KEYCLOAK-3562

services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java

@@ -243,16 +243,19 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
             String preferredUsername = (String)idToken.getOtherClaims().get(IDToken.PREFERRED_USERNAME);
             String email = (String)idToken.getOtherClaims().get(IDToken.EMAIL);
 
-            if (getConfig().getUserInfoUrl() != null && (id == null || name == null || preferredUsername == null || email == null) ) {
-                SimpleHttp request = JsonSimpleHttp.doGet(getConfig().getUserInfoUrl())
-                        .header("Authorization", "Bearer " + accessToken);
-                JsonNode userInfo = JsonSimpleHttp.asJson(request);
+            if (!getConfig().isDisableUserInfoService()) {
+                String userInfoUrl = getUserInfoUrl();
+                if (userInfoUrl != null && (id == null || name == null || preferredUsername == null || email == null)) {
+                    SimpleHttp request = JsonSimpleHttp.doGet(userInfoUrl)
+                            .header("Authorization", "Bearer " + accessToken);
+                    JsonNode userInfo = JsonSimpleHttp.asJson(request);
 
-                id = getJsonProperty(userInfo, "sub");
-                name = getJsonProperty(userInfo, "name");
-                preferredUsername = getJsonProperty(userInfo, "preferred_username");
-                email = getJsonProperty(userInfo, "email");
-                AbstractJsonUserAttributeMapper.storeUserProfileForMapper(identity, userInfo, getConfig().getAlias());
+                    id = getJsonProperty(userInfo, "sub");
+                    name = getJsonProperty(userInfo, "name");
+                    preferredUsername = getJsonProperty(userInfo, "preferred_username");
+                    email = getJsonProperty(userInfo, "email");
+                    AbstractJsonUserAttributeMapper.storeUserProfileForMapper(identity, userInfo, getConfig().getAlias());
+                }
             }
             identity.getContextData().put(FEDERATED_ACCESS_TOKEN_RESPONSE, tokenResponse);
             identity.getContextData().put(VALIDATED_ID_TOKEN, idToken);
@@ -287,6 +290,11 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
         }
     }
 
+    protected String getUserInfoUrl() {
+        return getConfig().getUserInfoUrl();
+    }
+
+
     private String verifyAccessToken(AccessTokenResponse tokenResponse) {
         String accessToken = tokenResponse.getToken();
 

services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderConfig.java

@@ -93,6 +93,15 @@ public class OIDCIdentityProviderConfig extends OAuth2IdentityProviderConfig {
         getConfig().put("backchannelSupported", String.valueOf(backchannel));
     }
 
+    public boolean isDisableUserInfoService() {
+        String disableUserInfo = getConfig().get("disableUserInfo");
+        return disableUserInfo == null ? false : Boolean.valueOf(disableUserInfo);
+    }
+
+    public void setDisableUserInfoService(boolean disable) {
+        getConfig().put("disableUserInfo", String.valueOf(disable));
+    }
+
 
 
 

services/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java

@@ -16,9 +16,12 @@
  */
 package org.keycloak.social.google;
 
+import org.jboss.resteasy.spi.ResteasyProviderFactory;
 import org.keycloak.broker.oidc.OIDCIdentityProvider;
 import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
 import org.keycloak.broker.social.SocialIdentityProvider;
+import org.keycloak.common.ClientConnection;
+import org.keycloak.common.util.KeycloakUriBuilder;
 import org.keycloak.models.KeycloakSession;
 
 /**
@@ -31,7 +34,7 @@ public class GoogleIdentityProvider extends OIDCIdentityProvider implements Soci
     public static final String PROFILE_URL = "https://www.googleapis.com/plus/v1/people/me/openIdConnect";
     public static final String DEFAULT_SCOPE = "openid profile email";
 
-    public GoogleIdentityProvider(KeycloakSession session, OIDCIdentityProviderConfig config) {
+    public GoogleIdentityProvider(KeycloakSession session, GoogleIdentityProviderConfig config) {
         super(session, config);
         config.setAuthorizationUrl(AUTH_URL);
         config.setTokenUrl(TOKEN_URL);
@@ -42,4 +45,19 @@ public class GoogleIdentityProvider extends OIDCIdentityProvider implements Soci
     protected String getDefaultScopes() {
         return DEFAULT_SCOPE;
     }
+
+    @Override
+    protected String getUserInfoUrl() {
+        String uri = super.getUserInfoUrl();
+        if (((GoogleIdentityProviderConfig)getConfig()).isUserIp()) {
+            ClientConnection connection = ResteasyProviderFactory.getContextData(ClientConnection.class);
+            if (connection != null) {
+                uri = KeycloakUriBuilder.fromUri(super.getUserInfoUrl()).queryParam("userIp", connection.getRemoteAddr()).build().toString();
+            }
+
+        }
+        logger.debugv("GOOGLE userInfoUrl: {0}", uri);
+        return uri;
+    }
+
 }

services/src/main/java/org/keycloak/social/google/GoogleIdentityProviderConfig.java

@@ -0,0 +1,41 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.social.google;
+
+import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
+import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
+import org.keycloak.models.IdentityProviderModel;
+
+/**
+ * @author Vlastimil Elias (velias at redhat dot com)
+ */
+public class GoogleIdentityProviderConfig extends OIDCIdentityProviderConfig {
+
+    public GoogleIdentityProviderConfig(IdentityProviderModel model) {
+        super(model);
+    }
+
+    public boolean isUserIp() {
+        String userIp = getConfig().get("userIp");
+        return userIp == null ? false : Boolean.valueOf(userIp);
+    }
+
+    public void setUserIp(boolean ip) {
+        getConfig().put("userIp", String.valueOf(ip));
+    }
+
+}

services/src/main/java/org/keycloak/social/google/GoogleIdentityProviderFactory.java

@@ -36,7 +36,7 @@ public class GoogleIdentityProviderFactory extends AbstractIdentityProviderFacto
 
     @Override
     public GoogleIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
-        return new GoogleIdentityProvider(session, new OIDCIdentityProviderConfig(model));
+        return new GoogleIdentityProvider(session, new GoogleIdentityProviderConfig(model));
     }
 
     @Override

testsuite/integration/src/test/java/org/keycloak/testsuite/adapter/AdapterTest.java

@@ -91,6 +91,11 @@ public class AdapterTest {
     @Rule
     public AdapterTestStrategy testStrategy = new AdapterTestStrategy("http://localhost:8081/auth", "http://localhost:8081", keycloakRule);
 
+    @Test
+    public void testIDE() throws Exception {
+        Thread.sleep(100000000);
+    }
+
     @Test
     public void testLoginSSOAndLogout() throws Exception {
         testStrategy.testLoginSSOMax();

themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties

@@ -434,6 +434,10 @@ store-tokens=Store Tokens
 identity-provider.store-tokens.tooltip=Enable/disable if tokens must be stored after authenticating users.
 stored-tokens-readable=Stored Tokens Readable
 identity-provider.stored-tokens-readable.tooltip=Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
+disableUserInfo=Disable User Info
+identity-provider.disableUserInfo.tooltip=Disable usage of User Info service to obtain additional user information?  Default is to use this OIDC service.
+userIp=Use userIp Param
+identity-provider.google-userIp.tooltip=Set 'userIp' query parameter when invoking on Google's User Info service.  This will use the user's ip address.  Useful if Google is throttling access to the User Info service.
 update-profile-on-first-login=Update Profile on First Login
 on=On
 on-missing-info=On missing info

themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-google-ext.html

@@ -0,0 +1,7 @@
+<div class="form-group">
+    <label class="col-md-2 control-label" for="userIp">{{:: 'userIp' | translate}}</label>
+    <div class="col-md-6">
+        <input ng-model="identityProvider.config.userIp" id="userIp" onoffswitchvalue on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
+    </div>
+    <kc-tooltip>{{:: 'identity-provider.google-userIp.tooltip' | translate}}</kc-tooltip>
+</div>

themes/src/main/resources/theme/base/admin/resources/partials/realm-identity-provider-social.html

@@ -64,6 +64,13 @@
                 </div>
                 <kc-tooltip>{{:: 'identity-provider.enabled.tooltip' | translate}}</kc-tooltip>
             </div>
+            <div class="form-group">
+                <label class="col-md-2 control-label" for="disableUserInfo">{{:: 'disableUserInfo' | translate}}</label>
+                <div class="col-md-6">
+                    <input ng-model="identityProvider.config.disableUserInfo" id="disableUserInfo" onoffswitchvalue on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
+                </div>
+                <kc-tooltip>{{:: 'identity-provider.disableUserInfo.tooltip' | translate}}</kc-tooltip>
+            </div>
             <div class="form-group">
                 <label class="col-md-2 control-label" for="trustEmail">{{:: 'trust-email' | translate}}</label>
                 <div class="col-md-6">