libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

Revert dynamic grant type resolution

Browse source
This commit is contained in:
Dmitry Telegin 2024-02-20 05:40:22 +00:00 committed by Pedro Igor
parent 5f04ce310a
commit c73516ba5b
12 changed files with 58 additions and 182 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

110
server-spi-private/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantManager.java
View file

@ -1,110 +0,0 @@
/*
* Copyright 2024 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.protocol.oidc.grants;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.keycloak.OAuth2Constants;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.events.EventType;
/**
* A class to register and resolve OAuth 2.0 Grant Type implementations
*
* @author <a href="mailto:demetrio@carretti.pro">Dmitry Telegin</a>
*/
public class OAuth2GrantManager {
private static final MultivaluedHashMap<String, OAuth2GrantType> GRANT_TYPE_MAP = new MultivaluedHashMap<>();
private static final Map<String, EventType> EVENT_TYPE_MAP = new HashMap<>();
static {
EVENT_TYPE_MAP.put(OAuth2Constants.AUTHORIZATION_CODE, EventType.CODE_TO_TOKEN);
EVENT_TYPE_MAP.put(OAuth2Constants.REFRESH_TOKEN, EventType.REFRESH_TOKEN);
EVENT_TYPE_MAP.put(OAuth2Constants.PASSWORD, EventType.LOGIN);
EVENT_TYPE_MAP.put(OAuth2Constants.CLIENT_CREDENTIALS, EventType.CLIENT_LOGIN);
EVENT_TYPE_MAP.put(OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE, EventType.TOKEN_EXCHANGE);
EVENT_TYPE_MAP.put(OAuth2Constants.UMA_GRANT_TYPE, EventType.PERMISSION_TOKEN);
EVENT_TYPE_MAP.put(OAuth2Constants.CIBA_GRANT_TYPE, EventType.AUTHREQID_TO_TOKEN);
EVENT_TYPE_MAP.put(OAuth2Constants.DEVICE_CODE_GRANT_TYPE, EventType.OAUTH2_DEVICE_CODE_TO_TOKEN);
}
/**
* Register OAuth 2.0 grant type
* @param grant grant type to register
*/
public static void register(OAuth2GrantType grant) {
GRANT_TYPE_MAP.add(grant.getGrantType(), grant);
}
/**
* Resolve grant type implementation from grant type and request context
* @param grantType grant type
* @param context grant request context
* @return grant type implementation
*/
public static Optional<OAuth2GrantType> resolve(String grantType, OAuth2GrantType.Context context) {
return resolve(resolve(grantType), context);
}
/**
* Return registered implementations for the given grant type
* @param grantType grant type
* @return list of implementations
*/
public static List<OAuth2GrantType> resolve(String grantType) {
return GRANT_TYPE_MAP.get(grantType);
}
/**
* Select the "best" grant type implementation from a list of candidates, using supports() and then priority
* @param grants a list of candidate implementations
* @param context grant request context
* @return grant type implementation
*/
public static Optional<OAuth2GrantType> resolve(List<OAuth2GrantType> grants, OAuth2GrantType.Context context) {
Optional<OAuth2GrantType> grant;
switch (grants.size()) {
case 0:
grant = Optional.empty();
break;
case 1:
grant = Optional.of(grants.get(0));
break;
default:
grant = grants.stream().filter(g -> g.supports(context)).sorted((g1, g2) -> g2.order() - g1.order()).findFirst();
break;
}
return grant.map(g -> g.create(context.getSession()));
}
/**
* Map well-known OAuth 2.0 grant types to Keycloak event types
* @param grantType
* @return
*/
public static EventType grantToEvent(String grantType) {
return EVENT_TYPE_MAP.getOrDefault(grantType, EventType.OAUTH2_EXTENSION_GRANT);
}
}

8
server-spi-private/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantType.java
View file

@ -26,6 +26,7 @@ import java.util.Map;
import org.keycloak.common.ClientConnection;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.http.HttpRequest;
import org.keycloak.http.HttpResponse;
import org.keycloak.models.ClientModel;
@ -44,12 +45,11 @@ import org.keycloak.services.cors.Cors;
public interface OAuth2GrantType extends Provider, ProviderFactory<OAuth2GrantType> {
/**
* Returns the name of the OAuth 2.0 grant type implemented by this provider.
* This value will be matched against the "grant_type" token request parameter.
* Returns the event type associated with this OAuth 2.0 grant type.
*
* @return grant type name
* @return event type
*/
String getGrantType();
EventType getEventType();
/**
* Checks if the grant implementation supports the request.

13
services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java
View file

@ -32,7 +32,6 @@ import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.grants.OAuth2GrantManager;
import org.keycloak.protocol.oidc.grants.OAuth2GrantType;
import org.keycloak.protocol.oidc.utils.AuthorizeClientUtil;
import org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder;
@ -92,7 +91,6 @@ public class TokenEndpoint {
private final EventBuilder event;
private String grantType;
private List<OAuth2GrantType> grants;
private OAuth2GrantType grant;
private OAuth2GrantType.Context context;
@ -140,7 +138,6 @@ public class TokenEndpoint {
context = new OAuth2GrantType.Context(session, clientConfig, clientAuthAttributes, formParams, event, cors, tokenManager, dPoP);
resolveGrantType();
grant.setContext(context);
return grant.process();
}
@ -190,19 +187,15 @@ public class TokenEndpoint {
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "Missing form parameter: " + OIDCLoginProtocol.GRANT_TYPE_PARAM, Response.Status.BAD_REQUEST);
}
grants = OAuth2GrantManager.resolve(grantType);
if (grants.isEmpty()) {
grant = session.getProvider(OAuth2GrantType.class, grantType);
if (grant == null) {
throw newUnsupportedGrantTypeException();
}
event.event(OAuth2GrantManager.grantToEvent(grantType));
event.event(grant.getEventType());
event.detail(Details.GRANT_TYPE, grantType);
}
private void resolveGrantType() {
grant = OAuth2GrantManager.resolve(grants, context).orElseThrow(() -> newUnsupportedGrantTypeException());
}
private CorsErrorResponseException newUnsupportedGrantTypeException() {
return new CorsErrorResponseException(cors, OAuthErrorException.UNSUPPORTED_GRANT_TYPE,
"Unsupported " + OIDCLoginProtocol.GRANT_TYPE_PARAM, Status.BAD_REQUEST);

8
services/src/main/java/org/keycloak/protocol/oidc/grants/AuthorizationCodeGrantType.java
View file

@ -29,6 +29,7 @@ import org.keycloak.OAuthErrorException;
import org.keycloak.common.Profile;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.events.Errors;
import org.keycloak.events.EventType;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.ClientSessionContext;
@ -56,7 +57,6 @@ import org.keycloak.services.util.DefaultClientSessionContext;
public class AuthorizationCodeGrantType extends OAuth2GrantTypeBase {
private static final Logger logger = Logger.getLogger(AuthorizationCodeGrantType.class);
private static final String PROVIDER_ID = "authorization_code";
@Override
public Response process() {
@ -198,12 +198,12 @@ public class AuthorizationCodeGrantType extends OAuth2GrantTypeBase {
}
@Override
public String getId() {
return PROVIDER_ID;
public EventType getEventType() {
return EventType.CODE_TO_TOKEN;
}
@Override
public String getGrantType() {
public String getId() {
return OAuth2Constants.AUTHORIZATION_CODE;
}

8
services/src/main/java/org/keycloak/protocol/oidc/grants/ClientCredentialsGrantType.java
View file

@ -27,6 +27,7 @@ import org.keycloak.OAuthErrorException;
import org.keycloak.common.constants.ServiceAccountConstants;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventType;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.UserModel;
@ -56,7 +57,6 @@ import org.keycloak.util.TokenUtil;
*/
public class ClientCredentialsGrantType extends OAuth2GrantTypeBase {
private static final String PROVIDER_ID = "client_credentials";
private static final Logger logger = Logger.getLogger(ClientCredentialsGrantType.class);
@Override
@ -180,12 +180,12 @@ public class ClientCredentialsGrantType extends OAuth2GrantTypeBase {
}
@Override
public String getId() {
return PROVIDER_ID;
public EventType getEventType() {
return EventType.CLIENT_LOGIN;
}
@Override
public String getGrantType() {
public String getId() {
return OAuth2Constants.CLIENT_CREDENTIALS;
}

1
services/src/main/java/org/keycloak/protocol/oidc/grants/OAuth2GrantTypeBase.java
View file

@ -273,7 +273,6 @@ public abstract class OAuth2GrantTypeBase implements OAuth2GrantType {
@Override
public void postInit(KeycloakSessionFactory factory) {
OAuth2GrantManager.register(this);
}
@Override

18
services/src/main/java/org/keycloak/protocol/oidc/grants/PermissionGrantType.java
View file

@ -29,6 +29,7 @@ import org.keycloak.authorization.authorization.AuthorizationTokenService;
import org.keycloak.authorization.util.Tokens;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventType;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.ClientModel;
@ -47,8 +48,6 @@ import org.keycloak.services.managers.AppAuthManager;
*/
public class PermissionGrantType extends OAuth2GrantTypeBase {
private static final String PROVIDER_ID = "uma_ticket";
@Override
public Response process() {
event.detail(Details.AUTH_METHOD, "oauth_credentials");
@ -114,8 +113,7 @@ public class PermissionGrantType extends OAuth2GrantTypeBase {
} else {
// Clients need to authenticate in order to obtain a RPT from the server.
// In order to support cases where the client is obtaining permissions on its on behalf, we issue a temporary access token
Context clientCredentialsContext = new Context(context);
OAuth2GrantType clientCredentialsGrant = OAuth2GrantManager.resolve(OAuth2Constants.CLIENT_CREDENTIALS, clientCredentialsContext).get();
OAuth2GrantType clientCredentialsGrant = session.getProvider(OAuth2GrantType.class, OAuth2Constants.CLIENT_CREDENTIALS);
clientCredentialsGrant.setContext(context);
accessTokenString = AccessTokenResponse.class.cast(clientCredentialsGrant.process().getEntity()).getToken();
}
@ -187,19 +185,19 @@ public class PermissionGrantType extends OAuth2GrantTypeBase {
return authorizationResponse;
}
@Override
public String getGrantType() {
return OAuth2Constants.UMA_GRANT_TYPE;
}
@Override
public OAuth2GrantType create(KeycloakSession session) {
return new PermissionGrantType();
}
@Override
public EventType getEventType() {
return EventType.PERMISSION_TOKEN;
}
@Override
public String getId() {
return PROVIDER_ID;
return OAuth2Constants.UMA_GRANT_TYPE;
}
}

14
services/src/main/java/org/keycloak/protocol/oidc/grants/RefreshTokenGrantType.java
View file

@ -26,6 +26,7 @@ import org.keycloak.OAuth2Constants;
import org.keycloak.OAuthErrorException;
import org.keycloak.common.Profile;
import org.keycloak.events.Errors;
import org.keycloak.events.EventType;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.UserSessionModel;
@ -45,7 +46,6 @@ import org.keycloak.services.util.MtlsHoKTokenUtil;
*/
public class RefreshTokenGrantType extends OAuth2GrantTypeBase {
private static final String PROVIDER_ID = "refresh_token";
private static final Logger logger = Logger.getLogger(RefreshTokenGrantType.class);
@Override
@ -105,19 +105,19 @@ public class RefreshTokenGrantType extends OAuth2GrantTypeBase {
return cors.builder(Response.ok(res, MediaType.APPLICATION_JSON_TYPE)).build();
}
@Override
public String getGrantType() {
return OAuth2Constants.REFRESH_TOKEN;
}
@Override
public OAuth2GrantType create(KeycloakSession session) {
return new RefreshTokenGrantType();
}
@Override
public EventType getEventType() {
return EventType.REFRESH_TOKEN;
}
@Override
public String getId() {
return PROVIDER_ID;
return OAuth2Constants.REFRESH_TOKEN;
}
}

14
services/src/main/java/org/keycloak/protocol/oidc/grants/ResourceOwnerPasswordCredentialsGrantType.java
View file

@ -27,6 +27,7 @@ import org.keycloak.OAuthErrorException;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventType;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.AuthenticationFlowModel;
import org.keycloak.models.ClientSessionContext;
@ -56,7 +57,6 @@ import org.keycloak.util.TokenUtil;
*/
public class ResourceOwnerPasswordCredentialsGrantType extends OAuth2GrantTypeBase {
private static final String PROVIDER_ID = "password";
private static final Logger logger = Logger.getLogger(ResourceOwnerPasswordCredentialsGrantType.class);
@Override
@ -154,19 +154,19 @@ public class ResourceOwnerPasswordCredentialsGrantType extends OAuth2GrantTypeBa
return cors.builder(Response.ok(res, MediaType.APPLICATION_JSON_TYPE)).build();
}
@Override
public String getGrantType() {
return OAuth2Constants.PASSWORD;
}
@Override
public OAuth2GrantType create(KeycloakSession session) {
return new ResourceOwnerPasswordCredentialsGrantType();
}
@Override
public EventType getEventType() {
return EventType.LOGIN;
}
@Override
public String getId() {
return PROVIDER_ID;
return OAuth2Constants.PASSWORD;
}
}

16
services/src/main/java/org/keycloak/protocol/oidc/grants/TokenExchangeGrantType.java
View file

@ -23,11 +23,11 @@ import jakarta.ws.rs.core.Response;
import org.keycloak.OAuth2Constants;
import org.keycloak.common.Profile;
import org.keycloak.events.Details;
import org.keycloak.events.EventType;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.TokenExchangeContext;
import org.keycloak.protocol.oidc.TokenExchangeProvider;
import org.keycloak.provider.EnvironmentDependentProviderFactory;
import org.keycloak.utils.ProfileHelper;
/**
* OAuth 2.0 Authorization Code Grant
@ -37,8 +37,6 @@ import org.keycloak.utils.ProfileHelper;
*/
public class TokenExchangeGrantType extends OAuth2GrantTypeBase implements EnvironmentDependentProviderFactory {
private static final String PROVIDER_ID = "token_exchange";
@Override
public Response process() {
event.detail(Details.AUTH_METHOD, "token_exchange");
@ -66,11 +64,6 @@ public class TokenExchangeGrantType extends OAuth2GrantTypeBase implements Envir
.exchange(exchange);
}
@Override
public String getGrantType() {
return OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE;
}
@Override
public OAuth2GrantType create(KeycloakSession session) {
return new TokenExchangeGrantType();
@ -81,9 +74,14 @@ public class TokenExchangeGrantType extends OAuth2GrantTypeBase implements Envir
return Profile.isFeatureEnabled(Profile.Feature.TOKEN_EXCHANGE);
}
@Override
public EventType getEventType() {
return EventType.TOKEN_EXCHANGE;
}
@Override
public String getId() {
return PROVIDER_ID;
return OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE;
}
}

14
services/src/main/java/org/keycloak/protocol/oidc/grants/ciba/CibaGrantType.java
View file

@ -31,6 +31,7 @@ import org.keycloak.common.Profile;
import org.keycloak.common.util.Time;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventType;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.ClientSessionContext;
@ -70,7 +71,6 @@ import org.keycloak.sessions.RootAuthenticationSessionModel;
*/
public class CibaGrantType extends OAuth2GrantTypeBase implements EnvironmentDependentProviderFactory {
private static final String PROVIDER_ID = "ciba";
private static final Logger logger = Logger.getLogger(CibaGrantType.class);
public static final String IS_CONSENT_REQUIRED = "is_consent_required";
@ -290,11 +290,6 @@ public class CibaGrantType extends OAuth2GrantTypeBase implements EnvironmentDep
logger.debugf("CIBA Grant :: authentication channel %s clientId = %s, authResultId = %s", message, request.getIssuedFor(), request.getAuthResultId());
}
@Override
public String getGrantType() {
return OAuth2Constants.CIBA_GRANT_TYPE;
}
@Override
public OAuth2GrantType create(KeycloakSession session) {
return new CibaGrantType();
@ -305,9 +300,14 @@ public class CibaGrantType extends OAuth2GrantTypeBase implements EnvironmentDep
return Profile.isFeatureEnabled(Profile.Feature.CIBA);
}
@Override
public EventType getEventType() {
return EventType.AUTHREQID_TO_TOKEN;
}
@Override
public String getId() {
return PROVIDER_ID;
return OAuth2Constants.CIBA_GRANT_TYPE;
}
}

16
services/src/main/java/org/keycloak/protocol/oidc/grants/device/DeviceGrantType.java
View file

@ -24,6 +24,7 @@ import org.keycloak.OAuthErrorException;
import org.keycloak.common.Profile;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventType;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
@ -52,7 +53,6 @@ import org.keycloak.protocol.oidc.utils.PkceUtils;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.cors.Cors;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.UserSessionCrossDCManager;
import org.keycloak.services.resources.RealmsResource;
@ -75,8 +75,6 @@ import java.util.Map;
*/
public class DeviceGrantType extends OAuth2GrantTypeBase implements EnvironmentDependentProviderFactory {
private static final String PROVIDER_ID = "device_code";
// OAuth 2.0 Device Authorization Grant
public static final String OAUTH2_DEVICE_VERIFIED_USER_CODE = "OAUTH2_DEVICE_VERIFIED_USER_CODE";
public static final String OAUTH2_DEVICE_USER_CODE = "device_user_code";
@ -340,11 +338,6 @@ public class DeviceGrantType extends OAuth2GrantTypeBase implements EnvironmentD
return createTokenResponse(user, userSession, clientSessionCtx, scopeParam, false, s -> {return new DeviceTokenResponseContext(deviceCodeModel, formParams, clientSession, s);});
}
@Override
public String getGrantType() {
return OAuth2Constants.DEVICE_CODE_GRANT_TYPE;
}
@Override
public OAuth2GrantType create(KeycloakSession session) {
return new DeviceGrantType();
@ -355,9 +348,14 @@ public class DeviceGrantType extends OAuth2GrantTypeBase implements EnvironmentD
return Profile.isFeatureEnabled(Profile.Feature.DEVICE_FLOW);
}
@Override
public EventType getEventType() {
return EventType.OAUTH2_DEVICE_CODE_TO_TOKEN;
}
@Override
public String getId() {
return PROVIDER_ID;
return OAuth2Constants.DEVICE_CODE_GRANT_TYPE;
}
}