filter oidc broker import keys

2015-04-24 15:03:20 -04:00 · 2015-04-24 15:03:20 -04:00 · 7395d6585c
commit 7395d6585c
parent b8d23829aa
2 changed files with 32 additions and 1 deletions
--- a/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java
+++ b/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java
@ -21,6 +21,7 @@ import org.keycloak.broker.oidc.util.SimpleHttp;
 import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
 import org.keycloak.jose.jwk.JWK;
 import org.keycloak.jose.jwk.JWKParser;
+import org.keycloak.jose.jws.Algorithm;
 import org.keycloak.models.IdentityProviderModel;
 import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.protocol.oidc.representations.JSONWebKeySet;
@ -80,7 +81,7 @@ public class OIDCIdentityProviderFactory extends AbstractIdentityProviderFactory
                JSONWebKeySet keySet = JsonSerialization.readValue(keySetString, JSONWebKeySet.class);
                for (JWK jwk : keySet.getKeys()) {
                    JWKParser parse = JWKParser.create(jwk);
-                    if (parse.getJwk().getPublicKeyUse().equals(JWK.SIG_USE)) {
+                    if (parse.getJwk().getPublicKeyUse().equals(JWK.SIG_USE) && keyTypeSupported(jwk.getKeyType())) {
                        PublicKey key = parse.toPublicKey();
                        config.setPublicKeySignatureVerifier(KeycloakModelUtils.getPemFromKey(key));
                        config.setValidateSignature(true);
@ -95,4 +96,8 @@ public class OIDCIdentityProviderFactory extends AbstractIdentityProviderFactory
        }
        return config.getConfig();
    }
+
+    protected static boolean keyTypeSupported(String type) {
+        return type != null && type.equals("RSA");
+    }
 }
--- a/broker/oidc/src/test/java/org/keycloak/broker/oidc/OIDCIdentityProviderTest.java
+++ b/broker/oidc/src/test/java/org/keycloak/broker/oidc/OIDCIdentityProviderTest.java
@ -0,0 +1,26 @@
+package org.keycloak.broker.oidc;
+
+import org.junit.Test;
+
+/**
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class OIDCIdentityProviderTest {
+
+    @Test
+    public void testUnsupportedKeyInput() throws Exception {
+        String json = "{" +
+                "\"version\":\"3.0\"," +
+                "\"issuer\":\"https://server.com:443\"," +
+                "\"authorization_endpoint\":\"https://server.com:443/oauth2\"," +
+                "\"token_endpoint\":\"https://server.com:443/token\"," +
+                "\"revocation_endpoint\":\"https://server.com:443/revoke\"," +
+                "\"userinfo_endpoint\":\"https://server.com:443/userinfo\"," +
+                "\"jwks_uri\":\"https://server.com:443/JWKS\"," +
+                "\"scopes_supported\"[\"phone\",\"address\",\"email\",\"openid\",\"profile\"]," +
+                "\"response_types_supported\":[\"code\",\"token\",\"id_token\",\"code token\",\"code id_token\",\"token id_token\",\"code token id_token\"]," +
+                "\"subject_types_supported\":[\"public\"]," +
+                "\"id_token_signing_alg_values_supported\":[\"HS256\",\"HS384\",\"HS512\",\"RS256\",\"RS384\",\"RS512\",\"ES256\",\"ES84\",\"ES512\"]} ";
+    }
+}