public URI generateRedirectUri(String samlParameterName, String redirectUri, Document document)
      throws ConfigurationException, ProcessingException, IOException {
    KeycloakUriBuilder builder =
        KeycloakUriBuilder.fromUri(redirectUri)
            .replaceQuery(null)
            .queryParam(samlParameterName, base64Encoded(document));
    if (relayState != null) {
      builder.queryParam("RelayState", relayState);
    }

    if (sign) {
      builder.queryParam(
          GeneralConstants.SAML_SIG_ALG_REQUEST_KEY, signatureAlgorithm.getXmlSignatureMethod());
      URI uri = builder.build();
      String rawQuery = uri.getRawQuery();
      Signature signature = signatureAlgorithm.createSignature();
      byte[] sig = new byte[0];
      try {
        signature.initSign(signingKeyPair.getPrivate());
        signature.update(rawQuery.getBytes("UTF-8"));
        sig = signature.sign();
      } catch (InvalidKeyException | UnsupportedEncodingException | SignatureException e) {
        throw new ProcessingException(e);
      }
      String encodedSig = RedirectBindingUtil.base64URLEncode(sig);
      builder.queryParam(GeneralConstants.SAML_SIGNATURE_REQUEST_KEY, encodedSig);
    }
    return builder.build();
  }
示例#2
0
 public URI getAuthServerRoot() {
   try {
     return KeycloakUriBuilder.fromUri(suiteContext.getAuthServerInfo().getContextRoot().toURI())
         .path("/auth/")
         .build();
   } catch (URISyntaxException e) {
     throw new RuntimeException(e);
   }
 }
示例#3
0
 /**
  * This function has been copied (and modified) from the Keycloak AdapterDeploymentContext class.
  * It should be kept up-to-date with future versions of Keycloak.
  */
 private KeycloakUriBuilder getBaseBuilder(
     KeycloakDeployment deployment, HttpFacade.Request facadeRequest) {
   String base = deployment.getAuthServerBaseUrl();
   KeycloakUriBuilder builder = KeycloakUriBuilder.fromUri(base);
   URI request = URI.create(facadeRequest.getURI());
   String scheme = request.getScheme();
   if (deployment.getSslRequired().isRequired(facadeRequest.getRemoteAddr())) {
     scheme = "https";
     if (!request.getScheme().equals(scheme) && request.getPort() != -1) {
       throw new RuntimeException("Can't resolve relative url from adapter config.");
     }
   }
   builder.scheme(scheme);
   builder.host(request.getHost());
   if (request.getPort() != -1) {
     builder.port(request.getPort());
   }
   return builder;
 }
  public void verifyRedirectBindingSignature(PublicKey publicKey, String paramKey)
      throws VerificationException {
    String request = facade.getRequest().getQueryParamValue(paramKey);
    String algorithm =
        facade.getRequest().getQueryParamValue(GeneralConstants.SAML_SIG_ALG_REQUEST_KEY);
    String signature =
        facade.getRequest().getQueryParamValue(GeneralConstants.SAML_SIGNATURE_REQUEST_KEY);
    String decodedAlgorithm =
        facade.getRequest().getQueryParamValue(GeneralConstants.SAML_SIG_ALG_REQUEST_KEY);

    if (request == null) {
      throw new VerificationException("SAML Request was null");
    }
    if (algorithm == null) throw new VerificationException("SigAlg was null");
    if (signature == null) throw new VerificationException("Signature was null");

    // Shibboleth doesn't sign the document for redirect binding.
    // todo maybe a flag?

    String relayState = facade.getRequest().getQueryParamValue(GeneralConstants.RELAY_STATE);
    KeycloakUriBuilder builder = KeycloakUriBuilder.fromPath("/").queryParam(paramKey, request);
    if (relayState != null) {
      builder.queryParam(GeneralConstants.RELAY_STATE, relayState);
    }
    builder.queryParam(GeneralConstants.SAML_SIG_ALG_REQUEST_KEY, algorithm);
    String rawQuery = builder.build().getRawQuery();

    try {
      // byte[] decodedSignature = RedirectBindingUtil.urlBase64Decode(signature);
      byte[] decodedSignature = Base64.decode(signature);

      SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.getFromXmlMethod(decodedAlgorithm);
      Signature validator = signatureAlgorithm.createSignature(); // todo plugin signature alg
      validator.initVerify(publicKey);
      validator.update(rawQuery.getBytes("UTF-8"));
      if (!validator.verify(decodedSignature)) {
        throw new VerificationException("Invalid query param signature");
      }
    } catch (Exception e) {
      throw new VerificationException(e);
    }
  }
 @Override
 public String getRedirectUri() {
   HttpSession session = request.getSession(false);
   if (session == null) return null;
   String redirect = (String) session.getAttribute(REDIRECT_URI);
   if (redirect == null) {
     String contextPath = request.getContextPath();
     String baseUri =
         KeycloakUriBuilder.fromUri(request.getRequestURL().toString())
             .replacePath(contextPath)
             .build()
             .toString();
     return SamlUtil.getRedirectTo(facade, contextPath, baseUri);
   }
   return redirect;
 }
示例#6
0
 void setAuthServerBaseUrl(String authServerBaseUrl) {
   this.authServerBaseUrl = authServerBaseUrl;
   KeycloakUriBuilder serverBuilder = KeycloakUriBuilder.fromUri(authServerBaseUrl);
   resolveUrls(serverBuilder);
 }
示例#7
0
 private static String getContextPath(HttpFacade facade) {
   String uri = facade.getRequest().getURI();
   String path = KeycloakUriBuilder.fromUri(uri).getPath();
   int index = path.indexOf("/", 1);
   return index == -1 ? path : path.substring(0, index);
 }