diff --git a/server-spi-private/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantType.java b/server-spi-private/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantType.java
index 54bd71c33a..0f1b3d0780 100644
--- a/server-spi-private/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantType.java
+++ b/server-spi-private/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantType.java
@@ -50,28 +50,13 @@ public interface OAuth2GrantType extends Provider {
 */
 EventType getEventType();
- /**
- * Checks if the grant implementation supports the request.
- * The check will be performed after the initial matching against the "grant_type" parameter.
- * @param context grant request context
- * @return request supported
- */
- default boolean supports(Context context) {
- return true;
- }
- /**
- * Sets grant request context.
- * @param context grant request context
- */
- void setContext(Context context);
 /**
 * Processes grant request.
+ * @param context grant request context
 *
 * @return token response
 */
- Response process();
+ Response process(Context context);
 public static class Context {
 protected KeycloakSession session;
@@ -124,10 +109,6 @@ public interface OAuth2GrantType extends Provider {
 this.dPoP = context.dPoP;
 }
- public KeycloakSession getSession() {
- return session;
- }
 public void setFormParams(MultivaluedHashMap formParams) {
 this.formParams = formParams;
 }
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java
index aaa351cf19..7ff420da8d 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java
@@ -92,7 +92,6 @@ public class TokenEndpoint {
 private String grantType;
 private OAuth2GrantType grant;
- private OAuth2GrantType.Context context;
 private Cors cors;
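Review bot: With `supports(Context)` and `setContext(Context)` removed from the interface, the Javadoc on `process(Context)` is now the whole contract an external grant implementation sees, yet the added `@param` line says nothing about the lifetime of the context; since TokenEndpoint builds a fresh Context for every call, the tag should make that explicit, e.g. `* @param context grant request context, created per request by the caller; implementations should not cache it beyond this call`. The new `@param` is also inserted above the blank `*` line that separated the description from `@return`, so the tag block is split in two — placing it directly before `@return` keeps the tags contiguous. Dropping a default method and an abstract method from a public SPI interface is source-incompatible for third-party OAuth2GrantType providers, which is worth stating in the commit description if it is not already.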
@@ -136,10 +135,8 @@ public class TokenEndpoint {
 checkParameterDuplicated();
 }
- context = new OAuth2GrantType.Context(session, clientConfig, clientAuthAttributes, formParams, event, cors, tokenManager, dPoP);
-
- grant.setContext(context);
- return grant.process();
+ OAuth2GrantType.Context context = new OAuth2GrantType.Context(session, clientConfig, clientAuthAttributes, formParams, event, cors, tokenManager, dPoP);
+ return grant.process(context);
 }
 @Path("introspect")
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/grants/AuthorizationCodeGrantType.java b/services/src/main/java/org/keycloak/protocol/oidc/grants/AuthorizationCodeGrantType.java
index a91aad4080..df871a687d 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/grants/AuthorizationCodeGrantType.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/grants/AuthorizationCodeGrantType.java
@@ -59,7 +59,9 @@ public class AuthorizationCodeGrantType extends OAuth2GrantTypeBase {
 private static final Logger logger = Logger.getLogger(AuthorizationCodeGrantType.class);
 @Override
- public Response process() {
+ public Response process(Context context) {
+ setContext(context);
+
 checkAndRetrieveDPoPProof(Profile.isFeatureEnabled(Profile.Feature.DPOP));
 String code = formParams.getFirst(OAuth2Constants.CODE);
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/grants/ClientCredentialsGrantType.java b/services/src/main/java/org/keycloak/protocol/oidc/grants/ClientCredentialsGrantType.java
index ff3f216dc2..3435a23332 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/grants/ClientCredentialsGrantType.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/grants/ClientCredentialsGrantType.java
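Review bot: Every concrete grant now opens `process(Context context)` with the same `setContext(context);` line (here in AuthorizationCodeGrantType and likewise in ClientCredentialsGrantType, PermissionGrantType, RefreshTokenGrantType, ResourceOwnerPasswordCredentialsGrantType, TokenExchangeGrantType, CibaGrantType and DeviceGrantType), and nothing enforces that a future grant remembers it; a grant that forgets would read `client`, `realm`, `event` and `cors` as null, or, if a provider instance were ever reused, as values left over from an earlier request. A template method in OAuth2GrantTypeBase — `public final Response process(Context context) { setContext(context); return doProcess(); }` paired with `protected abstract Response doProcess();` — would put the call in one place and make the omission a compile error; it touches every grant, so I only flag it here. The body of `process` continues outside the hunk.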
@@ -60,7 +60,9 @@ public class ClientCredentialsGrantType extends OAuth2GrantTypeBase {
 private static final Logger logger = Logger.getLogger(ClientCredentialsGrantType.class);
 @Override
- public Response process() {
+ public Response process(Context context) {
+ setContext(context);
+
 if (client.isBearerOnly()) {
 event.error(Errors.INVALID_CLIENT);
 throw new CorsErrorResponseException(cors, OAuthErrorException.UNAUTHORIZED_CLIENT, "Bearer-only client not allowed to retrieve service account", Response.Status.UNAUTHORIZED);
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantTypeBase.java b/services/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantTypeBase.java
index e790c52757..a1c9fd8ee3 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantTypeBase.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantTypeBase.java
@@ -88,8 +88,7 @@ public abstract class OAuth2GrantTypeBase implements OAuth2GrantType {
 protected HttpResponse response;
 protected HttpHeaders headers;
- @Override
- public void setContext(Context context) {
+ protected void setContext(Context context) {
 this.context = context;
 this.session = context.session;
 this.realm = context.realm;
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/grants/PermissionGrantType.java b/services/src/main/java/org/keycloak/protocol/oidc/grants/PermissionGrantType.java
index 44dd8acc02..3f3742b5d1 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/grants/PermissionGrantType.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/grants/PermissionGrantType.java
@@ -49,7 +49,9 @@ import org.keycloak.services.managers.AppAuthManager;
 public class PermissionGrantType extends OAuth2GrantTypeBase {
 @Override
- public Response process() {
+ public Response process(Context context) {
+ setContext(context);
+
 event.detail(Details.AUTH_METHOD, "oauth_credentials");
 String accessTokenString = null;
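Review bot: `setContext` in OAuth2GrantTypeBase becomes a protected hook that every subclass's `process` calls first, but it still dereferences `context` on the very next line (`context.session`) without a guard and carries no Javadoc for the contract it now defines. A first statement `Objects.requireNonNull(context, "context");` turns a missing context into a failure that names the cause rather than a bare NullPointerException, and a Javadoc such as `/** Copies the request-scoped fields of {@code context} (session, realm, ...) into this instance; must be the first call in {@link #process(Context)}. */` records why the subclasses invoke it. Since the fields it fills are per-request and nothing in the base class resets them, the comment should also say whether a grant instance may be reused for a second request. The remainder of setContext's body, where `client`, `event` and `cors` are presumably assigned, lies outside the hunk.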
@@ -117,8 +119,7 @@ public class PermissionGrantType extends OAuth2GrantTypeBase {
 context.setClient(client);
 context.setClientConfig(clientConfig);
 context.setClientAuthAttributes(clientAuthAttributes);
- clientCredentialsGrant.setContext(context);
- accessTokenString = AccessTokenResponse.class.cast(clientCredentialsGrant.process().getEntity()).getToken();
+ accessTokenString = AccessTokenResponse.class.cast(clientCredentialsGrant.process(context).getEntity()).getToken();
 }
 }
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/grants/RefreshTokenGrantType.java b/services/src/main/java/org/keycloak/protocol/oidc/grants/RefreshTokenGrantType.java
index 800f07ae78..882e3c7620 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/grants/RefreshTokenGrantType.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/grants/RefreshTokenGrantType.java
@@ -49,7 +49,9 @@ public class RefreshTokenGrantType extends OAuth2GrantTypeBase {
 private static final Logger logger = Logger.getLogger(RefreshTokenGrantType.class);
 @Override
- public Response process() {
+ public Response process(Context context) {
+ setContext(context);
+
 checkAndRetrieveDPoPProof(Profile.isFeatureEnabled(Profile.Feature.DPOP));
 String refreshToken = formParams.getFirst(OAuth2Constants.REFRESH_TOKEN);
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/grants/ResourceOwnerPasswordCredentialsGrantType.java b/services/src/main/java/org/keycloak/protocol/oidc/grants/ResourceOwnerPasswordCredentialsGrantType.java
index 6c76315883..aca671b26d 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/grants/ResourceOwnerPasswordCredentialsGrantType.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/grants/ResourceOwnerPasswordCredentialsGrantType.java
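Review bot: The `context` handed to `clientCredentialsGrant.process(context)` is this permission grant's own request context, mutated in place by the three `context.set…` calls just above it, so the nested client-credentials grant and the outer grant now share one mutable object and the outer grant's client, clientConfig and clientAuthAttributes stay overwritten for the rest of the request; whether anything later in this method depends on the earlier values cannot be told from the hunk. If the overwrite is not intended, giving the nested grant its own copy isolates the two — the constructor in OAuth2GrantType.Context whose body ends with `this.dPoP = context.dPoP;` appears to be a copy constructor, so `OAuth2GrantType.Context nested = new OAuth2GrantType.Context(context);` followed by the three setters on `nested` would do it. The sharing predates this commit; the change only preserves it. The enclosing method starts outside the hunk.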
@@ -60,7 +60,9 @@ public class ResourceOwnerPasswordCredentialsGrantType extends OAuth2GrantTypeBa
 private static final Logger logger = Logger.getLogger(ResourceOwnerPasswordCredentialsGrantType.class);
 @Override
- public Response process() {
+ public Response process(Context context) {
+ setContext(context);
+
 event.detail(Details.AUTH_METHOD, "oauth_credentials");
 if (!client.isDirectAccessGrantsEnabled()) {
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/grants/TokenExchangeGrantType.java b/services/src/main/java/org/keycloak/protocol/oidc/grants/TokenExchangeGrantType.java
index 44deed6c2c..aecc471784 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/grants/TokenExchangeGrantType.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/grants/TokenExchangeGrantType.java
@@ -34,7 +34,9 @@ import org.keycloak.protocol.oidc.TokenExchangeProvider;
 public class TokenExchangeGrantType extends OAuth2GrantTypeBase {
 @Override
- public Response process() {
+ public Response process(Context context) {
+ setContext(context);
+
 event.detail(Details.AUTH_METHOD, "token_exchange");
 event.client(client);
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/grants/ciba/CibaGrantType.java b/services/src/main/java/org/keycloak/protocol/oidc/grants/ciba/CibaGrantType.java
index f43cc1f668..76cd724e38 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/grants/ciba/CibaGrantType.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/grants/ciba/CibaGrantType.java
@@ -109,7 +109,9 @@ public class CibaGrantType extends OAuth2GrantTypeBase {
 }
 @Override
- public Response process() {
+ public Response process(Context context) {
+ setContext(context);
+
 if (!realm.getCibaPolicy().isOIDCCIBAGrantEnabled(client)) {
 event.error(Errors.NOT_ALLOWED);
 throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT,
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/grants/device/DeviceGrantType.java b/services/src/main/java/org/keycloak/protocol/oidc/grants/device/DeviceGrantType.java
index 5a20506624..4105dc2de6 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/grants/device/DeviceGrantType.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/grants/device/DeviceGrantType.java
@@ -206,7 +206,9 @@ public class DeviceGrantType extends OAuth2GrantTypeBase {
 }
 @Override
- public Response process() {
+ public Response process(Context context) {
+ setContext(context);
+
 if (!realm.getOAuth2DeviceConfig().isOAuth2DeviceAuthorizationGrantEnabled(client)) {
 event.error(Errors.NOT_ALLOWED);
 throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_GRANT,