@Override
public void setClientCredentials(
KeycloakDeployment deployment,
Map<String, String> requestHeaders,
Map<String, String> formParams) {
String signedToken =
createSignedRequestToken(deployment.getResourceName(), deployment.getRealmInfoUrl());
formParams.put(
OAuth2Constants.CLIENT_ASSERTION_TYPE, OAuth2Constants.CLIENT_ASSERTION_TYPE_JWT);
formParams.put(OAuth2Constants.CLIENT_ASSERTION, signedToken);
}
@Override
public void init(KeycloakDeployment deployment, Object config) {
if (config == null || !(config instanceof Map)) {
throw new RuntimeException(
"Configuration of jwt credentials is missing or incorrect for client '"
+ deployment.getResourceName()
+ "'. Check your adapter configuration");
}
Map<String, Object> cfg = (Map<String, Object>) config;
String clientKeystoreFile = (String) cfg.get("client-keystore-file");
if (clientKeystoreFile == null) {
throw new RuntimeException(
"Missing parameter client-keystore-file in configuration of jwt for client "
+ deployment.getResourceName());
}
String clientKeystoreType = (String) cfg.get("client-keystore-type");
KeystoreUtil.KeystoreFormat clientKeystoreFormat =
clientKeystoreType == null
? KeystoreUtil.KeystoreFormat.JKS
: Enum.valueOf(KeystoreUtil.KeystoreFormat.class, clientKeystoreType.toUpperCase());
String clientKeystorePassword = (String) cfg.get("client-keystore-password");
if (clientKeystorePassword == null) {
throw new RuntimeException(
"Missing parameter client-keystore-password in configuration of jwt for client "
+ deployment.getResourceName());
}
String clientKeyPassword = (String) cfg.get("client-key-password");
if (clientKeyPassword == null) {
clientKeyPassword = clientKeystorePassword;
}
String clientKeyAlias = (String) cfg.get("client-key-alias");
if (clientKeyAlias == null) {
clientKeyAlias = deployment.getResourceName();
}
this.privateKey =
KeystoreUtil.loadPrivateKeyFromKeystore(
clientKeystoreFile,
clientKeystorePassword,
clientKeyPassword,
clientKeyAlias,
clientKeystoreFormat);
this.tokenTimeout = asInt(cfg, "token-timeout", 10);
}
@Override
public void setClientCredentials(
KeycloakDeployment deployment,
Map<String, String> requestHeaders,
Map<String, String> formParams) {
String clientId = deployment.getResourceName();
if (!deployment.isPublicClient()) {
if (clientSecret != null) {
String authorization = BasicAuthHelper.createHeader(clientId, clientSecret);
requestHeaders.put("Authorization", authorization);
} else {
logger.warnf("Client '%s' doesn't have secret available", clientId);
}
} else {
formParams.put(OAuth2Constants.CLIENT_ID, clientId);
}
}
/**
* This function has been copied (and modified) from the Keycloak AdapterDeploymentContext class.
* It should be kept up-to-date with future versions of Keycloak.
*/
private KeycloakUriBuilder getBaseBuilder(
KeycloakDeployment deployment, HttpFacade.Request facadeRequest) {
String base = deployment.getAuthServerBaseUrl();
KeycloakUriBuilder builder = KeycloakUriBuilder.fromUri(base);
URI request = URI.create(facadeRequest.getURI());
String scheme = request.getScheme();
if (deployment.getSslRequired().isRequired(facadeRequest.getRemoteAddr())) {
scheme = "https";
if (!request.getScheme().equals(scheme) && request.getPort() != -1) {
throw new RuntimeException("Can't resolve relative url from adapter config.");
}
}
builder.scheme(scheme);
builder.host(request.getHost());
if (request.getPort() != -1) {
builder.port(request.getPort());
}
return builder;
}
/**
* This function has been copied (and modified) from the Keycloak AdapterDeploymentContext class.
* It should be kept up-to-date with future versions of Keycloak.
*/
public KeycloakDeployment resolveUrls(
KeycloakDeployment deployment, HttpFacade.Request facadeRequest) {
if (deployment.getRelativeUrls() == RelativeUrlsUsed.NEVER) {
// Absolute URI are already set to everything
return deployment;
} else {
DeploymentDelegate delegate = new DeploymentDelegate(deployment);
delegate.setAuthServerBaseUrl(getBaseBuilder(deployment, facadeRequest).build().toString());
return delegate;
}
}
public boolean checkCorsPreflight(Request request, Response response) {
log.finer("checkCorsPreflight " + request.getRequestURI());
if (!request.getMethod().equalsIgnoreCase("OPTIONS")) {
log.finer("checkCorsPreflight: not options ");
return false;
}
if (request.getHeader("Origin") == null) {
log.finer("checkCorsPreflight: no origin header");
return false;
}
log.finer("Preflight request returning");
response.setStatus(HttpServletResponse.SC_OK);
String origin = request.getHeader("Origin");
response.setHeader("Access-Control-Allow-Origin", origin);
response.setHeader("Access-Control-Allow-Credentials", "true");
String requestMethods = request.getHeader("Access-Control-Request-Method");
if (requestMethods != null) {
if (deployment.getCorsAllowedMethods() != null) {
requestMethods = deployment.getCorsAllowedMethods();
}
response.setHeader("Access-Control-Allow-Methods", requestMethods);
}
String allowHeaders = request.getHeader("Access-Control-Request-Headers");
if (allowHeaders != null) {
if (deployment.getCorsAllowedHeaders() != null) {
allowHeaders = deployment.getCorsAllowedHeaders();
}
response.setHeader("Access-Control-Allow-Headers", allowHeaders);
}
if (deployment.getCorsMaxAge() > -1) {
response.setHeader("Access-Control-Max-Age", Integer.toString(deployment.getCorsMaxAge()));
}
return true;
}
@Override
public void setRegisterNodePeriod(int registerNodePeriod) {
delegate.setRegisterNodePeriod(registerNodePeriod);
}
@Override
public void setAlwaysRefreshToken(boolean alwaysRefreshToken) {
delegate.setAlwaysRefreshToken(alwaysRefreshToken);
}
@Override
public int getRegisterNodePeriod() {
return delegate.getRegisterNodePeriod();
}
@Override
public boolean isUseResourceRoleMappings() {
return delegate.isUseResourceRoleMappings();
}
@Override
public void setCors(boolean cors) {
delegate.setCors(cors);
}
@Override
public String getPrincipalAttribute() {
return delegate.getPrincipalAttribute();
}
@Override
public boolean isTurnOffChangeSessionIdOnLogin() {
return delegate.isTurnOffChangeSessionIdOnLogin();
}
@Override
public void setExposeToken(boolean exposeToken) {
delegate.setExposeToken(exposeToken);
}
@Override
public boolean isExposeToken() {
return delegate.isExposeToken();
}
@Override
public void setNotBefore(int notBefore) {
delegate.setNotBefore(notBefore);
}
@Override
public int getNotBefore() {
return delegate.getNotBefore();
}
@Override
public String getCorsAllowedHeaders() {
return delegate.getCorsAllowedHeaders();
}
@Override
public void setCorsMaxAge(int corsMaxAge) {
delegate.setCorsMaxAge(corsMaxAge);
}
@Override
public int getCorsMaxAge() {
return delegate.getCorsMaxAge();
}
@Override
public void setRegisterNodeAtStartup(boolean registerNodeAtStartup) {
delegate.setRegisterNodeAtStartup(registerNodeAtStartup);
}
@Override
public void setUseResourceRoleMappings(boolean useResourceRoleMappings) {
delegate.setUseResourceRoleMappings(useResourceRoleMappings);
}
@Override
public boolean isRegisterNodeAtStartup() {
return delegate.isRegisterNodeAtStartup();
}
@Override
public String getCorsAllowedMethods() {
return delegate.getCorsAllowedMethods();
}
@Override
public void setPrincipalAttribute(String principalAttribute) {
delegate.setPrincipalAttribute(principalAttribute);
}
@Override
public void setCorsAllowedHeaders(String corsAllowedHeaders) {
delegate.setCorsAllowedHeaders(corsAllowedHeaders);
}
@Override
public void setTurnOffChangeSessionIdOnLogin(boolean turnOffChangeSessionIdOnLogin) {
delegate.setTurnOffChangeSessionIdOnLogin(turnOffChangeSessionIdOnLogin);
}
@Override
public boolean isAlwaysRefreshToken() {
return delegate.isAlwaysRefreshToken();
}
@Override
public void setCorsAllowedMethods(String corsAllowedMethods) {
delegate.setCorsAllowedMethods(corsAllowedMethods);
}
@Override
public boolean isCors() {
return delegate.isCors();
}