From 7395d6585c5f48744272424e32c04e632358b64e Mon Sep 17 00:00:00 2001
From: Bill Burke
Date: Fri, 24 Apr 2015 15:03:20 -0400
Subject: [PATCH] filter oidc broker import keys
---
 .../oidc/OIDCIdentityProviderFactory.java | 7 ++++-
 .../broker/oidc/OIDCIdentityProviderTest.java | 26 +++++++++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100755 broker/oidc/src/test/java/org/keycloak/broker/oidc/OIDCIdentityProviderTest.java
diff --git a/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java b/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java
index 7c3335ee39..6c572745d2 100755
--- a/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java
+++ b/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java
@@ -21,6 +21,7 @@ import org.keycloak.broker.oidc.util.SimpleHttp;
 import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
 import org.keycloak.jose.jwk.JWK;
 import org.keycloak.jose.jwk.JWKParser;
+import org.keycloak.jose.jws.Algorithm;
 import org.keycloak.models.IdentityProviderModel;
 import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.protocol.oidc.representations.JSONWebKeySet;
@@ -80,7 +81,7 @@ public class OIDCIdentityProviderFactory extends AbstractIdentityProviderFactory
 JSONWebKeySet keySet = JsonSerialization.readValue(keySetString, JSONWebKeySet.class);
 for (JWK jwk : keySet.getKeys()) {
 JWKParser parse = JWKParser.create(jwk);
- if (parse.getJwk().getPublicKeyUse().equals(JWK.SIG_USE)) {
+ if (parse.getJwk().getPublicKeyUse().equals(JWK.SIG_USE) && keyTypeSupported(jwk.getKeyType())) {
 PublicKey key = parse.toPublicKey();
 config.setPublicKeySignatureVerifier(KeycloakModelUtils.getPemFromKey(key));
 config.setValidateSignature(true);
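Review bot: In the key-import loop (hunk at -80,7), the new condition still calls `parse.getJwk().getPublicKeyUse().equals(JWK.SIG_USE)` before the key-type check, so a JWK that omits the optional `use` member would throw a NullPointerException instead of being skipped; `JWK.SIG_USE.equals(parse.getJwk().getPublicKeyUse()) && keyTypeSupported(jwk.getKeyType())` avoids that. In the visible lines `config.setValidateSignature(true)` is reached only inside this branch, so a key set with no RSA signing key appears to import silently with signature validation left unset. That case is worth a log warning or an import error, because an administrator may otherwise assume ID token signatures are being verified. The enclosing method starts and ends outside the hunk, so a later fallback cannot be ruled out from here.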
@@ -95,4 +96,8 @@ public class OIDCIdentityProviderFactory extends AbstractIdentityProviderFactory
 }
 return config.getConfig();
 }
+
+ protected static boolean keyTypeSupported(String type) {
+ return type != null && type.equals("RSA");
+ }
 }
diff --git a/broker/oidc/src/test/java/org/keycloak/broker/oidc/OIDCIdentityProviderTest.java b/broker/oidc/src/test/java/org/keycloak/broker/oidc/OIDCIdentityProviderTest.java
new file mode 100755
index 0000000000..5de115ed18
--- /dev/null
+++ b/broker/oidc/src/test/java/org/keycloak/broker/oidc/OIDCIdentityProviderTest.java
@@ -0,0 +1,26 @@
+package org.keycloak.broker.oidc;
+
+import org.junit.Test;
+
+/**
+ * @author Bill Burke
+ * @version $Revision: 1 $
+ */
+public class OIDCIdentityProviderTest {
+
+ @Test
+ public void testUnsupportedKeyInput() throws Exception {
+ String json = "{" +
+ "\"version\":\"3.0\"," +
+ "\"issuer\":\"https://server.com:443\"," +
+ "\"authorization_endpoint\":\"https://server.com:443/oauth2\"," +
+ "\"token_endpoint\":\"https://server.com:443/token\"," +
+ "\"revocation_endpoint\":\"https://server.com:443/revoke\"," +
+ "\"userinfo_endpoint\":\"https://server.com:443/userinfo\"," +
+ "\"jwks_uri\":\"https://server.com:443/JWKS\"," +
+ "\"scopes_supported\"[\"phone\",\"address\",\"email\",\"openid\",\"profile\"]," +
+ "\"response_types_supported\":[\"code\",\"token\",\"id_token\",\"code token\",\"code id_token\",\"token id_token\",\"code token id_token\"]," +
+ "\"subject_types_supported\":[\"public\"]," +
+ "\"id_token_signing_alg_values_supported\":[\"HS256\",\"HS384\",\"HS512\",\"RS256\",\"RS384\",\"RS512\",\"ES256\",\"ES84\",\"ES512\"]} ";
+ }
+}
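Review bot: The `org.keycloak.jose.jws.Algorithm` import added in the first hunk is not used by any line this commit adds, since `keyTypeSupported` (hunk at -95,4) compares against the string literal `"RSA"`; the import should be dropped. The helper reads more simply as `return "RSA".equals(type);`, which is null-safe without the explicit check. A short Javadoc on it should say why only RSA is accepted (presumably because the import path converts the key to a PEM RSA verifier), so the filter is revisited if other key types are ever supported.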
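Review bot: `testUnsupportedKeyInput` in the new OIDCIdentityProviderTest builds a string and returns without calling the factory or asserting anything, so it passes whether or not unsupported keys are filtered. The fixture is a discovery document rather than a JWKS, so it holds no key with an unsupported `kty`. It is also not valid JSON, because `\"scopes_supported\"[` lacks its colon, and `ES84` looks like a typo for `ES384`. Since the test lives in the same package, it can at least pin the new filter directly with `assertTrue(OIDCIdentityProviderFactory.keyTypeSupported("RSA"));`, `assertFalse(OIDCIdentityProviderFactory.keyTypeSupported("EC"));` and `assertFalse(OIDCIdentityProviderFactory.keyTypeSupported(null));`. Ideally it would also feed a JWKS with a non-RSA signing key through the import path and assert the resulting config.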