Merge pull request #4515 from mposolda/jwe
JWE, KEYCLOAK-5007 Used single-use cache for tracke OAuth code.
This commit is contained in:
commit
7fc94b8cad
76 changed files with 2739 additions and 410 deletions
|
@ -40,8 +40,8 @@ public class KeyUtils {
|
||||||
private KeyUtils() {
|
private KeyUtils() {
|
||||||
}
|
}
|
||||||
|
|
||||||
public static SecretKey loadSecretKey(byte[] secret) {
|
public static SecretKey loadSecretKey(byte[] secret, String javaAlgorithmName) {
|
||||||
return new SecretKeySpec(secret, "HmacSHA256");
|
return new SecretKeySpec(secret, javaAlgorithmName);
|
||||||
}
|
}
|
||||||
|
|
||||||
public static KeyPair generateRsaKeyPair(int keysize) {
|
public static KeyPair generateRsaKeyPair(int keysize) {
|
||||||
|
|
|
@ -16,7 +16,7 @@ public class KeyUtilsTest {
|
||||||
byte[] secretBytes = new byte[32];
|
byte[] secretBytes = new byte[32];
|
||||||
ThreadLocalRandom.current().nextBytes(secretBytes);
|
ThreadLocalRandom.current().nextBytes(secretBytes);
|
||||||
SecretKeySpec expected = new SecretKeySpec(secretBytes, "HmacSHA256");
|
SecretKeySpec expected = new SecretKeySpec(secretBytes, "HmacSHA256");
|
||||||
SecretKey actual = KeyUtils.loadSecretKey(secretBytes);
|
SecretKey actual = KeyUtils.loadSecretKey(secretBytes, "HmacSHA256");
|
||||||
assertEquals(expected.getAlgorithm(), actual.getAlgorithm());
|
assertEquals(expected.getAlgorithm(), actual.getAlgorithm());
|
||||||
assertArrayEquals(expected.getEncoded(), actual.getEncoded());
|
assertArrayEquals(expected.getEncoded(), actual.getEncoded());
|
||||||
}
|
}
|
||||||
|
|
197
core/src/main/java/org/keycloak/jose/jwe/JWE.java
Normal file
197
core/src/main/java/org/keycloak/jose/jwe/JWE.java
Normal file
|
@ -0,0 +1,197 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.jose.jwe;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.security.GeneralSecurityException;
|
||||||
|
|
||||||
|
import org.keycloak.common.util.Base64Url;
|
||||||
|
import org.keycloak.common.util.BouncyIntegration;
|
||||||
|
import org.keycloak.jose.jwe.alg.JWEAlgorithmProvider;
|
||||||
|
import org.keycloak.jose.jwe.enc.JWEEncryptionProvider;
|
||||||
|
import org.keycloak.util.JsonSerialization;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public class JWE {
|
||||||
|
|
||||||
|
static {
|
||||||
|
BouncyIntegration.init();
|
||||||
|
}
|
||||||
|
|
||||||
|
private JWEHeader header;
|
||||||
|
private String base64Header;
|
||||||
|
|
||||||
|
private JWEKeyStorage keyStorage = new JWEKeyStorage();
|
||||||
|
private String base64Cek;
|
||||||
|
|
||||||
|
private byte[] initializationVector;
|
||||||
|
|
||||||
|
private byte[] content;
|
||||||
|
private byte[] encryptedContent;
|
||||||
|
|
||||||
|
private byte[] authenticationTag;
|
||||||
|
|
||||||
|
public JWE header(JWEHeader header) {
|
||||||
|
this.header = header;
|
||||||
|
this.base64Header = null;
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
|
JWEHeader getHeader() {
|
||||||
|
if (header == null && base64Header != null) {
|
||||||
|
try {
|
||||||
|
byte[] decodedHeader = Base64Url.decode(base64Header);
|
||||||
|
header = JsonSerialization.readValue(decodedHeader, JWEHeader.class);
|
||||||
|
} catch (IOException ioe) {
|
||||||
|
throw new RuntimeException(ioe);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return header;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getBase64Header() throws IOException {
|
||||||
|
if (base64Header == null && header != null) {
|
||||||
|
byte[] contentBytes = JsonSerialization.writeValueAsBytes(header);
|
||||||
|
base64Header = Base64Url.encode(contentBytes);
|
||||||
|
}
|
||||||
|
return base64Header;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public JWEKeyStorage getKeyStorage() {
|
||||||
|
return keyStorage;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public byte[] getInitializationVector() {
|
||||||
|
return initializationVector;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public JWE content(byte[] content) {
|
||||||
|
this.content = content;
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
|
public byte[] getContent() {
|
||||||
|
return content;
|
||||||
|
}
|
||||||
|
|
||||||
|
public byte[] getEncryptedContent() {
|
||||||
|
return encryptedContent;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public byte[] getAuthenticationTag() {
|
||||||
|
return authenticationTag;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public void setEncryptedContentInfo(byte[] initializationVector, byte[] encryptedContent, byte[] authenticationTag) {
|
||||||
|
this.initializationVector = initializationVector;
|
||||||
|
this.encryptedContent = encryptedContent;
|
||||||
|
this.authenticationTag = authenticationTag;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public String encodeJwe() throws JWEException {
|
||||||
|
try {
|
||||||
|
if (header == null) {
|
||||||
|
throw new IllegalStateException("Header must be set");
|
||||||
|
}
|
||||||
|
if (content == null) {
|
||||||
|
throw new IllegalStateException("Content must be set");
|
||||||
|
}
|
||||||
|
|
||||||
|
JWEAlgorithmProvider algorithmProvider = JWERegistry.getAlgProvider(header.getAlgorithm());
|
||||||
|
if (algorithmProvider == null) {
|
||||||
|
throw new IllegalArgumentException("No provider for alg '" + header.getAlgorithm() + "'");
|
||||||
|
}
|
||||||
|
|
||||||
|
JWEEncryptionProvider encryptionProvider = JWERegistry.getEncProvider(header.getEncryptionAlgorithm());
|
||||||
|
if (encryptionProvider == null) {
|
||||||
|
throw new IllegalArgumentException("No provider for enc '" + header.getAlgorithm() + "'");
|
||||||
|
}
|
||||||
|
|
||||||
|
keyStorage.setEncryptionProvider(encryptionProvider);
|
||||||
|
keyStorage.getCEKKey(JWEKeyStorage.KeyUse.ENCRYPTION, true); // Will generate CEK if it's not already present
|
||||||
|
|
||||||
|
byte[] encodedCEK = algorithmProvider.encodeCek(encryptionProvider, keyStorage, keyStorage.getEncryptionKey());
|
||||||
|
base64Cek = Base64Url.encode(encodedCEK);
|
||||||
|
|
||||||
|
encryptionProvider.encodeJwe(this);
|
||||||
|
|
||||||
|
return getEncodedJweString();
|
||||||
|
} catch (Exception e) {
|
||||||
|
throw new JWEException(e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
private String getEncodedJweString() {
|
||||||
|
StringBuilder builder = new StringBuilder();
|
||||||
|
builder.append(base64Header).append(".")
|
||||||
|
.append(base64Cek).append(".")
|
||||||
|
.append(Base64Url.encode(initializationVector)).append(".")
|
||||||
|
.append(Base64Url.encode(encryptedContent)).append(".")
|
||||||
|
.append(Base64Url.encode(authenticationTag));
|
||||||
|
|
||||||
|
return builder.toString();
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public JWE verifyAndDecodeJwe(String jweStr) throws JWEException {
|
||||||
|
try {
|
||||||
|
String[] parts = jweStr.split("\\.");
|
||||||
|
if (parts.length != 5) {
|
||||||
|
throw new IllegalStateException("Not a JWE String");
|
||||||
|
}
|
||||||
|
|
||||||
|
this.base64Header = parts[0];
|
||||||
|
this.base64Cek = parts[1];
|
||||||
|
this.initializationVector = Base64Url.decode(parts[2]);
|
||||||
|
this.encryptedContent = Base64Url.decode(parts[3]);
|
||||||
|
this.authenticationTag = Base64Url.decode(parts[4]);
|
||||||
|
|
||||||
|
this.header = getHeader();
|
||||||
|
JWEAlgorithmProvider algorithmProvider = JWERegistry.getAlgProvider(header.getAlgorithm());
|
||||||
|
if (algorithmProvider == null) {
|
||||||
|
throw new IllegalArgumentException("No provider for alg '" + header.getAlgorithm() + "'");
|
||||||
|
}
|
||||||
|
|
||||||
|
JWEEncryptionProvider encryptionProvider = JWERegistry.getEncProvider(header.getEncryptionAlgorithm());
|
||||||
|
if (encryptionProvider == null) {
|
||||||
|
throw new IllegalArgumentException("No provider for enc '" + header.getAlgorithm() + "'");
|
||||||
|
}
|
||||||
|
|
||||||
|
keyStorage.setEncryptionProvider(encryptionProvider);
|
||||||
|
|
||||||
|
byte[] decodedCek = algorithmProvider.decodeCek(Base64Url.decode(base64Cek), keyStorage.getEncryptionKey());
|
||||||
|
keyStorage.setCEKBytes(decodedCek);
|
||||||
|
|
||||||
|
encryptionProvider.verifyAndDecodeJwe(this);
|
||||||
|
|
||||||
|
return this;
|
||||||
|
} catch (Exception e) {
|
||||||
|
throw new JWEException(e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
32
core/src/main/java/org/keycloak/jose/jwe/JWEConstants.java
Normal file
32
core/src/main/java/org/keycloak/jose/jwe/JWEConstants.java
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.jose.jwe;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public class JWEConstants {
|
||||||
|
|
||||||
|
public static final String DIR = "dir";
|
||||||
|
public static final String A128KW = "A128KW";
|
||||||
|
|
||||||
|
public static final String A128CBC_HS256 = "A128CBC-HS256";
|
||||||
|
public static final String A192CBC_HS384 = "A192CBC-HS384";
|
||||||
|
public static final String A256CBC_HS512 = "A256CBC-HS512";
|
||||||
|
|
||||||
|
}
|
35
core/src/main/java/org/keycloak/jose/jwe/JWEException.java
Normal file
35
core/src/main/java/org/keycloak/jose/jwe/JWEException.java
Normal file
|
@ -0,0 +1,35 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.jose.jwe;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public class JWEException extends Exception {
|
||||||
|
|
||||||
|
public JWEException(String s) {
|
||||||
|
super(s);
|
||||||
|
}
|
||||||
|
|
||||||
|
public JWEException() {
|
||||||
|
}
|
||||||
|
|
||||||
|
public JWEException(Throwable throwable) {
|
||||||
|
super(throwable);
|
||||||
|
}
|
||||||
|
}
|
103
core/src/main/java/org/keycloak/jose/jwe/JWEHeader.java
Normal file
103
core/src/main/java/org/keycloak/jose/jwe/JWEHeader.java
Normal file
|
@ -0,0 +1,103 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.jose.jwe;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.io.Serializable;
|
||||||
|
|
||||||
|
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
|
||||||
|
import com.fasterxml.jackson.annotation.JsonInclude;
|
||||||
|
import com.fasterxml.jackson.annotation.JsonProperty;
|
||||||
|
import com.fasterxml.jackson.databind.ObjectMapper;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
@JsonIgnoreProperties(ignoreUnknown = true)
|
||||||
|
public class JWEHeader implements Serializable {
|
||||||
|
|
||||||
|
@JsonProperty("alg")
|
||||||
|
private String algorithm;
|
||||||
|
|
||||||
|
@JsonProperty("enc")
|
||||||
|
private String encryptionAlgorithm;
|
||||||
|
|
||||||
|
@JsonProperty("zip")
|
||||||
|
private String compressionAlgorithm;
|
||||||
|
|
||||||
|
|
||||||
|
@JsonProperty("typ")
|
||||||
|
private String type;
|
||||||
|
|
||||||
|
@JsonProperty("cty")
|
||||||
|
private String contentType;
|
||||||
|
|
||||||
|
@JsonProperty("kid")
|
||||||
|
private String keyId;
|
||||||
|
|
||||||
|
public JWEHeader() {
|
||||||
|
}
|
||||||
|
|
||||||
|
public JWEHeader(String algorithm, String encryptionAlgorithm, String compressionAlgorithm) {
|
||||||
|
this.algorithm = algorithm;
|
||||||
|
this.encryptionAlgorithm = encryptionAlgorithm;
|
||||||
|
this.compressionAlgorithm = compressionAlgorithm;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getAlgorithm() {
|
||||||
|
return algorithm;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getEncryptionAlgorithm() {
|
||||||
|
return encryptionAlgorithm;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getCompressionAlgorithm() {
|
||||||
|
return compressionAlgorithm;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getType() {
|
||||||
|
return type;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getContentType() {
|
||||||
|
return contentType;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getKeyId() {
|
||||||
|
return keyId;
|
||||||
|
}
|
||||||
|
|
||||||
|
private static final ObjectMapper mapper = new ObjectMapper();
|
||||||
|
|
||||||
|
static {
|
||||||
|
mapper.setSerializationInclusion(JsonInclude.Include.NON_NULL);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
public String toString() {
|
||||||
|
try {
|
||||||
|
return mapper.writeValueAsString(this);
|
||||||
|
} catch (IOException e) {
|
||||||
|
throw new RuntimeException(e);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
103
core/src/main/java/org/keycloak/jose/jwe/JWEKeyStorage.java
Normal file
103
core/src/main/java/org/keycloak/jose/jwe/JWEKeyStorage.java
Normal file
|
@ -0,0 +1,103 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.jose.jwe;
|
||||||
|
|
||||||
|
import java.security.Key;
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
|
import org.keycloak.jose.jwe.enc.JWEEncryptionProvider;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public class JWEKeyStorage {
|
||||||
|
|
||||||
|
private Key encryptionKey;
|
||||||
|
|
||||||
|
private byte[] cekBytes;
|
||||||
|
|
||||||
|
private Map<KeyUse, Key> decodedCEK = new HashMap<>();
|
||||||
|
|
||||||
|
private JWEEncryptionProvider encryptionProvider;
|
||||||
|
|
||||||
|
|
||||||
|
public Key getEncryptionKey() {
|
||||||
|
return encryptionKey;
|
||||||
|
}
|
||||||
|
|
||||||
|
public JWEKeyStorage setEncryptionKey(Key encryptionKey) {
|
||||||
|
this.encryptionKey = encryptionKey;
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public void setCEKBytes(byte[] cekBytes) {
|
||||||
|
this.cekBytes = cekBytes;
|
||||||
|
}
|
||||||
|
|
||||||
|
public byte[] getCekBytes() {
|
||||||
|
if (cekBytes == null) {
|
||||||
|
cekBytes = encryptionProvider.serializeCEK(this);
|
||||||
|
}
|
||||||
|
return cekBytes;
|
||||||
|
}
|
||||||
|
|
||||||
|
public JWEKeyStorage setCEKKey(Key key, KeyUse keyUse) {
|
||||||
|
decodedCEK.put(keyUse, key);
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public Key getCEKKey(KeyUse keyUse, boolean generateIfNotPresent) {
|
||||||
|
Key key = decodedCEK.get(keyUse);
|
||||||
|
if (key == null) {
|
||||||
|
if (encryptionProvider != null) {
|
||||||
|
|
||||||
|
if (cekBytes == null && generateIfNotPresent) {
|
||||||
|
generateCekBytes();
|
||||||
|
}
|
||||||
|
|
||||||
|
if (cekBytes != null) {
|
||||||
|
encryptionProvider.deserializeCEK(this);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
throw new IllegalStateException("encryptionProvider needs to be set");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return decodedCEK.get(keyUse);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
private void generateCekBytes() {
|
||||||
|
int cekLength = encryptionProvider.getExpectedCEKLength();
|
||||||
|
cekBytes = JWEUtils.generateSecret(cekLength);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public void setEncryptionProvider(JWEEncryptionProvider encryptionProvider) {
|
||||||
|
this.encryptionProvider = encryptionProvider;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public enum KeyUse {
|
||||||
|
ENCRYPTION,
|
||||||
|
SIGNATURE
|
||||||
|
}
|
||||||
|
}
|
66
core/src/main/java/org/keycloak/jose/jwe/JWERegistry.java
Normal file
66
core/src/main/java/org/keycloak/jose/jwe/JWERegistry.java
Normal file
|
@ -0,0 +1,66 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.jose.jwe;
|
||||||
|
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
|
import org.keycloak.jose.jwe.alg.AesKeyWrapAlgorithmProvider;
|
||||||
|
import org.keycloak.jose.jwe.alg.DirectAlgorithmProvider;
|
||||||
|
import org.keycloak.jose.jwe.alg.JWEAlgorithmProvider;
|
||||||
|
import org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider;
|
||||||
|
import org.keycloak.jose.jwe.enc.JWEEncryptionProvider;
|
||||||
|
|
||||||
|
/**
|
||||||
|
*
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
class JWERegistry {
|
||||||
|
|
||||||
|
// https://tools.ietf.org/html/rfc7518#page-12
|
||||||
|
// Registry not pluggable for now. Just supported algorithms included
|
||||||
|
private static final Map<String, JWEEncryptionProvider> ENC_PROVIDERS = new HashMap<>();
|
||||||
|
|
||||||
|
// https://tools.ietf.org/html/rfc7518#page-22
|
||||||
|
// Registry not pluggable for now. Just supported algorithms included
|
||||||
|
private static final Map<String, JWEAlgorithmProvider> ALG_PROVIDERS = new HashMap<>();
|
||||||
|
|
||||||
|
|
||||||
|
static {
|
||||||
|
// Provider 'dir' just directly uses encryption keys for encrypt/decrypt content.
|
||||||
|
ALG_PROVIDERS.put(JWEConstants.DIR, new DirectAlgorithmProvider());
|
||||||
|
ALG_PROVIDERS.put(JWEConstants.A128KW, new AesKeyWrapAlgorithmProvider());
|
||||||
|
|
||||||
|
|
||||||
|
ENC_PROVIDERS.put(JWEConstants.A128CBC_HS256, new AesCbcHmacShaEncryptionProvider.Aes128CbcHmacSha256Provider());
|
||||||
|
ENC_PROVIDERS.put(JWEConstants.A192CBC_HS384, new AesCbcHmacShaEncryptionProvider.Aes192CbcHmacSha384Provider());
|
||||||
|
ENC_PROVIDERS.put(JWEConstants.A256CBC_HS512, new AesCbcHmacShaEncryptionProvider.Aes256CbcHmacSha512Provider());
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static JWEAlgorithmProvider getAlgProvider(String alg) {
|
||||||
|
return ALG_PROVIDERS.get(alg);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static JWEEncryptionProvider getEncProvider(String enc) {
|
||||||
|
return ENC_PROVIDERS.get(enc);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
}
|
35
core/src/main/java/org/keycloak/jose/jwe/JWEUtils.java
Normal file
35
core/src/main/java/org/keycloak/jose/jwe/JWEUtils.java
Normal file
|
@ -0,0 +1,35 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.jose.jwe;
|
||||||
|
|
||||||
|
import java.security.SecureRandom;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public class JWEUtils {
|
||||||
|
|
||||||
|
private JWEUtils() {
|
||||||
|
}
|
||||||
|
|
||||||
|
public static byte[] generateSecret(int bytes) {
|
||||||
|
byte[] buf = new byte[bytes];
|
||||||
|
new SecureRandom().nextBytes(buf);
|
||||||
|
return buf;
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,52 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.jose.jwe.alg;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.security.GeneralSecurityException;
|
||||||
|
import java.security.Key;
|
||||||
|
|
||||||
|
import org.bouncycastle.crypto.InvalidCipherTextException;
|
||||||
|
import org.bouncycastle.crypto.Wrapper;
|
||||||
|
import org.bouncycastle.crypto.engines.AESWrapEngine;
|
||||||
|
import org.bouncycastle.crypto.params.KeyParameter;
|
||||||
|
import org.keycloak.jose.jwe.JWEKeyStorage;
|
||||||
|
import org.keycloak.jose.jwe.enc.JWEEncryptionProvider;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public class AesKeyWrapAlgorithmProvider implements JWEAlgorithmProvider {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public byte[] decodeCek(byte[] encodedCek, Key encryptionKey) throws Exception {
|
||||||
|
Wrapper encrypter = new AESWrapEngine();
|
||||||
|
encrypter.init(false, new KeyParameter(encryptionKey.getEncoded()));
|
||||||
|
return encrypter.unwrap(encodedCek, 0, encodedCek.length);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public byte[] encodeCek(JWEEncryptionProvider encryptionProvider, JWEKeyStorage keyStorage, Key encryptionKey) throws Exception {
|
||||||
|
Wrapper encrypter = new AESWrapEngine();
|
||||||
|
encrypter.init(true, new KeyParameter(encryptionKey.getEncoded()));
|
||||||
|
byte[] cekBytes = keyStorage.getCekBytes();
|
||||||
|
return encrypter.wrap(cekBytes, 0, cekBytes.length);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,41 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.jose.jwe.alg;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.security.GeneralSecurityException;
|
||||||
|
import java.security.Key;
|
||||||
|
|
||||||
|
import org.keycloak.jose.jwe.JWEKeyStorage;
|
||||||
|
import org.keycloak.jose.jwe.enc.JWEEncryptionProvider;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public class DirectAlgorithmProvider implements JWEAlgorithmProvider {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public byte[] decodeCek(byte[] encodedCek, Key encryptionKey) {
|
||||||
|
return new byte[0];
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public byte[] encodeCek(JWEEncryptionProvider encryptionProvider, JWEKeyStorage keyStorage, Key encryptionKey) {
|
||||||
|
return new byte[0];
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,36 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.jose.jwe.alg;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.security.GeneralSecurityException;
|
||||||
|
import java.security.Key;
|
||||||
|
|
||||||
|
import org.keycloak.jose.jwe.JWEKeyStorage;
|
||||||
|
import org.keycloak.jose.jwe.enc.JWEEncryptionProvider;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public interface JWEAlgorithmProvider {
|
||||||
|
|
||||||
|
byte[] decodeCek(byte[] encodedCek, Key encryptionKey) throws Exception;
|
||||||
|
|
||||||
|
byte[] encodeCek(JWEEncryptionProvider encryptionProvider, JWEKeyStorage keyStorage, Key encryptionKey) throws Exception;
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,272 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.jose.jwe.enc;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.nio.ByteBuffer;
|
||||||
|
import java.nio.ByteOrder;
|
||||||
|
import java.security.GeneralSecurityException;
|
||||||
|
import java.security.InvalidKeyException;
|
||||||
|
import java.security.Key;
|
||||||
|
import java.security.MessageDigest;
|
||||||
|
import java.security.NoSuchAlgorithmException;
|
||||||
|
import java.security.spec.AlgorithmParameterSpec;
|
||||||
|
import java.util.Arrays;
|
||||||
|
|
||||||
|
import javax.crypto.Cipher;
|
||||||
|
import javax.crypto.Mac;
|
||||||
|
import javax.crypto.spec.IvParameterSpec;
|
||||||
|
import javax.crypto.spec.SecretKeySpec;
|
||||||
|
|
||||||
|
import org.keycloak.jose.jwe.JWE;
|
||||||
|
import org.keycloak.jose.jwe.JWEKeyStorage;
|
||||||
|
import org.keycloak.jose.jwe.JWEUtils;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public abstract class AesCbcHmacShaEncryptionProvider implements JWEEncryptionProvider {
|
||||||
|
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void encodeJwe(JWE jwe) throws IOException, GeneralSecurityException {
|
||||||
|
|
||||||
|
byte[] contentBytes = jwe.getContent();
|
||||||
|
|
||||||
|
byte[] initializationVector = JWEUtils.generateSecret(16);
|
||||||
|
|
||||||
|
Key aesKey = jwe.getKeyStorage().getCEKKey(JWEKeyStorage.KeyUse.ENCRYPTION, false);
|
||||||
|
if (aesKey == null) {
|
||||||
|
throw new IllegalArgumentException("AES CEK key not present");
|
||||||
|
}
|
||||||
|
|
||||||
|
Key hmacShaKey = jwe.getKeyStorage().getCEKKey(JWEKeyStorage.KeyUse.SIGNATURE, false);
|
||||||
|
if (hmacShaKey == null) {
|
||||||
|
throw new IllegalArgumentException("HMAC CEK key not present");
|
||||||
|
}
|
||||||
|
|
||||||
|
int expectedAesKeyLength = getExpectedAesKeyLength();
|
||||||
|
if (expectedAesKeyLength != aesKey.getEncoded().length) {
|
||||||
|
throw new IllegalStateException("Length of aes key should be " + expectedAesKeyLength +", but was " + aesKey.getEncoded().length);
|
||||||
|
}
|
||||||
|
|
||||||
|
byte[] cipherBytes = encryptBytes(contentBytes, initializationVector, aesKey);
|
||||||
|
|
||||||
|
byte[] aad = jwe.getBase64Header().getBytes("UTF-8");
|
||||||
|
byte[] authenticationTag = computeAuthenticationTag(aad, initializationVector, cipherBytes, hmacShaKey);
|
||||||
|
|
||||||
|
jwe.setEncryptedContentInfo(initializationVector, cipherBytes, authenticationTag);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void verifyAndDecodeJwe(JWE jwe) throws IOException, GeneralSecurityException {
|
||||||
|
Key aesKey = jwe.getKeyStorage().getCEKKey(JWEKeyStorage.KeyUse.ENCRYPTION, false);
|
||||||
|
if (aesKey == null) {
|
||||||
|
throw new IllegalArgumentException("AES CEK key not present");
|
||||||
|
}
|
||||||
|
|
||||||
|
Key hmacShaKey = jwe.getKeyStorage().getCEKKey(JWEKeyStorage.KeyUse.SIGNATURE, false);
|
||||||
|
if (hmacShaKey == null) {
|
||||||
|
throw new IllegalArgumentException("HMAC CEK key not present");
|
||||||
|
}
|
||||||
|
|
||||||
|
int expectedAesKeyLength = getExpectedAesKeyLength();
|
||||||
|
if (expectedAesKeyLength != aesKey.getEncoded().length) {
|
||||||
|
throw new IllegalStateException("Length of aes key should be " + expectedAesKeyLength +", but was " + aesKey.getEncoded().length);
|
||||||
|
}
|
||||||
|
|
||||||
|
byte[] aad = jwe.getBase64Header().getBytes("UTF-8");
|
||||||
|
byte[] authenticationTag = computeAuthenticationTag(aad, jwe.getInitializationVector(), jwe.getEncryptedContent(), hmacShaKey);
|
||||||
|
|
||||||
|
byte[] expectedAuthTag = jwe.getAuthenticationTag();
|
||||||
|
boolean digitsEqual = MessageDigest.isEqual(expectedAuthTag, authenticationTag);
|
||||||
|
|
||||||
|
if (!digitsEqual) {
|
||||||
|
throw new IllegalArgumentException("Signature validations failed");
|
||||||
|
}
|
||||||
|
|
||||||
|
byte[] contentBytes = decryptBytes(jwe.getEncryptedContent(), jwe.getInitializationVector(), aesKey);
|
||||||
|
|
||||||
|
jwe.content(contentBytes);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
protected abstract int getExpectedAesKeyLength();
|
||||||
|
|
||||||
|
protected abstract String getHmacShaAlgorithm();
|
||||||
|
|
||||||
|
protected abstract int getAuthenticationTagLength();
|
||||||
|
|
||||||
|
|
||||||
|
private byte[] encryptBytes(byte[] contentBytes, byte[] ivBytes, Key aesKey) throws GeneralSecurityException {
|
||||||
|
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding", "BC");
|
||||||
|
AlgorithmParameterSpec ivParamSpec = new IvParameterSpec(ivBytes);
|
||||||
|
cipher.init(Cipher.ENCRYPT_MODE, aesKey, ivParamSpec);
|
||||||
|
return cipher.doFinal(contentBytes);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
private byte[] decryptBytes(byte[] encryptedBytes, byte[] ivBytes, Key aesKey) throws GeneralSecurityException {
|
||||||
|
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding", "BC");
|
||||||
|
AlgorithmParameterSpec ivParamSpec = new IvParameterSpec(ivBytes);
|
||||||
|
cipher.init(Cipher.DECRYPT_MODE, aesKey, ivParamSpec);
|
||||||
|
return cipher.doFinal(encryptedBytes);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
private byte[] computeAuthenticationTag(byte[] aadBytes, byte[] ivBytes, byte[] cipherBytes, Key hmacKeySpec) throws NoSuchAlgorithmException, InvalidKeyException {
|
||||||
|
// Compute "al"
|
||||||
|
ByteBuffer b = ByteBuffer.allocate(4);
|
||||||
|
b.order(ByteOrder.BIG_ENDIAN); // optional, the initial order of a byte buffer is always BIG_ENDIAN.
|
||||||
|
int aadLengthInBits = aadBytes.length * 8;
|
||||||
|
b.putInt(aadLengthInBits);
|
||||||
|
byte[] result1 = b.array();
|
||||||
|
byte[] al = new byte[8];
|
||||||
|
System.arraycopy(result1, 0, al, 4, 4);
|
||||||
|
|
||||||
|
byte[] concatenatedHmacInput = new byte[aadBytes.length + ivBytes.length + cipherBytes.length + al.length];
|
||||||
|
System.arraycopy(aadBytes, 0, concatenatedHmacInput, 0, aadBytes.length);
|
||||||
|
System.arraycopy(ivBytes, 0, concatenatedHmacInput, aadBytes.length, ivBytes.length );
|
||||||
|
System.arraycopy(cipherBytes, 0, concatenatedHmacInput, aadBytes.length + ivBytes.length , cipherBytes.length);
|
||||||
|
System.arraycopy(al, 0, concatenatedHmacInput, aadBytes.length + ivBytes.length + cipherBytes.length, al.length);
|
||||||
|
|
||||||
|
String hmacShaAlg = getHmacShaAlgorithm();
|
||||||
|
Mac macImpl = Mac.getInstance(hmacShaAlg);
|
||||||
|
macImpl.init(hmacKeySpec);
|
||||||
|
macImpl.update(concatenatedHmacInput);
|
||||||
|
byte[] macEncoded = macImpl.doFinal();
|
||||||
|
|
||||||
|
int authTagLength = getAuthenticationTagLength();
|
||||||
|
return Arrays.copyOf(macEncoded, authTagLength);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void deserializeCEK(JWEKeyStorage keyStorage) {
|
||||||
|
byte[] cekBytes = keyStorage.getCekBytes();
|
||||||
|
|
||||||
|
int cekLength = getExpectedCEKLength();
|
||||||
|
byte[] cekMacKey = Arrays.copyOf(cekBytes, cekLength / 2);
|
||||||
|
byte[] cekAesKey = Arrays.copyOfRange(cekBytes, cekLength / 2, cekLength);
|
||||||
|
|
||||||
|
SecretKeySpec aesKey = new SecretKeySpec(cekAesKey, "AES");
|
||||||
|
SecretKeySpec hmacKey = new SecretKeySpec(cekMacKey, "HMACSHA2");
|
||||||
|
|
||||||
|
keyStorage.setCEKKey(aesKey, JWEKeyStorage.KeyUse.ENCRYPTION);
|
||||||
|
keyStorage.setCEKKey(hmacKey, JWEKeyStorage.KeyUse.SIGNATURE);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public byte[] serializeCEK(JWEKeyStorage keyStorage) {
|
||||||
|
Key aesKey = keyStorage.getCEKKey(JWEKeyStorage.KeyUse.ENCRYPTION, false);
|
||||||
|
if (aesKey == null) {
|
||||||
|
throw new IllegalArgumentException("AES CEK key not present");
|
||||||
|
}
|
||||||
|
|
||||||
|
Key hmacShaKey = keyStorage.getCEKKey(JWEKeyStorage.KeyUse.SIGNATURE, false);
|
||||||
|
if (hmacShaKey == null) {
|
||||||
|
throw new IllegalArgumentException("HMAC CEK key not present");
|
||||||
|
}
|
||||||
|
|
||||||
|
byte[] hmacBytes = hmacShaKey.getEncoded();
|
||||||
|
byte[] aesBytes = aesKey.getEncoded();
|
||||||
|
|
||||||
|
byte[] result = new byte[hmacBytes.length + aesBytes.length];
|
||||||
|
System.arraycopy(hmacBytes, 0, result, 0, hmacBytes.length);
|
||||||
|
System.arraycopy(aesBytes, 0, result, hmacBytes.length, aesBytes.length);
|
||||||
|
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
public static class Aes128CbcHmacSha256Provider extends AesCbcHmacShaEncryptionProvider {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected int getExpectedAesKeyLength() {
|
||||||
|
return 16;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected String getHmacShaAlgorithm() {
|
||||||
|
return "HMACSHA256";
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected int getAuthenticationTagLength() {
|
||||||
|
return 16;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public int getExpectedCEKLength() {
|
||||||
|
return 32;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public static class Aes192CbcHmacSha384Provider extends AesCbcHmacShaEncryptionProvider {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected int getExpectedAesKeyLength() {
|
||||||
|
return 24;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected String getHmacShaAlgorithm() {
|
||||||
|
return "HMACSHA384";
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected int getAuthenticationTagLength() {
|
||||||
|
return 24;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public int getExpectedCEKLength() {
|
||||||
|
return 48;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public static class Aes256CbcHmacSha512Provider extends AesCbcHmacShaEncryptionProvider {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected int getExpectedAesKeyLength() {
|
||||||
|
return 32;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected String getHmacShaAlgorithm() {
|
||||||
|
return "HMACSHA512";
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected int getAuthenticationTagLength() {
|
||||||
|
return 32;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public int getExpectedCEKLength() {
|
||||||
|
return 64;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,75 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.jose.jwe.enc;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.security.GeneralSecurityException;
|
||||||
|
import java.security.Key;
|
||||||
|
|
||||||
|
import org.keycloak.jose.jwe.JWE;
|
||||||
|
import org.keycloak.jose.jwe.JWEKeyStorage;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public interface JWEEncryptionProvider {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This method usually has 3 outputs:
|
||||||
|
* - generated initialization vector
|
||||||
|
* - encrypted content
|
||||||
|
* - authenticationTag for MAC validation
|
||||||
|
*
|
||||||
|
* It is supposed to call {@link JWE#setEncryptedContentInfo(byte[], byte[], byte[])} after it's finished
|
||||||
|
*
|
||||||
|
* @param jwe
|
||||||
|
* @throws IOException
|
||||||
|
* @throws GeneralSecurityException
|
||||||
|
*/
|
||||||
|
void encodeJwe(JWE jwe) throws Exception;
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This method is supposed to verify checksums and decrypt content. Then it needs to call {@link JWE#content(byte[])} after it's finished
|
||||||
|
*
|
||||||
|
* @param jwe
|
||||||
|
* @throws IOException
|
||||||
|
* @throws GeneralSecurityException
|
||||||
|
*/
|
||||||
|
void verifyAndDecodeJwe(JWE jwe) throws Exception;
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This method requires that decoded CEK keys are present in the keyStorage.decodedCEK map before it's called
|
||||||
|
*
|
||||||
|
* @param keyStorage
|
||||||
|
* @return
|
||||||
|
*/
|
||||||
|
byte[] serializeCEK(JWEKeyStorage keyStorage);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This method is supposed to deserialize keys. It requires that {@link JWEKeyStorage#getCekBytes()} is set. After keys are deserialized,
|
||||||
|
* this method needs to call {@link JWEKeyStorage#setCEKKey(Key, JWEKeyStorage.KeyUse)} according to all uses, which this encryption algorithm requires.
|
||||||
|
*
|
||||||
|
* @param keyStorage
|
||||||
|
*/
|
||||||
|
void deserializeCEK(JWEKeyStorage keyStorage);
|
||||||
|
|
||||||
|
int getExpectedCEKLength();
|
||||||
|
|
||||||
|
}
|
|
@ -25,6 +25,7 @@ public enum AlgorithmType {
|
||||||
|
|
||||||
RSA,
|
RSA,
|
||||||
HMAC,
|
HMAC,
|
||||||
|
AES,
|
||||||
ECDSA
|
ECDSA
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
39
core/src/main/java/org/keycloak/representations/CodeJWT.java
Normal file
39
core/src/main/java/org/keycloak/representations/CodeJWT.java
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.representations;
|
||||||
|
|
||||||
|
import com.fasterxml.jackson.annotation.JsonProperty;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public class CodeJWT extends JsonWebToken {
|
||||||
|
|
||||||
|
@JsonProperty("uss")
|
||||||
|
protected String userSessionId;
|
||||||
|
|
||||||
|
public String getUserSessionId() {
|
||||||
|
return userSessionId;
|
||||||
|
}
|
||||||
|
|
||||||
|
public CodeJWT userSessionId(String userSessionId) {
|
||||||
|
this.userSessionId = userSessionId;
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -18,11 +18,18 @@
|
||||||
package org.keycloak.util;
|
package org.keycloak.util;
|
||||||
|
|
||||||
import org.keycloak.OAuth2Constants;
|
import org.keycloak.OAuth2Constants;
|
||||||
|
import org.keycloak.jose.jwe.JWE;
|
||||||
|
import org.keycloak.jose.jwe.JWEConstants;
|
||||||
|
import org.keycloak.jose.jwe.JWEException;
|
||||||
|
import org.keycloak.jose.jwe.JWEHeader;
|
||||||
|
import org.keycloak.jose.jwe.JWEKeyStorage;
|
||||||
import org.keycloak.jose.jws.JWSInput;
|
import org.keycloak.jose.jws.JWSInput;
|
||||||
import org.keycloak.jose.jws.JWSInputException;
|
import org.keycloak.jose.jws.JWSInputException;
|
||||||
|
import org.keycloak.representations.JsonWebToken;
|
||||||
import org.keycloak.representations.RefreshToken;
|
import org.keycloak.representations.RefreshToken;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
import java.security.Key;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
@ -115,4 +122,52 @@ public class TokenUtil {
|
||||||
return token.getType().equals(TOKEN_TYPE_OFFLINE);
|
return token.getType().equals(TOKEN_TYPE_OFFLINE);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public static String jweDirectEncode(Key aesKey, Key hmacKey, JsonWebToken jwt) throws JWEException {
|
||||||
|
int keyLength = aesKey.getEncoded().length;
|
||||||
|
String encAlgorithm;
|
||||||
|
switch (keyLength) {
|
||||||
|
case 16: encAlgorithm = JWEConstants.A128CBC_HS256;
|
||||||
|
break;
|
||||||
|
case 24: encAlgorithm = JWEConstants.A192CBC_HS384;
|
||||||
|
break;
|
||||||
|
case 32: encAlgorithm = JWEConstants.A256CBC_HS512;
|
||||||
|
break;
|
||||||
|
default: throw new IllegalArgumentException("Bad size for Encryption key: " + aesKey + ". Valid sizes are 16, 24, 32.");
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
byte[] contentBytes = JsonSerialization.writeValueAsBytes(jwt);
|
||||||
|
|
||||||
|
JWEHeader jweHeader = new JWEHeader(JWEConstants.DIR, encAlgorithm, null);
|
||||||
|
JWE jwe = new JWE()
|
||||||
|
.header(jweHeader)
|
||||||
|
.content(contentBytes);
|
||||||
|
|
||||||
|
jwe.getKeyStorage()
|
||||||
|
.setCEKKey(aesKey, JWEKeyStorage.KeyUse.ENCRYPTION)
|
||||||
|
.setCEKKey(hmacKey, JWEKeyStorage.KeyUse.SIGNATURE);
|
||||||
|
|
||||||
|
return jwe.encodeJwe();
|
||||||
|
} catch (IOException ioe) {
|
||||||
|
throw new JWEException(ioe);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public static <T extends JsonWebToken> T jweDirectVerifyAndDecode(Key aesKey, Key hmacKey, String jweStr, Class<T> expectedClass) throws JWEException {
|
||||||
|
JWE jwe = new JWE();
|
||||||
|
jwe.getKeyStorage()
|
||||||
|
.setCEKKey(aesKey, JWEKeyStorage.KeyUse.ENCRYPTION)
|
||||||
|
.setCEKKey(hmacKey, JWEKeyStorage.KeyUse.SIGNATURE);
|
||||||
|
|
||||||
|
jwe.verifyAndDecodeJwe(jweStr);
|
||||||
|
|
||||||
|
try {
|
||||||
|
return JsonSerialization.readValue(jwe.getContent(), expectedClass);
|
||||||
|
} catch (IOException ioe) {
|
||||||
|
throw new JWEException(ioe);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
213
core/src/test/java/org/keycloak/jose/JWETest.java
Normal file
213
core/src/test/java/org/keycloak/jose/JWETest.java
Normal file
|
@ -0,0 +1,213 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.jose;
|
||||||
|
|
||||||
|
import java.io.UnsupportedEncodingException;
|
||||||
|
import java.security.Key;
|
||||||
|
|
||||||
|
import javax.crypto.SecretKey;
|
||||||
|
import javax.crypto.spec.SecretKeySpec;
|
||||||
|
|
||||||
|
import org.junit.Assert;
|
||||||
|
import org.junit.Test;
|
||||||
|
import org.keycloak.common.util.Base64Url;
|
||||||
|
import org.keycloak.jose.jwe.JWE;
|
||||||
|
import org.keycloak.jose.jwe.JWEConstants;
|
||||||
|
import org.keycloak.jose.jwe.JWEException;
|
||||||
|
import org.keycloak.jose.jwe.JWEHeader;
|
||||||
|
import org.keycloak.jose.jwe.JWEKeyStorage;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public class JWETest {
|
||||||
|
|
||||||
|
private static final String PAYLOAD = "Hello world! How are you man? I hope you are fine. This is some quite a long text, which is much longer than just simple 'Hello World'";
|
||||||
|
|
||||||
|
private static final byte[] HMAC_SHA256_KEY = new byte[] { 10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 110, 120, 13, 14, 15, 16 };
|
||||||
|
private static final byte[] AES_128_KEY = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
|
||||||
|
|
||||||
|
private static final byte[] HMAC_SHA512_KEY = new byte[] { 10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 110, 120, 13, 14, 15, 16, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
|
||||||
|
private static final byte[] AES_256_KEY = new byte[] { 10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 110, 120, 13, 14, 15, 16, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testDirect_Aes128CbcHmacSha256() throws Exception {
|
||||||
|
SecretKey aesKey = new SecretKeySpec(AES_128_KEY, "AES");
|
||||||
|
SecretKey hmacKey = new SecretKeySpec(HMAC_SHA256_KEY, "HMACSHA2");
|
||||||
|
|
||||||
|
testDirectEncryptAndDecrypt(aesKey, hmacKey, JWEConstants.A128CBC_HS256, PAYLOAD, true);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
// Works just on OpenJDK 8. Other JDKs (IBM, Oracle) have restrictions on maximum key size of AES to be 128
|
||||||
|
// @Test
|
||||||
|
public void testDirect_Aes256CbcHmacSha512() throws Exception {
|
||||||
|
final SecretKey aesKey = new SecretKeySpec(AES_256_KEY, "AES");
|
||||||
|
final SecretKey hmacKey = new SecretKeySpec(HMAC_SHA512_KEY, "HMACSHA2");
|
||||||
|
|
||||||
|
testDirectEncryptAndDecrypt(aesKey, hmacKey, JWEConstants.A256CBC_HS512, PAYLOAD, true);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
private void testDirectEncryptAndDecrypt(Key aesKey, Key hmacKey, String encAlgorithm, String payload, boolean sysout) throws Exception {
|
||||||
|
JWEHeader jweHeader = new JWEHeader(JWEConstants.DIR, encAlgorithm, null);
|
||||||
|
JWE jwe = new JWE()
|
||||||
|
.header(jweHeader)
|
||||||
|
.content(payload.getBytes("UTF-8"));
|
||||||
|
|
||||||
|
jwe.getKeyStorage()
|
||||||
|
.setCEKKey(aesKey, JWEKeyStorage.KeyUse.ENCRYPTION)
|
||||||
|
.setCEKKey(hmacKey, JWEKeyStorage.KeyUse.SIGNATURE);
|
||||||
|
|
||||||
|
String encodedContent = jwe.encodeJwe();
|
||||||
|
|
||||||
|
if (sysout) {
|
||||||
|
System.out.println("Encoded content: " + encodedContent);
|
||||||
|
System.out.println("Encoded content length: " + encodedContent.length());
|
||||||
|
}
|
||||||
|
|
||||||
|
jwe = new JWE();
|
||||||
|
jwe.getKeyStorage()
|
||||||
|
.setCEKKey(aesKey, JWEKeyStorage.KeyUse.ENCRYPTION)
|
||||||
|
.setCEKKey(hmacKey, JWEKeyStorage.KeyUse.SIGNATURE);
|
||||||
|
|
||||||
|
jwe.verifyAndDecodeJwe(encodedContent);
|
||||||
|
|
||||||
|
String decodedContent = new String(jwe.getContent(), "UTF-8");
|
||||||
|
|
||||||
|
Assert.assertEquals(payload, decodedContent);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
// @Test
|
||||||
|
public void testPerfDirect() throws Exception {
|
||||||
|
int iterations = 50000;
|
||||||
|
|
||||||
|
long start = System.currentTimeMillis();
|
||||||
|
for (int i=0 ; i<iterations ; i++) {
|
||||||
|
// took around 2950 ms with 50000 iterations
|
||||||
|
SecretKey aesKey = new SecretKeySpec(AES_128_KEY, "AES");
|
||||||
|
SecretKey hmacKey = new SecretKeySpec(HMAC_SHA256_KEY, "HMACSHA2");
|
||||||
|
String encAlg = JWEConstants.A128CBC_HS256;
|
||||||
|
|
||||||
|
// Similar perf like AES128CBC_HS256
|
||||||
|
//SecretKey aesKey = new SecretKeySpec(AES_256_KEY, "AES");
|
||||||
|
//SecretKey hmacKey = new SecretKeySpec(HMAC_SHA512_KEY, "HMACSHA2");
|
||||||
|
//String encAlg = JWEConstants.A256CBC_HS512;
|
||||||
|
|
||||||
|
String payload = PAYLOAD + i;
|
||||||
|
testDirectEncryptAndDecrypt(aesKey, hmacKey, encAlg, payload, false);
|
||||||
|
}
|
||||||
|
|
||||||
|
long took = System.currentTimeMillis() - start;
|
||||||
|
System.out.println("Iterations: " + iterations + ", took: " + took);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testAesKW_Aes128CbcHmacSha256() throws Exception {
|
||||||
|
SecretKey aesKey = new SecretKeySpec(AES_128_KEY, "AES");
|
||||||
|
|
||||||
|
JWEHeader jweHeader = new JWEHeader(JWEConstants.A128KW, JWEConstants.A128CBC_HS256, null);
|
||||||
|
JWE jwe = new JWE()
|
||||||
|
.header(jweHeader)
|
||||||
|
.content(PAYLOAD.getBytes("UTF-8"));
|
||||||
|
|
||||||
|
jwe.getKeyStorage()
|
||||||
|
.setEncryptionKey(aesKey);
|
||||||
|
|
||||||
|
String encodedContent = jwe.encodeJwe();
|
||||||
|
|
||||||
|
System.out.println("Encoded content: " + encodedContent);
|
||||||
|
System.out.println("Encoded content length: " + encodedContent.length());
|
||||||
|
|
||||||
|
jwe = new JWE();
|
||||||
|
jwe.getKeyStorage()
|
||||||
|
.setEncryptionKey(aesKey);
|
||||||
|
|
||||||
|
jwe.verifyAndDecodeJwe(encodedContent);
|
||||||
|
|
||||||
|
String decodedContent = new String(jwe.getContent(), "UTF-8");
|
||||||
|
|
||||||
|
Assert.assertEquals(PAYLOAD, decodedContent);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void externalJweAes128CbcHmacSha256Test() throws UnsupportedEncodingException, JWEException {
|
||||||
|
String externalJwe = "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiZGlyIn0..qysUrI1iVtiG4Z4jyr7XXg.apdNSQhR7WDMg6IHf5aLVI0gGp6JuOHYmIUtflns4WHmyxOOnh_GShLI6DWaK_SiywTV5gZvZYtl8H8Iv5fTfLkc4tiDDjbdtmsOP7tqyRxVh069gU5UvEAgmCXbIKALutgYXcYe2WM4E6BIHPTSt8jXdkktFcm7XHiD7mpakZyjXsG8p3XVkQJ72WbJI_t6.Ks6gHeko7BRTZ4CFs5ijRA";
|
||||||
|
System.out.println("External encoded content length: " + externalJwe.length());
|
||||||
|
|
||||||
|
final SecretKey aesKey = new SecretKeySpec(AES_128_KEY, "AES");
|
||||||
|
final SecretKey hmacKey = new SecretKeySpec(HMAC_SHA256_KEY, "HMACSHA2");
|
||||||
|
|
||||||
|
JWE jwe = new JWE();
|
||||||
|
jwe.getKeyStorage()
|
||||||
|
.setCEKKey(aesKey, JWEKeyStorage.KeyUse.ENCRYPTION)
|
||||||
|
.setCEKKey(hmacKey, JWEKeyStorage.KeyUse.SIGNATURE);
|
||||||
|
|
||||||
|
jwe.verifyAndDecodeJwe(externalJwe);
|
||||||
|
|
||||||
|
String decodedContent = new String(jwe.getContent(), "UTF-8");
|
||||||
|
|
||||||
|
Assert.assertEquals(PAYLOAD, decodedContent);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
// Works just on OpenJDK 8. Other JDKs (IBM, Oracle) have restrictions on maximum key size of AES to be 128
|
||||||
|
// @Test
|
||||||
|
public void externalJweAes256CbcHmacSha512Test() throws UnsupportedEncodingException, JWEException {
|
||||||
|
String externalJwe = "eyJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwiYWxnIjoiZGlyIn0..xUPndQ5U69CYaWMKr4nyeg.AzSzba6OdNsvTIoNpub8d2TmYnkY7W8Sd-1S33DjJwJsSaNcfvfXBq5bqXAGVAnLHrLZJKWoEYsmOrYHz3Nao-kpLtUpc4XZI8yiYUqkHTjmxZnfD02R6hz31a5KBCnDTtUEv23VSxm8yUyQKoUTpVHbJ3b2VQvycg2XFUXPsA6oaSSEpz-uwe1Vmun2hUBB.Qal4rMYn1RrXQ9AQ9ONUjUXvlS2ow8np-T8QWMBR0ns";
|
||||||
|
System.out.println("External encoded content length: " + externalJwe.length());
|
||||||
|
|
||||||
|
final SecretKey aesKey = new SecretKeySpec(AES_256_KEY, "AES");
|
||||||
|
final SecretKey hmacKey = new SecretKeySpec(HMAC_SHA512_KEY, "HMACSHA2");
|
||||||
|
|
||||||
|
JWE jwe = new JWE();
|
||||||
|
jwe.getKeyStorage()
|
||||||
|
.setCEKKey(aesKey, JWEKeyStorage.KeyUse.ENCRYPTION)
|
||||||
|
.setCEKKey(hmacKey, JWEKeyStorage.KeyUse.SIGNATURE);
|
||||||
|
|
||||||
|
jwe.verifyAndDecodeJwe(externalJwe);
|
||||||
|
|
||||||
|
String decodedContent = new String(jwe.getContent(), "UTF-8");
|
||||||
|
|
||||||
|
Assert.assertEquals(PAYLOAD, decodedContent);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void externalJweAes128KeyWrapTest() throws Exception {
|
||||||
|
// See example "A.3" from JWE specification - https://tools.ietf.org/html/rfc7516#page-41
|
||||||
|
String externalJwe = "eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0.6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ.AxY8DCtDaGlsbGljb3RoZQ.KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY.U0m_YmjN04DJvceFICbCVQ";
|
||||||
|
|
||||||
|
byte[] aesKey = Base64Url.decode("GawgguFyGrWKav7AX4VKUg");
|
||||||
|
SecretKeySpec aesKeySpec = new SecretKeySpec(aesKey, "AES");
|
||||||
|
|
||||||
|
JWE jwe = new JWE();
|
||||||
|
jwe.getKeyStorage()
|
||||||
|
.setEncryptionKey(aesKeySpec);
|
||||||
|
|
||||||
|
jwe.verifyAndDecodeJwe(externalJwe);
|
||||||
|
|
||||||
|
String decodedContent = new String(jwe.getContent(), "UTF-8");
|
||||||
|
|
||||||
|
Assert.assertEquals("Live long and prosper.", decodedContent);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -24,12 +24,10 @@ import java.util.Set;
|
||||||
|
|
||||||
import org.keycloak.models.AuthenticatedClientSessionModel;
|
import org.keycloak.models.AuthenticatedClientSessionModel;
|
||||||
import org.keycloak.models.ClientModel;
|
import org.keycloak.models.ClientModel;
|
||||||
import org.keycloak.models.KeycloakSession;
|
|
||||||
import org.keycloak.models.RealmModel;
|
import org.keycloak.models.RealmModel;
|
||||||
import org.keycloak.models.UserSessionModel;
|
import org.keycloak.models.UserSessionModel;
|
||||||
import org.keycloak.models.sessions.infinispan.changes.InfinispanChangelogBasedTransaction;
|
import org.keycloak.models.sessions.infinispan.changes.InfinispanChangelogBasedTransaction;
|
||||||
import org.keycloak.models.sessions.infinispan.changes.SessionEntityWrapper;
|
import org.keycloak.models.sessions.infinispan.changes.SessionEntityWrapper;
|
||||||
import org.keycloak.models.sessions.infinispan.changes.SessionUpdateTask;
|
|
||||||
import org.keycloak.models.sessions.infinispan.changes.UserSessionClientSessionUpdateTask;
|
import org.keycloak.models.sessions.infinispan.changes.UserSessionClientSessionUpdateTask;
|
||||||
import org.keycloak.models.sessions.infinispan.changes.UserSessionUpdateTask;
|
import org.keycloak.models.sessions.infinispan.changes.UserSessionUpdateTask;
|
||||||
import org.keycloak.models.sessions.infinispan.entities.AuthenticatedClientSessionEntity;
|
import org.keycloak.models.sessions.infinispan.entities.AuthenticatedClientSessionEntity;
|
||||||
|
@ -40,7 +38,7 @@ import org.keycloak.models.sessions.infinispan.entities.UserSessionEntity;
|
||||||
*/
|
*/
|
||||||
public class AuthenticatedClientSessionAdapter implements AuthenticatedClientSessionModel {
|
public class AuthenticatedClientSessionAdapter implements AuthenticatedClientSessionModel {
|
||||||
|
|
||||||
private final AuthenticatedClientSessionEntity entity;
|
private AuthenticatedClientSessionEntity entity;
|
||||||
private final ClientModel client;
|
private final ClientModel client;
|
||||||
private final InfinispanUserSessionProvider provider;
|
private final InfinispanUserSessionProvider provider;
|
||||||
private final InfinispanChangelogBasedTransaction updateTx;
|
private final InfinispanChangelogBasedTransaction updateTx;
|
||||||
|
@ -63,7 +61,6 @@ public class AuthenticatedClientSessionAdapter implements AuthenticatedClientSes
|
||||||
@Override
|
@Override
|
||||||
public void setUserSession(UserSessionModel userSession) {
|
public void setUserSession(UserSessionModel userSession) {
|
||||||
String clientUUID = client.getId();
|
String clientUUID = client.getId();
|
||||||
UserSessionEntity sessionEntity = this.userSession.getEntity();
|
|
||||||
|
|
||||||
// Dettach userSession
|
// Dettach userSession
|
||||||
if (userSession == null) {
|
if (userSession == null) {
|
||||||
|
@ -83,7 +80,11 @@ public class AuthenticatedClientSessionAdapter implements AuthenticatedClientSes
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void runUpdate(UserSessionEntity sessionEntity) {
|
public void runUpdate(UserSessionEntity sessionEntity) {
|
||||||
sessionEntity.getAuthenticatedClientSessions().put(clientUUID, entity);
|
AuthenticatedClientSessionEntity current = sessionEntity.getAuthenticatedClientSessions().putIfAbsent(clientUUID, entity);
|
||||||
|
if (current != null) {
|
||||||
|
// It may happen when 2 concurrent HTTP requests trying SSO login against same client
|
||||||
|
entity = current;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
|
@ -0,0 +1,57 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.models.sessions.infinispan;
|
||||||
|
|
||||||
|
import java.util.UUID;
|
||||||
|
import java.util.concurrent.TimeUnit;
|
||||||
|
import java.util.function.Supplier;
|
||||||
|
|
||||||
|
import org.infinispan.commons.api.BasicCache;
|
||||||
|
import org.keycloak.models.CodeToTokenStoreProvider;
|
||||||
|
import org.keycloak.models.KeycloakSession;
|
||||||
|
import org.keycloak.models.sessions.infinispan.entities.ActionTokenValueEntity;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public class InfinispanCodeToTokenStoreProvider implements CodeToTokenStoreProvider {
|
||||||
|
|
||||||
|
private final Supplier<BasicCache<UUID, ActionTokenValueEntity>> codeCache;
|
||||||
|
private final KeycloakSession session;
|
||||||
|
|
||||||
|
public InfinispanCodeToTokenStoreProvider(KeycloakSession session, Supplier<BasicCache<UUID, ActionTokenValueEntity>> actionKeyCache) {
|
||||||
|
this.session = session;
|
||||||
|
this.codeCache = actionKeyCache;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean putIfAbsent(UUID codeId) {
|
||||||
|
ActionTokenValueEntity tokenValue = new ActionTokenValueEntity(null);
|
||||||
|
|
||||||
|
int lifespanInSeconds = session.getContext().getRealm().getAccessCodeLifespan();
|
||||||
|
|
||||||
|
BasicCache<UUID, ActionTokenValueEntity> cache = codeCache.get();
|
||||||
|
ActionTokenValueEntity existing = cache.putIfAbsent(codeId, tokenValue, lifespanInSeconds, TimeUnit.SECONDS);
|
||||||
|
return existing == null;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void close() {
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,98 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.models.sessions.infinispan;
|
||||||
|
|
||||||
|
import java.util.UUID;
|
||||||
|
import java.util.function.Supplier;
|
||||||
|
|
||||||
|
import org.infinispan.Cache;
|
||||||
|
import org.infinispan.client.hotrod.Flag;
|
||||||
|
import org.infinispan.client.hotrod.RemoteCache;
|
||||||
|
import org.infinispan.commons.api.BasicCache;
|
||||||
|
import org.jboss.logging.Logger;
|
||||||
|
import org.keycloak.Config;
|
||||||
|
import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
|
||||||
|
import org.keycloak.models.CodeToTokenStoreProvider;
|
||||||
|
import org.keycloak.models.CodeToTokenStoreProviderFactory;
|
||||||
|
import org.keycloak.models.KeycloakSession;
|
||||||
|
import org.keycloak.models.KeycloakSessionFactory;
|
||||||
|
import org.keycloak.models.sessions.infinispan.entities.ActionTokenValueEntity;
|
||||||
|
import org.keycloak.models.sessions.infinispan.util.InfinispanUtil;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public class InfinispanCodeToTokenStoreProviderFactory implements CodeToTokenStoreProviderFactory {
|
||||||
|
|
||||||
|
private static final Logger LOG = Logger.getLogger(InfinispanCodeToTokenStoreProviderFactory.class);
|
||||||
|
|
||||||
|
// Reuse "actionTokens" infinispan cache for now
|
||||||
|
private volatile Supplier<BasicCache<UUID, ActionTokenValueEntity>> codeCache;
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public CodeToTokenStoreProvider create(KeycloakSession session) {
|
||||||
|
lazyInit(session);
|
||||||
|
return new InfinispanCodeToTokenStoreProvider(session, codeCache);
|
||||||
|
}
|
||||||
|
|
||||||
|
private void lazyInit(KeycloakSession session) {
|
||||||
|
if (codeCache == null) {
|
||||||
|
synchronized (this) {
|
||||||
|
if (codeCache == null) {
|
||||||
|
InfinispanConnectionProvider connections = session.getProvider(InfinispanConnectionProvider.class);
|
||||||
|
Cache cache = connections.getCache(InfinispanConnectionProvider.ACTION_TOKEN_CACHE);
|
||||||
|
|
||||||
|
RemoteCache remoteCache = InfinispanUtil.getRemoteCache(cache);
|
||||||
|
|
||||||
|
if (remoteCache != null) {
|
||||||
|
LOG.debugf("Having remote stores. Using remote cache '%s' for single-use cache of code", remoteCache.getName());
|
||||||
|
this.codeCache = () -> {
|
||||||
|
// Doing this way as flag is per invocation
|
||||||
|
return remoteCache.withFlags(Flag.FORCE_RETURN_VALUE);
|
||||||
|
};
|
||||||
|
} else {
|
||||||
|
LOG.debugf("Not having remote stores. Using normal cache '%s' for single-use cache of code", cache.getName());
|
||||||
|
this.codeCache = () -> {
|
||||||
|
return cache;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void init(Config.Scope config) {
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void postInit(KeycloakSessionFactory factory) {
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void close() {
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getId() {
|
||||||
|
return "infinispan";
|
||||||
|
}
|
||||||
|
}
|
|
@ -88,6 +88,11 @@ public class InfinispanKeycloakTransaction implements KeycloakTransaction {
|
||||||
public void execute() {
|
public void execute() {
|
||||||
decorateCache(cache).put(key, value);
|
decorateCache(cache).put(key, value);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String toString() {
|
||||||
|
return String.format("CacheTaskWithValue: Operation 'put' for key %s", key);
|
||||||
|
}
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -104,6 +109,11 @@ public class InfinispanKeycloakTransaction implements KeycloakTransaction {
|
||||||
public void execute() {
|
public void execute() {
|
||||||
decorateCache(cache).put(key, value, lifespan, lifespanUnit);
|
decorateCache(cache).put(key, value, lifespan, lifespanUnit);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String toString() {
|
||||||
|
return String.format("CacheTaskWithValue: Operation 'put' for key %s, lifespan %d TimeUnit %s", key, lifespan, lifespanUnit.toString());
|
||||||
|
}
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -123,6 +133,11 @@ public class InfinispanKeycloakTransaction implements KeycloakTransaction {
|
||||||
throw new IllegalStateException("There is already existing value in cache for key " + key);
|
throw new IllegalStateException("There is already existing value in cache for key " + key);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String toString() {
|
||||||
|
return String.format("CacheTaskWithValue: Operation 'putIfAbsent' for key %s", key);
|
||||||
|
}
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -142,6 +157,12 @@ public class InfinispanKeycloakTransaction implements KeycloakTransaction {
|
||||||
public void execute() {
|
public void execute() {
|
||||||
decorateCache(cache).replace(key, value);
|
decorateCache(cache).replace(key, value);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String toString() {
|
||||||
|
return String.format("CacheTaskWithValue: Operation 'replace' for key %s", key);
|
||||||
|
}
|
||||||
|
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -162,7 +183,21 @@ public class InfinispanKeycloakTransaction implements KeycloakTransaction {
|
||||||
log.tracev("Adding cache operation: {0} on {1}", CacheOperation.REMOVE, key);
|
log.tracev("Adding cache operation: {0} on {1}", CacheOperation.REMOVE, key);
|
||||||
|
|
||||||
Object taskKey = getTaskKey(cache, key);
|
Object taskKey = getTaskKey(cache, key);
|
||||||
tasks.put(taskKey, () -> decorateCache(cache).remove(key));
|
|
||||||
|
// TODO:performance Eventual performance optimization could be to skip "cache.remove" if item was added in this transaction (EG. authenticationSession valid for single request due to automatic SSO login)
|
||||||
|
tasks.put(taskKey, new CacheTask() {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void execute() {
|
||||||
|
decorateCache(cache).remove(key);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String toString() {
|
||||||
|
return String.format("CacheTask: Operation 'remove' for key %s", key);
|
||||||
|
}
|
||||||
|
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
// This is for possibility to lookup for session by id, which was created in this transaction
|
// This is for possibility to lookup for session by id, which was created in this transaction
|
||||||
|
|
|
@ -39,7 +39,7 @@ public class AuthenticatedClientSessionEntity implements Serializable {
|
||||||
|
|
||||||
private String authMethod;
|
private String authMethod;
|
||||||
private String redirectUri;
|
private String redirectUri;
|
||||||
private int timestamp;
|
private volatile int timestamp;
|
||||||
private String action;
|
private String action;
|
||||||
|
|
||||||
private Set<String> roles;
|
private Set<String> roles;
|
||||||
|
|
|
@ -48,16 +48,16 @@ public class KeycloakRemoteStoreConfiguration extends RemoteStoreConfiguration {
|
||||||
|
|
||||||
|
|
||||||
public String useConfigTemplateFromCache() {
|
public String useConfigTemplateFromCache() {
|
||||||
return useConfigTemplateFromCache==null ? null : useConfigTemplateFromCache.get();
|
return useConfigTemplateFromCache.get();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
public String remoteServers() {
|
public String remoteServers() {
|
||||||
return remoteServers==null ? null : remoteServers.get();
|
return remoteServers.get();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
public Boolean sessionCache() {
|
public Boolean sessionCache() {
|
||||||
return sessionCache==null ? false : sessionCache.get();
|
return sessionCache.get()==null ? false : sessionCache.get();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,18 @@
|
||||||
|
#
|
||||||
|
# Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
# and other contributors as indicated by the @author tags.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
#
|
||||||
|
|
||||||
|
org.keycloak.models.sessions.infinispan.InfinispanCodeToTokenStoreProviderFactory
|
|
@ -0,0 +1,34 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.keys;
|
||||||
|
|
||||||
|
import org.keycloak.jose.jws.AlgorithmType;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public interface AesKeyProvider extends SecretKeyProvider {
|
||||||
|
|
||||||
|
default AlgorithmType getType() {
|
||||||
|
return AlgorithmType.AES;
|
||||||
|
}
|
||||||
|
|
||||||
|
default String getJavaAlgorithmName() {
|
||||||
|
return "AES";
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,34 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.keys;
|
||||||
|
|
||||||
|
import java.util.Collections;
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
|
import org.keycloak.jose.jws.AlgorithmType;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public interface AesKeyProviderFactory extends KeyProviderFactory<AesKeyProvider> {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
default Map<String, Object> getTypeMetadata() {
|
||||||
|
return Collections.singletonMap("algorithmType", AlgorithmType.AES);
|
||||||
|
}
|
||||||
|
}
|
|
@ -19,34 +19,17 @@ package org.keycloak.keys;
|
||||||
|
|
||||||
import org.keycloak.jose.jws.AlgorithmType;
|
import org.keycloak.jose.jws.AlgorithmType;
|
||||||
|
|
||||||
import javax.crypto.SecretKey;
|
|
||||||
import java.security.PrivateKey;
|
|
||||||
import java.security.PublicKey;
|
|
||||||
import java.security.cert.X509Certificate;
|
|
||||||
import java.util.List;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||||
*/
|
*/
|
||||||
public interface HmacKeyProvider extends KeyProvider<HmacKeyMetadata> {
|
public interface HmacKeyProvider extends SecretKeyProvider {
|
||||||
|
|
||||||
default AlgorithmType getType() {
|
default AlgorithmType getType() {
|
||||||
return AlgorithmType.HMAC;
|
return AlgorithmType.HMAC;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
default String getJavaAlgorithmName() {
|
||||||
* Return the active secret key, or <code>null</code> if no active key is available.
|
return "HmacSHA256";
|
||||||
*
|
}
|
||||||
* @return
|
|
||||||
*/
|
|
||||||
SecretKey getSecretKey();
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Return the secret key for the specified kid, or <code>null</code> if the kid is unknown.
|
|
||||||
*
|
|
||||||
* @param kid
|
|
||||||
* @return
|
|
||||||
*/
|
|
||||||
SecretKey getSecretKey(String kid);
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -25,7 +25,7 @@ import java.util.Map;
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||||
*/
|
*/
|
||||||
public interface HmacKeyProviderFactory extends KeyProviderFactory {
|
public interface HmacKeyProviderFactory extends KeyProviderFactory<HmacKeyProvider> {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
default Map<String, Object> getTypeMetadata() {
|
default Map<String, Object> getTypeMetadata() {
|
||||||
|
|
|
@ -0,0 +1,50 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.keys;
|
||||||
|
|
||||||
|
import javax.crypto.SecretKey;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Base for secret key providers (HMAC, AES)
|
||||||
|
*
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public interface SecretKeyProvider extends KeyProvider<SecretKeyMetadata> {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return the active secret key, or <code>null</code> if no active key is available.
|
||||||
|
*
|
||||||
|
* @return
|
||||||
|
*/
|
||||||
|
SecretKey getSecretKey();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return the secret key for the specified kid, or <code>null</code> if the kid is unknown.
|
||||||
|
*
|
||||||
|
* @param kid
|
||||||
|
* @return
|
||||||
|
*/
|
||||||
|
SecretKey getSecretKey(String kid);
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return name of Java (JCA) algorithm of the key. For example: HmacSHA256
|
||||||
|
* @return
|
||||||
|
*/
|
||||||
|
String getJavaAlgorithmName();
|
||||||
|
}
|
|
@ -36,6 +36,7 @@ import org.keycloak.migration.migrators.MigrateTo3_0_0;
|
||||||
import org.keycloak.migration.migrators.MigrateTo3_1_0;
|
import org.keycloak.migration.migrators.MigrateTo3_1_0;
|
||||||
import org.keycloak.migration.migrators.MigrateTo3_2_0;
|
import org.keycloak.migration.migrators.MigrateTo3_2_0;
|
||||||
import org.keycloak.migration.migrators.MigrateTo3_3_0;
|
import org.keycloak.migration.migrators.MigrateTo3_3_0;
|
||||||
|
import org.keycloak.migration.migrators.MigrateTo3_4_0;
|
||||||
import org.keycloak.migration.migrators.Migration;
|
import org.keycloak.migration.migrators.Migration;
|
||||||
import org.keycloak.models.KeycloakSession;
|
import org.keycloak.models.KeycloakSession;
|
||||||
|
|
||||||
|
@ -64,7 +65,8 @@ public class MigrationModelManager {
|
||||||
new MigrateTo3_0_0(),
|
new MigrateTo3_0_0(),
|
||||||
new MigrateTo3_1_0(),
|
new MigrateTo3_1_0(),
|
||||||
new MigrateTo3_2_0(),
|
new MigrateTo3_2_0(),
|
||||||
new MigrateTo3_3_0()
|
new MigrateTo3_3_0(),
|
||||||
|
new MigrateTo3_4_0()
|
||||||
};
|
};
|
||||||
|
|
||||||
public static void migrate(KeycloakSession session) {
|
public static void migrate(KeycloakSession session) {
|
||||||
|
|
|
@ -0,0 +1,42 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.migration.migrators;
|
||||||
|
|
||||||
|
import org.keycloak.migration.ModelVersion;
|
||||||
|
import org.keycloak.models.KeycloakSession;
|
||||||
|
import org.keycloak.models.utils.DefaultKeyProviders;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public class MigrateTo3_4_0 implements Migration {
|
||||||
|
|
||||||
|
public static final ModelVersion VERSION = new ModelVersion("3.4.0");
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void migrate(KeycloakSession session) {
|
||||||
|
session.realms().getRealms().stream().forEach(
|
||||||
|
r -> DefaultKeyProviders.createAesProvider(r)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public ModelVersion getVersion() {
|
||||||
|
return VERSION;
|
||||||
|
}
|
||||||
|
}
|
|
@ -22,6 +22,10 @@ import java.util.Map;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Internal action token store provider.
|
* Internal action token store provider.
|
||||||
|
*
|
||||||
|
* It's used for store the details about used action tokens. There is separate provider for OAuth2 codes - {@link CodeToTokenStoreProvider},
|
||||||
|
* which may reuse some components (eg. same infinispan cache)
|
||||||
|
*
|
||||||
* @author hmlnarik
|
* @author hmlnarik
|
||||||
*/
|
*/
|
||||||
public interface ActionTokenStoreProvider extends Provider {
|
public interface ActionTokenStoreProvider extends Provider {
|
||||||
|
|
|
@ -0,0 +1,34 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.models;
|
||||||
|
|
||||||
|
import java.util.UUID;
|
||||||
|
|
||||||
|
import org.keycloak.provider.Provider;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Provides single-use cache for OAuth2 code parameter. Used to ensure that particular value of code parameter is used once.
|
||||||
|
*
|
||||||
|
* For now, it is separate provider as it's a bit different use-case than {@link ActionTokenStoreProvider}, however it may reuse some components (eg. same infinispan cache)
|
||||||
|
*
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public interface CodeToTokenStoreProvider extends Provider {
|
||||||
|
|
||||||
|
boolean putIfAbsent(UUID codeId);
|
||||||
|
}
|
|
@ -0,0 +1,26 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.models;
|
||||||
|
|
||||||
|
import org.keycloak.provider.ProviderFactory;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public interface CodeToTokenStoreProviderFactory extends ProviderFactory<CodeToTokenStoreProvider> {
|
||||||
|
}
|
|
@ -0,0 +1,50 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.models;
|
||||||
|
|
||||||
|
import org.keycloak.provider.Provider;
|
||||||
|
import org.keycloak.provider.ProviderFactory;
|
||||||
|
import org.keycloak.provider.Spi;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public class CodeToTokenStoreSpi implements Spi {
|
||||||
|
|
||||||
|
public static final String NAME = "codeToTokenStore";
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean isInternal() {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getName() {
|
||||||
|
return NAME;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Class<? extends Provider> getProviderClass() {
|
||||||
|
return CodeToTokenStoreProvider.class;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Class<? extends ProviderFactory> getProviderFactoryClass() {
|
||||||
|
return CodeToTokenStoreProviderFactory.class;
|
||||||
|
}
|
||||||
|
}
|
|
@ -41,6 +41,7 @@ public class DefaultKeyProviders {
|
||||||
realm.addComponentModel(generated);
|
realm.addComponentModel(generated);
|
||||||
|
|
||||||
createSecretProvider(realm);
|
createSecretProvider(realm);
|
||||||
|
createAesProvider(realm);
|
||||||
}
|
}
|
||||||
|
|
||||||
public static void createSecretProvider(RealmModel realm) {
|
public static void createSecretProvider(RealmModel realm) {
|
||||||
|
@ -57,6 +58,20 @@ public class DefaultKeyProviders {
|
||||||
realm.addComponentModel(generated);
|
realm.addComponentModel(generated);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static void createAesProvider(RealmModel realm) {
|
||||||
|
ComponentModel generated = new ComponentModel();
|
||||||
|
generated.setName("aes-generated");
|
||||||
|
generated.setParentId(realm.getId());
|
||||||
|
generated.setProviderId("aes-generated");
|
||||||
|
generated.setProviderType(KeyProvider.class.getName());
|
||||||
|
|
||||||
|
MultivaluedHashMap<String, String> config = new MultivaluedHashMap<>();
|
||||||
|
config.putSingle("priority", "100");
|
||||||
|
generated.setConfig(config);
|
||||||
|
|
||||||
|
realm.addComponentModel(generated);
|
||||||
|
}
|
||||||
|
|
||||||
public static void createProviders(RealmModel realm, String privateKeyPem, String certificatePem) {
|
public static void createProviders(RealmModel realm, String privateKeyPem, String certificatePem) {
|
||||||
ComponentModel rsa = new ComponentModel();
|
ComponentModel rsa = new ComponentModel();
|
||||||
rsa.setName("rsa");
|
rsa.setName("rsa");
|
||||||
|
@ -75,6 +90,7 @@ public class DefaultKeyProviders {
|
||||||
realm.addComponentModel(rsa);
|
realm.addComponentModel(rsa);
|
||||||
|
|
||||||
createSecretProvider(realm);
|
createSecretProvider(realm);
|
||||||
|
createAesProvider(realm);
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -20,6 +20,7 @@ org.keycloak.storage.UserStorageProviderSpi
|
||||||
org.keycloak.storage.federated.UserFederatedStorageProviderSpi
|
org.keycloak.storage.federated.UserFederatedStorageProviderSpi
|
||||||
org.keycloak.models.RealmSpi
|
org.keycloak.models.RealmSpi
|
||||||
org.keycloak.models.ActionTokenStoreSpi
|
org.keycloak.models.ActionTokenStoreSpi
|
||||||
|
org.keycloak.models.CodeToTokenStoreSpi
|
||||||
org.keycloak.models.UserSessionSpi
|
org.keycloak.models.UserSessionSpi
|
||||||
org.keycloak.models.UserSpi
|
org.keycloak.models.UserSpi
|
||||||
org.keycloak.models.session.UserSessionPersisterSpi
|
org.keycloak.models.session.UserSessionPersisterSpi
|
||||||
|
|
|
@ -20,6 +20,6 @@ package org.keycloak.keys;
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||||
*/
|
*/
|
||||||
public class HmacKeyMetadata extends KeyMetadata {
|
public class SecretKeyMetadata extends KeyMetadata {
|
||||||
|
|
||||||
}
|
}
|
|
@ -17,7 +17,7 @@
|
||||||
|
|
||||||
package org.keycloak.models;
|
package org.keycloak.models;
|
||||||
|
|
||||||
import org.keycloak.keys.HmacKeyMetadata;
|
import org.keycloak.keys.SecretKeyMetadata;
|
||||||
import org.keycloak.keys.RsaKeyMetadata;
|
import org.keycloak.keys.RsaKeyMetadata;
|
||||||
|
|
||||||
import javax.crypto.SecretKey;
|
import javax.crypto.SecretKey;
|
||||||
|
@ -44,7 +44,13 @@ public interface KeyManager {
|
||||||
|
|
||||||
SecretKey getHmacSecretKey(RealmModel realm, String kid);
|
SecretKey getHmacSecretKey(RealmModel realm, String kid);
|
||||||
|
|
||||||
List<HmacKeyMetadata> getHmacKeys(RealmModel realm, boolean includeDisabled);
|
List<SecretKeyMetadata> getHmacKeys(RealmModel realm, boolean includeDisabled);
|
||||||
|
|
||||||
|
ActiveAesKey getActiveAesKey(RealmModel realm);
|
||||||
|
|
||||||
|
SecretKey getAesSecretKey(RealmModel realm, String kid);
|
||||||
|
|
||||||
|
List<SecretKeyMetadata> getAesKeys(RealmModel realm, boolean includeDisabled);
|
||||||
|
|
||||||
class ActiveRsaKey {
|
class ActiveRsaKey {
|
||||||
private final String kid;
|
private final String kid;
|
||||||
|
@ -94,4 +100,23 @@ public interface KeyManager {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
class ActiveAesKey {
|
||||||
|
private final String kid;
|
||||||
|
private final SecretKey secretKey;
|
||||||
|
|
||||||
|
public ActiveAesKey(String kid, SecretKey secretKey) {
|
||||||
|
this.kid = kid;
|
||||||
|
this.secretKey = secretKey;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getKid() {
|
||||||
|
return kid;
|
||||||
|
}
|
||||||
|
|
||||||
|
public SecretKey getSecretKey() {
|
||||||
|
return secretKey;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -56,7 +56,6 @@ public interface CommonClientSessionModel {
|
||||||
|
|
||||||
public static enum Action {
|
public static enum Action {
|
||||||
OAUTH_GRANT,
|
OAUTH_GRANT,
|
||||||
CODE_TO_TOKEN,
|
|
||||||
AUTHENTICATE,
|
AUTHENTICATE,
|
||||||
LOGGED_OUT,
|
LOGGED_OUT,
|
||||||
LOGGING_OUT,
|
LOGGING_OUT,
|
||||||
|
|
|
@ -223,7 +223,7 @@ public class AuthenticationProcessor {
|
||||||
public String generateCode() {
|
public String generateCode() {
|
||||||
ClientSessionCode accessCode = new ClientSessionCode(session, getRealm(), getAuthenticationSession());
|
ClientSessionCode accessCode = new ClientSessionCode(session, getRealm(), getAuthenticationSession());
|
||||||
authenticationSession.setTimestamp(Time.currentTime());
|
authenticationSession.setTimestamp(Time.currentTime());
|
||||||
return accessCode.getCode();
|
return accessCode.getOrGenerateCode();
|
||||||
}
|
}
|
||||||
|
|
||||||
public EventBuilder newEvent() {
|
public EventBuilder newEvent() {
|
||||||
|
|
|
@ -150,7 +150,7 @@ public class RequiredActionContextResult implements RequiredActionContext {
|
||||||
public String generateCode() {
|
public String generateCode() {
|
||||||
ClientSessionCode<AuthenticationSessionModel> accessCode = new ClientSessionCode<>(session, getRealm(), getAuthenticationSession());
|
ClientSessionCode<AuthenticationSessionModel> accessCode = new ClientSessionCode<>(session, getRealm(), getAuthenticationSession());
|
||||||
authenticationSession.setTimestamp(Time.currentTime());
|
authenticationSession.setTimestamp(Time.currentTime());
|
||||||
return accessCode.getCode();
|
return accessCode.getOrGenerateCode();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -63,7 +63,7 @@ public class IdentityProviderAuthenticator implements Authenticator {
|
||||||
List<IdentityProviderModel> identityProviders = context.getRealm().getIdentityProviders();
|
List<IdentityProviderModel> identityProviders = context.getRealm().getIdentityProviders();
|
||||||
for (IdentityProviderModel identityProvider : identityProviders) {
|
for (IdentityProviderModel identityProvider : identityProviders) {
|
||||||
if (identityProvider.isEnabled() && providerId.equals(identityProvider.getAlias())) {
|
if (identityProvider.isEnabled() && providerId.equals(identityProvider.getAlias())) {
|
||||||
String accessCode = new ClientSessionCode<>(context.getSession(), context.getRealm(), context.getAuthenticationSession()).getCode();
|
String accessCode = new ClientSessionCode<>(context.getSession(), context.getRealm(), context.getAuthenticationSession()).getOrGenerateCode();
|
||||||
String clientId = context.getAuthenticationSession().getClient().getClientId();
|
String clientId = context.getAuthenticationSession().getClient().getClientId();
|
||||||
Response response = Response.seeOther(
|
Response response = Response.seeOther(
|
||||||
Urls.identityProviderAuthnRequest(context.getUriInfo().getBaseUri(), providerId, context.getRealm().getName(), accessCode, clientId))
|
Urls.identityProviderAuthnRequest(context.getUriInfo().getBaseUri(), providerId, context.getRealm().getName(), accessCode, clientId))
|
||||||
|
|
|
@ -51,6 +51,8 @@ public interface Attributes {
|
||||||
String SECRET_KEY = "secret";
|
String SECRET_KEY = "secret";
|
||||||
|
|
||||||
String SECRET_SIZE_KEY = "secretSize";
|
String SECRET_SIZE_KEY = "secretSize";
|
||||||
ProviderConfigProperty SECRET_SIZE_PROPERTY = new ProviderConfigProperty(SECRET_SIZE_KEY, "Secret size", "Size in bytes for the generated secret", LIST_TYPE, "32", "32", "64", "128", "256", "512");
|
ProviderConfigProperty SECRET_SIZE_PROPERTY = new ProviderConfigProperty(SECRET_SIZE_KEY, "Secret size", "Size in bytes for the generated secret", LIST_TYPE,
|
||||||
|
String.valueOf(GeneratedHmacKeyProviderFactory.DEFAULT_HMAC_KEY_SIZE),
|
||||||
|
"16", "24", "32", "64", "128", "256", "512");
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -82,6 +82,23 @@ public class DefaultKeyManager implements KeyManager {
|
||||||
throw new RuntimeException("Failed to get keys");
|
throw new RuntimeException("Failed to get keys");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public ActiveAesKey getActiveAesKey(RealmModel realm) {
|
||||||
|
for (KeyProvider p : getProviders(realm)) {
|
||||||
|
if (p.getType().equals(AlgorithmType.AES)) {
|
||||||
|
AesKeyProvider h = (AesKeyProvider) p;
|
||||||
|
if (h.getKid() != null && h.getSecretKey() != null) {
|
||||||
|
if (logger.isTraceEnabled()) {
|
||||||
|
logger.tracev("Active AES Key realm={0} kid={1}", realm.getName(), p.getKid());
|
||||||
|
}
|
||||||
|
String kid = p.getKid();
|
||||||
|
return new ActiveAesKey(kid, h.getSecretKey());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
throw new RuntimeException("Failed to get keys");
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public PublicKey getRsaPublicKey(RealmModel realm, String kid) {
|
public PublicKey getRsaPublicKey(RealmModel realm, String kid) {
|
||||||
if (kid == null) {
|
if (kid == null) {
|
||||||
|
@ -135,7 +152,7 @@ public class DefaultKeyManager implements KeyManager {
|
||||||
@Override
|
@Override
|
||||||
public SecretKey getHmacSecretKey(RealmModel realm, String kid) {
|
public SecretKey getHmacSecretKey(RealmModel realm, String kid) {
|
||||||
if (kid == null) {
|
if (kid == null) {
|
||||||
logger.warnv("KID is null, can't find public key", realm.getName(), kid);
|
logger.warnv("KID is null, can't find secret key", realm.getName(), kid);
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -157,6 +174,31 @@ public class DefaultKeyManager implements KeyManager {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public SecretKey getAesSecretKey(RealmModel realm, String kid) {
|
||||||
|
if (kid == null) {
|
||||||
|
logger.warnv("KID is null, can't find aes key", realm.getName(), kid);
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
for (KeyProvider p : getProviders(realm)) {
|
||||||
|
if (p.getType().equals(AlgorithmType.AES)) {
|
||||||
|
AesKeyProvider h = (AesKeyProvider) p;
|
||||||
|
SecretKey s = h.getSecretKey(kid);
|
||||||
|
if (s != null) {
|
||||||
|
if (logger.isTraceEnabled()) {
|
||||||
|
logger.tracev("Found AES key realm={0} kid={1}", realm.getName(), kid);
|
||||||
|
}
|
||||||
|
return s;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (logger.isTraceEnabled()) {
|
||||||
|
logger.tracev("Failed to find AES key realm={0} kid={1}", realm.getName(), kid);
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public List<RsaKeyMetadata> getRsaKeys(RealmModel realm, boolean includeDisabled) {
|
public List<RsaKeyMetadata> getRsaKeys(RealmModel realm, boolean includeDisabled) {
|
||||||
List<RsaKeyMetadata> keys = new LinkedList<>();
|
List<RsaKeyMetadata> keys = new LinkedList<>();
|
||||||
|
@ -174,14 +216,30 @@ public class DefaultKeyManager implements KeyManager {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public List<HmacKeyMetadata> getHmacKeys(RealmModel realm, boolean includeDisabled) {
|
public List<SecretKeyMetadata> getHmacKeys(RealmModel realm, boolean includeDisabled) {
|
||||||
List<HmacKeyMetadata> keys = new LinkedList<>();
|
List<SecretKeyMetadata> keys = new LinkedList<>();
|
||||||
for (KeyProvider p : getProviders(realm)) {
|
for (KeyProvider p : getProviders(realm)) {
|
||||||
if (p instanceof HmacKeyProvider) {
|
if (p instanceof HmacKeyProvider) {
|
||||||
if (includeDisabled) {
|
if (includeDisabled) {
|
||||||
keys.addAll(p.getKeyMetadata());
|
keys.addAll(p.getKeyMetadata());
|
||||||
} else {
|
} else {
|
||||||
List<HmacKeyMetadata> metadata = p.getKeyMetadata();
|
List<SecretKeyMetadata> metadata = p.getKeyMetadata();
|
||||||
|
metadata.stream().filter(k -> k.getStatus() != KeyMetadata.Status.DISABLED).forEach(k -> keys.add(k));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return keys;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public List<SecretKeyMetadata> getAesKeys(RealmModel realm, boolean includeDisabled) {
|
||||||
|
List<SecretKeyMetadata> keys = new LinkedList<>();
|
||||||
|
for (KeyProvider p : getProviders(realm)) {
|
||||||
|
if (p instanceof AesKeyProvider) {
|
||||||
|
if (includeDisabled) {
|
||||||
|
keys.addAll(p.getKeyMetadata());
|
||||||
|
} else {
|
||||||
|
List<SecretKeyMetadata> metadata = p.getKeyMetadata();
|
||||||
metadata.stream().filter(k -> k.getStatus() != KeyMetadata.Status.DISABLED).forEach(k -> keys.add(k));
|
metadata.stream().filter(k -> k.getStatus() != KeyMetadata.Status.DISABLED).forEach(k -> keys.add(k));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -199,6 +257,7 @@ public class DefaultKeyManager implements KeyManager {
|
||||||
|
|
||||||
boolean activeRsa = false;
|
boolean activeRsa = false;
|
||||||
boolean activeHmac = false;
|
boolean activeHmac = false;
|
||||||
|
boolean activeAes = false;
|
||||||
|
|
||||||
for (ComponentModel c : components) {
|
for (ComponentModel c : components) {
|
||||||
try {
|
try {
|
||||||
|
@ -217,7 +276,13 @@ public class DefaultKeyManager implements KeyManager {
|
||||||
if (r.getKid() != null && r.getSecretKey() != null) {
|
if (r.getKid() != null && r.getSecretKey() != null) {
|
||||||
activeHmac = true;
|
activeHmac = true;
|
||||||
}
|
}
|
||||||
|
} else if (provider.getType().equals(AlgorithmType.AES)) {
|
||||||
|
AesKeyProvider r = (AesKeyProvider) provider;
|
||||||
|
if (r.getKid() != null && r.getSecretKey() != null) {
|
||||||
|
activeAes = true;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
} catch (Throwable t) {
|
} catch (Throwable t) {
|
||||||
logger.errorv(t, "Failed to load provider {0}", c.getId());
|
logger.errorv(t, "Failed to load provider {0}", c.getId());
|
||||||
}
|
}
|
||||||
|
@ -231,6 +296,10 @@ public class DefaultKeyManager implements KeyManager {
|
||||||
providers.add(new FailsafeHmacKeyProvider());
|
providers.add(new FailsafeHmacKeyProvider());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!activeAes) {
|
||||||
|
providers.add(new FailsafeAesKeyProvider());
|
||||||
|
}
|
||||||
|
|
||||||
providersMap.put(realm.getId(), providers);
|
providersMap.put(realm.getId(), providers);
|
||||||
}
|
}
|
||||||
return providers;
|
return providers;
|
||||||
|
|
|
@ -0,0 +1,33 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.keys;
|
||||||
|
|
||||||
|
import org.jboss.logging.Logger;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public class FailsafeAesKeyProvider extends FailsafeSecretKeyProvider implements AesKeyProvider {
|
||||||
|
|
||||||
|
private static final Logger logger = Logger.getLogger(FailsafeAesKeyProvider.class);
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Logger logger() {
|
||||||
|
return logger;
|
||||||
|
}
|
||||||
|
}
|
|
@ -29,61 +29,12 @@ import java.util.List;
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||||
*/
|
*/
|
||||||
public class FailsafeHmacKeyProvider implements HmacKeyProvider {
|
public class FailsafeHmacKeyProvider extends FailsafeSecretKeyProvider implements HmacKeyProvider {
|
||||||
|
|
||||||
private static final Logger logger = Logger.getLogger(FailsafeHmacKeyProvider.class);
|
private static final Logger logger = Logger.getLogger(FailsafeHmacKeyProvider.class);
|
||||||
|
|
||||||
private static String KID;
|
|
||||||
|
|
||||||
private static SecretKey KEY;
|
|
||||||
|
|
||||||
private static long EXPIRES;
|
|
||||||
|
|
||||||
private SecretKey key;
|
|
||||||
|
|
||||||
private String kid;
|
|
||||||
|
|
||||||
public FailsafeHmacKeyProvider() {
|
|
||||||
logger.errorv("No active keys found, using failsafe provider, please login to admin console to add keys. Clustering is not supported.");
|
|
||||||
|
|
||||||
synchronized (FailsafeHmacKeyProvider.class) {
|
|
||||||
if (EXPIRES < Time.currentTime()) {
|
|
||||||
KEY = KeyUtils.loadSecretKey(KeycloakModelUtils.generateSecret(32));
|
|
||||||
KID = KeycloakModelUtils.generateId();
|
|
||||||
EXPIRES = Time.currentTime() + 60 * 10;
|
|
||||||
|
|
||||||
if (EXPIRES > 0) {
|
|
||||||
logger.warnv("Keys expired, re-generated kid={0}", KID);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
kid = KID;
|
|
||||||
key = KEY;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String getKid() {
|
protected Logger logger() {
|
||||||
return kid;
|
return logger;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public SecretKey getSecretKey() {
|
|
||||||
return key;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public SecretKey getSecretKey(String kid) {
|
|
||||||
return kid.equals(this.kid) ? key : null;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public List<HmacKeyMetadata> getKeyMetadata() {
|
|
||||||
return Collections.emptyList();
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public void close() {
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,90 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.keys;
|
||||||
|
|
||||||
|
import java.util.Collections;
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
import javax.crypto.SecretKey;
|
||||||
|
|
||||||
|
import org.jboss.logging.Logger;
|
||||||
|
import org.keycloak.common.util.KeyUtils;
|
||||||
|
import org.keycloak.common.util.Time;
|
||||||
|
import org.keycloak.models.utils.KeycloakModelUtils;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||||
|
*/
|
||||||
|
public abstract class FailsafeSecretKeyProvider implements SecretKeyProvider {
|
||||||
|
|
||||||
|
|
||||||
|
private static String KID;
|
||||||
|
|
||||||
|
private static SecretKey KEY;
|
||||||
|
|
||||||
|
private static long EXPIRES;
|
||||||
|
|
||||||
|
private SecretKey key;
|
||||||
|
|
||||||
|
private String kid;
|
||||||
|
|
||||||
|
public FailsafeSecretKeyProvider() {
|
||||||
|
logger().errorv("No active keys found, using failsafe provider, please login to admin console to add keys. Clustering is not supported.");
|
||||||
|
|
||||||
|
synchronized (FailsafeHmacKeyProvider.class) {
|
||||||
|
if (EXPIRES < Time.currentTime()) {
|
||||||
|
KEY = KeyUtils.loadSecretKey(KeycloakModelUtils.generateSecret(32), getJavaAlgorithmName());
|
||||||
|
KID = KeycloakModelUtils.generateId();
|
||||||
|
EXPIRES = Time.currentTime() + 60 * 10;
|
||||||
|
|
||||||
|
if (EXPIRES > 0) {
|
||||||
|
logger().warnv("Keys expired, re-generated kid={0}", KID);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
kid = KID;
|
||||||
|
key = KEY;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getKid() {
|
||||||
|
return kid;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public SecretKey getSecretKey() {
|
||||||
|
return key;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public SecretKey getSecretKey(String kid) {
|
||||||
|
return kid.equals(this.kid) ? key : null;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public List<SecretKeyMetadata> getKeyMetadata() {
|
||||||
|
return Collections.emptyList();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void close() {
|
||||||
|
}
|
||||||
|
|
||||||
|
protected abstract Logger logger();
|
||||||
|
}
|
|
@ -0,0 +1,31 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.keys;
|
||||||
|
|
||||||
|
import org.keycloak.component.ComponentModel;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public class GeneratedAesKeyProvider extends GeneratedSecretKeyProvider implements AesKeyProvider {
|
||||||
|
|
||||||
|
public GeneratedAesKeyProvider(ComponentModel model) {
|
||||||
|
super(model);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,83 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.keys;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
import org.jboss.logging.Logger;
|
||||||
|
import org.keycloak.component.ComponentModel;
|
||||||
|
import org.keycloak.models.KeycloakSession;
|
||||||
|
import org.keycloak.provider.ProviderConfigProperty;
|
||||||
|
|
||||||
|
import static org.keycloak.provider.ProviderConfigProperty.LIST_TYPE;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public class GeneratedAesKeyProviderFactory extends GeneratedSecretKeyProviderFactory<AesKeyProvider> implements AesKeyProviderFactory {
|
||||||
|
|
||||||
|
private static final Logger logger = Logger.getLogger(GeneratedAesKeyProviderFactory.class);
|
||||||
|
|
||||||
|
public static final String ID = "aes-generated";
|
||||||
|
|
||||||
|
private static final String HELP_TEXT = "Generates AES secret key";
|
||||||
|
|
||||||
|
private static final ProviderConfigProperty AES_KEY_SIZE_PROPERTY;
|
||||||
|
|
||||||
|
private static final int DEFAULT_AES_KEY_SIZE = 16;
|
||||||
|
|
||||||
|
static {
|
||||||
|
AES_KEY_SIZE_PROPERTY = new ProviderConfigProperty(Attributes.SECRET_SIZE_KEY, "AES Key size",
|
||||||
|
"Size in bytes for the generated AES Key. Size 16 is for AES-128, Size 24 for AES-192 and Size 32 for AES-256. WARN: Bigger keys then 128 bits are not allowed on some JDK implementations",
|
||||||
|
LIST_TYPE, String.valueOf(DEFAULT_AES_KEY_SIZE), "16", "24", "32");
|
||||||
|
}
|
||||||
|
|
||||||
|
private static final List<ProviderConfigProperty> CONFIG_PROPERTIES = SecretKeyProviderUtils.configurationBuilder()
|
||||||
|
.property(AES_KEY_SIZE_PROPERTY)
|
||||||
|
.build();
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public AesKeyProvider create(KeycloakSession session, ComponentModel model) {
|
||||||
|
return new GeneratedAesKeyProvider(model);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getHelpText() {
|
||||||
|
return HELP_TEXT;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public List<ProviderConfigProperty> getConfigProperties() {
|
||||||
|
return CONFIG_PROPERTIES;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getId() {
|
||||||
|
return ID;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Logger logger() {
|
||||||
|
return logger;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected int getDefaultKeySize() {
|
||||||
|
return DEFAULT_AES_KEY_SIZE;
|
||||||
|
}
|
||||||
|
}
|
|
@ -17,87 +17,16 @@
|
||||||
|
|
||||||
package org.keycloak.keys;
|
package org.keycloak.keys;
|
||||||
|
|
||||||
import org.keycloak.common.util.Base64Url;
|
|
||||||
import org.keycloak.common.util.KeyUtils;
|
|
||||||
import org.keycloak.component.ComponentModel;
|
import org.keycloak.component.ComponentModel;
|
||||||
import org.keycloak.jose.jws.AlgorithmType;
|
|
||||||
|
|
||||||
import javax.crypto.SecretKey;
|
|
||||||
import java.util.Collections;
|
|
||||||
import java.util.List;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||||
*/
|
*/
|
||||||
public class GeneratedHmacKeyProvider implements HmacKeyProvider {
|
public class GeneratedHmacKeyProvider extends GeneratedSecretKeyProvider implements HmacKeyProvider {
|
||||||
|
|
||||||
private final boolean enabled;
|
|
||||||
|
|
||||||
private final boolean active;
|
|
||||||
|
|
||||||
private final ComponentModel model;
|
|
||||||
private final String kid;
|
|
||||||
private final SecretKey secretKey;
|
|
||||||
|
|
||||||
public GeneratedHmacKeyProvider(ComponentModel model) {
|
public GeneratedHmacKeyProvider(ComponentModel model) {
|
||||||
this.enabled = model.get(Attributes.ENABLED_KEY, true);
|
super(model);
|
||||||
this.active = model.get(Attributes.ACTIVE_KEY, true);
|
|
||||||
this.kid = model.get(Attributes.KID_KEY);
|
|
||||||
this.model = model;
|
|
||||||
|
|
||||||
if (model.hasNote(SecretKey.class.getName())) {
|
|
||||||
secretKey = model.getNote(SecretKey.class.getName());
|
|
||||||
} else {
|
|
||||||
secretKey = KeyUtils.loadSecretKey(Base64Url.decode(model.get(Attributes.SECRET_KEY)));
|
|
||||||
model.setNote(SecretKey.class.getName(), secretKey);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public SecretKey getSecretKey() {
|
|
||||||
return isActive() ? secretKey : null;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public SecretKey getSecretKey(String kid) {
|
|
||||||
return isEnabled() && kid.equals(this.kid) ? secretKey : null;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getKid() {
|
|
||||||
return isActive() ? kid : null;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public List<HmacKeyMetadata> getKeyMetadata() {
|
|
||||||
if (kid != null && secretKey != null) {
|
|
||||||
HmacKeyMetadata k = new HmacKeyMetadata();
|
|
||||||
k.setProviderId(model.getId());
|
|
||||||
k.setProviderPriority(model.get(Attributes.PRIORITY_KEY, 0l));
|
|
||||||
k.setKid(kid);
|
|
||||||
if (isActive()) {
|
|
||||||
k.setStatus(KeyMetadata.Status.ACTIVE);
|
|
||||||
} else if (isEnabled()) {
|
|
||||||
k.setStatus(KeyMetadata.Status.PASSIVE);
|
|
||||||
} else {
|
|
||||||
k.setStatus(KeyMetadata.Status.DISABLED);
|
|
||||||
}
|
|
||||||
return Collections.singletonList(k);
|
|
||||||
} else {
|
|
||||||
return Collections.emptyList();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public void close() {
|
|
||||||
}
|
|
||||||
|
|
||||||
private boolean isEnabled() {
|
|
||||||
return secretKey != null && enabled;
|
|
||||||
}
|
|
||||||
|
|
||||||
private boolean isActive() {
|
|
||||||
return isEnabled() && active;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -34,7 +34,7 @@ import java.util.List;
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||||
*/
|
*/
|
||||||
public class GeneratedHmacKeyProviderFactory extends AbstractHmacKeyProviderFactory {
|
public class GeneratedHmacKeyProviderFactory extends GeneratedSecretKeyProviderFactory<HmacKeyProvider> implements HmacKeyProviderFactory {
|
||||||
|
|
||||||
private static final Logger logger = Logger.getLogger(GeneratedHmacKeyProviderFactory.class);
|
private static final Logger logger = Logger.getLogger(GeneratedHmacKeyProviderFactory.class);
|
||||||
|
|
||||||
|
@ -42,12 +42,14 @@ public class GeneratedHmacKeyProviderFactory extends AbstractHmacKeyProviderFact
|
||||||
|
|
||||||
private static final String HELP_TEXT = "Generates HMAC secret key";
|
private static final String HELP_TEXT = "Generates HMAC secret key";
|
||||||
|
|
||||||
private static final List<ProviderConfigProperty> CONFIG_PROPERTIES = AbstractHmacKeyProviderFactory.configurationBuilder()
|
public static final int DEFAULT_HMAC_KEY_SIZE = 32;
|
||||||
|
|
||||||
|
private static final List<ProviderConfigProperty> CONFIG_PROPERTIES = SecretKeyProviderUtils.configurationBuilder()
|
||||||
.property(Attributes.SECRET_SIZE_PROPERTY)
|
.property(Attributes.SECRET_SIZE_PROPERTY)
|
||||||
.build();
|
.build();
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public KeyProvider create(KeycloakSession session, ComponentModel model) {
|
public HmacKeyProvider create(KeycloakSession session, ComponentModel model) {
|
||||||
return new GeneratedHmacKeyProvider(model);
|
return new GeneratedHmacKeyProvider(model);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -61,51 +63,18 @@ public class GeneratedHmacKeyProviderFactory extends AbstractHmacKeyProviderFact
|
||||||
return CONFIG_PROPERTIES;
|
return CONFIG_PROPERTIES;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public void validateConfiguration(KeycloakSession session, RealmModel realm, ComponentModel model) throws ComponentValidationException {
|
|
||||||
ConfigurationValidationHelper.check(model).checkList(Attributes.SECRET_SIZE_PROPERTY, false);
|
|
||||||
|
|
||||||
int size = model.get(Attributes.SECRET_SIZE_KEY, 32);
|
|
||||||
|
|
||||||
if (!(model.contains(Attributes.SECRET_KEY))) {
|
|
||||||
generateSecret(model, size);
|
|
||||||
logger.debugv("Generated secret for {0}", realm.getName());
|
|
||||||
} else {
|
|
||||||
int currentSize = Base64Url.decode(model.get(Attributes.SECRET_KEY)).length;
|
|
||||||
if (currentSize != size) {
|
|
||||||
generateSecret(model, size);
|
|
||||||
logger.debugv("Secret size changed, generating new secret for {0}", realm.getName());
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
private void generateSecret(ComponentModel model, int size) {
|
|
||||||
try {
|
|
||||||
byte[] secret = KeycloakModelUtils.generateSecret(size);
|
|
||||||
model.put(Attributes.SECRET_KEY, Base64Url.encode(secret));
|
|
||||||
|
|
||||||
String kid = KeycloakModelUtils.generateId();
|
|
||||||
model.put(Attributes.KID_KEY, kid);
|
|
||||||
} catch (Throwable t) {
|
|
||||||
throw new ComponentValidationException("Failed to generate secret", t);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public void init(Config.Scope config) {
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public void postInit(KeycloakSessionFactory factory) {
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public void close() {
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String getId() {
|
public String getId() {
|
||||||
return ID;
|
return ID;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Logger logger() {
|
||||||
|
return logger;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected int getDefaultKeySize() {
|
||||||
|
return DEFAULT_HMAC_KEY_SIZE;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,102 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.keys;
|
||||||
|
|
||||||
|
import java.util.Collections;
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
import javax.crypto.SecretKey;
|
||||||
|
|
||||||
|
import org.keycloak.common.util.Base64Url;
|
||||||
|
import org.keycloak.common.util.KeyUtils;
|
||||||
|
import org.keycloak.component.ComponentModel;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||||
|
*/
|
||||||
|
public abstract class GeneratedSecretKeyProvider implements SecretKeyProvider {
|
||||||
|
|
||||||
|
private final boolean enabled;
|
||||||
|
|
||||||
|
private final boolean active;
|
||||||
|
|
||||||
|
private final ComponentModel model;
|
||||||
|
private final String kid;
|
||||||
|
private final SecretKey secretKey;
|
||||||
|
|
||||||
|
public GeneratedSecretKeyProvider(ComponentModel model) {
|
||||||
|
this.enabled = model.get(Attributes.ENABLED_KEY, true);
|
||||||
|
this.active = model.get(Attributes.ACTIVE_KEY, true);
|
||||||
|
this.kid = model.get(Attributes.KID_KEY);
|
||||||
|
this.model = model;
|
||||||
|
|
||||||
|
if (model.hasNote(SecretKey.class.getName())) {
|
||||||
|
secretKey = model.getNote(SecretKey.class.getName());
|
||||||
|
} else {
|
||||||
|
secretKey = KeyUtils.loadSecretKey(Base64Url.decode(model.get(Attributes.SECRET_KEY)), getJavaAlgorithmName());
|
||||||
|
model.setNote(SecretKey.class.getName(), secretKey);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public SecretKey getSecretKey() {
|
||||||
|
return isActive() ? secretKey : null;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public SecretKey getSecretKey(String kid) {
|
||||||
|
return isEnabled() && kid.equals(this.kid) ? secretKey : null;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getKid() {
|
||||||
|
return isActive() ? kid : null;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public List<SecretKeyMetadata> getKeyMetadata() {
|
||||||
|
if (kid != null && secretKey != null) {
|
||||||
|
SecretKeyMetadata k = new SecretKeyMetadata();
|
||||||
|
k.setProviderId(model.getId());
|
||||||
|
k.setProviderPriority(model.get(Attributes.PRIORITY_KEY, 0l));
|
||||||
|
k.setKid(kid);
|
||||||
|
if (isActive()) {
|
||||||
|
k.setStatus(KeyMetadata.Status.ACTIVE);
|
||||||
|
} else if (isEnabled()) {
|
||||||
|
k.setStatus(KeyMetadata.Status.PASSIVE);
|
||||||
|
} else {
|
||||||
|
k.setStatus(KeyMetadata.Status.DISABLED);
|
||||||
|
}
|
||||||
|
return Collections.singletonList(k);
|
||||||
|
} else {
|
||||||
|
return Collections.emptyList();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void close() {
|
||||||
|
}
|
||||||
|
|
||||||
|
private boolean isEnabled() {
|
||||||
|
return secretKey != null && enabled;
|
||||||
|
}
|
||||||
|
|
||||||
|
private boolean isActive() {
|
||||||
|
return isEnabled() && active;
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,82 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.keys;
|
||||||
|
|
||||||
|
import org.jboss.logging.Logger;
|
||||||
|
import org.keycloak.Config;
|
||||||
|
import org.keycloak.common.util.Base64Url;
|
||||||
|
import org.keycloak.component.ComponentModel;
|
||||||
|
import org.keycloak.component.ComponentValidationException;
|
||||||
|
import org.keycloak.models.KeycloakSession;
|
||||||
|
import org.keycloak.models.KeycloakSessionFactory;
|
||||||
|
import org.keycloak.models.RealmModel;
|
||||||
|
import org.keycloak.models.utils.KeycloakModelUtils;
|
||||||
|
import org.keycloak.provider.ConfigurationValidationHelper;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||||
|
*/
|
||||||
|
public abstract class GeneratedSecretKeyProviderFactory<T extends KeyProvider> implements KeyProviderFactory<T> {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void validateConfiguration(KeycloakSession session, RealmModel realm, ComponentModel model) throws ComponentValidationException {
|
||||||
|
ConfigurationValidationHelper validation = SecretKeyProviderUtils.validateConfiguration(model);
|
||||||
|
validation.checkList(Attributes.SECRET_SIZE_PROPERTY, false);
|
||||||
|
|
||||||
|
int size = model.get(Attributes.SECRET_SIZE_KEY, getDefaultKeySize());
|
||||||
|
|
||||||
|
if (!(model.contains(Attributes.SECRET_KEY))) {
|
||||||
|
generateSecret(model, size);
|
||||||
|
logger().debugv("Generated secret for {0}", realm.getName());
|
||||||
|
} else {
|
||||||
|
int currentSize = Base64Url.decode(model.get(Attributes.SECRET_KEY)).length;
|
||||||
|
if (currentSize != size) {
|
||||||
|
generateSecret(model, size);
|
||||||
|
logger().debugv("Secret size changed, generating new secret for {0}", realm.getName());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private void generateSecret(ComponentModel model, int size) {
|
||||||
|
try {
|
||||||
|
byte[] secret = KeycloakModelUtils.generateSecret(size);
|
||||||
|
model.put(Attributes.SECRET_KEY, Base64Url.encode(secret));
|
||||||
|
|
||||||
|
String kid = KeycloakModelUtils.generateId();
|
||||||
|
model.put(Attributes.KID_KEY, kid);
|
||||||
|
} catch (Throwable t) {
|
||||||
|
throw new ComponentValidationException("Failed to generate secret", t);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
protected abstract Logger logger();
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void init(Config.Scope config) {
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void postInit(KeycloakSessionFactory factory) {
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void close() {
|
||||||
|
}
|
||||||
|
|
||||||
|
protected abstract int getDefaultKeySize();
|
||||||
|
}
|
|
@ -27,18 +27,17 @@ import org.keycloak.provider.ProviderConfigurationBuilder;
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||||
*/
|
*/
|
||||||
public abstract class AbstractHmacKeyProviderFactory implements HmacKeyProviderFactory {
|
public abstract class SecretKeyProviderUtils {
|
||||||
|
|
||||||
public final static ProviderConfigurationBuilder configurationBuilder() {
|
public static ProviderConfigurationBuilder configurationBuilder() {
|
||||||
return ProviderConfigurationBuilder.create()
|
return ProviderConfigurationBuilder.create()
|
||||||
.property(Attributes.PRIORITY_PROPERTY)
|
.property(Attributes.PRIORITY_PROPERTY)
|
||||||
.property(Attributes.ENABLED_PROPERTY)
|
.property(Attributes.ENABLED_PROPERTY)
|
||||||
.property(Attributes.ACTIVE_PROPERTY);
|
.property(Attributes.ACTIVE_PROPERTY);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
public static ConfigurationValidationHelper validateConfiguration(ComponentModel model) throws ComponentValidationException {
|
||||||
public void validateConfiguration(KeycloakSession session, RealmModel realm, ComponentModel model) throws ComponentValidationException {
|
return ConfigurationValidationHelper.check(model)
|
||||||
ConfigurationValidationHelper.check(model)
|
|
||||||
.checkLong(Attributes.PRIORITY_PROPERTY, false)
|
.checkLong(Attributes.PRIORITY_PROPERTY, false)
|
||||||
.checkBoolean(Attributes.ENABLED_PROPERTY, false)
|
.checkBoolean(Attributes.ENABLED_PROPERTY, false)
|
||||||
.checkBoolean(Attributes.ACTIVE_PROPERTY, false);
|
.checkBoolean(Attributes.ACTIVE_PROPERTY, false);
|
|
@ -29,7 +29,6 @@ import org.keycloak.models.KeycloakSession;
|
||||||
import org.keycloak.models.RealmModel;
|
import org.keycloak.models.RealmModel;
|
||||||
import org.keycloak.models.UserSessionModel;
|
import org.keycloak.models.UserSessionModel;
|
||||||
import org.keycloak.protocol.LoginProtocol;
|
import org.keycloak.protocol.LoginProtocol;
|
||||||
import org.keycloak.protocol.RestartLoginCookie;
|
|
||||||
import org.keycloak.protocol.oidc.utils.OIDCRedirectUriBuilder;
|
import org.keycloak.protocol.oidc.utils.OIDCRedirectUriBuilder;
|
||||||
import org.keycloak.protocol.oidc.utils.OIDCResponseMode;
|
import org.keycloak.protocol.oidc.utils.OIDCResponseMode;
|
||||||
import org.keycloak.protocol.oidc.utils.OIDCResponseType;
|
import org.keycloak.protocol.oidc.utils.OIDCResponseType;
|
||||||
|
@ -39,7 +38,6 @@ import org.keycloak.services.managers.AuthenticationManager;
|
||||||
import org.keycloak.services.managers.AuthenticationSessionManager;
|
import org.keycloak.services.managers.AuthenticationSessionManager;
|
||||||
import org.keycloak.services.managers.ClientSessionCode;
|
import org.keycloak.services.managers.ClientSessionCode;
|
||||||
import org.keycloak.services.managers.ResourceAdminManager;
|
import org.keycloak.services.managers.ResourceAdminManager;
|
||||||
import org.keycloak.sessions.CommonClientSessionModel;
|
|
||||||
import org.keycloak.sessions.AuthenticationSessionModel;
|
import org.keycloak.sessions.AuthenticationSessionModel;
|
||||||
import org.keycloak.util.TokenUtil;
|
import org.keycloak.util.TokenUtil;
|
||||||
|
|
||||||
|
@ -185,9 +183,10 @@ public class OIDCLoginProtocol implements LoginProtocol {
|
||||||
redirectUri.addParam(OAuth2Constants.STATE, state);
|
redirectUri.addParam(OAuth2Constants.STATE, state);
|
||||||
|
|
||||||
// Standard or hybrid flow
|
// Standard or hybrid flow
|
||||||
|
String code = null;
|
||||||
if (responseType.hasResponseType(OIDCResponseType.CODE)) {
|
if (responseType.hasResponseType(OIDCResponseType.CODE)) {
|
||||||
accessCode.setAction(CommonClientSessionModel.Action.CODE_TO_TOKEN.name());
|
code = accessCode.getOrGenerateCode();
|
||||||
redirectUri.addParam(OAuth2Constants.CODE, accessCode.getCode());
|
redirectUri.addParam(OAuth2Constants.CODE, code);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Implicit or hybrid flow
|
// Implicit or hybrid flow
|
||||||
|
@ -205,7 +204,7 @@ public class OIDCLoginProtocol implements LoginProtocol {
|
||||||
}
|
}
|
||||||
|
|
||||||
if (responseType.hasResponseType(OIDCResponseType.CODE)) {
|
if (responseType.hasResponseType(OIDCResponseType.CODE)) {
|
||||||
responseBuilder.generateCodeHash(accessCode.getCode());
|
responseBuilder.generateCodeHash(code);
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -245,35 +245,27 @@ public class TokenEndpoint {
|
||||||
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Missing parameter: " + OAuth2Constants.CODE, Response.Status.BAD_REQUEST);
|
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Missing parameter: " + OAuth2Constants.CODE, Response.Status.BAD_REQUEST);
|
||||||
}
|
}
|
||||||
|
|
||||||
String[] parts = code.split("\\.");
|
ClientSessionCode.ParseResult<AuthenticatedClientSessionModel> parseResult = ClientSessionCode.parseResult(code, session, realm, event, AuthenticatedClientSessionModel.class);
|
||||||
if (parts.length == 4) {
|
|
||||||
event.detail(Details.CODE_ID, parts[2]);
|
|
||||||
}
|
|
||||||
|
|
||||||
ClientSessionCode.ParseResult<AuthenticatedClientSessionModel> parseResult = ClientSessionCode.parseResult(code, session, realm, AuthenticatedClientSessionModel.class);
|
|
||||||
if (parseResult.isAuthSessionNotFound() || parseResult.isIllegalHash()) {
|
if (parseResult.isAuthSessionNotFound() || parseResult.isIllegalHash()) {
|
||||||
event.error(Errors.INVALID_CODE);
|
AuthenticatedClientSessionModel clientSession = parseResult.getClientSession();
|
||||||
|
|
||||||
// Attempt to use same code twice should invalidate existing clientSession
|
// Attempt to use same code twice should invalidate existing clientSession
|
||||||
AuthenticatedClientSessionModel clientSession = parseResult.getClientSession();
|
|
||||||
if (clientSession != null) {
|
if (clientSession != null) {
|
||||||
clientSession.setUserSession(null);
|
clientSession.setUserSession(null);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
event.error(Errors.INVALID_CODE);
|
||||||
|
|
||||||
throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "Code not valid", Response.Status.BAD_REQUEST);
|
throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "Code not valid", Response.Status.BAD_REQUEST);
|
||||||
}
|
}
|
||||||
|
|
||||||
AuthenticatedClientSessionModel clientSession = parseResult.getClientSession();
|
AuthenticatedClientSessionModel clientSession = parseResult.getClientSession();
|
||||||
|
|
||||||
if (!parseResult.getCode().isValid(AuthenticatedClientSessionModel.Action.CODE_TO_TOKEN.name(), ClientSessionCode.ActionType.CLIENT)) {
|
if (parseResult.isExpiredToken()) {
|
||||||
event.error(Errors.INVALID_CODE);
|
event.error(Errors.EXPIRED_CODE);
|
||||||
throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "Code is expired", Response.Status.BAD_REQUEST);
|
throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "Code is expired", Response.Status.BAD_REQUEST);
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: This shouldn't be needed to write into the AuthenticatedClientSessionModel itself
|
|
||||||
parseResult.getCode().setAction(null);
|
|
||||||
|
|
||||||
// TODO: Maybe rather create userSession even at this stage?
|
|
||||||
UserSessionModel userSession = clientSession.getUserSession();
|
UserSessionModel userSession = clientSession.getUserSession();
|
||||||
|
|
||||||
if (userSession == null) {
|
if (userSession == null) {
|
||||||
|
@ -281,20 +273,20 @@ public class TokenEndpoint {
|
||||||
throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "User session not found", Response.Status.BAD_REQUEST);
|
throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "User session not found", Response.Status.BAD_REQUEST);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
UserModel user = userSession.getUser();
|
UserModel user = userSession.getUser();
|
||||||
if (user == null) {
|
if (user == null) {
|
||||||
event.error(Errors.USER_NOT_FOUND);
|
event.error(Errors.USER_NOT_FOUND);
|
||||||
throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "User not found", Response.Status.BAD_REQUEST);
|
throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "User not found", Response.Status.BAD_REQUEST);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
event.user(userSession.getUser());
|
||||||
|
|
||||||
if (!user.isEnabled()) {
|
if (!user.isEnabled()) {
|
||||||
event.error(Errors.USER_DISABLED);
|
event.error(Errors.USER_DISABLED);
|
||||||
throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "User disabled", Response.Status.BAD_REQUEST);
|
throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "User disabled", Response.Status.BAD_REQUEST);
|
||||||
}
|
}
|
||||||
|
|
||||||
event.user(userSession.getUser());
|
|
||||||
|
|
||||||
event.session(userSession.getId());
|
|
||||||
|
|
||||||
String redirectUri = clientSession.getNote(OIDCLoginProtocol.REDIRECT_URI_PARAM);
|
String redirectUri = clientSession.getNote(OIDCLoginProtocol.REDIRECT_URI_PARAM);
|
||||||
String formParam = formParams.getFirst(OAuth2Constants.REDIRECT_URI);
|
String formParam = formParams.getFirst(OAuth2Constants.REDIRECT_URI);
|
||||||
if (redirectUri != null && !redirectUri.equals(formParam)) {
|
if (redirectUri != null && !redirectUri.equals(formParam)) {
|
||||||
|
|
|
@ -849,7 +849,7 @@ public class AuthenticationManager {
|
||||||
|
|
||||||
return session.getProvider(LoginFormsProvider.class)
|
return session.getProvider(LoginFormsProvider.class)
|
||||||
.setExecution(execution)
|
.setExecution(execution)
|
||||||
.setClientSessionCode(accessCode.getCode())
|
.setClientSessionCode(accessCode.getOrGenerateCode())
|
||||||
.setAccessRequest(realmRoles, resourceRoles, protocolMappers)
|
.setAccessRequest(realmRoles, resourceRoles, protocolMappers)
|
||||||
.createOAuthGrant();
|
.createOAuthGrant();
|
||||||
} else {
|
} else {
|
||||||
|
|
|
@ -17,19 +17,16 @@
|
||||||
|
|
||||||
package org.keycloak.services.managers;
|
package org.keycloak.services.managers;
|
||||||
|
|
||||||
import org.jboss.logging.Logger;
|
|
||||||
import org.keycloak.common.util.Base64Url;
|
|
||||||
import org.keycloak.common.util.Time;
|
import org.keycloak.common.util.Time;
|
||||||
|
import org.keycloak.events.EventBuilder;
|
||||||
import org.keycloak.models.ClientModel;
|
import org.keycloak.models.ClientModel;
|
||||||
import org.keycloak.models.ClientTemplateModel;
|
import org.keycloak.models.ClientTemplateModel;
|
||||||
import org.keycloak.models.KeycloakSession;
|
import org.keycloak.models.KeycloakSession;
|
||||||
import org.keycloak.models.ProtocolMapperModel;
|
import org.keycloak.models.ProtocolMapperModel;
|
||||||
import org.keycloak.models.RealmModel;
|
import org.keycloak.models.RealmModel;
|
||||||
import org.keycloak.models.RoleModel;
|
import org.keycloak.models.RoleModel;
|
||||||
import org.keycloak.models.utils.KeycloakModelUtils;
|
|
||||||
import org.keycloak.sessions.CommonClientSessionModel;
|
import org.keycloak.sessions.CommonClientSessionModel;
|
||||||
|
|
||||||
import java.security.MessageDigest;
|
|
||||||
import java.util.HashSet;
|
import java.util.HashSet;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
|
|
||||||
|
@ -39,10 +36,6 @@ import java.util.Set;
|
||||||
*/
|
*/
|
||||||
public class ClientSessionCode<CLIENT_SESSION extends CommonClientSessionModel> {
|
public class ClientSessionCode<CLIENT_SESSION extends CommonClientSessionModel> {
|
||||||
|
|
||||||
private static final String ACTIVE_CODE = "active_code";
|
|
||||||
|
|
||||||
private static final Logger logger = Logger.getLogger(ClientSessionCode.class);
|
|
||||||
|
|
||||||
private KeycloakSession session;
|
private KeycloakSession session;
|
||||||
private final RealmModel realm;
|
private final RealmModel realm;
|
||||||
private final CLIENT_SESSION commonLoginSession;
|
private final CLIENT_SESSION commonLoginSession;
|
||||||
|
@ -63,6 +56,7 @@ public class ClientSessionCode<CLIENT_SESSION extends CommonClientSessionModel>
|
||||||
ClientSessionCode<CLIENT_SESSION> code;
|
ClientSessionCode<CLIENT_SESSION> code;
|
||||||
boolean authSessionNotFound;
|
boolean authSessionNotFound;
|
||||||
boolean illegalHash;
|
boolean illegalHash;
|
||||||
|
boolean expiredToken;
|
||||||
CLIENT_SESSION clientSession;
|
CLIENT_SESSION clientSession;
|
||||||
|
|
||||||
public ClientSessionCode<CLIENT_SESSION> getCode() {
|
public ClientSessionCode<CLIENT_SESSION> getCode() {
|
||||||
|
@ -77,29 +71,39 @@ public class ClientSessionCode<CLIENT_SESSION extends CommonClientSessionModel>
|
||||||
return illegalHash;
|
return illegalHash;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public boolean isExpiredToken() {
|
||||||
|
return expiredToken;
|
||||||
|
}
|
||||||
|
|
||||||
public CLIENT_SESSION getClientSession() {
|
public CLIENT_SESSION getClientSession() {
|
||||||
return clientSession;
|
return clientSession;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public static <CLIENT_SESSION extends CommonClientSessionModel> ParseResult<CLIENT_SESSION> parseResult(String code, KeycloakSession session, RealmModel realm, Class<CLIENT_SESSION> sessionClass) {
|
public static <CLIENT_SESSION extends CommonClientSessionModel> ParseResult<CLIENT_SESSION> parseResult(String code, KeycloakSession session, RealmModel realm, EventBuilder event, Class<CLIENT_SESSION> sessionClass) {
|
||||||
ParseResult<CLIENT_SESSION> result = new ParseResult<>();
|
ParseResult<CLIENT_SESSION> result = new ParseResult<>();
|
||||||
if (code == null) {
|
if (code == null) {
|
||||||
result.illegalHash = true;
|
result.illegalHash = true;
|
||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
try {
|
try {
|
||||||
result.clientSession = getClientSession(code, session, realm, sessionClass);
|
CodeGenerateUtil.ClientSessionParser<CLIENT_SESSION> clientSessionParser = CodeGenerateUtil.getParser(sessionClass);
|
||||||
|
result.clientSession = getClientSession(code, session, realm, event, clientSessionParser);
|
||||||
if (result.clientSession == null) {
|
if (result.clientSession == null) {
|
||||||
result.authSessionNotFound = true;
|
result.authSessionNotFound = true;
|
||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!verifyCode(code, result.clientSession)) {
|
if (!clientSessionParser.verifyCode(session, code, result.clientSession)) {
|
||||||
result.illegalHash = true;
|
result.illegalHash = true;
|
||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (clientSessionParser.isExpired(session, code, result.clientSession)) {
|
||||||
|
result.expiredToken = true;
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
result.code = new ClientSessionCode<CLIENT_SESSION>(session, realm, result.clientSession);
|
result.code = new ClientSessionCode<CLIENT_SESSION>(session, realm, result.clientSession);
|
||||||
return result;
|
return result;
|
||||||
} catch (RuntimeException e) {
|
} catch (RuntimeException e) {
|
||||||
|
@ -108,13 +112,19 @@ public class ClientSessionCode<CLIENT_SESSION extends CommonClientSessionModel>
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public static <CLIENT_SESSION extends CommonClientSessionModel> CLIENT_SESSION getClientSession(String code, KeycloakSession session, RealmModel realm, Class<CLIENT_SESSION> sessionClass) {
|
|
||||||
CommonClientSessionModel clientSessionn = CodeGenerateUtil.getParser(sessionClass).parseSession(code, session, realm);;
|
|
||||||
CLIENT_SESSION clientSession = sessionClass.cast(clientSessionn);
|
|
||||||
|
|
||||||
return clientSession;
|
public static <CLIENT_SESSION extends CommonClientSessionModel> CLIENT_SESSION getClientSession(String code, KeycloakSession session, RealmModel realm, EventBuilder event, Class<CLIENT_SESSION> sessionClass) {
|
||||||
|
CodeGenerateUtil.ClientSessionParser<CLIENT_SESSION> clientSessionParser = CodeGenerateUtil.getParser(sessionClass);
|
||||||
|
return getClientSession(code, session, realm, event, clientSessionParser);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
private static <CLIENT_SESSION extends CommonClientSessionModel> CLIENT_SESSION getClientSession(String code, KeycloakSession session, RealmModel realm, EventBuilder event,
|
||||||
|
CodeGenerateUtil.ClientSessionParser<CLIENT_SESSION> clientSessionParser) {
|
||||||
|
return clientSessionParser.parseSession(code, session, realm, event);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
public CLIENT_SESSION getClientSession() {
|
public CLIENT_SESSION getClientSession() {
|
||||||
return commonLoginSession;
|
return commonLoginSession;
|
||||||
}
|
}
|
||||||
|
@ -203,52 +213,9 @@ public class ClientSessionCode<CLIENT_SESSION extends CommonClientSessionModel>
|
||||||
commonLoginSession.setTimestamp(Time.currentTime());
|
commonLoginSession.setTimestamp(Time.currentTime());
|
||||||
}
|
}
|
||||||
|
|
||||||
public String getCode() {
|
public String getOrGenerateCode() {
|
||||||
CodeGenerateUtil.ClientSessionParser parser = CodeGenerateUtil.getParser(commonLoginSession.getClass());
|
CodeGenerateUtil.ClientSessionParser parser = CodeGenerateUtil.getParser(commonLoginSession.getClass());
|
||||||
String nextCode = parser.getNote(commonLoginSession, ACTIVE_CODE);
|
return parser.retrieveCode(session, commonLoginSession);
|
||||||
if (nextCode == null) {
|
|
||||||
nextCode = generateCode(commonLoginSession);
|
|
||||||
} else {
|
|
||||||
logger.debug("Code already generated for session, using same code");
|
|
||||||
}
|
|
||||||
return nextCode;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private static String generateCode(CommonClientSessionModel authSession) {
|
|
||||||
try {
|
|
||||||
String actionId = Base64Url.encode(KeycloakModelUtils.generateSecret());
|
|
||||||
|
|
||||||
StringBuilder sb = new StringBuilder();
|
|
||||||
sb.append(actionId);
|
|
||||||
sb.append('.');
|
|
||||||
sb.append(authSession.getId());
|
|
||||||
|
|
||||||
CodeGenerateUtil.ClientSessionParser parser = CodeGenerateUtil.getParser(authSession.getClass());
|
|
||||||
|
|
||||||
String code = parser.generateCode(authSession, actionId);
|
|
||||||
parser.setNote(authSession, ACTIVE_CODE, code);
|
|
||||||
|
|
||||||
return code;
|
|
||||||
} catch (Exception e) {
|
|
||||||
throw new RuntimeException(e);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
public static boolean verifyCode(String code, CommonClientSessionModel authSession) {
|
|
||||||
try {
|
|
||||||
CodeGenerateUtil.ClientSessionParser parser = CodeGenerateUtil.getParser(authSession.getClass());
|
|
||||||
|
|
||||||
String activeCode = parser.getNote(authSession, ACTIVE_CODE);
|
|
||||||
if (activeCode == null) {
|
|
||||||
logger.debug("Active code not found in client session");
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
parser.removeNote(authSession, ACTIVE_CODE);
|
|
||||||
|
|
||||||
return MessageDigest.isEqual(code.getBytes(), activeCode.getBytes());
|
|
||||||
} catch (Exception e) {
|
|
||||||
throw new RuntimeException(e);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -17,16 +17,30 @@
|
||||||
|
|
||||||
package org.keycloak.services.managers;
|
package org.keycloak.services.managers;
|
||||||
|
|
||||||
|
import java.security.MessageDigest;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
import java.util.UUID;
|
||||||
|
import java.util.function.Supplier;
|
||||||
|
|
||||||
|
import javax.crypto.SecretKey;
|
||||||
|
|
||||||
import org.jboss.logging.Logger;
|
import org.jboss.logging.Logger;
|
||||||
|
import org.keycloak.common.util.Base64Url;
|
||||||
|
import org.keycloak.common.util.Time;
|
||||||
|
import org.keycloak.events.Details;
|
||||||
|
import org.keycloak.events.EventBuilder;
|
||||||
|
import org.keycloak.jose.jwe.JWEException;
|
||||||
import org.keycloak.models.AuthenticatedClientSessionModel;
|
import org.keycloak.models.AuthenticatedClientSessionModel;
|
||||||
|
import org.keycloak.models.CodeToTokenStoreProvider;
|
||||||
import org.keycloak.models.KeycloakSession;
|
import org.keycloak.models.KeycloakSession;
|
||||||
import org.keycloak.models.RealmModel;
|
import org.keycloak.models.RealmModel;
|
||||||
import org.keycloak.models.UserSessionModel;
|
import org.keycloak.models.UserSessionModel;
|
||||||
|
import org.keycloak.models.utils.KeycloakModelUtils;
|
||||||
|
import org.keycloak.representations.CodeJWT;
|
||||||
import org.keycloak.sessions.CommonClientSessionModel;
|
import org.keycloak.sessions.CommonClientSessionModel;
|
||||||
import org.keycloak.sessions.AuthenticationSessionModel;
|
import org.keycloak.sessions.AuthenticationSessionModel;
|
||||||
|
import org.keycloak.util.TokenUtil;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
|
@ -36,11 +50,18 @@ class CodeGenerateUtil {
|
||||||
|
|
||||||
private static final Logger logger = Logger.getLogger(CodeGenerateUtil.class);
|
private static final Logger logger = Logger.getLogger(CodeGenerateUtil.class);
|
||||||
|
|
||||||
private static final Map<Class<? extends CommonClientSessionModel>, ClientSessionParser> PARSERS = new HashMap<>();
|
private static final String ACTIVE_CODE = "active_code";
|
||||||
|
|
||||||
|
private static final Map<Class<? extends CommonClientSessionModel>, Supplier<ClientSessionParser>> PARSERS = new HashMap<>();
|
||||||
|
|
||||||
static {
|
static {
|
||||||
PARSERS.put(AuthenticationSessionModel.class, new AuthenticationSessionModelParser());
|
PARSERS.put(AuthenticationSessionModel.class, () -> {
|
||||||
PARSERS.put(AuthenticatedClientSessionModel.class, new AuthenticatedClientSessionModelParser());
|
return new AuthenticationSessionModelParser();
|
||||||
|
});
|
||||||
|
|
||||||
|
PARSERS.put(AuthenticatedClientSessionModel.class, () -> {
|
||||||
|
return new AuthenticatedClientSessionModelParser();
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -48,7 +69,7 @@ class CodeGenerateUtil {
|
||||||
static <CS extends CommonClientSessionModel> ClientSessionParser<CS> getParser(Class<CS> clientSessionClass) {
|
static <CS extends CommonClientSessionModel> ClientSessionParser<CS> getParser(Class<CS> clientSessionClass) {
|
||||||
for (Class<?> c : PARSERS.keySet()) {
|
for (Class<?> c : PARSERS.keySet()) {
|
||||||
if (c.isAssignableFrom(clientSessionClass)) {
|
if (c.isAssignableFrom(clientSessionClass)) {
|
||||||
return PARSERS.get(c);
|
return PARSERS.get(c).get();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return null;
|
return null;
|
||||||
|
@ -57,17 +78,15 @@ class CodeGenerateUtil {
|
||||||
|
|
||||||
interface ClientSessionParser<CS extends CommonClientSessionModel> {
|
interface ClientSessionParser<CS extends CommonClientSessionModel> {
|
||||||
|
|
||||||
CS parseSession(String code, KeycloakSession session, RealmModel realm);
|
CS parseSession(String code, KeycloakSession session, RealmModel realm, EventBuilder event);
|
||||||
|
|
||||||
String generateCode(CS clientSession, String actionId);
|
String retrieveCode(KeycloakSession session, CS clientSession);
|
||||||
|
|
||||||
void removeExpiredSession(KeycloakSession session, CS clientSession);
|
void removeExpiredSession(KeycloakSession session, CS clientSession);
|
||||||
|
|
||||||
String getNote(CS clientSession, String name);
|
boolean verifyCode(KeycloakSession session, String code, CS clientSession);
|
||||||
|
|
||||||
void removeNote(CS clientSession, String name);
|
boolean isExpired(KeycloakSession session, String code, CS clientSession);
|
||||||
|
|
||||||
void setNote(CS clientSession, String name, String value);
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -78,95 +97,149 @@ class CodeGenerateUtil {
|
||||||
private static class AuthenticationSessionModelParser implements ClientSessionParser<AuthenticationSessionModel> {
|
private static class AuthenticationSessionModelParser implements ClientSessionParser<AuthenticationSessionModel> {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public AuthenticationSessionModel parseSession(String code, KeycloakSession session, RealmModel realm) {
|
public AuthenticationSessionModel parseSession(String code, KeycloakSession session, RealmModel realm, EventBuilder event) {
|
||||||
// Read authSessionID from cookie. Code is ignored for now
|
// Read authSessionID from cookie. Code is ignored for now
|
||||||
return new AuthenticationSessionManager(session).getCurrentAuthenticationSession(realm);
|
return new AuthenticationSessionManager(session).getCurrentAuthenticationSession(realm);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String generateCode(AuthenticationSessionModel clientSession, String actionId) {
|
public String retrieveCode(KeycloakSession session, AuthenticationSessionModel authSession) {
|
||||||
return actionId;
|
String nextCode = authSession.getAuthNote(ACTIVE_CODE);
|
||||||
|
if (nextCode == null) {
|
||||||
|
String actionId = Base64Url.encode(KeycloakModelUtils.generateSecret());
|
||||||
|
authSession.setAuthNote(ACTIVE_CODE, actionId);
|
||||||
|
nextCode = actionId;
|
||||||
|
} else {
|
||||||
|
logger.debug("Code already generated for authentication session, using same code");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
return nextCode;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void removeExpiredSession(KeycloakSession session, AuthenticationSessionModel clientSession) {
|
public void removeExpiredSession(KeycloakSession session, AuthenticationSessionModel clientSession) {
|
||||||
new AuthenticationSessionManager(session).removeAuthenticationSession(clientSession.getRealm(), clientSession, true);
|
new AuthenticationSessionManager(session).removeAuthenticationSession(clientSession.getRealm(), clientSession, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getNote(AuthenticationSessionModel clientSession, String name) {
|
|
||||||
return clientSession.getAuthNote(name);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void removeNote(AuthenticationSessionModel clientSession, String name) {
|
public boolean verifyCode(KeycloakSession session, String code, AuthenticationSessionModel authSession) {
|
||||||
clientSession.removeAuthNote(name);
|
String activeCode = authSession.getAuthNote(ACTIVE_CODE);
|
||||||
|
if (activeCode == null) {
|
||||||
|
logger.debug("Active code not found in authentication session");
|
||||||
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
authSession.removeAuthNote(ACTIVE_CODE);
|
||||||
|
|
||||||
|
return MessageDigest.isEqual(code.getBytes(), activeCode.getBytes());
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void setNote(AuthenticationSessionModel clientSession, String name, String value) {
|
public boolean isExpired(KeycloakSession session, String code, AuthenticationSessionModel clientSession) {
|
||||||
clientSession.setAuthNote(name, value);
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
private static class AuthenticatedClientSessionModelParser implements ClientSessionParser<AuthenticatedClientSessionModel> {
|
private static class AuthenticatedClientSessionModelParser implements ClientSessionParser<AuthenticatedClientSessionModel> {
|
||||||
|
|
||||||
@Override
|
private CodeJWT codeJWT;
|
||||||
public AuthenticatedClientSessionModel parseSession(String code, KeycloakSession session, RealmModel realm) {
|
|
||||||
try {
|
|
||||||
String[] parts = code.split("\\.");
|
|
||||||
String userSessionId = parts[2];
|
|
||||||
String clientUUID = parts[3];
|
|
||||||
|
|
||||||
UserSessionModel userSession = new UserSessionCrossDCManager(session).getUserSessionWithClientAndCodeToTokenAction(realm, userSessionId, clientUUID);
|
@Override
|
||||||
|
public AuthenticatedClientSessionModel parseSession(String code, KeycloakSession session, RealmModel realm, EventBuilder event) {
|
||||||
|
SecretKey aesKey = session.keys().getActiveAesKey(realm).getSecretKey();
|
||||||
|
SecretKey hmacKey = session.keys().getActiveHmacKey(realm).getSecretKey();
|
||||||
|
|
||||||
|
try {
|
||||||
|
codeJWT = TokenUtil.jweDirectVerifyAndDecode(aesKey, hmacKey, code, CodeJWT.class);
|
||||||
|
} catch (JWEException jweException) {
|
||||||
|
logger.error("Exception during JWE Verification or decode", jweException);
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
event.detail(Details.CODE_ID, codeJWT.getUserSessionId());
|
||||||
|
event.session(codeJWT.getUserSessionId());
|
||||||
|
|
||||||
|
UserSessionModel userSession = new UserSessionCrossDCManager(session).getUserSessionWithClient(realm, codeJWT.getUserSessionId(), codeJWT.getIssuedFor());
|
||||||
if (userSession == null) {
|
if (userSession == null) {
|
||||||
// TODO:mposolda Temporary workaround needed to track if code is invalid or was already used. Will be good to remove once used OAuth codes are tracked through one-time cache
|
// TODO:mposolda Temporary workaround needed to track if code is invalid or was already used. Will be good to remove once used OAuth codes are tracked through one-time cache
|
||||||
userSession = session.sessions().getUserSession(realm, userSessionId);
|
userSession = session.sessions().getUserSession(realm, codeJWT.getUserSessionId());
|
||||||
if (userSession == null) {
|
if (userSession == null) {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return userSession.getAuthenticatedClientSessions().get(clientUUID);
|
return userSession.getAuthenticatedClientSessions().get(codeJWT.getIssuedFor());
|
||||||
} catch (ArrayIndexOutOfBoundsException e) {
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String generateCode(AuthenticatedClientSessionModel clientSession, String actionId) {
|
public String retrieveCode(KeycloakSession session, AuthenticatedClientSessionModel clientSession) {
|
||||||
String userSessionId = clientSession.getUserSession().getId();
|
String actionId = KeycloakModelUtils.generateId();
|
||||||
String clientUUID = clientSession.getClient().getId();
|
|
||||||
StringBuilder sb = new StringBuilder();
|
|
||||||
sb.append("uss.");
|
|
||||||
sb.append(actionId);
|
|
||||||
sb.append('.');
|
|
||||||
sb.append(userSessionId);
|
|
||||||
sb.append('.');
|
|
||||||
sb.append(clientUUID);
|
|
||||||
|
|
||||||
return sb.toString();
|
CodeJWT codeJWT = new CodeJWT();
|
||||||
|
codeJWT.id(actionId);
|
||||||
|
codeJWT.issuedFor(clientSession.getClient().getId());
|
||||||
|
codeJWT.userSessionId(clientSession.getUserSession().getId());
|
||||||
|
|
||||||
|
RealmModel realm = clientSession.getRealm();
|
||||||
|
|
||||||
|
int issuedAt = Time.currentTime();
|
||||||
|
codeJWT.issuedAt(issuedAt);
|
||||||
|
codeJWT.expiration(issuedAt + realm.getAccessCodeLifespan());
|
||||||
|
|
||||||
|
SecretKey aesKey = session.keys().getActiveAesKey(realm).getSecretKey();
|
||||||
|
SecretKey hmacKey = session.keys().getActiveHmacKey(realm).getSecretKey();
|
||||||
|
|
||||||
|
if (logger.isTraceEnabled()) {
|
||||||
|
logger.tracef("Using AES key of length '%d' bytes and HMAC key of length '%d' bytes . Client: '%s', User Session: '%s'", aesKey.getEncoded().length,
|
||||||
|
hmacKey.getEncoded().length, clientSession.getClient().getClientId(), clientSession.getUserSession().getId());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
return TokenUtil.jweDirectEncode(aesKey, hmacKey, codeJWT);
|
||||||
|
} catch (JWEException jweEx) {
|
||||||
|
throw new RuntimeException(jweEx);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean verifyCode(KeycloakSession session, String code, AuthenticatedClientSessionModel clientSession) {
|
||||||
|
if (codeJWT == null) {
|
||||||
|
throw new IllegalStateException("Illegal use. codeJWT not yet set");
|
||||||
|
}
|
||||||
|
|
||||||
|
UUID codeId = UUID.fromString(codeJWT.getId());
|
||||||
|
CodeToTokenStoreProvider singleUseCache = session.getProvider(CodeToTokenStoreProvider.class);
|
||||||
|
|
||||||
|
if (singleUseCache.putIfAbsent(codeId)) {
|
||||||
|
|
||||||
|
if (logger.isTraceEnabled()) {
|
||||||
|
logger.tracef("Added code '%s' to single-use cache. User session: %s, client: %s", codeJWT.getId(), codeJWT.getUserSessionId(), codeJWT.getIssuedFor());
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
} else {
|
||||||
|
logger.warnf("Code '%s' already used for userSession '%s' and client '%s'.", codeJWT.getId(), codeJWT.getUserSessionId(), codeJWT.getIssuedFor());
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void removeExpiredSession(KeycloakSession session, AuthenticatedClientSessionModel clientSession) {
|
public void removeExpiredSession(KeycloakSession session, AuthenticatedClientSessionModel clientSession) {
|
||||||
throw new IllegalStateException("Not yet implemented");
|
throw new IllegalStateException("Not yet implemented");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getNote(AuthenticatedClientSessionModel clientSession, String name) {
|
|
||||||
return clientSession.getNote(name);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void removeNote(AuthenticatedClientSessionModel clientSession, String name) {
|
public boolean isExpired(KeycloakSession session, String code, AuthenticatedClientSessionModel clientSession) {
|
||||||
clientSession.removeNote(name);
|
return !codeJWT.isActive();
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public void setNote(AuthenticatedClientSessionModel clientSession, String name, String value) {
|
|
||||||
clientSession.setNote(name, value);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -46,19 +46,14 @@ public class UserSessionCrossDCManager {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
// get userSession if it has "authenticatedClientSession" of specified client attached to it and there is "CODE_TO_TOKEN" action. Otherwise download it from remoteCache
|
// get userSession if it has "authenticatedClientSession" of specified client attached to it. Otherwise download it from remoteCache
|
||||||
// TODO Probably remove this method once AuthenticatedClientSession.getAction is removed and information is moved to OAuth code JWT instead
|
// TODO Probably remove this method once AuthenticatedClientSession.getAction is removed and information is moved to OAuth code JWT instead
|
||||||
public UserSessionModel getUserSessionWithClientAndCodeToTokenAction(RealmModel realm, String id, String clientUUID) {
|
public UserSessionModel getUserSessionWithClient(RealmModel realm, String id, String clientUUID) {
|
||||||
|
|
||||||
return kcSession.sessions().getUserSessionWithPredicate(realm, id, false, (UserSessionModel userSession) -> {
|
return kcSession.sessions().getUserSessionWithPredicate(realm, id, false, (UserSessionModel userSession) -> {
|
||||||
|
|
||||||
Map<String, AuthenticatedClientSessionModel> authSessions = userSession.getAuthenticatedClientSessions();
|
Map<String, AuthenticatedClientSessionModel> authSessions = userSession.getAuthenticatedClientSessions();
|
||||||
if (!authSessions.containsKey(clientUUID)) {
|
return authSessions.containsKey(clientUUID);
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
AuthenticatedClientSessionModel authSession = authSessions.get(clientUUID);
|
|
||||||
return CommonClientSessionModel.Action.CODE_TO_TOKEN.toString().equals(authSession.getAction());
|
|
||||||
|
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
|
@ -297,7 +297,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
|
||||||
|
|
||||||
ClientSessionCode<AuthenticationSessionModel> clientSessionCode = new ClientSessionCode<>(session, realmModel, authSession);
|
ClientSessionCode<AuthenticationSessionModel> clientSessionCode = new ClientSessionCode<>(session, realmModel, authSession);
|
||||||
clientSessionCode.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
|
clientSessionCode.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
|
||||||
clientSessionCode.getCode();
|
clientSessionCode.getOrGenerateCode();
|
||||||
authSession.setProtocol(client.getProtocol());
|
authSession.setProtocol(client.getProtocol());
|
||||||
authSession.setRedirectUri(redirectUri);
|
authSession.setRedirectUri(redirectUri);
|
||||||
authSession.setClientNote(OIDCLoginProtocol.STATE_PARAM, UUID.randomUUID().toString());
|
authSession.setClientNote(OIDCLoginProtocol.STATE_PARAM, UUID.randomUUID().toString());
|
||||||
|
@ -1046,7 +1046,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
|
||||||
|
|
||||||
if (clientSessionCode != null) {
|
if (clientSessionCode != null) {
|
||||||
authSession = clientSessionCode.getClientSession();
|
authSession = clientSessionCode.getClientSession();
|
||||||
String relayState = clientSessionCode.getCode();
|
String relayState = clientSessionCode.getOrGenerateCode();
|
||||||
encodedState = IdentityBrokerState.decoded(relayState, authSession.getClient().getClientId());
|
encodedState = IdentityBrokerState.decoded(relayState, authSession.getClient().getClientId());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -740,8 +740,8 @@ public class LoginActionsService {
|
||||||
authSession.setTimestamp(Time.currentTime());
|
authSession.setTimestamp(Time.currentTime());
|
||||||
|
|
||||||
String clientId = authSession.getClient().getClientId();
|
String clientId = authSession.getClient().getClientId();
|
||||||
URI redirect = firstBrokerLogin ? Urls.identityProviderAfterFirstBrokerLogin(uriInfo.getBaseUri(), realm.getName(), accessCode.getCode(), clientId) :
|
URI redirect = firstBrokerLogin ? Urls.identityProviderAfterFirstBrokerLogin(uriInfo.getBaseUri(), realm.getName(), accessCode.getOrGenerateCode(), clientId) :
|
||||||
Urls.identityProviderAfterPostBrokerLogin(uriInfo.getBaseUri(), realm.getName(), accessCode.getCode(), clientId) ;
|
Urls.identityProviderAfterPostBrokerLogin(uriInfo.getBaseUri(), realm.getName(), accessCode.getOrGenerateCode(), clientId) ;
|
||||||
logger.debugf("Redirecting to '%s' ", redirect);
|
logger.debugf("Redirecting to '%s' ", redirect);
|
||||||
|
|
||||||
return Response.status(302).location(redirect).build();
|
return Response.status(302).location(redirect).build();
|
||||||
|
|
|
@ -133,7 +133,7 @@ public class SessionCodeChecks {
|
||||||
}
|
}
|
||||||
|
|
||||||
// object retrieve
|
// object retrieve
|
||||||
AuthenticationSessionModel authSession = ClientSessionCode.getClientSession(code, session, realm, AuthenticationSessionModel.class);
|
AuthenticationSessionModel authSession = ClientSessionCode.getClientSession(code, session, realm, event, AuthenticationSessionModel.class);
|
||||||
if (authSession != null) {
|
if (authSession != null) {
|
||||||
return authSession;
|
return authSession;
|
||||||
}
|
}
|
||||||
|
@ -240,7 +240,7 @@ public class SessionCodeChecks {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
ClientSessionCode.ParseResult<AuthenticationSessionModel> result = ClientSessionCode.parseResult(code, session, realm, AuthenticationSessionModel.class);
|
ClientSessionCode.ParseResult<AuthenticationSessionModel> result = ClientSessionCode.parseResult(code, session, realm, event, AuthenticationSessionModel.class);
|
||||||
clientCode = result.getCode();
|
clientCode = result.getCode();
|
||||||
if (clientCode == null) {
|
if (clientCode == null) {
|
||||||
|
|
||||||
|
|
|
@ -20,7 +20,7 @@ package org.keycloak.services.resources.admin;
|
||||||
import org.jboss.resteasy.annotations.cache.NoCache;
|
import org.jboss.resteasy.annotations.cache.NoCache;
|
||||||
import org.keycloak.common.util.PemUtils;
|
import org.keycloak.common.util.PemUtils;
|
||||||
import org.keycloak.jose.jws.AlgorithmType;
|
import org.keycloak.jose.jws.AlgorithmType;
|
||||||
import org.keycloak.keys.HmacKeyMetadata;
|
import org.keycloak.keys.SecretKeyMetadata;
|
||||||
import org.keycloak.keys.RsaKeyMetadata;
|
import org.keycloak.keys.RsaKeyMetadata;
|
||||||
import org.keycloak.models.KeycloakSession;
|
import org.keycloak.models.KeycloakSession;
|
||||||
import org.keycloak.models.KeyManager;
|
import org.keycloak.models.KeyManager;
|
||||||
|
@ -65,6 +65,7 @@ public class KeyResource {
|
||||||
Map<String, String> active = new HashMap<>();
|
Map<String, String> active = new HashMap<>();
|
||||||
active.put(AlgorithmType.RSA.name(), keystore.getActiveRsaKey(realm).getKid());
|
active.put(AlgorithmType.RSA.name(), keystore.getActiveRsaKey(realm).getKid());
|
||||||
active.put(AlgorithmType.HMAC.name(), keystore.getActiveHmacKey(realm).getKid());
|
active.put(AlgorithmType.HMAC.name(), keystore.getActiveHmacKey(realm).getKid());
|
||||||
|
active.put(AlgorithmType.AES.name(), keystore.getActiveAesKey(realm).getKid());
|
||||||
keys.setActive(active);
|
keys.setActive(active);
|
||||||
|
|
||||||
List<KeysMetadataRepresentation.KeyMetadataRepresentation> l = new LinkedList<>();
|
List<KeysMetadataRepresentation.KeyMetadataRepresentation> l = new LinkedList<>();
|
||||||
|
@ -79,7 +80,7 @@ public class KeyResource {
|
||||||
r.setCertificate(PemUtils.encodeCertificate(m.getCertificate()));
|
r.setCertificate(PemUtils.encodeCertificate(m.getCertificate()));
|
||||||
l.add(r);
|
l.add(r);
|
||||||
}
|
}
|
||||||
for (HmacKeyMetadata m : session.keys().getHmacKeys(realm, true)) {
|
for (SecretKeyMetadata m : session.keys().getHmacKeys(realm, true)) {
|
||||||
KeysMetadataRepresentation.KeyMetadataRepresentation r = new KeysMetadataRepresentation.KeyMetadataRepresentation();
|
KeysMetadataRepresentation.KeyMetadataRepresentation r = new KeysMetadataRepresentation.KeyMetadataRepresentation();
|
||||||
r.setProviderId(m.getProviderId());
|
r.setProviderId(m.getProviderId());
|
||||||
r.setProviderPriority(m.getProviderPriority());
|
r.setProviderPriority(m.getProviderPriority());
|
||||||
|
@ -88,6 +89,15 @@ public class KeyResource {
|
||||||
r.setType(AlgorithmType.HMAC.name());
|
r.setType(AlgorithmType.HMAC.name());
|
||||||
l.add(r);
|
l.add(r);
|
||||||
}
|
}
|
||||||
|
for (SecretKeyMetadata m : session.keys().getAesKeys(realm, true)) {
|
||||||
|
KeysMetadataRepresentation.KeyMetadataRepresentation r = new KeysMetadataRepresentation.KeyMetadataRepresentation();
|
||||||
|
r.setProviderId(m.getProviderId());
|
||||||
|
r.setProviderPriority(m.getProviderPriority());
|
||||||
|
r.setKid(m.getKid());
|
||||||
|
r.setStatus(m.getStatus() != null ? m.getStatus().name() : null);
|
||||||
|
r.setType(AlgorithmType.AES.name());
|
||||||
|
l.add(r);
|
||||||
|
}
|
||||||
|
|
||||||
keys.setKeys(l);
|
keys.setKeys(l);
|
||||||
|
|
||||||
|
|
|
@ -77,7 +77,7 @@ public class TwitterIdentityProvider extends AbstractIdentityProvider<OAuth2Iden
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public Object callback(RealmModel realm, AuthenticationCallback callback, EventBuilder event) {
|
public Object callback(RealmModel realm, AuthenticationCallback callback, EventBuilder event) {
|
||||||
return new Endpoint(realm, callback);
|
return new Endpoint(realm, callback, event);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -161,6 +161,7 @@ public class TwitterIdentityProvider extends AbstractIdentityProvider<OAuth2Iden
|
||||||
protected class Endpoint {
|
protected class Endpoint {
|
||||||
protected RealmModel realm;
|
protected RealmModel realm;
|
||||||
protected AuthenticationCallback callback;
|
protected AuthenticationCallback callback;
|
||||||
|
protected EventBuilder event;
|
||||||
|
|
||||||
@Context
|
@Context
|
||||||
protected KeycloakSession session;
|
protected KeycloakSession session;
|
||||||
|
@ -174,9 +175,12 @@ public class TwitterIdentityProvider extends AbstractIdentityProvider<OAuth2Iden
|
||||||
@Context
|
@Context
|
||||||
protected UriInfo uriInfo;
|
protected UriInfo uriInfo;
|
||||||
|
|
||||||
public Endpoint(RealmModel realm, AuthenticationCallback callback) {
|
|
||||||
|
|
||||||
|
public Endpoint(RealmModel realm, AuthenticationCallback callback, EventBuilder event) {
|
||||||
this.realm = realm;
|
this.realm = realm;
|
||||||
this.callback = callback;
|
this.callback = callback;
|
||||||
|
this.event = event;
|
||||||
}
|
}
|
||||||
|
|
||||||
@GET
|
@GET
|
||||||
|
@ -194,7 +198,7 @@ public class TwitterIdentityProvider extends AbstractIdentityProvider<OAuth2Iden
|
||||||
|
|
||||||
twitter.setOAuthConsumer(getConfig().getClientId(), getConfig().getClientSecret());
|
twitter.setOAuthConsumer(getConfig().getClientId(), getConfig().getClientSecret());
|
||||||
|
|
||||||
AuthenticationSessionModel authSession = ClientSessionCode.getClientSession(state, session, realm, AuthenticationSessionModel.class);
|
AuthenticationSessionModel authSession = ClientSessionCode.getClientSession(state, session, realm, event, AuthenticationSessionModel.class);
|
||||||
|
|
||||||
String twitterToken = authSession.getAuthNote(TWITTER_TOKEN);
|
String twitterToken = authSession.getAuthNote(TWITTER_TOKEN);
|
||||||
String twitterSecret = authSession.getAuthNote(TWITTER_TOKENSECRET);
|
String twitterSecret = authSession.getAuthNote(TWITTER_TOKENSECRET);
|
||||||
|
@ -240,7 +244,6 @@ public class TwitterIdentityProvider extends AbstractIdentityProvider<OAuth2Iden
|
||||||
}
|
}
|
||||||
|
|
||||||
private void sendErrorEvent() {
|
private void sendErrorEvent() {
|
||||||
EventBuilder event = new EventBuilder(realm, session, clientConnection);
|
|
||||||
event.event(EventType.LOGIN);
|
event.event(EventType.LOGIN);
|
||||||
event.error("twitter_login_failed");
|
event.error("twitter_login_failed");
|
||||||
}
|
}
|
||||||
|
|
|
@ -16,6 +16,7 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
org.keycloak.keys.GeneratedHmacKeyProviderFactory
|
org.keycloak.keys.GeneratedHmacKeyProviderFactory
|
||||||
|
org.keycloak.keys.GeneratedAesKeyProviderFactory
|
||||||
org.keycloak.keys.GeneratedRsaKeyProviderFactory
|
org.keycloak.keys.GeneratedRsaKeyProviderFactory
|
||||||
org.keycloak.keys.JavaKeystoreKeyProviderFactory
|
org.keycloak.keys.JavaKeystoreKeyProviderFactory
|
||||||
org.keycloak.keys.ImportedRsaKeyProviderFactory
|
org.keycloak.keys.ImportedRsaKeyProviderFactory
|
|
@ -20,6 +20,7 @@ package org.keycloak.testsuite.rest.resource;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
|
import java.util.UUID;
|
||||||
import java.util.stream.Collectors;
|
import java.util.stream.Collectors;
|
||||||
|
|
||||||
import javax.ws.rs.Consumes;
|
import javax.ws.rs.Consumes;
|
||||||
|
@ -59,6 +60,14 @@ public class TestCacheResource {
|
||||||
return cache.containsKey(id);
|
return cache.containsKey(id);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@GET
|
||||||
|
@Path("/contains-uuid/{id}")
|
||||||
|
@Produces(MediaType.APPLICATION_JSON)
|
||||||
|
public boolean containsUuid(@PathParam("id") String id) {
|
||||||
|
UUID uuid = UUID.fromString(id);
|
||||||
|
return cache.containsKey(uuid);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
@GET
|
@GET
|
||||||
@Path("/enumerate-keys")
|
@Path("/enumerate-keys")
|
||||||
|
|
|
@ -39,6 +39,10 @@ public interface TestingCacheResource {
|
||||||
@Produces(MediaType.APPLICATION_JSON)
|
@Produces(MediaType.APPLICATION_JSON)
|
||||||
boolean contains(@PathParam("id") String id);
|
boolean contains(@PathParam("id") String id);
|
||||||
|
|
||||||
|
@GET
|
||||||
|
@Path("/contains-uuid/{id}")
|
||||||
|
@Produces(MediaType.APPLICATION_JSON)
|
||||||
|
boolean containsUuid(@PathParam("id") String id);
|
||||||
|
|
||||||
@GET
|
@GET
|
||||||
@Path("/enumerate-keys")
|
@Path("/enumerate-keys")
|
||||||
|
|
|
@ -107,7 +107,7 @@ public class ConcurrentLoginTest extends AbstractConcurrencyTest {
|
||||||
LoginTask loginTask = null;
|
LoginTask loginTask = null;
|
||||||
|
|
||||||
try (CloseableHttpClient httpClient = HttpClientBuilder.create().setRedirectStrategy(new LaxRedirectStrategy()).build()) {
|
try (CloseableHttpClient httpClient = HttpClientBuilder.create().setRedirectStrategy(new LaxRedirectStrategy()).build()) {
|
||||||
loginTask = new LoginTask(httpClient, userSessionId, 100, 1, Arrays.asList(
|
loginTask = new LoginTask(httpClient, userSessionId, 100, 1, false, Arrays.asList(
|
||||||
createHttpClientContextForUser(httpClient, "test-user@localhost", "password")
|
createHttpClientContextForUser(httpClient, "test-user@localhost", "password")
|
||||||
));
|
));
|
||||||
run(DEFAULT_THREADS, DEFAULT_CLIENTS_COUNT, loginTask);
|
run(DEFAULT_THREADS, DEFAULT_CLIENTS_COUNT, loginTask);
|
||||||
|
@ -131,6 +131,29 @@ public class ConcurrentLoginTest extends AbstractConcurrencyTest {
|
||||||
return context;
|
return context;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void concurrentLoginSingleUserSingleClient() throws Throwable {
|
||||||
|
log.info("*********************************************");
|
||||||
|
long start = System.currentTimeMillis();
|
||||||
|
|
||||||
|
AtomicReference<String> userSessionId = new AtomicReference<>();
|
||||||
|
LoginTask loginTask = null;
|
||||||
|
|
||||||
|
try (CloseableHttpClient httpClient = HttpClientBuilder.create().setRedirectStrategy(new LaxRedirectStrategy()).build()) {
|
||||||
|
loginTask = new LoginTask(httpClient, userSessionId, 100, 1, true, Arrays.asList(
|
||||||
|
createHttpClientContextForUser(httpClient, "test-user@localhost", "password")
|
||||||
|
));
|
||||||
|
run(DEFAULT_THREADS, DEFAULT_CLIENTS_COUNT, loginTask);
|
||||||
|
int clientSessionsCount = testingClient.testing().getClientSessionsCountInUserSession("test", userSessionId.get());
|
||||||
|
Assert.assertEquals(2, clientSessionsCount);
|
||||||
|
} finally {
|
||||||
|
long end = System.currentTimeMillis() - start;
|
||||||
|
log.infof("Statistics: %s", loginTask == null ? "??" : loginTask.getHistogram());
|
||||||
|
log.info("concurrentLoginSingleUserSingleClient took " + (end/1000) + "s");
|
||||||
|
log.info("*********************************************");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void concurrentLoginMultipleUsers() throws Throwable {
|
public void concurrentLoginMultipleUsers() throws Throwable {
|
||||||
log.info("*********************************************");
|
log.info("*********************************************");
|
||||||
|
@ -140,7 +163,7 @@ public class ConcurrentLoginTest extends AbstractConcurrencyTest {
|
||||||
LoginTask loginTask = null;
|
LoginTask loginTask = null;
|
||||||
|
|
||||||
try (CloseableHttpClient httpClient = HttpClientBuilder.create().setRedirectStrategy(new LaxRedirectStrategy()).build()) {
|
try (CloseableHttpClient httpClient = HttpClientBuilder.create().setRedirectStrategy(new LaxRedirectStrategy()).build()) {
|
||||||
loginTask = new LoginTask(httpClient, userSessionId, 100, 1, Arrays.asList(
|
loginTask = new LoginTask(httpClient, userSessionId, 100, 1, false, Arrays.asList(
|
||||||
createHttpClientContextForUser(httpClient, "test-user@localhost", "password"),
|
createHttpClientContextForUser(httpClient, "test-user@localhost", "password"),
|
||||||
createHttpClientContextForUser(httpClient, "john-doh@localhost", "password"),
|
createHttpClientContextForUser(httpClient, "john-doh@localhost", "password"),
|
||||||
createHttpClientContextForUser(httpClient, "roleRichUser", "password")
|
createHttpClientContextForUser(httpClient, "roleRichUser", "password")
|
||||||
|
@ -157,6 +180,60 @@ public class ConcurrentLoginTest extends AbstractConcurrencyTest {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void concurrentCodeReuseShouldFail() throws Throwable {
|
||||||
|
log.info("*********************************************");
|
||||||
|
long start = System.currentTimeMillis();
|
||||||
|
|
||||||
|
|
||||||
|
for (int i=0 ; i<10 ; i++) {
|
||||||
|
OAuthClient oauth1 = new OAuthClient();
|
||||||
|
oauth1.init(adminClient, driver);
|
||||||
|
oauth1.clientId("client0");
|
||||||
|
|
||||||
|
OAuthClient.AuthorizationEndpointResponse resp = oauth1.doLogin("test-user@localhost", "password");
|
||||||
|
String code = resp.getCode();
|
||||||
|
Assert.assertNotNull(code);
|
||||||
|
String codeURL = driver.getCurrentUrl();
|
||||||
|
|
||||||
|
|
||||||
|
AtomicInteger codeToTokenSuccessCount = new AtomicInteger(0);
|
||||||
|
AtomicInteger codeToTokenErrorsCount = new AtomicInteger(0);
|
||||||
|
|
||||||
|
KeycloakRunnable codeToTokenTask = new KeycloakRunnable() {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void run(int threadIndex, Keycloak keycloak, RealmResource realm) throws Throwable {
|
||||||
|
log.infof("Trying to execute codeURL: %s, threadIndex: %i", codeURL, threadIndex);
|
||||||
|
|
||||||
|
OAuthClient.AccessTokenResponse resp = oauth1.doAccessTokenRequest(code, "password");
|
||||||
|
if (resp.getAccessToken() != null && resp.getError() == null) {
|
||||||
|
codeToTokenSuccessCount.incrementAndGet();
|
||||||
|
} else if (resp.getAccessToken() == null && resp.getError() != null) {
|
||||||
|
codeToTokenErrorsCount.incrementAndGet();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
run(DEFAULT_THREADS, DEFAULT_THREADS, codeToTokenTask);
|
||||||
|
|
||||||
|
oauth1.openLogout();
|
||||||
|
|
||||||
|
Assert.assertEquals(1, codeToTokenSuccessCount.get());
|
||||||
|
Assert.assertEquals(DEFAULT_THREADS - 1, codeToTokenErrorsCount.get());
|
||||||
|
|
||||||
|
log.infof("Iteration %i passed successfully", i);
|
||||||
|
}
|
||||||
|
|
||||||
|
long end = System.currentTimeMillis() - start;
|
||||||
|
log.info("concurrentCodeReuseShouldFail took " + (end/1000) + "s");
|
||||||
|
log.info("*********************************************");
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
protected String getPageContent(String url, CloseableHttpClient httpClient, HttpClientContext context) throws IOException {
|
protected String getPageContent(String url, CloseableHttpClient httpClient, HttpClientContext context) throws IOException {
|
||||||
HttpGet request = new HttpGet(url);
|
HttpGet request = new HttpGet(url);
|
||||||
|
|
||||||
|
@ -237,6 +314,7 @@ public class ConcurrentLoginTest extends AbstractConcurrencyTest {
|
||||||
return m;
|
return m;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
public class LoginTask implements KeycloakRunnable {
|
public class LoginTask implements KeycloakRunnable {
|
||||||
|
|
||||||
private final AtomicInteger clientIndex = new AtomicInteger();
|
private final AtomicInteger clientIndex = new AtomicInteger();
|
||||||
|
@ -256,9 +334,10 @@ public class ConcurrentLoginTest extends AbstractConcurrencyTest {
|
||||||
private final int retryCount;
|
private final int retryCount;
|
||||||
private final AtomicInteger[] retryHistogram;
|
private final AtomicInteger[] retryHistogram;
|
||||||
private final AtomicInteger totalInvocations = new AtomicInteger();
|
private final AtomicInteger totalInvocations = new AtomicInteger();
|
||||||
|
private final boolean sameClient;
|
||||||
private final List<HttpClientContext> clientContexts;
|
private final List<HttpClientContext> clientContexts;
|
||||||
|
|
||||||
public LoginTask(CloseableHttpClient httpClient, AtomicReference<String> userSessionId, int retryDelayMs, int retryCount, List<HttpClientContext> clientContexts) {
|
public LoginTask(CloseableHttpClient httpClient, AtomicReference<String> userSessionId, int retryDelayMs, int retryCount, boolean sameClient, List<HttpClientContext> clientContexts) {
|
||||||
this.httpClient = httpClient;
|
this.httpClient = httpClient;
|
||||||
this.userSessionId = userSessionId;
|
this.userSessionId = userSessionId;
|
||||||
this.retryDelayMs = retryDelayMs;
|
this.retryDelayMs = retryDelayMs;
|
||||||
|
@ -267,12 +346,13 @@ public class ConcurrentLoginTest extends AbstractConcurrencyTest {
|
||||||
for (int i = 0; i < retryHistogram.length; i ++) {
|
for (int i = 0; i < retryHistogram.length; i ++) {
|
||||||
retryHistogram[i] = new AtomicInteger();
|
retryHistogram[i] = new AtomicInteger();
|
||||||
}
|
}
|
||||||
|
this.sameClient = sameClient;
|
||||||
this.clientContexts = clientContexts;
|
this.clientContexts = clientContexts;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void run(int threadIndex, Keycloak keycloak, RealmResource realm) throws Throwable {
|
public void run(int threadIndex, Keycloak keycloak, RealmResource realm) throws Throwable {
|
||||||
int i = clientIndex.getAndIncrement();
|
int i = sameClient ? 0 : clientIndex.getAndIncrement();
|
||||||
OAuthClient oauth1 = oauthClient.get();
|
OAuthClient oauth1 = oauthClient.get();
|
||||||
oauth1.clientId("client" + i);
|
oauth1.clientId("client" + i);
|
||||||
log.infof("%d [%s]: Accessing login page for %s", threadIndex, Thread.currentThread().getName(), oauth1.getClientId());
|
log.infof("%d [%s]: Accessing login page for %s", threadIndex, Thread.currentThread().getName(), oauth1.getClientId());
|
||||||
|
|
|
@ -75,7 +75,7 @@ public class ConcurrentLoginCrossDCTest extends ConcurrentLoginTest {
|
||||||
LoginTask loginTask = null;
|
LoginTask loginTask = null;
|
||||||
|
|
||||||
try (CloseableHttpClient httpClient = HttpClientBuilder.create().setRedirectStrategy(new LaxRedirectStrategy()).build()) {
|
try (CloseableHttpClient httpClient = HttpClientBuilder.create().setRedirectStrategy(new LaxRedirectStrategy()).build()) {
|
||||||
loginTask = new LoginTask(httpClient, userSessionId, LOGIN_TASK_DELAY_MS, LOGIN_TASK_RETRIES, Arrays.asList(
|
loginTask = new LoginTask(httpClient, userSessionId, LOGIN_TASK_DELAY_MS, LOGIN_TASK_RETRIES, false, Arrays.asList(
|
||||||
createHttpClientContextForUser(httpClient, "test-user@localhost", "password")
|
createHttpClientContextForUser(httpClient, "test-user@localhost", "password")
|
||||||
));
|
));
|
||||||
HttpUriRequest request = handleLogin(getPageContent(oauth.getLoginFormUrl(), httpClient, HttpClientContext.create()), "test-user@localhost", "password");
|
HttpUriRequest request = handleLogin(getPageContent(oauth.getLoginFormUrl(), httpClient, HttpClientContext.create()), "test-user@localhost", "password");
|
||||||
|
|
|
@ -168,7 +168,7 @@ public class GeneratedHmacKeyProviderTest extends AbstractKeycloakTest {
|
||||||
rep.getConfig().putSingle("secretSize", "1234");
|
rep.getConfig().putSingle("secretSize", "1234");
|
||||||
|
|
||||||
Response response = adminClient.realm("test").components().add(rep);
|
Response response = adminClient.realm("test").components().add(rep);
|
||||||
assertErrror(response, "'Secret size' should be 32, 64, 128, 256 or 512");
|
assertErrror(response, "'Secret size' should be 16, 24, 32, 64, 128, 256 or 512");
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void assertErrror(Response response, String error) {
|
protected void assertErrror(Response response, String error) {
|
||||||
|
|
|
@ -307,7 +307,6 @@ public class AccessTokenTest extends AbstractKeycloakTest {
|
||||||
events.expectCodeToToken(codeId, sessionId)
|
events.expectCodeToToken(codeId, sessionId)
|
||||||
.removeDetail(Details.TOKEN_ID)
|
.removeDetail(Details.TOKEN_ID)
|
||||||
.user((String) null)
|
.user((String) null)
|
||||||
.session((String) null)
|
|
||||||
.removeDetail(Details.REFRESH_TOKEN_ID)
|
.removeDetail(Details.REFRESH_TOKEN_ID)
|
||||||
.removeDetail(Details.REFRESH_TOKEN_TYPE)
|
.removeDetail(Details.REFRESH_TOKEN_TYPE)
|
||||||
.error(Errors.INVALID_CODE).assertEvent();
|
.error(Errors.INVALID_CODE).assertEvent();
|
||||||
|
@ -334,8 +333,8 @@ public class AccessTokenTest extends AbstractKeycloakTest {
|
||||||
|
|
||||||
setTimeOffset(0);
|
setTimeOffset(0);
|
||||||
|
|
||||||
AssertEvents.ExpectedEvent expectedEvent = events.expectCodeToToken(codeId, null);
|
AssertEvents.ExpectedEvent expectedEvent = events.expectCodeToToken(codeId, codeId);
|
||||||
expectedEvent.error("invalid_code")
|
expectedEvent.error("expired_code")
|
||||||
.removeDetail(Details.TOKEN_ID)
|
.removeDetail(Details.TOKEN_ID)
|
||||||
.removeDetail(Details.REFRESH_TOKEN_ID)
|
.removeDetail(Details.REFRESH_TOKEN_ID)
|
||||||
.removeDetail(Details.REFRESH_TOKEN_TYPE)
|
.removeDetail(Details.REFRESH_TOKEN_TYPE)
|
||||||
|
@ -380,7 +379,7 @@ public class AccessTokenTest extends AbstractKeycloakTest {
|
||||||
response = oauth.doAccessTokenRequest(code, "password");
|
response = oauth.doAccessTokenRequest(code, "password");
|
||||||
Assert.assertEquals(400, response.getStatusCode());
|
Assert.assertEquals(400, response.getStatusCode());
|
||||||
|
|
||||||
AssertEvents.ExpectedEvent expectedEvent = events.expectCodeToToken(codeId, null);
|
AssertEvents.ExpectedEvent expectedEvent = events.expectCodeToToken(codeId, codeId);
|
||||||
expectedEvent.error("invalid_code")
|
expectedEvent.error("invalid_code")
|
||||||
.removeDetail(Details.TOKEN_ID)
|
.removeDetail(Details.TOKEN_ID)
|
||||||
.removeDetail(Details.REFRESH_TOKEN_ID)
|
.removeDetail(Details.REFRESH_TOKEN_ID)
|
||||||
|
|
|
@ -22,6 +22,7 @@ import org.junit.Rule;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
import org.keycloak.OAuth2Constants;
|
import org.keycloak.OAuth2Constants;
|
||||||
import org.keycloak.OAuthErrorException;
|
import org.keycloak.OAuthErrorException;
|
||||||
|
import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
|
||||||
import org.keycloak.events.Details;
|
import org.keycloak.events.Details;
|
||||||
import org.keycloak.events.Errors;
|
import org.keycloak.events.Errors;
|
||||||
import org.keycloak.models.Constants;
|
import org.keycloak.models.Constants;
|
||||||
|
@ -73,7 +74,6 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
|
||||||
Assert.assertNull(response.getError());
|
Assert.assertNull(response.getError());
|
||||||
|
|
||||||
String codeId = events.expectLogin().assertEvent().getDetails().get(Details.CODE_ID);
|
String codeId = events.expectLogin().assertEvent().getDetails().get(Details.CODE_ID);
|
||||||
assertCode(codeId, response.getCode());
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
@ -89,7 +89,6 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
|
||||||
String code = driver.findElement(By.id(OAuth2Constants.CODE)).getAttribute("value");
|
String code = driver.findElement(By.id(OAuth2Constants.CODE)).getAttribute("value");
|
||||||
|
|
||||||
String codeId = events.expectLogin().detail(Details.REDIRECT_URI, "http://localhost:8180/auth/realms/test/protocol/openid-connect/oauth/oob").assertEvent().getDetails().get(Details.CODE_ID);
|
String codeId = events.expectLogin().detail(Details.REDIRECT_URI, "http://localhost:8180/auth/realms/test/protocol/openid-connect/oauth/oob").assertEvent().getDetails().get(Details.CODE_ID);
|
||||||
assertCode(codeId, code);
|
|
||||||
|
|
||||||
ClientManager.realm(adminClient.realm("test")).clientId("test-app").removeRedirectUris(Constants.INSTALLED_APP_URN);
|
ClientManager.realm(adminClient.realm("test")).clientId("test-app").removeRedirectUris(Constants.INSTALLED_APP_URN);
|
||||||
}
|
}
|
||||||
|
@ -104,7 +103,6 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
|
||||||
Assert.assertNotNull(response.getCode());
|
Assert.assertNotNull(response.getCode());
|
||||||
|
|
||||||
String codeId = events.expectLogin().assertEvent().getDetails().get(Details.CODE_ID);
|
String codeId = events.expectLogin().assertEvent().getDetails().get(Details.CODE_ID);
|
||||||
assertCode(codeId, response.getCode());
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
@ -119,7 +117,6 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
|
||||||
Assert.assertNull(response.getError());
|
Assert.assertNull(response.getError());
|
||||||
|
|
||||||
String codeId = events.expectLogin().assertEvent().getDetails().get(Details.CODE_ID);
|
String codeId = events.expectLogin().assertEvent().getDetails().get(Details.CODE_ID);
|
||||||
assertCode(codeId, response.getCode());
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
@ -151,11 +148,6 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
|
||||||
assertEquals("OpenIdConnect.AuthenticationProperties=2302984sdlk", state);
|
assertEquals("OpenIdConnect.AuthenticationProperties=2302984sdlk", state);
|
||||||
|
|
||||||
String codeId = events.expectLogin().assertEvent().getDetails().get(Details.CODE_ID);
|
String codeId = events.expectLogin().assertEvent().getDetails().get(Details.CODE_ID);
|
||||||
assertCode(codeId, code);
|
|
||||||
}
|
|
||||||
|
|
||||||
private void assertCode(String expectedCodeId, String actualCode) {
|
|
||||||
assertEquals(expectedCodeId, actualCode.split("\\.")[2]);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -33,6 +33,7 @@ import org.keycloak.models.UserSessionModel;
|
||||||
import org.keycloak.models.utils.KeycloakModelUtils;
|
import org.keycloak.models.utils.KeycloakModelUtils;
|
||||||
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
|
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
|
||||||
import org.keycloak.models.UserManager;
|
import org.keycloak.models.UserManager;
|
||||||
|
import org.keycloak.sessions.CommonClientSessionModel;
|
||||||
import org.keycloak.testsuite.rule.KeycloakRule;
|
import org.keycloak.testsuite.rule.KeycloakRule;
|
||||||
|
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
|
@ -169,14 +170,14 @@ public class UserSessionProviderTest {
|
||||||
int time = clientSession.getTimestamp();
|
int time = clientSession.getTimestamp();
|
||||||
assertEquals(null, clientSession.getAction());
|
assertEquals(null, clientSession.getAction());
|
||||||
|
|
||||||
clientSession.setAction(AuthenticatedClientSessionModel.Action.CODE_TO_TOKEN.name());
|
clientSession.setAction(AuthenticatedClientSessionModel.Action.LOGGED_OUT.name());
|
||||||
clientSession.setTimestamp(time + 10);
|
clientSession.setTimestamp(time + 10);
|
||||||
|
|
||||||
kc.stopSession(session, true);
|
kc.stopSession(session, true);
|
||||||
session = kc.startSession();
|
session = kc.startSession();
|
||||||
|
|
||||||
AuthenticatedClientSessionModel updated = session.sessions().getUserSession(realm, userSessionId).getAuthenticatedClientSessions().get(clientUUID);
|
AuthenticatedClientSessionModel updated = session.sessions().getUserSession(realm, userSessionId).getAuthenticatedClientSessions().get(clientUUID);
|
||||||
assertEquals(AuthenticatedClientSessionModel.Action.CODE_TO_TOKEN.name(), updated.getAction());
|
assertEquals(AuthenticatedClientSessionModel.Action.LOGGED_OUT.name(), updated.getAction());
|
||||||
assertEquals(time + 10, updated.getTimestamp());
|
assertEquals(time + 10, updated.getTimestamp());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -190,11 +191,11 @@ public class UserSessionProviderTest {
|
||||||
UserSessionModel userSession = session.sessions().getUserSession(realm, userSessionId);
|
UserSessionModel userSession = session.sessions().getUserSession(realm, userSessionId);
|
||||||
AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessions().get(clientUUID);
|
AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessions().get(clientUUID);
|
||||||
|
|
||||||
clientSession.setAction(AuthenticatedClientSessionModel.Action.CODE_TO_TOKEN.name());
|
clientSession.setAction(AuthenticatedClientSessionModel.Action.LOGGED_OUT.name());
|
||||||
clientSession.setNote("foo", "bar");
|
clientSession.setNote("foo", "bar");
|
||||||
|
|
||||||
AuthenticatedClientSessionModel updated = session.sessions().getUserSession(realm, userSessionId).getAuthenticatedClientSessions().get(clientUUID);
|
AuthenticatedClientSessionModel updated = session.sessions().getUserSession(realm, userSessionId).getAuthenticatedClientSessions().get(clientUUID);
|
||||||
assertEquals(AuthenticatedClientSessionModel.Action.CODE_TO_TOKEN.name(), updated.getAction());
|
assertEquals(AuthenticatedClientSessionModel.Action.LOGGED_OUT.name(), updated.getAction());
|
||||||
assertEquals("bar", updated.getNote("foo"));
|
assertEquals("bar", updated.getNote("foo"));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue