diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcClientConfigurationBuilder.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcClientConfigurationBuilder.java index 334157c495..93919cbd11 100644 --- a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcClientConfigurationBuilder.java +++ b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcClientConfigurationBuilder.java @@ -28,6 +28,7 @@ import java.io.InputStream; import java.security.PublicKey; import java.util.concurrent.Callable; +import java.util.Map; import org.apache.http.client.HttpClient; import org.wildfly.common.iteration.CodePointIterator; 
@@ -105,36 +106,6 @@ protected OidcClientConfiguration internalBuild(final OidcJsonConfiguration oidc if (oidcJsonConfiguration.getScope() != null) { oidcClientConfiguration.setScope(oidcJsonConfiguration.getScope()); } - if (oidcJsonConfiguration.getAuthenticationRequestFormat() != null) { - oidcClientConfiguration.setAuthenticationRequestFormat(oidcJsonConfiguration.getAuthenticationRequestFormat()); - } else { - oidcClientConfiguration.setAuthenticationRequestFormat(OAUTH2.getValue()); - } - if (oidcJsonConfiguration.getRequestObjectSigningAlgorithm() != null) { - oidcClientConfiguration.setRequestObjectSigningAlgorithm(oidcJsonConfiguration.getRequestObjectSigningAlgorithm()); - } else { - oidcClientConfiguration.setRequestObjectSigningAlgorithm(NONE); - } - if (oidcJsonConfiguration.getRequestObjectEncryptionAlgValue() != null && oidcJsonConfiguration.getRequestObjectEncryptionEncValue() != null) { //both are required to encrypt the request object - oidcClientConfiguration.setRequestObjectEncryptionAlgValue(oidcJsonConfiguration.getRequestObjectEncryptionAlgValue()); - oidcClientConfiguration.setRequestObjectEncryptionEncValue(oidcJsonConfiguration.getRequestObjectEncryptionEncValue()); - JWKEncPublicKeyLocator encryptionPublicKeyLocator = new JWKEncPublicKeyLocator(); - oidcClientConfiguration.setEncryptionPublicKeyLocator(encryptionPublicKeyLocator); - } else if (oidcClientConfiguration.getRequestObjectEncryptionAlgValue() != null || oidcClientConfiguration.getRequestObjectEncryptionEncValue() != null) { //if only one is specified, that is not correct - throw log.invalidRequestObjectEncryptionAlgorithmConfiguration(); - } - if (oidcJsonConfiguration.getRequestObjectSigningKeyStoreFile() != null - && oidcJsonConfiguration.getRequestObjectSigningKeyStorePassword() != null - && oidcJsonConfiguration.getRequestObjectSigningKeyPassword() != null - && oidcJsonConfiguration.getRequestObjectSigningKeyAlias() != null) { - 
oidcClientConfiguration.setRequestObjectSigningKeyStoreFile(oidcJsonConfiguration.getRequestObjectSigningKeyStoreFile()); - oidcClientConfiguration.setRequestObjectSigningKeyStorePassword(oidcJsonConfiguration.getRequestObjectSigningKeyStorePassword()); - oidcClientConfiguration.setRequestObjectSigningKeyPassword(oidcJsonConfiguration.getRequestObjectSigningKeyPassword()); - oidcClientConfiguration.setRequestObjectSigningKeyAlias(oidcJsonConfiguration.getRequestObjectSigningKeyAlias()); - if (oidcJsonConfiguration.getRequestObjectSigningKeyStoreType() != null) { - oidcClientConfiguration.setRequestObjectSigningKeyStoreType(oidcJsonConfiguration.getRequestObjectSigningKeyStoreType()); - } - } if (oidcJsonConfiguration.getPrincipalAttribute() != null) oidcClientConfiguration.setPrincipalAttribute(oidcJsonConfiguration.getPrincipalAttribute()); oidcClientConfiguration.setResourceCredentials(oidcJsonConfiguration.getCredentials()); 
@@ -171,6 +142,38 @@ protected OidcClientConfiguration internalBuild(final OidcJsonConfiguration oidc oidcClientConfiguration.setIgnoreOAuthQueryParameter(oidcJsonConfiguration.isIgnoreOAuthQueryParameter()); oidcClientConfiguration.setRewriteRedirectRules(oidcJsonConfiguration.getRedirectRewriteRules()); oidcClientConfiguration.setVerifyTokenAudience(oidcJsonConfiguration.isVerifyTokenAudience()); + Map authenticationRequest = oidcJsonConfiguration.getAuthenticationRequest(); + if (authenticationRequest!= null) { + if (authenticationRequest.get("authentication-request-format") != null) + oidcClientConfiguration.setAuthenticationRequestFormat(authenticationRequest.get("authentication-request-format")); + else + oidcClientConfiguration.setAuthenticationRequestFormat(OAUTH2.getValue()); + if (authenticationRequest.get("request-object-encryption-enc-value") != null && authenticationRequest.get("request-object-encryption-alg-value") != null) { //both are required to encrypt the request object + oidcClientConfiguration.setRequestObjectEncryptionEncValue(authenticationRequest.get("request-object-encryption-enc-value")); + oidcClientConfiguration.setRequestObjectEncryptionAlgValue(authenticationRequest.get("request-object-encryption-alg-value")); + JWKEncPublicKeyLocator encryptionPublicKeyLocator = new JWKEncPublicKeyLocator(); + oidcClientConfiguration.setEncryptionPublicKeyLocator(encryptionPublicKeyLocator); + } else if (authenticationRequest.get("request-object-encryption-enc-value") != null || authenticationRequest.get("request-object-encryption-alg-value") != null) { //if only one is specified, that is not correct + throw log.invalidRequestObjectEncryptionAlgorithmConfiguration(); + } + if (authenticationRequest.get("authentication-request-signing-algorithm") != null) + oidcClientConfiguration.setRequestObjectSigningAlgorithm(authenticationRequest.get("request-object-signing-algorithm")); + else + oidcClientConfiguration.setRequestObjectSigningAlgorithm(NONE); + if 
(authenticationRequest.get("request-object-signing-key-alias") != null + && authenticationRequest.get("request-object-signing-key-password") != null + && authenticationRequest.get("request-object-signing-keystore-file") != null + && authenticationRequest.get("request-object-signing-keystore-password") != null) { + oidcClientConfiguration.setRequestObjectSigningKeyAlias(authenticationRequest.get("request-object-signing-key-alias")); + oidcClientConfiguration.setRequestObjectSigningKeyPassword(authenticationRequest.get("request-object-signing-key-password")); + oidcClientConfiguration.setRequestObjectSigningKeyStoreFile(authenticationRequest.get("request-object-signing-keystore-file")); + oidcClientConfiguration.setRequestObjectSigningKeyStorePassword(authenticationRequest.get("request-object-signing-keystore-password")); + if (authenticationRequest.get("request-object-signing-keystore-type") != null) + oidcClientConfiguration.setRequestObjectSigningKeyStoreType(authenticationRequest.get("request-object-signing-keystore-type")); + } + } else { + oidcClientConfiguration.setAuthenticationRequestFormat(OAUTH2.getValue()); + } if (realmKeyPem == null && oidcJsonConfiguration.isBearerOnly() && (oidcJsonConfiguration.getAuthServerUrl() == null && oidcJsonConfiguration.getProviderUrl() == null)) { diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcJsonConfiguration.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcJsonConfiguration.java index 29d2d785e3..edcd677a1f 100644 --- a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcJsonConfiguration.java +++ b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcJsonConfiguration.java 
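Review bot: The signing-algorithm branch checks one key and reads another — `if (authenticationRequest.get("authentication-request-signing-algorithm") != null)` guards a call that reads `authenticationRequest.get("request-object-signing-algorithm")`, and the test fixtures in this same diff only ever set the latter, so the configured algorithm is never applied and the builder always falls through to `setRequestObjectSigningAlgorithm(NONE)`; a deployment that configured, say, RS256 request-object signing would presumably end up sending unsigned request objects without any error. The check should be `if (authenticationRequest.get("request-object-signing-algorithm") != null)`. Separately, the keystore block requires all four of alias, key password, keystore file and keystore password and silently skips configuration if any one is missing, whereas the alg/enc pair above it throws `invalidRequestObjectEncryptionAlgorithmConfiguration()` on a partial pair; a partially specified keystore should probably fail loudly the same way rather than quietly degrade to an unsigned request. The enclosing `internalBuild` method starts before this hunk and continues after it.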
@@ -49,7 +49,7 @@ "authentication-request-format", "request-object-signing-algorithm", "request-object-encryption-alg-value", "request-object-encryption-enc-value", "request-object-signing-keystore-file", "request-object-signing-keystore-password","request-object-signing-key-password", "request-object-signing-key-alias", - "request-object-signing-keystore-type" + "request-object-signing-keystore-type", "authentication-request" }) public class OidcJsonConfiguration { @@ -138,6 +138,8 @@ public class OidcJsonConfiguration { protected Map credentials = new TreeMap<>(String.CASE_INSENSITIVE_ORDER); @JsonProperty("redirect-rewrite-rules") protected Map redirectRewriteRules; + @JsonProperty("authentication-request") + protected Map authenticationRequest; @JsonProperty("realm") protected String realm; @JsonProperty("realm-public-key") @@ -569,6 +571,14 @@ public void setRedirectRewriteRules(Map redirectRewriteRules) { this.redirectRewriteRules = redirectRewriteRules; } + public Map getAuthenticationRequest() { + return authenticationRequest; + } + + public void setAuthenticationRequest(Map authenticationRequest) { + this.authenticationRequest = authenticationRequest; + } + public String getTokenSignatureAlgorithm() { return tokenSignatureAlgorithm; } diff --git a/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcTest.java b/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcTest.java index 516d0bf6b4..1abf7eabdd 100644 --- a/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcTest.java +++ b/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcTest.java 
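Review bot: The old flat property names (`"authentication-request-format"`, `"request-object-signing-algorithm"`, the keystore and encryption keys) are kept in `@JsonPropertyOrder` alongside the new `"authentication-request"` entry, while the builder hunk in this diff no longer reads them; if their fields are still declared (not visible here), a configuration written against the previous layout will deserialize without complaint and silently run with `OAUTH2`/`NONE`, losing request-object signing and encryption. Either drop the legacy names and fields so unknown properties are rejected, or have the builder fail with a clear error when any of them is set, e.g. `if (oidcJsonConfiguration.getAuthenticationRequestFormat() != null) throw log.legacyAuthenticationRequestPropertiesNotSupported();` (a new log message). The new getter and setter are otherwise fine; consider a Javadoc line on `getAuthenticationRequest()` noting the nested keys it accepts.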
@@ -768,13 +768,15 @@ private InputStream getOidcConfigurationInputStreamWithRequestParameter(String r " \"public-client\" : \"false\",\n" + " \"ssl-required\" : \"EXTERNAL\",\n" + " \"ssl-required\" : \"EXTERNAL\",\n" + - " \"authentication-request-format\" : \"" + requestParameter + "\",\n" + - " \"request-object-signing-algorithm\" : \"" + signingAlgorithm + "\",\n" + - " \"request-object-encryption-alg-value\" : \"" + encryptionAlgorithm + "\",\n" + - " \"request-object-encryption-enc-value\" : \"" + encMethod + "\",\n" + " \"scope\" : \"profile email phone\",\n" + " \"credentials\" : {\n" + " \"secret\" : \"" + CLIENT_SECRET + "\"\n" + + " },\n" + + " \"authentication-request\" : {\n" + + " \"authentication-request-format\" : \"" + requestParameter + "\",\n" + + " \"request-object-signing-algorithm\" : \"" + signingAlgorithm + "\",\n" + + " \"request-object-encryption-alg-value\" : \"" + encryptionAlgorithm + "\",\n" + + " \"request-object-encryption-enc-value\" : \"" + encMethod + "\"\n" + " }\n" + "}"; return new ByteArrayInputStream(oidcConfig.getBytes(StandardCharsets.UTF_8)); 
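Review bot: This fixture sets `"request-object-signing-algorithm"` inside the new `"authentication-request"` block, yet the builder hunk in this diff null-checks a differently spelled key before applying it, which suggests no test in this file asserts that the configured signing algorithm actually reaches `OidcClientConfiguration`. Unless an assertion outside this hunk already covers it, add one along the lines of `assertEquals(signingAlgorithm, config.getRequestObjectSigningAlgorithm());` after building from this stream so a key mismatch fails the test rather than silently producing an unsigned request object. The surrounding `getOidcConfigurationInputStreamWithRequestParameter` method starts before this hunk.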
@@ -786,18 +788,20 @@ private InputStream getOidcConfigurationInputStreamWithRequestParameter(String r " \"provider-url\" : \"" + KEYCLOAK_CONTAINER.getAuthServerUrl() + "/realms/" + TEST_REALM_WITH_SCOPES + "/" + "\",\n" + " \"public-client\" : \"false\",\n" + " \"ssl-required\" : \"EXTERNAL\",\n" + - " \"authentication-request-format\" : \"" + requestParameter + "\",\n" + - " \"request-object-signing-algorithm\" : \"" + signingAlgorithm + "\",\n" + - " \"request-object-encryption-alg-value\" : \"" + encryptionAlgorithm + "\",\n" + - " \"request-object-encryption-enc-value\" : \"" + encMethod + "\",\n" + - " \"request-object-signing-keystore-file\" : \"" + keyStorePath + "\",\n" + - " \"request-object-signing-keystore-type\" : \"" + keyStoreType + "\",\n" + - " \"request-object-signing-keystore-password\" : \"" + KEYSTORE_PASS + "\",\n" + - " \"request-object-signing-key-password\" : \"" + KEYSTORE_PASS + "\",\n" + - " \"request-object-signing-key-alias\" : \"" + alias + "\",\n" + " \"scope\" : \"email phone profile\",\n" + " \"credentials\" : {\n" + " \"secret\" : \"" + CLIENT_SECRET + "\"\n" + + " },\n" + + " \"authentication-request\" : {\n" + + " \"authentication-request-format\" : \"" + requestParameter + "\",\n" + + " \"request-object-signing-algorithm\" : \"" + signingAlgorithm + "\",\n" + + " \"request-object-encryption-alg-value\" : \"" + encryptionAlgorithm + "\",\n" + + " \"request-object-encryption-enc-value\" : \"" + encMethod + "\",\n" + + " \"request-object-signing-keystore-file\" : \"" + keyStorePath + "\",\n" + + " \"request-object-signing-keystore-type\" : \"" + keyStoreType + "\",\n" + + " \"request-object-signing-keystore-password\" : \"" + KEYSTORE_PASS + "\",\n" + + " \"request-object-signing-key-password\" : \"" + KEYSTORE_PASS + "\",\n" + + " \"request-object-signing-key-alias\" : \"" + alias + "\"\n" + " }\n" + "}"; return new ByteArrayInputStream(oidcConfig.getBytes(StandardCharsets.UTF_8));