[KEYCLOAK-4927] - Authz client incompatible with client definition
This commit is contained in:
Pedro Igor
parent
39afd4a020
commit
b68494b3f0
4 changed files with 23 additions and 53 deletions
|
|
@ -17,6 +17,8 @@
|
|||
*/
|
||||
package org.keycloak.adapters.authorization;
|
||||
|
||||
import java.util.Set;
|
||||
|
||||
import org.jboss.logging.Logger;
|
||||
import org.keycloak.adapters.OIDCHttpFacade;
|
||||
import org.keycloak.adapters.spi.HttpFacade;
|
||||
|
|
@ -26,8 +28,6 @@ import org.keycloak.authorization.client.resource.PermissionResource;
|
|||
import org.keycloak.authorization.client.resource.ProtectionResource;
|
||||
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig.PathConfig;
|
||||
|
||||
import java.util.Set;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
||||
*/
|
||||
|
|
@ -52,7 +52,7 @@ public class BearerTokenPolicyEnforcer extends AbstractPolicyEnforcer {
|
|||
private void challengeEntitlementAuthentication(OIDCHttpFacade facade) {
|
||||
HttpFacade.Response response = facade.getResponse();
|
||||
AuthzClient authzClient = getAuthzClient();
|
||||
String clientId = authzClient.getConfiguration().getClientId();
|
||||
String clientId = authzClient.getConfiguration().getResource();
|
||||
String authorizationServerUri = authzClient.getServerConfiguration().getIssuer().toString() + "/authz/entitlement";
|
||||
response.setStatus(401);
|
||||
response.setHeader("WWW-Authenticate", "KC_ETT realm=\"" + clientId + "\",as_uri=\"" + authorizationServerUri + "\"");
|
||||
|
|
@ -65,7 +65,7 @@ public class BearerTokenPolicyEnforcer extends AbstractPolicyEnforcer {
|
|||
HttpFacade.Response response = facade.getResponse();
|
||||
AuthzClient authzClient = getAuthzClient();
|
||||
String ticket = getPermissionTicket(pathConfig, requiredScopes, authzClient);
|
||||
String clientId = authzClient.getConfiguration().getClientId();
|
||||
String clientId = authzClient.getConfiguration().getResource();
|
||||
String authorizationServerUri = authzClient.getServerConfiguration().getIssuer().toString() + "/authz/authorize";
|
||||
response.setStatus(401);
|
||||
response.setHeader("WWW-Authenticate", "UMA realm=\"" + clientId + "\",as_uri=\"" + authorizationServerUri + "\",ticket=\"" + ticket + "\"");
|
||||
|
|
|
|||
|
|
@ -127,7 +127,7 @@ public class KeycloakAdapterPolicyEnforcer extends AbstractPolicyEnforcer {
|
|||
AccessToken token = httpFacade.getSecurityContext().getToken();
|
||||
|
||||
if (token.getAuthorization() == null) {
|
||||
EntitlementResponse authzResponse = authzClient.entitlement(accessToken).getAll(authzClient.getConfiguration().getClientId());
|
||||
EntitlementResponse authzResponse = authzClient.entitlement(accessToken).getAll(authzClient.getConfiguration().getResource());
|
||||
return AdapterRSATokenVerifier.verifyToken(authzResponse.getRpt(), deployment);
|
||||
} else {
|
||||
EntitlementRequest request = new EntitlementRequest();
|
||||
|
|
@ -137,7 +137,7 @@ public class KeycloakAdapterPolicyEnforcer extends AbstractPolicyEnforcer {
|
|||
permissionRequest.setScopes(new HashSet<>(pathConfig.getScopes()));
|
||||
LOGGER.debugf("Sending entitlements request: resource_set_id [%s], resource_set_name [%s], scopes [%s].", permissionRequest.getResourceSetId(), permissionRequest.getResourceSetName(), permissionRequest.getScopes());
|
||||
request.addPermission(permissionRequest);
|
||||
EntitlementResponse authzResponse = authzClient.entitlement(accessToken).get(authzClient.getConfiguration().getClientId(), request);
|
||||
EntitlementResponse authzResponse = authzClient.entitlement(accessToken).get(authzClient.getConfiguration().getResource(), request);
|
||||
return AdapterRSATokenVerifier.verifyToken(authzResponse.getRpt(), deployment);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,44 +17,33 @@
|
|||
*/
|
||||
package org.keycloak.authorization.client;
|
||||
|
||||
import com.fasterxml.jackson.annotation.JsonIgnore;
|
||||
import com.fasterxml.jackson.annotation.JsonProperty;
|
||||
import org.apache.http.client.HttpClient;
|
||||
import org.apache.http.impl.client.HttpClients;
|
||||
import org.keycloak.util.BasicAuthHelper;
|
||||
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
import org.apache.http.client.HttpClient;
|
||||
import org.apache.http.impl.client.HttpClients;
|
||||
import org.keycloak.representations.adapters.config.AdapterConfig;
|
||||
import org.keycloak.util.BasicAuthHelper;
|
||||
import com.fasterxml.jackson.annotation.JsonIgnore;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
||||
*/
|
||||
public class Configuration {
|
||||
public class Configuration extends AdapterConfig {
|
||||
|
||||
@JsonIgnore
|
||||
private HttpClient httpClient;
|
||||
|
||||
@JsonProperty("auth-server-url")
|
||||
protected String authServerUrl;
|
||||
|
||||
@JsonProperty("realm")
|
||||
protected String realm;
|
||||
|
||||
@JsonProperty("resource")
|
||||
protected String clientId;
|
||||
|
||||
@JsonProperty("credentials")
|
||||
protected Map<String, Object> clientCredentials = new HashMap<>();
|
||||
|
||||
public Configuration() {
|
||||
|
||||
}
|
||||
|
||||
public Configuration(String authServerUrl, String realm, String clientId, Map<String, Object> clientCredentials, HttpClient httpClient) {
|
||||
this.authServerUrl = authServerUrl;
|
||||
this.realm = realm;
|
||||
this.clientId = clientId;
|
||||
this.clientCredentials = clientCredentials;
|
||||
setAuthServerUrl(authServerUrl);
|
||||
setRealm(realm);
|
||||
setResource(clientId);
|
||||
setCredentials(clientCredentials);
|
||||
this.httpClient = httpClient;
|
||||
}
|
||||
|
||||
|
|
@ -62,13 +51,13 @@ public class Configuration {
|
|||
private ClientAuthenticator clientAuthenticator = new ClientAuthenticator() {
|
||||
@Override
|
||||
public void configureClientCredentials(HashMap<String, String> requestParams, HashMap<String, String> requestHeaders) {
|
||||
String secret = (String) clientCredentials.get("secret");
|
||||
String secret = (String) getCredentials().get("secret");
|
||||
|
||||
if (secret == null) {
|
||||
throw new RuntimeException("Client secret not provided.");
|
||||
}
|
||||
|
||||
requestHeaders.put("Authorization", BasicAuthHelper.createHeader(clientId, secret));
|
||||
requestHeaders.put("Authorization", BasicAuthHelper.createHeader(getResource(), secret));
|
||||
}
|
||||
};
|
||||
|
||||
|
|
@ -80,23 +69,7 @@ public class Configuration {
|
|||
return httpClient;
|
||||
}
|
||||
|
||||
public String getClientId() {
|
||||
return clientId;
|
||||
}
|
||||
|
||||
public String getAuthServerUrl() {
|
||||
return authServerUrl;
|
||||
}
|
||||
|
||||
public ClientAuthenticator getClientAuthenticator() {
|
||||
return this.clientAuthenticator;
|
||||
}
|
||||
|
||||
public Map<String, Object> getClientCredentials() {
|
||||
return clientCredentials;
|
||||
}
|
||||
|
||||
public String getRealm() {
|
||||
return realm;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,13 +1,10 @@
|
|||
{
|
||||
"realm": "servlet-authz",
|
||||
"auth-server-url" : "http://localhost:8080/auth",
|
||||
"ssl-required" : "external",
|
||||
"resource" : "servlet-authz-app",
|
||||
"public-client" : false,
|
||||
"auth-server-url": "http://localhost:8080/auth",
|
||||
"ssl-required": "external",
|
||||
"resource": "servlet-authz-app",
|
||||
"credentials": {
|
||||
"secret": "secret"
|
||||
},
|
||||
"policy-enforcer": {
|
||||
"on-deny-redirect-to" : "/servlet-authz-app/accessDenied.jsp"
|
||||
}
|
||||
"policy-enforcer": {}
|
||||
}
|
||||
Loading…
Reference in a new issue