proxy headers

2014-11-25 15:13:11 -05:00 · 2014-11-25 15:13:11 -05:00 · 7d4f28f52d
commit 7d4f28f52d
parent e14c5adf55
4 changed files with 77 additions and 6 deletions
--- a/docbook/reference/en/en-US/modules/proxy.xml
+++ b/docbook/reference/en/en-US/modules/proxy.xml
@ -274,4 +274,46 @@ $ java -jar bin/launcher.jar [your-config.json]
        </section>
        </section>
    </section>
+    <section>
+        <title>Keycloak Identity Headers</title>
+        <para>
+            When forwarding requests to the proxied server, Keycloak Proxy will set some additional headers with values from the
+            OIDC identity token it received for authentication.
+            <variablelist>
+                <varlistentry>
+                    <term>KEYCLOAK_SUBJECT</term>
+                    <listitem>
+                        <para>
+                            User id. Corresponds to JWT <literal>sub</literal> and will be the user id Keycloak uses to store
+                            this user.
+                        </para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>KEYCLOAK_USERNAME</term>
+                    <listitem>
+                        <para>
+                            Username. Corresponds to JWT <literal>preferred_username</literal>
+                        </para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>KEYCLOAK_EMAIL</term>
+                    <listitem>
+                        <para>
+                            Email address of user if set.
+                        </para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term>KEYCLOAK_NAME</term>
+                    <listitem>
+                        <para>
+                            Full name of user if set.
+                        </para>
+                    </listitem>
+                </varlistentry>
+            </variablelist>
+        </para>
+    </section>
 </chapter>
--- a/pom.xml
+++ b/pom.xml
@ -18,8 +18,8 @@
        <keycloak.apache.httpcomponents.version>4.2.1</keycloak.apache.httpcomponents.version>
        <resteasy.version>2.3.7.Final</resteasy.version>
        <resteasy.version.latest>3.0.9.Final</resteasy.version.latest>
+        <!-- <undertow.version>1.1.0.Final</undertow.version> -->
        <undertow.version>1.0.15.Final</undertow.version>
-<!--        <picketlink.version>2.7.0.CR1-20140924</picketlink.version>  -->
        <picketlink.version>2.7.0.CR2</picketlink.version>
        <picketbox.ldap.version>1.0.2.Final</picketbox.ldap.version>
        <mongo.driver.version>2.11.3</mongo.driver.version>
@ -108,7 +108,7 @@
        <module>events</module>
        <module>model</module>
        <module>integration</module>
-        <module>proxy</module>
+        <module>proxy/proxy-server</module>
        <module>picketlink</module>
        <module>federation</module>
        <module>services</module>
--- a/proxy/proxy-server/src/main/java/org/keycloak/proxy/ConstraintAuthorizationHandler.java
+++ b/proxy/proxy-server/src/main/java/org/keycloak/proxy/ConstraintAuthorizationHandler.java
@ -2,7 +2,9 @@ package org.keycloak.proxy;

 import io.undertow.server.HttpHandler;
 import io.undertow.server.HttpServerExchange;
+import io.undertow.util.HttpString;
 import org.keycloak.adapters.undertow.KeycloakUndertowAccount;
+import org.keycloak.representations.IDToken;

 import java.util.Collection;

@ -11,6 +13,10 @@ import java.util.Collection;
 * @version $Revision: 1 $
 */
 public class ConstraintAuthorizationHandler implements HttpHandler {
+    public static final HttpString KEYCLOAK_SUBJECT = new HttpString("KEYCLOAK_SUBJECT");
+    public static final HttpString KEYCLOAK_USERNAME = new HttpString("KEYCLOAK_USERNAME");
+    public static final HttpString KEYCLOAK_EMAIL = new HttpString("KEYCLOAK_EMAIL");
+    public static final HttpString KEYCLOAK_NAME = new HttpString("KEYCLOAK_NAME");

    protected HttpHandler next;
    protected String errorPage;
@ -25,13 +31,13 @@ public class ConstraintAuthorizationHandler implements HttpHandler {
        KeycloakUndertowAccount account = (KeycloakUndertowAccount)exchange.getSecurityContext().getAuthenticatedAccount();
        SingleConstraintMatch match = exchange.getAttachment(ConstraintMatcherHandler.CONSTRAINT_KEY);
        if (match == null || (match.getRequiredRoles().isEmpty() && match.getEmptyRoleSemantic() == SecurityInfo.EmptyRoleSemantic.AUTHENTICATE)) {
-            next.handleRequest(exchange);
+            authenticatedRequest(account, exchange);
            return;
        }
        if (match != null) {
            for (String role : match.getRequiredRoles()) {
                if (account.getRoles().contains(role)) {
-                    next.handleRequest(exchange);
+                    authenticatedRequest(account, exchange);
                    return;
                }
            }
@ -48,4 +54,23 @@ public class ConstraintAuthorizationHandler implements HttpHandler {
        exchange.endExchange();

    }
+
+    public void authenticatedRequest(KeycloakUndertowAccount account, HttpServerExchange exchange) throws Exception {
+        if (account != null) {
+            IDToken idToken = account.getKeycloakSecurityContext().getIdToken();
+            if (idToken.getSubject() != null) {
+                exchange.getRequestHeaders().put(KEYCLOAK_SUBJECT, idToken.getSubject());
+            }
+            if (idToken.getPreferredUsername() != null) {
+                exchange.getRequestHeaders().put(KEYCLOAK_USERNAME, idToken.getPreferredUsername());
+            }
+            if (idToken.getEmail() != null) {
+                exchange.getRequestHeaders().put(KEYCLOAK_EMAIL, idToken.getEmail());
+            }
+            if (idToken.getName() != null) {
+                exchange.getRequestHeaders().put(KEYCLOAK_NAME, idToken.getName());
+            }
+        }
+        next.handleRequest(exchange);
+    }
 }
--- a/testsuite/proxy/src/test/java/org/keycloak/testsuite/ProxyTest.java
+++ b/testsuite/proxy/src/test/java/org/keycloak/testsuite/ProxyTest.java
@ -70,6 +70,7 @@ import java.io.OutputStream;
 import java.net.URI;
 import java.net.URL;
 import java.security.Principal;
+import java.util.Enumeration;
 import java.util.regex.Matcher;

 /**
@ -100,8 +101,11 @@ public class ProxyTest {
            req.getSession().setAttribute("counter", new Integer(count.intValue() + 1));
            stream.write(("count:"+count).getBytes());

-
-
+            Enumeration<String> headers = req.getHeaderNames();
+            while (headers.hasMoreElements()) {
+                String name = headers.nextElement();
+                System.out.println(name +": " + req.getHeader(name));
+            }
        }
        @Override
        protected void doPost(final HttpServletRequest req, final HttpServletResponse resp) throws ServletException, IOException {