
import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
|
||||||
|
import org.picketlink.identity.federation.core.saml.v2.util.XMLTimeUtil;
|
||||||
|
import org.picketlink.identity.federation.core.sts.PicketLinkCoreSTS;
|
||||||
|
import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
|
||||||
|
import org.picketlink.identity.federation.saml.v2.protocol.LogoutRequestType;
|
||||||
|
import org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler;
|
||||||
|
import org.picketlink.identity.federation.web.util.PostBindingUtil;
|
||||||
|
import org.w3c.dom.Document;
|
||||||
|
|
||||||
import javax.ws.rs.core.Response;
|
import javax.ws.rs.core.Response;
|
||||||
import javax.ws.rs.core.UriInfo;
|
import javax.ws.rs.core.UriInfo;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
import java.net.URI;
|
||||||
|
import java.security.Principal;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
||||||
|
@ -39,11 +55,8 @@ public class SamlLogin implements LoginProtocol {
|
||||||
|
|
||||||
protected RealmModel realm;
|
protected RealmModel realm;
|
||||||
|
|
||||||
protected HttpRequest request;
|
|
||||||
|
|
||||||
protected UriInfo uriInfo;
|
protected UriInfo uriInfo;
|
||||||
|
|
||||||
protected ClientConnection clientConnection;
|
|
||||||
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -58,24 +71,12 @@ public class SamlLogin implements LoginProtocol {
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public SamlLogin setRequest(HttpRequest request) {
|
|
||||||
this.request = request;
|
|
||||||
return this;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public SamlLogin setUriInfo(UriInfo uriInfo) {
|
public SamlLogin setUriInfo(UriInfo uriInfo) {
|
||||||
this.uriInfo = uriInfo;
|
this.uriInfo = uriInfo;
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public SamlLogin setClientConnection(ClientConnection clientConnection) {
|
|
||||||
this.clientConnection = clientConnection;
|
|
||||||
return this;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public Response cancelLogin(ClientSessionModel clientSession) {
|
public Response cancelLogin(ClientSessionModel clientSession) {
|
||||||
return getErrorResponse(clientSession, JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get());
|
return getErrorResponse(clientSession, JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get());
|
||||||
|
@ -100,7 +101,7 @@ public class SamlLogin implements LoginProtocol {
|
||||||
.responseIssuer(responseIssuer)
|
.responseIssuer(responseIssuer)
|
||||||
.requestIssuer(clientSession.getClient().getClientId());
|
.requestIssuer(clientSession.getClient().getClientId());
|
||||||
try {
|
try {
|
||||||
return builder.error(status);
|
return builder.buildErrorResponse(status);
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Failed to process response");
|
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Failed to process response");
|
||||||
}
|
}
|
||||||
|
@ -140,7 +141,7 @@ public class SamlLogin implements LoginProtocol {
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
return builder.build();
|
return builder.buildLoginResponse();
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
logger.error("failed", e);
|
logger.error("failed", e);
|
||||||
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Failed to process response");
|
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Failed to process response");
|
||||||
|
@ -163,6 +164,66 @@ public class SamlLogin implements LoginProtocol {
|
||||||
return getErrorResponse(clientSession, JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get());
|
return getErrorResponse(clientSession, JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void backchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession) {
|
||||||
|
ClientModel client = clientSession.getClient();
|
||||||
|
if (!(client instanceof ApplicationModel)) return;
|
||||||
|
ApplicationModel app = (ApplicationModel)client;
|
||||||
|
if (app.getManagementUrl() == null) return;
|
||||||
|
|
||||||
|
String logoutRequestString = null;
|
||||||
|
try {
|
||||||
|
LogoutRequestType logoutRequest = createLogoutRequest(userSession.getUser(), client);
|
||||||
|
Document logoutRequestDocument = new SAML2Request().convert(logoutRequest);
|
||||||
|
|
||||||
|
byte[] responseBytes = DocumentUtil.getDocumentAsString(logoutRequestDocument).getBytes("UTF-8");
|
||||||
|
logoutRequestString = PostBindingUtil.base64Encode(new String(responseBytes));
|
||||||
|
} catch (Exception e) {
|
||||||
|
logger.warn("failed to send saml logout", e);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
String adminUrl = ResourceAdminManager.getManagementUrl(uriInfo.getRequestUri(), app);
|
||||||
|
|
||||||
|
ApacheHttpClient4Executor executor = ResourceAdminManager.createExecutor();
|
||||||
|
|
||||||
|
|
||||||
|
try {
|
||||||
|
ClientRequest request = executor.createRequest(adminUrl);
|
||||||
|
request.formParameter(GeneralConstants.SAML_REQUEST_KEY, logoutRequestString);
|
||||||
|
request.formParameter(SAML2LogOutHandler.BACK_CHANNEL_LOGOUT, SAML2LogOutHandler.BACK_CHANNEL_LOGOUT);
|
||||||
|
ClientResponse response = null;
|
||||||
|
try {
|
||||||
|
response = request.post();
|
||||||
|
} catch (Exception e) {
|
||||||
|
logger.warn("failed to send saml logout", e);
|
||||||
|
}
|
||||||
|
response.releaseConnection();
|
||||||
|
|
||||||
|
} finally {
|
||||||
|
executor.getHttpClient().getConnectionManager().shutdown();
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
private LogoutRequestType createLogoutRequest(UserModel user, ClientModel client) throws ConfigurationException, ProcessingException {
|
||||||
|
LogoutRequestType lort = new SAML2Request().createLogoutRequest(getResponseIssuer(realm));
|
||||||
|
|
||||||
|
NameIDType nameID = new NameIDType();
|
||||||
|
nameID.setValue(user.getUsername());
|
||||||
|
//Deal with NameID Format
|
||||||
|
String nameIDFormat = JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get();
|
||||||
|
nameID.setFormat(URI.create(nameIDFormat));
|
||||||
|
lort.setNameID(nameID);
|
||||||
|
|
||||||
|
long assertionValidity = PicketLinkCoreSTS.instance().getConfiguration().getIssuedTokenTimeout();
|
||||||
|
|
||||||
|
lort.setNotOnOrAfter(XMLTimeUtil.add(lort.getIssueInstant(), assertionValidity));
|
||||||
|
lort.setDestination(URI.create(client.getClientId()));
|
||||||
|
return lort;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void close() {
|
public void close() {
|
||||||
|
|
||||||
|
|
|
@ -26,6 +26,7 @@ import org.picketlink.common.constants.GeneralConstants;
|
||||||
import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
|
import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
|
||||||
import org.picketlink.identity.federation.saml.v2.SAML2Object;
|
import org.picketlink.identity.federation.saml.v2.SAML2Object;
|
||||||
import org.picketlink.identity.federation.saml.v2.protocol.AuthnRequestType;
|
import org.picketlink.identity.federation.saml.v2.protocol.AuthnRequestType;
|
||||||
|
import org.picketlink.identity.federation.saml.v2.protocol.LogoutRequestType;
|
||||||
|
|
||||||
import javax.ws.rs.Consumes;
|
import javax.ws.rs.Consumes;
|
||||||
import javax.ws.rs.FormParam;
|
import javax.ws.rs.FormParam;
|
||||||
|
@ -94,38 +95,66 @@ public class SamlService {
|
||||||
@Path("POST")
|
@Path("POST")
|
||||||
@POST
|
@POST
|
||||||
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
|
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
|
||||||
public Response loginPage(@FormParam(GeneralConstants.SAML_REQUEST_KEY) String samlRequest,
|
public Response postBinding(@FormParam(GeneralConstants.SAML_REQUEST_KEY) String samlRequest,
|
||||||
@FormParam(GeneralConstants.RELAY_STATE) String relayState) {
|
@FormParam(GeneralConstants.SAML_RESPONSE_KEY) String samlResponse,
|
||||||
event.event(EventType.LOGIN);
|
@FormParam(GeneralConstants.RELAY_STATE) String relayState) {
|
||||||
if (!checkSsl()) {
|
if (!checkSsl()) {
|
||||||
|
event.event(EventType.LOGIN_ERROR);
|
||||||
event.error(Errors.SSL_REQUIRED);
|
event.error(Errors.SSL_REQUIRED);
|
||||||
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "HTTPS required");
|
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "HTTPS required");
|
||||||
}
|
}
|
||||||
if (!realm.isEnabled()) {
|
if (!realm.isEnabled()) {
|
||||||
|
event.event(EventType.LOGIN_ERROR);
|
||||||
event.error(Errors.REALM_DISABLED);
|
event.error(Errors.REALM_DISABLED);
|
||||||
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Realm not enabled");
|
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Realm not enabled");
|
||||||
}
|
}
|
||||||
|
|
||||||
if (samlRequest == null) {
|
if (samlRequest == null && samlResponse == null) {
|
||||||
|
event.event(EventType.LOGIN_ERROR);
|
||||||
event.error(Errors.INVALID_TOKEN);
|
event.error(Errors.INVALID_TOKEN);
|
||||||
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid Request");
|
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid Request");
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (samlRequest != null) return handleSamlRequest(samlRequest, relayState);
|
||||||
|
else return handleSamlResponse(samlResponse, relayState);
|
||||||
|
}
|
||||||
|
|
||||||
|
protected Response handleSamlResponse(String samleResponse, String relayState) {
|
||||||
|
event.event(EventType.LOGIN_ERROR);
|
||||||
|
event.error(Errors.INVALID_TOKEN);
|
||||||
|
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid Request");
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
protected Response handleSamlRequest(String samlRequest, String relayState) {
|
||||||
SAMLDocumentHolder documentHolder = SAMLRequestParser.parsePostBinding(samlRequest);
|
SAMLDocumentHolder documentHolder = SAMLRequestParser.parsePostBinding(samlRequest);
|
||||||
if (documentHolder == null) {
|
if (documentHolder == null) {
|
||||||
|
event.event(EventType.LOGIN_ERROR);
|
||||||
event.error(Errors.INVALID_TOKEN);
|
event.error(Errors.INVALID_TOKEN);
|
||||||
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid Request");
|
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid Request");
|
||||||
}
|
}
|
||||||
|
|
||||||
SAML2Object samlObject = documentHolder.getSamlObject();
|
SAML2Object samlObject = documentHolder.getSamlObject();
|
||||||
if (!(samlObject instanceof AuthnRequestType)) {
|
|
||||||
|
if (samlObject instanceof AuthnRequestType) {
|
||||||
|
event.event(EventType.LOGIN);
|
||||||
|
// Get the SAML Request Message
|
||||||
|
AuthnRequestType requestAbstractType = (AuthnRequestType) samlObject;
|
||||||
|
return loginRequest(relayState, requestAbstractType);
|
||||||
|
} else if (samlObject instanceof LogoutRequestType) {
|
||||||
|
event.event(EventType.LOGOUT);
|
||||||
|
LogoutRequestType requestAbstractType = (LogoutRequestType) samlObject;
|
||||||
|
return logoutRequest(relayState, requestAbstractType);
|
||||||
|
|
||||||
|
} else {
|
||||||
|
event.event(EventType.LOGIN_ERROR);
|
||||||
event.error(Errors.INVALID_TOKEN);
|
event.error(Errors.INVALID_TOKEN);
|
||||||
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid Request");
|
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid Request");
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Get the SAML Request Message
|
protected Response loginRequest(String relayState, AuthnRequestType requestAbstractType) {
|
||||||
AuthnRequestType requestAbstractType = (AuthnRequestType) samlObject;
|
|
||||||
String issuer = requestAbstractType.getIssuer().getValue();
|
String issuer = requestAbstractType.getIssuer().getValue();
|
||||||
ClientModel client = realm.findClient(issuer);
|
ClientModel client = realm.findClient(issuer);
|
||||||
|
|
||||||
|
@ -189,29 +218,42 @@ public class SamlService {
|
||||||
return forms.createLogin();
|
return forms.createLogin();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
protected Response logoutRequest(String relayState, LogoutRequestType requestAbstractType) {
|
||||||
|
String issuer = requestAbstractType.getIssuer().getValue();
|
||||||
|
ClientModel client = realm.findClient(issuer);
|
||||||
|
|
||||||
/**
|
if (client == null) {
|
||||||
* Logout user session. User must be logged in via a session cookie.
|
event.error(Errors.CLIENT_NOT_FOUND);
|
||||||
*
|
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Unknown login requester.");
|
||||||
* @param redirectUri
|
|
||||||
* @return
|
|
||||||
*/
|
|
||||||
@Path("logout")
|
|
||||||
@GET
|
|
||||||
@NoCache
|
|
||||||
public Response logout(final @QueryParam("shit") String redirectUri) {
|
|
||||||
event.event(EventType.LOGOUT);
|
|
||||||
if (redirectUri != null) {
|
|
||||||
event.detail(Details.REDIRECT_URI, redirectUri);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!client.isEnabled()) {
|
||||||
|
event.error(Errors.CLIENT_DISABLED);
|
||||||
|
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Login requester not enabled.");
|
||||||
|
}
|
||||||
|
if ((client instanceof ApplicationModel) && ((ApplicationModel)client).isBearerOnly()) {
|
||||||
|
event.error(Errors.NOT_ALLOWED);
|
||||||
|
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Bearer-only applications are not allowed to initiate browser login");
|
||||||
|
}
|
||||||
|
if (client.isDirectGrantsOnly()) {
|
||||||
|
event.error(Errors.NOT_ALLOWED);
|
||||||
|
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "direct-grants-only clients are not allowed to initiate browser login");
|
||||||
|
}
|
||||||
|
|
||||||
// authenticate identity cookie, but ignore an access token timeout as we're logging out anyways.
|
// authenticate identity cookie, but ignore an access token timeout as we're logging out anyways.
|
||||||
AuthenticationManager.AuthResult authResult = authManager.authenticateIdentityCookie(session, realm, uriInfo, clientConnection, headers, false);
|
AuthenticationManager.AuthResult authResult = authManager.authenticateIdentityCookie(session, realm, uriInfo, clientConnection, headers, false);
|
||||||
if (authResult != null) {
|
if (authResult != null) {
|
||||||
logout(authResult.getSession());
|
logout(authResult.getSession());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
String redirectUri = null;
|
||||||
|
|
||||||
|
if (client instanceof ApplicationModel) {
|
||||||
|
redirectUri = ((ApplicationModel)client).getBaseUrl();
|
||||||
|
}
|
||||||
|
|
||||||
if (redirectUri != null) {
|
if (redirectUri != null) {
|
||||||
String validatedRedirect = OpenIDConnectService.verifyRealmRedirectUri(uriInfo, redirectUri, realm);
|
String validatedRedirect = OpenIDConnectService.verifyRedirectUri(uriInfo, redirectUri, realm, client);;
|
||||||
if (validatedRedirect == null) {
|
if (validatedRedirect == null) {
|
||||||
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid redirect uri.");
|
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid redirect uri.");
|
||||||
}
|
}
|
||||||
|
@ -219,6 +261,7 @@ public class SamlService {
|
||||||
} else {
|
} else {
|
||||||
return Response.ok().build();
|
return Response.ok().build();
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private void logout(UserSessionModel userSession) {
|
private void logout(UserSessionModel userSession) {
|
||||||
|
@ -233,14 +276,4 @@ public class SamlService {
|
||||||
return !realm.getSslRequired().isRequired(clientConnection);
|
return !realm.getSslRequired().isRequired(clientConnection);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private Response createError(String error, String errorDescription, Response.Status status) {
|
|
||||||
Map<String, String> e = new HashMap<String, String>();
|
|
||||||
e.put(OAuth2Constants.ERROR, error);
|
|
||||||
if (errorDescription != null) {
|
|
||||||
e.put(OAuth2Constants.ERROR_DESCRIPTION, errorDescription);
|
|
||||||
}
|
|
||||||
return Response.status(status).entity(e).type("application/json").build();
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -22,14 +22,12 @@ public interface LoginProtocol extends Provider {
|
||||||
|
|
||||||
LoginProtocol setRealm(RealmModel realm);
|
LoginProtocol setRealm(RealmModel realm);
|
||||||
|
|
||||||
LoginProtocol setRequest(HttpRequest request);
|
|
||||||
|
|
||||||
LoginProtocol setUriInfo(UriInfo uriInfo);
|
LoginProtocol setUriInfo(UriInfo uriInfo);
|
||||||
|
|
||||||
LoginProtocol setClientConnection(ClientConnection clientConnection);
|
|
||||||
|
|
||||||
Response cancelLogin(ClientSessionModel clientSession);
|
Response cancelLogin(ClientSessionModel clientSession);
|
||||||
Response invalidSessionError(ClientSessionModel clientSession);
|
Response invalidSessionError(ClientSessionModel clientSession);
|
||||||
Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode);
|
Response authenticated(UserSessionModel userSession, ClientSessionCode accessCode);
|
||||||
Response consentDenied(ClientSessionModel clientSession);
|
Response consentDenied(ClientSessionModel clientSession);
|
||||||
|
|
||||||
|
void backchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession);
|
||||||
}
|
}
|
||||||
|
|
|
@ -22,15 +22,18 @@
|
||||||
package org.keycloak.protocol.oidc;
|
package org.keycloak.protocol.oidc;
|
||||||
|
|
||||||
import org.jboss.logging.Logger;
|
import org.jboss.logging.Logger;
|
||||||
|
import org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor;
|
||||||
import org.jboss.resteasy.spi.HttpRequest;
|
import org.jboss.resteasy.spi.HttpRequest;
|
||||||
import org.keycloak.ClientConnection;
|
import org.keycloak.ClientConnection;
|
||||||
import org.keycloak.OAuth2Constants;
|
import org.keycloak.OAuth2Constants;
|
||||||
|
import org.keycloak.models.ApplicationModel;
|
||||||
import org.keycloak.models.ClientSessionModel;
|
import org.keycloak.models.ClientSessionModel;
|
||||||
import org.keycloak.models.KeycloakSession;
|
import org.keycloak.models.KeycloakSession;
|
||||||
import org.keycloak.models.RealmModel;
|
import org.keycloak.models.RealmModel;
|
||||||
import org.keycloak.models.UserSessionModel;
|
import org.keycloak.models.UserSessionModel;
|
||||||
import org.keycloak.protocol.LoginProtocol;
|
import org.keycloak.protocol.LoginProtocol;
|
||||||
import org.keycloak.services.managers.ClientSessionCode;
|
import org.keycloak.services.managers.ClientSessionCode;
|
||||||
|
import org.keycloak.services.managers.ResourceAdminManager;
|
||||||
|
|
||||||
import javax.ws.rs.core.Response;
|
import javax.ws.rs.core.Response;
|
||||||
import javax.ws.rs.core.UriBuilder;
|
import javax.ws.rs.core.UriBuilder;
|
||||||
|
@ -56,19 +59,12 @@ public class OpenIDConnect implements LoginProtocol {
|
||||||
|
|
||||||
protected RealmModel realm;
|
protected RealmModel realm;
|
||||||
|
|
||||||
protected HttpRequest request;
|
|
||||||
|
|
||||||
protected UriInfo uriInfo;
|
protected UriInfo uriInfo;
|
||||||
|
|
||||||
protected ClientConnection clientConnection;
|
public OpenIDConnect(KeycloakSession session, RealmModel realm, UriInfo uriInfo) {
|
||||||
|
|
||||||
public OpenIDConnect(KeycloakSession session, RealmModel realm, HttpRequest request, UriInfo uriInfo,
|
|
||||||
ClientConnection clientConnection) {
|
|
||||||
this.session = session;
|
this.session = session;
|
||||||
this.realm = realm;
|
this.realm = realm;
|
||||||
this.request = request;
|
|
||||||
this.uriInfo = uriInfo;
|
this.uriInfo = uriInfo;
|
||||||
this.clientConnection = clientConnection;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public OpenIDConnect() {
|
public OpenIDConnect() {
|
||||||
|
@ -86,24 +82,12 @@ public class OpenIDConnect implements LoginProtocol {
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public OpenIDConnect setRequest(HttpRequest request) {
|
|
||||||
this.request = request;
|
|
||||||
return this;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public OpenIDConnect setUriInfo(UriInfo uriInfo) {
|
public OpenIDConnect setUriInfo(UriInfo uriInfo) {
|
||||||
this.uriInfo = uriInfo;
|
this.uriInfo = uriInfo;
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public OpenIDConnect setClientConnection(ClientConnection clientConnection) {
|
|
||||||
this.clientConnection = clientConnection;
|
|
||||||
return this;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public Response cancelLogin(ClientSessionModel clientSession) {
|
public Response cancelLogin(ClientSessionModel clientSession) {
|
||||||
String redirect = clientSession.getRedirectUri();
|
String redirect = clientSession.getRedirectUri();
|
||||||
|
@ -151,6 +135,19 @@ public class OpenIDConnect implements LoginProtocol {
|
||||||
return Response.status(302).location(redirectUri.build()).build();
|
return Response.status(302).location(redirectUri.build()).build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void backchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession) {
|
||||||
|
if (!(clientSession.getClient() instanceof ApplicationModel)) return;
|
||||||
|
ApplicationModel app = (ApplicationModel)clientSession.getClient();
|
||||||
|
ApacheHttpClient4Executor executor = ResourceAdminManager.createExecutor();
|
||||||
|
|
||||||
|
try {
|
||||||
|
new ResourceAdminManager().logoutApplication(uriInfo.getRequestUri(), realm, app, null, userSession.getId(), executor, 0);
|
||||||
|
} finally {
|
||||||
|
executor.getHttpClient().getConnectionManager().shutdown();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void close() {
|
public void close() {
|
||||||
|
|
||||||
|
|
|
@ -800,7 +800,7 @@ public class OpenIDConnectService {
|
||||||
if (response != null) return response;
|
if (response != null) return response;
|
||||||
|
|
||||||
if (prompt != null && prompt.equals("none")) {
|
if (prompt != null && prompt.equals("none")) {
|
||||||
OpenIDConnect oauth = new OpenIDConnect(session, realm, request, uriInfo, clientConnection);
|
OpenIDConnect oauth = new OpenIDConnect(session, realm, uriInfo);
|
||||||
return oauth.cancelLogin(clientSession);
|
return oauth.cancelLogin(clientSession);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -86,7 +86,17 @@ public class AuthenticationManager {
|
||||||
expireIdentityCookie(realm, uriInfo, connection);
|
expireIdentityCookie(realm, uriInfo, connection);
|
||||||
expireRememberMeCookie(realm, uriInfo, connection);
|
expireRememberMeCookie(realm, uriInfo, connection);
|
||||||
|
|
||||||
new ResourceAdminManager().logoutUser(uriInfo.getRequestUri(), realm, user.getId(), userSession);
|
for (ClientSessionModel clientSession : userSession.getClientSessions()) {
|
||||||
|
ClientModel client = clientSession.getClient();
|
||||||
|
if (client instanceof ApplicationModel) {
|
||||||
|
String authMethod = clientSession.getAuthMethod();
|
||||||
|
if (authMethod == null) continue; // must be a keycloak service like account
|
||||||
|
LoginProtocol protocol = session.getProvider(LoginProtocol.class, authMethod);
|
||||||
|
protocol.setRealm(realm)
|
||||||
|
.setUriInfo(uriInfo);
|
||||||
|
protocol.backchannelLogout(userSession, clientSession);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
session.sessions().removeUserSession(realm, userSession);
|
session.sessions().removeUserSession(realm, userSession);
|
||||||
}
|
}
|
||||||
|
@ -235,9 +245,7 @@ public class AuthenticationManager {
|
||||||
if (userSession.isRememberMe()) createRememberMeCookie(realm, userSession.getUser().getUsername(), uriInfo, clientConnection);
|
if (userSession.isRememberMe()) createRememberMeCookie(realm, userSession.getUser().getUsername(), uriInfo, clientConnection);
|
||||||
LoginProtocol protocol = session.getProvider(LoginProtocol.class, clientSession.getAuthMethod());
|
LoginProtocol protocol = session.getProvider(LoginProtocol.class, clientSession.getAuthMethod());
|
||||||
protocol.setRealm(realm)
|
protocol.setRealm(realm)
|
||||||
.setRequest(request)
|
.setUriInfo(uriInfo);
|
||||||
.setUriInfo(uriInfo)
|
|
||||||
.setClientConnection(clientConnection);
|
|
||||||
return protocol.authenticated(userSession, new ClientSessionCode(realm, clientSession));
|
return protocol.authenticated(userSession, new ClientSessionCode(realm, clientSession));
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -101,7 +101,7 @@ public class ResourceAdminManager {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
protected String getManagementUrl(URI requestUri, ApplicationModel application) {
|
public static String getManagementUrl(URI requestUri, ApplicationModel application) {
|
||||||
String mgmtUrl = application.getManagementUrl();
|
String mgmtUrl = application.getManagementUrl();
|
||||||
if (mgmtUrl == null || mgmtUrl.equals("")) {
|
if (mgmtUrl == null || mgmtUrl.equals("")) {
|
||||||
return null;
|
return null;
|
||||||
|
@ -231,7 +231,7 @@ public class ResourceAdminManager {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
protected boolean logoutApplication(URI requestUri, RealmModel realm, ApplicationModel resource, String user, String session, ApacheHttpClient4Executor client, int notBefore) {
|
public boolean logoutApplication(URI requestUri, RealmModel realm, ApplicationModel resource, String user, String session, ApacheHttpClient4Executor client, int notBefore) {
|
||||||
String managementUrl = getManagementUrl(requestUri, resource);
|
String managementUrl = getManagementUrl(requestUri, resource);
|
||||||
if (managementUrl != null) {
|
if (managementUrl != null) {
|
||||||
LogoutAction adminAction = new LogoutAction(TokenIdGenerator.generateId(), Time.currentTime() + 30, resource.getName(), user, session, notBefore);
|
LogoutAction adminAction = new LogoutAction(TokenIdGenerator.generateId(), Time.currentTime() + 30, resource.getName(), user, session, notBefore);
|
||||||
|
|
|
@ -309,9 +309,7 @@ public class LoginActionsService {
|
||||||
event.error(Errors.REJECTED_BY_USER);
|
event.error(Errors.REJECTED_BY_USER);
|
||||||
LoginProtocol protocol = session.getProvider(LoginProtocol.class, clientSession.getAuthMethod());
|
LoginProtocol protocol = session.getProvider(LoginProtocol.class, clientSession.getAuthMethod());
|
||||||
protocol.setRealm(realm)
|
protocol.setRealm(realm)
|
||||||
.setRequest(request)
|
.setUriInfo(uriInfo);
|
||||||
.setUriInfo(uriInfo)
|
|
||||||
.setClientConnection(clientConnection);
|
|
||||||
return protocol.cancelLogin(clientSession);
|
return protocol.cancelLogin(clientSession);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -565,9 +563,7 @@ public class LoginActionsService {
|
||||||
|
|
||||||
LoginProtocol protocol = session.getProvider(LoginProtocol.class, clientSession.getAuthMethod());
|
LoginProtocol protocol = session.getProvider(LoginProtocol.class, clientSession.getAuthMethod());
|
||||||
protocol.setRealm(realm)
|
protocol.setRealm(realm)
|
||||||
.setRequest(request)
|
.setUriInfo(uriInfo);
|
||||||
.setUriInfo(uriInfo)
|
|
||||||
.setClientConnection(clientConnection);
|
|
||||||
if (formData.containsKey("cancel")) {
|
if (formData.containsKey("cancel")) {
|
||||||
event.error(Errors.REJECTED_BY_USER);
|
event.error(Errors.REJECTED_BY_USER);
|
||||||
return protocol.consentDenied(clientSession);
|
return protocol.consentDenied(clientSession);
|
||||||
|
|
|
@ -41,6 +41,7 @@ import org.keycloak.representations.AccessToken;
|
||||||
import org.keycloak.representations.adapters.action.SessionStats;
|
import org.keycloak.representations.adapters.action.SessionStats;
|
||||||
import org.keycloak.representations.idm.RealmRepresentation;
|
import org.keycloak.representations.idm.RealmRepresentation;
|
||||||
import org.keycloak.services.managers.RealmManager;
|
import org.keycloak.services.managers.RealmManager;
|
||||||
|
import org.keycloak.services.managers.ResourceAdminManager;
|
||||||
import org.keycloak.services.resources.admin.AdminRoot;
|
import org.keycloak.services.resources.admin.AdminRoot;
|
||||||
import org.keycloak.testsuite.OAuthClient;
|
import org.keycloak.testsuite.OAuthClient;
|
||||||
import org.keycloak.testsuite.pages.LoginPage;
|
import org.keycloak.testsuite.pages.LoginPage;
|
||||||
|
@ -288,11 +289,18 @@ public class AdapterTest {
|
||||||
driver.navigate().to("http://localhost:8081/product-portal");
|
driver.navigate().to("http://localhost:8081/product-portal");
|
||||||
Assert.assertTrue(driver.getCurrentUrl().startsWith(LOGIN_URL));
|
Assert.assertTrue(driver.getCurrentUrl().startsWith(LOGIN_URL));
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
session = keycloakRule.startSession();
|
session = keycloakRule.startSession();
|
||||||
realm = session.realms().getRealmByName("demo");
|
realm = session.realms().getRealmByName("demo");
|
||||||
|
// need to cleanup so other tests don't fail, so invalidate http sessions on remote clients.
|
||||||
|
UserModel user = session.users().getUserByUsername("bburke@redhat.com", realm);
|
||||||
|
new ResourceAdminManager().logoutUser(null, realm, user.getId(), null);
|
||||||
realm.setSsoSessionIdleTimeout(originalIdle);
|
realm.setSsoSessionIdleTimeout(originalIdle);
|
||||||
session.getTransaction().commit();
|
session.getTransaction().commit();
|
||||||
session.close();
|
session.close();
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
|
|
@ -32,6 +32,8 @@
|
||||||
"name": "http://localhost:8080/sales-post/",
|
"name": "http://localhost:8080/sales-post/",
|
||||||
"enabled": true,
|
"enabled": true,
|
||||||
"fullScopeAllowed": true,
|
"fullScopeAllowed": true,
|
||||||
|
"baseUrl": "http://localhost:8080/sales-post/",
|
||||||
|
"adminUrl": "http://localhost:8080/sales-post/",
|
||||||
"redirectUris": [
|
"redirectUris": [
|
||||||
"http://localhost:8080/sales-post/*"
|
"http://localhost:8080/sales-post/*"
|
||||||
]
|
]
|
||||||
|
|
Loading…
Reference in a new issue