From b68494b3f0090ac8d7257a4d3a126bbb42b0cd38 Mon Sep 17 00:00:00 2001
From: Pedro Igor
Date: Thu, 18 May 2017 09:57:12 -0300
Subject: [PATCH] [KEYCLOAK-4927] - Authz client incompatible with client definition

---
 .../BearerTokenPolicyEnforcer.java | 8 +--
 .../KeycloakAdapterPolicyEnforcer.java | 4 +-
 .../authorization/client/Configuration.java | 53 +++++-------------
 .../src/main/webapp/WEB-INF/keycloak.json | 11 ++--
 4 files changed, 23 insertions(+), 53 deletions(-)

diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/BearerTokenPolicyEnforcer.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/BearerTokenPolicyEnforcer.java
index 0cdfab949c..f2555d4414 100644
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/BearerTokenPolicyEnforcer.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/BearerTokenPolicyEnforcer.java
@@ -17,6 +17,8 @@
  */
 package org.keycloak.adapters.authorization;
 
+import java.util.Set;
+
 import org.jboss.logging.Logger;
 import org.keycloak.adapters.OIDCHttpFacade;
 import org.keycloak.adapters.spi.HttpFacade;
@@ -26,8 +28,6 @@ import org.keycloak.authorization.client.resource.PermissionResource;
 import org.keycloak.authorization.client.resource.ProtectionResource;
 import org.keycloak.representations.adapters.config.PolicyEnforcerConfig.PathConfig;
 
-import java.util.Set;
-
 /**
  * @author Pedro Igor
  */
@@ -52,7 +52,7 @@ public class BearerTokenPolicyEnforcer extends AbstractPolicyEnforcer {
     private void challengeEntitlementAuthentication(OIDCHttpFacade facade) {
         HttpFacade.Response response = facade.getResponse();
         AuthzClient authzClient = getAuthzClient();
-        String clientId = authzClient.getConfiguration().getClientId();
+        String clientId = authzClient.getConfiguration().getResource();
         String authorizationServerUri = authzClient.getServerConfiguration().getIssuer().toString() + "/authz/entitlement";
         response.setStatus(401);
         response.setHeader("WWW-Authenticate", "KC_ETT realm=\"" + clientId + "\",as_uri=\"" + authorizationServerUri + "\"");
@@ -65,7 +65,7 @@ public class BearerTokenPolicyEnforcer extends AbstractPolicyEnforcer {
         HttpFacade.Response response = facade.getResponse();
         AuthzClient authzClient = getAuthzClient();
         String ticket = getPermissionTicket(pathConfig, requiredScopes, authzClient);
-        String clientId = authzClient.getConfiguration().getClientId();
+        String clientId = authzClient.getConfiguration().getResource();
         String authorizationServerUri = authzClient.getServerConfiguration().getIssuer().toString() + "/authz/authorize";
         response.setStatus(401);
         response.setHeader("WWW-Authenticate", "UMA realm=\"" + clientId + "\",as_uri=\"" + authorizationServerUri + "\",ticket=\"" + ticket + "\"");
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/KeycloakAdapterPolicyEnforcer.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/KeycloakAdapterPolicyEnforcer.java
index 316a39d41e..0dbddd4b47 100644
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/KeycloakAdapterPolicyEnforcer.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/KeycloakAdapterPolicyEnforcer.java
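Review bot: `clientId` is concatenated unescaped into the quoted `realm` parameter of the `WWW-Authenticate` header in both hunks of this file (the `KC_ETT` challenge and the `UMA` challenge), and the value now comes from `getResource()`, which is null when the adapter configuration has no `resource` entry, so the challenge then reads `realm="null"`. Because the value is read from the adapter's own configuration rather than from the request this is a robustness issue, not an injection vector, but a client id containing `"` or CR/LF would still yield a malformed or split header that clients reject. A single check where the configuration is loaded, e.g. `if (clientId == null || !clientId.chars().allMatch(c -> c > 0x20 && c < 0x7f && c != '"')) { throw new IllegalStateException("Invalid client id in adapter configuration"); }`, keeps both challenge builders simple. The second hunk's enclosing method starts outside the hunk.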
@@ -127,7 +127,7 @@ public class KeycloakAdapterPolicyEnforcer extends AbstractPolicyEnforcer {
         AccessToken token = httpFacade.getSecurityContext().getToken();
 
         if (token.getAuthorization() == null) {
-            EntitlementResponse authzResponse = authzClient.entitlement(accessToken).getAll(authzClient.getConfiguration().getClientId());
+            EntitlementResponse authzResponse = authzClient.entitlement(accessToken).getAll(authzClient.getConfiguration().getResource());
             return AdapterRSATokenVerifier.verifyToken(authzResponse.getRpt(), deployment);
         } else {
             EntitlementRequest request = new EntitlementRequest();
@@ -137,7 +137,7 @@ public class KeycloakAdapterPolicyEnforcer extends AbstractPolicyEnforcer {
             permissionRequest.setScopes(new HashSet<>(pathConfig.getScopes()));
             LOGGER.debugf("Sending entitlements request: resource_set_id [%s], resource_set_name [%s], scopes [%s].", permissionRequest.getResourceSetId(), permissionRequest.getResourceSetName(), permissionRequest.getScopes());
             request.addPermission(permissionRequest);
-            EntitlementResponse authzResponse = authzClient.entitlement(accessToken).get(authzClient.getConfiguration().getClientId(), request);
+            EntitlementResponse authzResponse = authzClient.entitlement(accessToken).get(authzClient.getConfiguration().getResource(), request);
             return AdapterRSATokenVerifier.verifyToken(authzResponse.getRpt(), deployment);
         }
     }
diff --git a/authz/client/src/main/java/org/keycloak/authorization/client/Configuration.java b/authz/client/src/main/java/org/keycloak/authorization/client/Configuration.java
index 835c830b91..647891ff4a 100644
--- a/authz/client/src/main/java/org/keycloak/authorization/client/Configuration.java
+++ b/authz/client/src/main/java/org/keycloak/authorization/client/Configuration.java
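Review bot: Both hunks in this file resolve the client id inline as `authzClient.getConfiguration().getResource()`, as do the two hunks in BearerTokenPolicyEnforcer, so the adapter now has four call sites that must agree on where the client id comes from and on how a missing value is treated. If both enforcers obtain `authzClient` from `getAuthzClient()` on the shared base class (the local here is declared outside the hunk, so that is an assumption), a single accessor there, e.g. `protected String getClientId() { return getAuthzClient().getConfiguration().getResource(); }`, would give one place to document and, if desired, validate the value. The enclosing method begins before the first hunk and the class continues after the second.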
@@ -17,44 +17,33 @@
  */
 package org.keycloak.authorization.client;
 
-import com.fasterxml.jackson.annotation.JsonIgnore;
-import com.fasterxml.jackson.annotation.JsonProperty;
-import org.apache.http.client.HttpClient;
-import org.apache.http.impl.client.HttpClients;
-import org.keycloak.util.BasicAuthHelper;
-
 import java.util.HashMap;
 import java.util.Map;
 
+import org.apache.http.client.HttpClient;
+import org.apache.http.impl.client.HttpClients;
+import org.keycloak.representations.adapters.config.AdapterConfig;
+import org.keycloak.util.BasicAuthHelper;
+import com.fasterxml.jackson.annotation.JsonIgnore;
+
 /**
  * @author Pedro Igor
  */
-public class Configuration {
+public class Configuration extends AdapterConfig {
 
     @JsonIgnore
     private HttpClient httpClient;
 
-    @JsonProperty("auth-server-url")
-    protected String authServerUrl;
-
-    @JsonProperty("realm")
-    protected String realm;
-
-    @JsonProperty("resource")
-    protected String clientId;
-
-    @JsonProperty("credentials")
-    protected Map clientCredentials = new HashMap<>();
-
     public Configuration() {
 
     }
 
     public Configuration(String authServerUrl, String realm, String clientId, Map clientCredentials, HttpClient httpClient) {
-        this.authServerUrl = authServerUrl;
-        this.realm = realm;
-        this.clientId = clientId;
-        this.clientCredentials = clientCredentials;
+        setAuthServerUrl(authServerUrl);
+        setRealm(realm);
+        setResource(clientId);
+        setCredentials(clientCredentials);
         this.httpClient = httpClient;
     }
 
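Review bot: The new constructor forwards `authServerUrl`, `realm`, `clientId` and `clientCredentials` to the inherited setters without validating any of them, so a null client id or credentials map is only discovered later, inside `configureClientCredentials`, as a NullPointerException or as a Basic Authorization header built for the literal client `null`. Failing fast here is cheap, e.g. `setResource(Objects.requireNonNull(clientId, "clientId"));` and `setCredentials(clientCredentials == null ? new HashMap<>() : clientCredentials);` (the old field default of an empty map is gone with this change, and whether `AdapterConfig` supplies one is not visible here). Now that `Configuration` extends `AdapterConfig`, the JSON this class reads accepts the whole adapter schema, so the class Javadoc should state which inherited settings (for example `ssl-required`, seen in the example keycloak.json) the authz client actually honours, otherwise users will assume they apply. The class body continues past this hunk.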
@@ -62,13 +51,13 @@ public class Configuration {
     private ClientAuthenticator clientAuthenticator = new ClientAuthenticator() {
         @Override
         public void configureClientCredentials(HashMap requestParams, HashMap requestHeaders) {
-            String secret = (String) clientCredentials.get("secret");
+            String secret = (String) getCredentials().get("secret");
 
             if (secret == null) {
                 throw new RuntimeException("Client secret not provided.");
             }
 
-            requestHeaders.put("Authorization", BasicAuthHelper.createHeader(clientId, secret));
+            requestHeaders.put("Authorization", BasicAuthHelper.createHeader(getResource(), secret));
         }
     };
 
@@ -80,23 +69,7 @@ public class Configuration {
         return httpClient;
     }
 
-    public String getClientId() {
-        return clientId;
-    }
-
-    public String getAuthServerUrl() {
-        return authServerUrl;
-    }
-
     public ClientAuthenticator getClientAuthenticator() {
         return this.clientAuthenticator;
     }
-
-    public Map getClientCredentials() {
-        return clientCredentials;
-    }
-
-    public String getRealm() {
-        return realm;
-    }
 }
diff --git a/examples/authz/servlet-authz/src/main/webapp/WEB-INF/keycloak.json b/examples/authz/servlet-authz/src/main/webapp/WEB-INF/keycloak.json
index f6b9c90927..7983fa39f1 100644
--- a/examples/authz/servlet-authz/src/main/webapp/WEB-INF/keycloak.json
+++ b/examples/authz/servlet-authz/src/main/webapp/WEB-INF/keycloak.json
@@ -1,13 +1,10 @@
 {
   "realm": "servlet-authz",
-  "auth-server-url" : "http://localhost:8080/auth",
-  "ssl-required" : "external",
-  "resource" : "servlet-authz-app",
-  "public-client" : false,
+  "auth-server-url": "http://localhost:8080/auth",
+  "ssl-required": "external",
+  "resource": "servlet-authz-app",
   "credentials": {
     "secret": "secret"
   },
-  "policy-enforcer": {
-    "on-deny-redirect-to" : "/servlet-authz-app/accessDenied.jsp"
-  }
+  "policy-enforcer": {}
 }
\ No newline at end of file
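Review bot: `getCredentials().get("secret")` throws a NullPointerException instead of the intended `RuntimeException("Client secret not provided.")` whenever the inherited credentials map is null; the constructor in the previous hunk stores whatever the caller passes, and whether `AdapterConfig` initialises the field to an empty map is not visible in this diff. Guarding the lookup, `Map credentials = getCredentials(); Object secret = credentials == null ? null : credentials.get("secret");` and replacing the unchecked `(String)` cast with an `instanceof String` test before building the header, keeps the failure message meaningful and also avoids a ClassCastException should the credentials section ever carry a non-string `secret` entry. The same null consideration applies to `getResource()` on the `BasicAuthHelper.createHeader` line, which would otherwise silently authenticate as the literal client `null`.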