protected boolean corsRequest() { if (!deployment.isCors()) return false; KeycloakSecurityContext securityContext = facade.getSecurityContext(); String origin = facade.getRequest().getHeader(CorsHeaders.ORIGIN); String requestOrigin = UriUtils.getOrigin(facade.getRequest().getURI()); log.debugv("Origin: {0} uri: {1}", origin, facade.getRequest().getURI()); if (securityContext != null && origin != null && !origin.equals(requestOrigin)) { AccessToken token = securityContext.getToken(); Set<String> allowedOrigins = token.getAllowedOrigins(); if (log.isDebugEnabled()) { for (String a : allowedOrigins) log.debug(" " + a); } if (allowedOrigins == null || (!allowedOrigins.contains("*") && !allowedOrigins.contains(origin))) { if (allowedOrigins == null) { log.debugv("allowedOrigins was null in token"); } else { log.debugv("allowedOrigins did not contain origin"); } facade.getResponse().setStatus(403); facade.getResponse().end(); return true; } log.debugv("returning origin: {0}", origin); facade.getResponse().setStatus(200); facade.getResponse().setHeader(CorsHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin); facade.getResponse().setHeader(CorsHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true"); } else { log.debugv( "cors validation not needed as we're not a secure session or origin header was null: {0}", facade.getRequest().getURI()); } return false; }
public static void setTokenCookie( KeycloakDeployment deployment, HttpFacade facade, RefreshableKeycloakSecurityContext session) { log.debugf("Set new %s cookie now", AdapterConstants.KEYCLOAK_ADAPTER_STATE_COOKIE); String accessToken = session.getTokenString(); String idToken = session.getIdTokenString(); String refreshToken = session.getRefreshToken(); String cookie = new StringBuilder(accessToken) .append(DELIM) .append(idToken) .append(DELIM) .append(refreshToken) .toString(); String cookiePath = getContextPath(facade); facade .getResponse() .setCookie( AdapterConstants.KEYCLOAK_ADAPTER_STATE_COOKIE, cookie, cookiePath, null, -1, deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr()), true); }
protected boolean verifySSL() { if (!facade.getRequest().isSecure() && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) { log.warn("SSL is required to authenticate"); return true; } return false; }
public AuthOutcome authenticate() { if (log.isTraceEnabled()) { log.trace("--> authenticate()"); } BearerTokenRequestAuthenticator bearer = createBearerTokenAuthenticator(); if (log.isTraceEnabled()) { log.trace("try bearer"); } AuthOutcome outcome = bearer.authenticate(facade); if (outcome == AuthOutcome.FAILED) { challenge = bearer.getChallenge(); log.debug("Bearer FAILED"); return AuthOutcome.FAILED; } else if (outcome == AuthOutcome.AUTHENTICATED) { if (verifySSL()) return AuthOutcome.FAILED; completeAuthentication(bearer); log.debug("Bearer AUTHENTICATED"); return AuthOutcome.AUTHENTICATED; } else if (deployment.isBearerOnly()) { challenge = bearer.getChallenge(); log.debug("NOT_ATTEMPTED: bearer only"); return AuthOutcome.NOT_ATTEMPTED; } if (log.isTraceEnabled()) { log.trace("try oauth"); } if (isCached()) { if (verifySSL()) return AuthOutcome.FAILED; log.debug("AUTHENTICATED: was cached"); return AuthOutcome.AUTHENTICATED; } OAuthRequestAuthenticator oauth = createOAuthAuthenticator(); outcome = oauth.authenticate(); if (outcome == AuthOutcome.FAILED) { challenge = oauth.getChallenge(); return AuthOutcome.FAILED; } else if (outcome == AuthOutcome.NOT_ATTEMPTED) { challenge = oauth.getChallenge(); return AuthOutcome.NOT_ATTEMPTED; } if (verifySSL()) return AuthOutcome.FAILED; completeAuthentication(oauth); // redirect to strip out access code and state query parameters facade.getResponse().setHeader("Location", oauth.getStrippedOauthParametersRequestUri()); facade.getResponse().setStatus(302); facade.getResponse().end(); log.debug("AUTHENTICATED"); return AuthOutcome.AUTHENTICATED; }
protected boolean abortTokenResponse() { if (facade.getSecurityContext() == null) { log.debugv("Not logged in, sending back 401: {0}", facade.getRequest().getURI()); facade.getResponse().setStatus(401); facade.getResponse().end(); return true; } if (!deployment.isExposeToken()) { facade.getResponse().setStatus(200); facade.getResponse().end(); return true; } // Don't allow a CORS request if we're not validating CORS requests. if (!deployment.isCors() && facade.getRequest().getHeader(CorsHeaders.ORIGIN) != null) { facade.getResponse().setStatus(200); facade.getResponse().end(); return true; } return false; }
protected KeycloakDeployment internalBuild(AdapterConfig adapterConfig) { if (adapterConfig.getRealm() == null) throw new RuntimeException("Must set 'realm' in config"); deployment.setRealm(adapterConfig.getRealm()); String resource = adapterConfig.getResource(); if (resource == null) throw new RuntimeException("Must set 'resource' in config"); deployment.setResourceName(resource); String realmKeyPem = adapterConfig.getRealmKey(); if (realmKeyPem != null) { PublicKey realmKey; try { realmKey = PemUtils.decodePublicKey(realmKeyPem); } catch (Exception e) { throw new RuntimeException(e); } deployment.setRealmKey(realmKey); } if (adapterConfig.getSslRequired() != null) { deployment.setSslRequired(SslRequired.valueOf(adapterConfig.getSslRequired().toUpperCase())); } else { deployment.setSslRequired(SslRequired.EXTERNAL); } if (adapterConfig.getTokenStore() != null) { deployment.setTokenStore(TokenStore.valueOf(adapterConfig.getTokenStore().toUpperCase())); } else { deployment.setTokenStore(TokenStore.SESSION); } if (adapterConfig.getPrincipalAttribute() != null) deployment.setPrincipalAttribute(adapterConfig.getPrincipalAttribute()); deployment.setResourceCredentials(adapterConfig.getCredentials()); deployment.setPublicClient(adapterConfig.isPublicClient()); deployment.setUseResourceRoleMappings(adapterConfig.isUseResourceRoleMappings()); deployment.setExposeToken(adapterConfig.isExposeToken()); if (adapterConfig.isCors()) { deployment.setCors(true); deployment.setCorsMaxAge(adapterConfig.getCorsMaxAge()); deployment.setCorsAllowedHeaders(adapterConfig.getCorsAllowedHeaders()); deployment.setCorsAllowedMethods(adapterConfig.getCorsAllowedMethods()); } deployment.setBearerOnly(adapterConfig.isBearerOnly()); deployment.setEnableBasicAuth(adapterConfig.isEnableBasicAuth()); deployment.setAlwaysRefreshToken(adapterConfig.isAlwaysRefreshToken()); deployment.setRegisterNodeAtStartup(adapterConfig.isRegisterNodeAtStartup()); deployment.setRegisterNodePeriod(adapterConfig.getRegisterNodePeriod()); if (realmKeyPem == null && adapterConfig.isBearerOnly() && adapterConfig.getAuthServerUrl() == null) { throw new IllegalArgumentException( "For bearer auth, you must set the realm-public-key or auth-server-url"); } if (realmKeyPem == null || !deployment.isBearerOnly() || deployment.isRegisterNodeAtStartup() || deployment.getRegisterNodePeriod() != -1) { deployment.setClient(new HttpClientBuilder().build(adapterConfig)); } if (adapterConfig.getAuthServerUrl() == null && (!deployment.isBearerOnly() || realmKeyPem == null)) { throw new RuntimeException("You must specify auth-url"); } deployment.setAuthServerBaseUrl(adapterConfig); log.debug( "Use authServerUrl: " + deployment.getAuthServerBaseUrl() + ", tokenUrl: " + deployment.getTokenUrl() + ", relativeUrls: " + deployment.getRelativeUrls()); return deployment; }