[KEYCLOAK-18745] - Client JWT authentication should allow PAR endpoint as audience
This commit is contained in:
Pedro Igor
parent
8c49478628
commit
fe4e089e81
3 changed files with 85 additions and 5 deletions
|
|
@ -32,6 +32,7 @@ import org.keycloak.json.StringOrArraySerializer;
|
|||
import java.io.Serializable;
|
||||
import java.util.Arrays;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
/**
|
||||
|
|
@ -219,6 +220,22 @@ public class JsonWebToken implements Serializable, Token {
|
|||
return false;
|
||||
}
|
||||
|
||||
public boolean hasAnyAudience(List<String> audiences) {
|
||||
String[] auds = getAudience();
|
||||
|
||||
if (auds == null) {
|
||||
return false;
|
||||
}
|
||||
|
||||
for (String aud : auds) {
|
||||
if (audiences.contains(aud)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
public JsonWebToken audience(String... audience) {
|
||||
this.audience = audience;
|
||||
return this;
|
||||
|
|
|
|||
|
|
@ -46,6 +46,7 @@ import org.keycloak.models.SingleUseTokenStoreProvider;
|
|||
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
|
||||
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
|
||||
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
|
||||
import org.keycloak.protocol.oidc.par.endpoints.ParEndpoint;
|
||||
import org.keycloak.provider.ProviderConfigProperty;
|
||||
import org.keycloak.representations.JsonWebToken;
|
||||
import org.keycloak.services.ServicesLogger;
|
||||
|
|
@ -157,10 +158,11 @@ public class JWTClientAuthenticator extends AbstractClientAuthenticator {
|
|||
}
|
||||
|
||||
// Allow both "issuer" or "token-endpoint" as audience
|
||||
String issuerUrl = Urls.realmIssuer(context.getUriInfo().getBaseUri(), realm.getName());
|
||||
String tokenUrl = OIDCLoginProtocolService.tokenUrl(context.getUriInfo().getBaseUriBuilder()).build(realm.getName()).toString();
|
||||
if (!token.hasAudience(issuerUrl) && !token.hasAudience(tokenUrl)) {
|
||||
throw new RuntimeException("Token audience doesn't match domain. Realm issuer is '" + issuerUrl + "' but audience from token is '" + Arrays.asList(token.getAudience()).toString() + "'");
|
||||
List<String> expectedAudiences = getExpectedAudiences(context, realm);
|
||||
|
||||
if (!token.hasAnyAudience(expectedAudiences)) {
|
||||
throw new RuntimeException("Token audience doesn't match domain. Expected audiences are any of " + expectedAudiences
|
||||
+ " but audience from token is '" + Arrays.asList(token.getAudience()) + "'");
|
||||
}
|
||||
|
||||
if (!token.isActive()) {
|
||||
|
|
@ -267,4 +269,11 @@ public class JWTClientAuthenticator extends AbstractClientAuthenticator {
|
|||
return Collections.emptySet();
|
||||
}
|
||||
}
|
||||
|
||||
private List<String> getExpectedAudiences(ClientAuthenticationFlowContext context, RealmModel realm) {
|
||||
String issuerUrl = Urls.realmIssuer(context.getUriInfo().getBaseUri(), realm.getName());
|
||||
String tokenUrl = OIDCLoginProtocolService.tokenUrl(context.getUriInfo().getBaseUriBuilder()).build(realm.getName()).toString();
|
||||
String parEndpointUrl = ParEndpoint.parUrl(context.getUriInfo().getBaseUriBuilder()).build(realm.getName()).toString();
|
||||
return Arrays.asList(issuerUrl, tokenUrl, parEndpointUrl);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -111,6 +111,9 @@ import javax.ws.rs.core.Response;
|
|||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertNotEquals;
|
||||
import static org.junit.Assert.assertNotNull;
|
||||
import static org.junit.Assert.assertNull;
|
||||
|
||||
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
|
||||
|
||||
/**
|
||||
|
|
@ -788,6 +791,54 @@ public class ClientAuthSignedJWTTest extends AbstractKeycloakTest {
|
|||
assertError(response, "client1", OAuthErrorException.INVALID_CLIENT, Errors.INVALID_CLIENT_CREDENTIALS);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testParEndpointAsAudience() throws Exception {
|
||||
ClientRepresentation clientRepresentation = app2;
|
||||
ClientResource clientResource = getClient(testRealm.getRealm(), clientRepresentation.getId());
|
||||
clientRepresentation = clientResource.toRepresentation();
|
||||
|
||||
KeyPair keyPair = setupJwks(Algorithm.PS256, clientRepresentation, clientResource);
|
||||
PublicKey publicKey = keyPair.getPublic();
|
||||
PrivateKey privateKey = keyPair.getPrivate();
|
||||
JsonWebToken assertion = createRequestToken(app2.getClientId(), getRealmInfoUrl());
|
||||
|
||||
assertion.audience(oauth.getParEndpointUrl());
|
||||
|
||||
List<NameValuePair> parameters = new LinkedList<NameValuePair>();
|
||||
parameters.add(new BasicNameValuePair(OAuth2Constants.GRANT_TYPE, OAuth2Constants.CLIENT_CREDENTIALS));
|
||||
parameters.add(new BasicNameValuePair(OAuth2Constants.CLIENT_ASSERTION_TYPE, OAuth2Constants.CLIENT_ASSERTION_TYPE_JWT));
|
||||
parameters.add(new BasicNameValuePair(OAuth2Constants.CLIENT_ASSERTION, createSignledRequestToken(privateKey, publicKey, Algorithm.PS256, assertion)));
|
||||
|
||||
try (CloseableHttpResponse resp = sendRequest(oauth.getServiceAccountUrl(), parameters)) {
|
||||
OAuthClient.AccessTokenResponse response = new OAuthClient.AccessTokenResponse(resp);
|
||||
assertNotNull(response.getAccessToken());
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testInvalidAudience() throws Exception {
|
||||
ClientRepresentation clientRepresentation = app2;
|
||||
ClientResource clientResource = getClient(testRealm.getRealm(), clientRepresentation.getId());
|
||||
clientRepresentation = clientResource.toRepresentation();
|
||||
|
||||
KeyPair keyPair = setupJwks(Algorithm.PS256, clientRepresentation, clientResource);
|
||||
PublicKey publicKey = keyPair.getPublic();
|
||||
PrivateKey privateKey = keyPair.getPrivate();
|
||||
JsonWebToken assertion = createRequestToken(app2.getClientId(), getRealmInfoUrl());
|
||||
|
||||
assertion.audience("https://as.other.org");
|
||||
|
||||
List<NameValuePair> parameters = new LinkedList<NameValuePair>();
|
||||
parameters.add(new BasicNameValuePair(OAuth2Constants.GRANT_TYPE, OAuth2Constants.CLIENT_CREDENTIALS));
|
||||
parameters.add(new BasicNameValuePair(OAuth2Constants.CLIENT_ASSERTION_TYPE, OAuth2Constants.CLIENT_ASSERTION_TYPE_JWT));
|
||||
parameters.add(new BasicNameValuePair(OAuth2Constants.CLIENT_ASSERTION, createSignledRequestToken(privateKey, publicKey, Algorithm.PS256, assertion)));
|
||||
|
||||
try (CloseableHttpResponse resp = sendRequest(oauth.getServiceAccountUrl(), parameters)) {
|
||||
OAuthClient.AccessTokenResponse response = new OAuthClient.AccessTokenResponse(resp);
|
||||
assertNull(response.getAccessToken());
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testAssertionInvalidNotBefore() throws Exception {
|
||||
String invalidJwt = getClient1SignedJWT();
|
||||
|
|
@ -1243,7 +1294,10 @@ public class ClientAuthSignedJWTTest extends AbstractKeycloakTest {
|
|||
}
|
||||
|
||||
private String createSignedRequestToken(String clientId, String realmInfoUrl, PrivateKey privateKey, PublicKey publicKey, String algorithm) {
|
||||
JsonWebToken jwt = createRequestToken(clientId, realmInfoUrl);
|
||||
return createSignledRequestToken(privateKey, publicKey, algorithm, createRequestToken(clientId, realmInfoUrl));
|
||||
}
|
||||
|
||||
private String createSignledRequestToken(PrivateKey privateKey, PublicKey publicKey, String algorithm, JsonWebToken jwt) {
|
||||
String kid = KeyUtils.createKeyId(publicKey);
|
||||
SignatureSignerContext signer = oauth.createSigner(privateKey, kid, algorithm);
|
||||
String ret = new JWSBuilder().kid(kid).jsonContent(jwt).sign(signer);
|
||||
|
|
|
|||
Loading…
Reference in a new issue