Skip to content

Commit

Permalink
[ELY-2584] Add the ability to specify that the OIDC Authentication Re…
Browse files Browse the repository at this point in the history
…quest should include request and request_uri parameters
  • Loading branch information
Prarthona Paul committed Sep 25, 2023
1 parent b380080 commit ea303ca
Show file tree
Hide file tree
Showing 12 changed files with 832 additions and 56 deletions.
1 change: 1 addition & 0 deletions http/oidc/_site/feed.xml
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.3.2">Jekyll</generator><link href="http://localhost:4000/feed.xml" rel="self" type="application/atom+xml" /><link href="http://localhost:4000/" rel="alternate" type="text/html" /><updated>2023-08-28T09:43:39-04:00</updated><id>http://localhost:4000/feed.xml</id></feed>
12 changes: 12 additions & 0 deletions http/oidc/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,12 @@
<artifactId>keycloak-admin-client</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-services</artifactId>
<version>3.1.0.Final</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.jboss.logmanager</groupId>
<artifactId>jboss-logmanager</artifactId>
Expand Down Expand Up @@ -173,6 +179,12 @@
<artifactId>jmockit</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.wildfly.security</groupId>
<artifactId>wildfly-elytron-credential-source-impl</artifactId>
<version>2.2.2.CR1-SNAPSHOT</version>
<scope>test</scope>
</dependency>

</dependencies>

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -156,7 +156,7 @@ protected JwtClaims createRequestToken(String clientId, String tokenUrl) {
return jwtClaims;
}

private static KeyPair loadKeyPairFromKeyStore(String keyStoreFile, String storePassword, String keyPassword, String keyAlias, String keyStoreType) {
public static KeyPair loadKeyPairFromKeyStore(String keyStoreFile, String storePassword, String keyPassword, String keyAlias, String keyStoreType) {
InputStream stream = findFile(keyStoreFile);
try {
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
Expand Down
40 changes: 40 additions & 0 deletions http/oidc/src/main/java/org/wildfly/security/http/oidc/Oidc.java
Original file line number Diff line number Diff line change
Expand Up @@ -52,10 +52,14 @@ public class Oidc {
public static final String TEXT_CONTENT_TYPE = "text/*";
public static final String DISCOVERY_PATH = ".well-known/openid-configuration";
public static final String KEYCLOAK_REALMS_PATH = "realms/";
public static final String KEYSTORE_PASS = "password";
public static final String JKS_KEYSTORE_TYPE = "JKS";
public static final String JSON_CONFIG_CONTEXT_PARAM = "org.wildfly.security.http.oidc.json.config";
static final String ACCOUNT_PATH = "account";
public static final String CLIENTS_MANAGEMENT_REGISTER_NODE_PATH = "clients-managements/register-node";
public static final String CLIENTS_MANAGEMENT_UNREGISTER_NODE_PATH = "clients-managements/unregister-node";
public static final String ADMIN_CONSOLE_PATH = "admin/master/console/#";
public static final String REALM_SETTING_KEYS_PATH = "realm-settings/keys";
public static final String SLASH = "/";
public static final String OIDC_CLIENT_CONTEXT_KEY = OidcClientContext.class.getName();
public static final String CLIENT_ID = "client_id";
Expand All @@ -73,12 +77,17 @@ public class Oidc {
public static final String PARTIAL = "partial/";
public static final String PASSWORD = "password";
public static final String PROMPT = "prompt";
public static final String REQUEST = "request";
public static final String REQUEST_URI = "request_uri";
public static final String SCOPE = "scope";
public static final String UI_LOCALES = "ui_locales";
public static final String USERNAME = "username";
public static final String OIDC_SCOPE = "openid";
public static final String REDIRECT_URI = "redirect_uri";
public static final String REFRESH_TOKEN = "refresh_token";
public static final String REQUEST_TYPE_OAUTH2 = "oauth2";
public static final String REQUEST_TYPE_REQUEST = "request";
public static final String REQUEST_TYPE_REQUEST_URI = "request_uri";
public static final String RESPONSE_TYPE = "response_type";
public static final String SESSION_STATE = "session_state";
public static final String SOAP_ACTION = "SOAPAction";
Expand Down Expand Up @@ -116,6 +125,35 @@ public class Oidc {
public static final String X_REQUESTED_WITH = "X-Requested-With";
public static final String XML_HTTP_REQUEST = "XMLHttpRequest";

/* Accepted Request Object Signing Algorithms for KeyCloak*/
public static final String NONE = "none";
public static final String RS_256 = "RS256";
public static final String HS_256 = "HS256";
public static final String HS_384 = "HS384";
public static final String HS_512 = "HS512";
public static final String ES_256 = "ES256";
public static final String ES_384 = "ES384";
public static final String ES_512 = "ES512";
public static final String ES_256K = "ES256K";
public static final String RS_384 = "RS384";
public static final String RS_512 = "RS512";
public static final String PS_256 = "PS256";
public static final String PS_384 = "PS384";
public static final String PS_512 = "PS512";

/* Accepted Request Object Encrypting Algorithms for KeyCloak*/
public static final String RSA_OAEP = "RSA-OAEP";
public static final String RSA_OAEP_256 = "RSA-OAEP-256";
public static final String RSA1_5 = "RSA1_5";

/* Accepted Request Object Encryption Methods for KeyCloak*/
public static final String A256GCM = "A256GCM";
public static final String A192GCM = "A192GCM";
public static final String A128GCM = "A128GCM";
public static final String A128CBC_HS256 = "A128CBC-HS256";
public static final String A192CBC_HS384 = "A192CBC-HS384";
public static final String A256CBC_HS512 = "A256CBC-HS512";

/**
* Bearer token pattern.
* The Bearer token authorization header is of the form "Bearer", followed by optional whitespace, followed by
Expand Down Expand Up @@ -276,6 +314,8 @@ public static String getJavaAlgorithm(String algorithm) {
return ES384;
case AlgorithmIdentifiers.ECDSA_USING_P521_CURVE_AND_SHA512:
return ES512;
case AlgorithmIdentifiers.NONE:
return NONE;
default:
throw log.unknownAlgorithm(algorithm);
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -20,19 +20,17 @@

import static org.apache.http.HttpHeaders.ACCEPT;
import static org.wildfly.security.http.oidc.ElytronMessages.log;
import static org.wildfly.security.http.oidc.Oidc.ACCOUNT_PATH;
import static org.wildfly.security.http.oidc.Oidc.CLIENTS_MANAGEMENT_REGISTER_NODE_PATH;
import static org.wildfly.security.http.oidc.Oidc.CLIENTS_MANAGEMENT_UNREGISTER_NODE_PATH;
import static org.wildfly.security.http.oidc.Oidc.DEFAULT_TOKEN_SIGNATURE_ALGORITHM;
import static org.wildfly.security.http.oidc.Oidc.DISCOVERY_PATH;
import static org.wildfly.security.http.oidc.Oidc.JSON_CONTENT_TYPE;
import static org.wildfly.security.http.oidc.Oidc.KEYCLOAK_REALMS_PATH;
import static org.wildfly.security.http.oidc.Oidc.SLASH;
import static org.wildfly.security.http.oidc.Oidc.SSLRequired;
import static org.wildfly.security.http.oidc.Oidc.TokenStore;
import static org.wildfly.security.http.oidc.Oidc.*;
import static org.wildfly.security.jose.util.JsonSerialization.readValue;

import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.Callable;

Expand All @@ -41,7 +39,7 @@
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.util.EntityUtils;
import org.wildfly.security.jose.util.JsonSerialization;
import org.jose4j.jwk.JsonWebKeySet;

/**
* The OpenID Connect (OIDC) configuration for a client application. This class is based on
Expand Down Expand Up @@ -80,7 +78,13 @@ public enum RelativeUrlsUsed {
protected String unregisterNodeUrl;
protected String jwksUrl;
protected String issuerUrl;
protected String authorizationEndpoint;
protected String principalAttribute = "sub";
protected List<String> requestObjectSigningAlgValuesSupported;
protected List<String> requestObjectEncryptionEncValuesSupported;
protected List<String> requestObjectEncryptionAlgValuesSupported;
protected boolean requestParameterSupported;
protected boolean requestUriParameterSupported;

protected String resource;
protected String clientId;
Expand Down Expand Up @@ -126,6 +130,19 @@ public enum RelativeUrlsUsed {
protected boolean verifyTokenAudience = false;

protected String tokenSignatureAlgorithm = DEFAULT_TOKEN_SIGNATURE_ALGORITHM;
protected String authenticationRequestFormat;
protected String requestSignatureAlgorithm;
protected String requestEncryptAlgorithm;
protected String requestEncryptEncValue;
protected String pushedAuthorizationRequestEndpoint;
protected String clientKeyStoreFile;
protected String clientKeyStorePass;
protected String clientKeyPass;
protected String clientKeyAlias;
protected String clientKeystoreType;

protected String realmKey;
protected JsonWebKeySet realmKeySet = new JsonWebKeySet();

public OidcClientConfiguration() {
}
Expand Down Expand Up @@ -223,6 +240,15 @@ protected void resolveUrls() {
tokenUrl = config.getTokenEndpoint();
logoutUrl = config.getLogoutEndpoint();
jwksUrl = config.getJwksUri();
authorizationEndpoint = config.getAuthorizationEndpoint();
requestParameterSupported = config.getRequestParameterSupported();
requestObjectSigningAlgValuesSupported = config.getRequestObjectSigningAlgValuesSupported();
requestObjectEncryptionEncValuesSupported = config.getRequestObjectEncryptionEncValuesSupported();
requestObjectEncryptionAlgValuesSupported = config.getRequestObjectEncryptionAlgValuesSupported();
requestUriParameterSupported = config.getRequestUriParameterSupported();
realmKeySet = createrealmKeySet();
pushedAuthorizationRequestEndpoint = config.getPushedAuthorizationRequestEndpoint();

if (authServerBaseUrl != null) {
// keycloak-specific properties
accountUrl = getUrl(issuerUrl, ACCOUNT_PATH);
Expand All @@ -237,6 +263,26 @@ protected void resolveUrls() {
}
}

private JsonWebKeySet createrealmKeySet() throws Exception{
HttpGet request = new HttpGet(jwksUrl);
request.addHeader(ACCEPT, JSON_CONTENT_TYPE);
HttpResponse response = getClient().execute(request);
if (response.getStatusLine().getStatusCode() != HttpStatus.SC_OK) {
EntityUtils.consumeQuietly(response.getEntity());
throw new Exception(response.getStatusLine().getReasonPhrase());
}
InputStream inputStream = response.getEntity().getContent();
StringBuilder textBuilder = new StringBuilder();
try (Reader reader = new BufferedReader(new InputStreamReader
(inputStream, StandardCharsets.UTF_8))) {
int c = 0;
while ((c = reader.read()) != -1) {
textBuilder.append((char) c);
}
}
return new JsonWebKeySet(textBuilder.toString());
}

protected OidcProviderMetadata getOidcProviderMetadata(String discoveryUrl) throws Exception {
HttpGet request = new HttpGet(discoveryUrl);
request.addHeader(ACCEPT, JSON_CONTENT_TYPE);
Expand All @@ -246,7 +292,7 @@ protected OidcProviderMetadata getOidcProviderMetadata(String discoveryUrl) thro
EntityUtils.consumeQuietly(response.getEntity());
throw new Exception(response.getStatusLine().getReasonPhrase());
}
return JsonSerialization.readValue(response.getEntity().getContent(), OidcProviderMetadata.class);
return readValue(response.getEntity().getContent(), OidcProviderMetadata.class);
} finally {
request.releaseConnection();
}
Expand Down Expand Up @@ -329,6 +375,22 @@ public String getIssuerUrl() {
return issuerUrl;
}

public List<String> getRequestObjectSigningAlgValuesSupported() {
return requestObjectSigningAlgValuesSupported;
}

public boolean getRequestParameterSupported() {
return requestParameterSupported;
}

public boolean getRequestUriParameterSupported() {
return requestUriParameterSupported;
}

public String getAuthorizationEndpoint() {
return authorizationEndpoint;
}

public void setResource(String resource) {
this.resource = resource;
}
Expand Down Expand Up @@ -651,4 +713,99 @@ public String getTokenSignatureAlgorithm() {
return tokenSignatureAlgorithm;
}

public String getAuthenticationRequestFormat() {
return authenticationRequestFormat;
}

public void setAuthenticationRequestFormat(String requestObjectType ) {
this.authenticationRequestFormat = requestObjectType;
}

public String getRequestSignatureAlgorithm() {
return requestSignatureAlgorithm;
}

public void setRequestSignatureAlgorithm(String algorithm) {
this.requestSignatureAlgorithm = algorithm;
}

public String getRequestEncryptAlgorithm() {
return requestEncryptAlgorithm;
}

public void setRequestEncryptAlgorithm(String algorithm) {
this.requestEncryptAlgorithm = algorithm;
}

public String getRequestEncryptEncValue() {
return requestEncryptEncValue;
}

public void setRequestEncryptEncValue (String enc) {
this.requestEncryptEncValue = enc;
}

public String getRealmKey () {
return realmKey;
}

public void setRealmKey(String key) {
this.realmKey = key;
}

public String getClientKeyStore () {
return clientKeyStoreFile;
}

public void setClientKeyStore(String keyStoreFile) {
this.clientKeyStoreFile = keyStoreFile;
}

public String getClientKeyStorePassword () {
return clientKeyStorePass;
}

public void setClientKeyStorePassword(String pass) {
this.clientKeyStorePass = pass;
}

public String getClientKeyPassword () {
return clientKeyPass;
}

public void setClientKeyPassword(String pass) {
this.clientKeyPass = pass;
}

public String getClientKeystoreType() {
return clientKeystoreType;
}

public void setClientKeystoreType(String type) {
this.clientKeystoreType = type;
}

public String getClientKeyAlias() {
return clientKeyAlias;
}

public void setClientKeyAlias(String alias) {
this.clientKeyAlias = alias;
}

public JsonWebKeySet getrealmKeySet() {
return realmKeySet;
}

public void setrealmKeySet(JsonWebKeySet keySet) {
this.realmKeySet = keySet;
}

public String getPushedAuthorizationRequestEndpoint() {
return pushedAuthorizationRequestEndpoint;
}

public void setPushedAuthorizationRequestEndpoint(String url) {
this.pushedAuthorizationRequestEndpoint = url;
}
}
Loading

0 comments on commit ea303ca

Please sign in to comment.