[KEYCLOAK-4927] - Authz client incompatible with client definition

Pedro Igor 2017-05-18 09:57:12 -03:00
parent 39afd4a020
commit b68494b3f0
4 changed files with 23 additions and 53 deletions


@ -17,6 +17,8 @@
*/ */
package org.keycloak.adapters.authorization; package org.keycloak.adapters.authorization;
import java.util.Set;
import org.jboss.logging.Logger; import org.jboss.logging.Logger;
import org.keycloak.adapters.OIDCHttpFacade; import org.keycloak.adapters.OIDCHttpFacade;
import org.keycloak.adapters.spi.HttpFacade; import org.keycloak.adapters.spi.HttpFacade;
@ -26,8 +28,6 @@ import org.keycloak.authorization.client.resource.PermissionResource;
import org.keycloak.authorization.client.resource.ProtectionResource; import org.keycloak.authorization.client.resource.ProtectionResource;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig.PathConfig; import org.keycloak.representations.adapters.config.PolicyEnforcerConfig.PathConfig;
import java.util.Set;
/** /**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a> * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/ */
@ -52,7 +52,7 @@ public class BearerTokenPolicyEnforcer extends AbstractPolicyEnforcer {
private void challengeEntitlementAuthentication(OIDCHttpFacade facade) { private void challengeEntitlementAuthentication(OIDCHttpFacade facade) {
HttpFacade.Response response = facade.getResponse(); HttpFacade.Response response = facade.getResponse();
AuthzClient authzClient = getAuthzClient(); AuthzClient authzClient = getAuthzClient();
String clientId = authzClient.getConfiguration().getClientId(); String clientId = authzClient.getConfiguration().getResource();
String authorizationServerUri = authzClient.getServerConfiguration().getIssuer().toString() + "/authz/entitlement"; String authorizationServerUri = authzClient.getServerConfiguration().getIssuer().toString() + "/authz/entitlement";
response.setStatus(401); response.setStatus(401);
response.setHeader("WWW-Authenticate", "KC_ETT realm=\"" + clientId + "\",as_uri=\"" + authorizationServerUri + "\""); response.setHeader("WWW-Authenticate", "KC_ETT realm=\"" + clientId + "\",as_uri=\"" + authorizationServerUri + "\"");
@ -65,7 +65,7 @@ public class BearerTokenPolicyEnforcer extends AbstractPolicyEnforcer {
HttpFacade.Response response = facade.getResponse(); HttpFacade.Response response = facade.getResponse();
AuthzClient authzClient = getAuthzClient(); AuthzClient authzClient = getAuthzClient();
String ticket = getPermissionTicket(pathConfig, requiredScopes, authzClient); String ticket = getPermissionTicket(pathConfig, requiredScopes, authzClient);
String clientId = authzClient.getConfiguration().getClientId(); String clientId = authzClient.getConfiguration().getResource();
String authorizationServerUri = authzClient.getServerConfiguration().getIssuer().toString() + "/authz/authorize"; String authorizationServerUri = authzClient.getServerConfiguration().getIssuer().toString() + "/authz/authorize";
response.setStatus(401); response.setStatus(401);
response.setHeader("WWW-Authenticate", "UMA realm=\"" + clientId + "\",as_uri=\"" + authorizationServerUri + "\",ticket=\"" + ticket + "\""); response.setHeader("WWW-Authenticate", "UMA realm=\"" + clientId + "\",as_uri=\"" + authorizationServerUri + "\",ticket=\"" + ticket + "\"");
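Review bot: The new `getResource()` value is concatenated straight into the `WWW-Authenticate` header at both call sites with no null check, so an adapter config that omits `resource` produces `realm="null"` rather than a configuration error. The removed `getClientId()` was backed by the same `resource` JSON property, so this is not a regression, but now that the field comes from AdapterConfig it is worth failing fast: `String clientId = Objects.requireNonNull(authzClient.getConfiguration().getResource(), "resource (client id) missing from adapter configuration");` (needs `java.util.Objects`). The local is also named `clientId` while it is emitted as the RFC 7235 `realm` parameter; a comment such as `// the challenge's realm parameter carries the client id, not the Keycloak realm` would spare the next reader a double-take. Both `challengeEntitlementAuthentication` and the second challenge method begin or end outside the visible hunks.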


@ -127,7 +127,7 @@ public class KeycloakAdapterPolicyEnforcer extends AbstractPolicyEnforcer {
AccessToken token = httpFacade.getSecurityContext().getToken(); AccessToken token = httpFacade.getSecurityContext().getToken();
if (token.getAuthorization() == null) { if (token.getAuthorization() == null) {
EntitlementResponse authzResponse = authzClient.entitlement(accessToken).getAll(authzClient.getConfiguration().getClientId()); EntitlementResponse authzResponse = authzClient.entitlement(accessToken).getAll(authzClient.getConfiguration().getResource());
return AdapterRSATokenVerifier.verifyToken(authzResponse.getRpt(), deployment); return AdapterRSATokenVerifier.verifyToken(authzResponse.getRpt(), deployment);
} else { } else {
EntitlementRequest request = new EntitlementRequest(); EntitlementRequest request = new EntitlementRequest();
@ -137,7 +137,7 @@ public class KeycloakAdapterPolicyEnforcer extends AbstractPolicyEnforcer {
permissionRequest.setScopes(new HashSet<>(pathConfig.getScopes())); permissionRequest.setScopes(new HashSet<>(pathConfig.getScopes()));
LOGGER.debugf("Sending entitlements request: resource_set_id [%s], resource_set_name [%s], scopes [%s].", permissionRequest.getResourceSetId(), permissionRequest.getResourceSetName(), permissionRequest.getScopes()); LOGGER.debugf("Sending entitlements request: resource_set_id [%s], resource_set_name [%s], scopes [%s].", permissionRequest.getResourceSetId(), permissionRequest.getResourceSetName(), permissionRequest.getScopes());
request.addPermission(permissionRequest); request.addPermission(permissionRequest);
EntitlementResponse authzResponse = authzClient.entitlement(accessToken).get(authzClient.getConfiguration().getClientId(), request); EntitlementResponse authzResponse = authzClient.entitlement(accessToken).get(authzClient.getConfiguration().getResource(), request);
return AdapterRSATokenVerifier.verifyToken(authzResponse.getRpt(), deployment); return AdapterRSATokenVerifier.verifyToken(authzResponse.getRpt(), deployment);
} }
} }
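Review bot: Both branches repeat `authzClient.getConfiguration().getResource()` and the identical `AdapterRSATokenVerifier.verifyToken(authzResponse.getRpt(), deployment)` call, and neither guards against the resource being null now that it is read from the inherited AdapterConfig field. Hoisting it above the `if` — `String clientId = Objects.requireNonNull(authzClient.getConfiguration().getResource(), "resource missing from adapter configuration");` — and passing `clientId` to `getAll` and `get` removes the duplication and surfaces a misconfiguration before any entitlement request leaves the adapter. The enclosing method starts before the hunk, and what `verifyToken` validates beyond the signature is not visible here, so the RPT checks themselves are not assessed by this note.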


@ -17,44 +17,33 @@
*/ */
package org.keycloak.authorization.client; package org.keycloak.authorization.client;
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonProperty;
import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.HttpClients;
import org.keycloak.util.BasicAuthHelper;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.HttpClients;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.keycloak.util.BasicAuthHelper;
import com.fasterxml.jackson.annotation.JsonIgnore;
/** /**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a> * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/ */
public class Configuration { public class Configuration extends AdapterConfig {
@JsonIgnore @JsonIgnore
private HttpClient httpClient; private HttpClient httpClient;
@JsonProperty("auth-server-url")
protected String authServerUrl;
@JsonProperty("realm")
protected String realm;
@JsonProperty("resource")
protected String clientId;
@JsonProperty("credentials")
protected Map<String, Object> clientCredentials = new HashMap<>();
public Configuration() { public Configuration() {
} }
public Configuration(String authServerUrl, String realm, String clientId, Map<String, Object> clientCredentials, HttpClient httpClient) { public Configuration(String authServerUrl, String realm, String clientId, Map<String, Object> clientCredentials, HttpClient httpClient) {
this.authServerUrl = authServerUrl; this.authServerUrl = authServerUrl;
this.realm = realm; setAuthServerUrl(authServerUrl);
this.clientId = clientId; setRealm(realm);
this.clientCredentials = clientCredentials; setResource(clientId);
setCredentials(clientCredentials);
this.httpClient = httpClient; this.httpClient = httpClient;
} }
@ -62,13 +51,13 @@ public class Configuration {
private ClientAuthenticator clientAuthenticator = new ClientAuthenticator() { private ClientAuthenticator clientAuthenticator = new ClientAuthenticator() {
@Override @Override
public void configureClientCredentials(HashMap<String, String> requestParams, HashMap<String, String> requestHeaders) { public void configureClientCredentials(HashMap<String, String> requestParams, HashMap<String, String> requestHeaders) {
String secret = (String) clientCredentials.get("secret"); String secret = (String) getCredentials().get("secret");
if (secret == null) { if (secret == null) {
throw new RuntimeException("Client secret not provided."); throw new RuntimeException("Client secret not provided.");
} }
requestHeaders.put("Authorization", BasicAuthHelper.createHeader(clientId, secret)); requestHeaders.put("Authorization", BasicAuthHelper.createHeader(getResource(), secret));
} }
}; };
@ -80,23 +69,7 @@ public class Configuration {
return httpClient; return httpClient;
} }
public String getClientId() {
return clientId;
}
public String getAuthServerUrl() {
return authServerUrl;
}
public ClientAuthenticator getClientAuthenticator() { public ClientAuthenticator getClientAuthenticator() {
return this.clientAuthenticator; return this.clientAuthenticator;
} }
public Map<String, Object> getClientCredentials() {
return clientCredentials;
}
public String getRealm() {
return realm;
}
} }
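Review bot: `configureClientCredentials` now dereferences `getCredentials()` with no null check, while the removed field was initialised to `new HashMap<>()` and the rewritten constructor passes the caller's map straight to `setCredentials` (what the no-arg path defaults to lives in AdapterConfig, outside this view). A null map therefore surfaces as a NullPointerException instead of the intended `Client secret not provided.`, and because the map is `Map<String, Object>` a non-String `secret` entry becomes a ClassCastException at the cast; the rewrite below reads the map once, treats null and non-String values as "not provided", and only casts after the `instanceof` check. Separately, extending AdapterConfig means any TLS or truststore settings that config format defines are now accepted on this object, yet `httpClient` is an opaque injected field (the `HttpClients` import suggests a default client is built somewhere outside the hunk), so such settings would be silently ignored — a comment on the field stating that it is not derived from the inherited properties would prevent a false sense of security. The constructor also calls the overridable setters `setAuthServerUrl`/`setRealm`/`setResource`/`setCredentials`, which is fine for a leaf class but would need the class or those methods to be `final` to stay safe under subclassing.
```java
public void configureClientCredentials(HashMap<String, String> requestParams, HashMap<String, String> requestHeaders) {
    Map<String, Object> creds = getCredentials();
    // credentials may be absent or hold a non-String entry (e.g. a jwt block); both mean "no secret"
    Object secret = creds == null ? null : creds.get("secret");
    if (!(secret instanceof String)) {
        throw new RuntimeException("Client secret not provided.");
    }
    requestHeaders.put("Authorization", BasicAuthHelper.createHeader(getResource(), (String) secret));
}
```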


@ -1,13 +1,10 @@
{ {
"realm": "servlet-authz", "realm": "servlet-authz",
"auth-server-url" : "http://localhost:8080/auth", "auth-server-url": "http://localhost:8080/auth",
"ssl-required" : "external", "ssl-required": "external",
"resource" : "servlet-authz-app", "resource": "servlet-authz-app",
"public-client" : false,
"credentials": { "credentials": {
"secret": "secret" "secret": "secret"
}, },
"policy-enforcer": { "policy-enforcer": {}
"on-deny-redirect-to" : "/servlet-authz-app/accessDenied.jsp"
}
} }