OIDCLoginProtocolService.java
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.protocol.oidc;
import org.jboss.resteasy.reactive.NoCache;
import org.keycloak.http.HttpRequest;
import org.keycloak.OAuthErrorException;
import org.keycloak.common.ClientConnection;
import org.keycloak.events.EventBuilder;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.jose.jwk.JSONWebKeySet;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint;
import org.keycloak.protocol.oidc.endpoints.LoginStatusIframeEndpoint;
import org.keycloak.protocol.oidc.endpoints.LogoutEndpoint;
import org.keycloak.protocol.oidc.endpoints.ThirdPartyCookiesIframeEndpoint;
import org.keycloak.protocol.oidc.endpoints.TokenEndpoint;
import org.keycloak.protocol.oidc.endpoints.TokenRevocationEndpoint;
import org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint;
import org.keycloak.protocol.oidc.ext.OIDCExtProvider;
import org.keycloak.protocol.oidc.utils.JWKSServerUtils;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.cors.Cors;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.services.util.CacheControlUtil;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.OPTIONS;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriBuilder;
import jakarta.ws.rs.core.UriInfo;
/**
* Resource class for the oauth/openid connect token service
*
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class OIDCLoginProtocolService {
private final RealmModel realm;
private final TokenManager tokenManager;
private final EventBuilder event;
private final KeycloakSession session;
private final HttpHeaders headers;
private final HttpRequest request;
private final ClientConnection clientConnection;
public OIDCLoginProtocolService(KeycloakSession session, EventBuilder event) {
this.session = session;
this.clientConnection = session.getContext().getConnection();
this.realm = session.getContext().getRealm();
this.tokenManager = new TokenManager();
this.event = event;
this.request = session.getContext().getHttpRequest();
this.headers = session.getContext().getRequestHeaders();
}
public static UriBuilder tokenServiceBaseUrl(UriInfo uriInfo) {
UriBuilder baseUriBuilder = uriInfo.getBaseUriBuilder();
return tokenServiceBaseUrl(baseUriBuilder);
}
public static UriBuilder tokenServiceBaseUrl(UriBuilder baseUriBuilder) {
return baseUriBuilder.path(RealmsResource.class).path("{realm}/protocol/" + OIDCLoginProtocol.LOGIN_PROTOCOL);
}
public static UriBuilder authUrl(UriInfo uriInfo) {
UriBuilder baseUriBuilder = uriInfo.getBaseUriBuilder();
return authUrl(baseUriBuilder);
}
public static UriBuilder authUrl(UriBuilder baseUriBuilder) {
UriBuilder uriBuilder = tokenServiceBaseUrl(baseUriBuilder);
return uriBuilder.path(OIDCLoginProtocolService.class, "auth");
}
public static UriBuilder registrationsUrl(UriBuilder baseUriBuilder) {
UriBuilder uriBuilder = tokenServiceBaseUrl(baseUriBuilder);
return uriBuilder.path(OIDCLoginProtocolService.class, "registrations");
}
public static UriBuilder tokenUrl(UriBuilder baseUriBuilder) {
UriBuilder uriBuilder = tokenServiceBaseUrl(baseUriBuilder);
return uriBuilder.path(OIDCLoginProtocolService.class, "token");
}
public static UriBuilder certsUrl(UriBuilder baseUriBuilder) {
UriBuilder uriBuilder = tokenServiceBaseUrl(baseUriBuilder);
return uriBuilder.path(OIDCLoginProtocolService.class, "certs");
}
public static UriBuilder userInfoUrl(UriBuilder baseUriBuilder) {
UriBuilder uriBuilder = tokenServiceBaseUrl(baseUriBuilder);
return uriBuilder.path(OIDCLoginProtocolService.class, "issueUserInfo");
}
public static UriBuilder tokenIntrospectionUrl(UriBuilder baseUriBuilder) {
return tokenUrl(baseUriBuilder).path(TokenEndpoint.class, "introspect");
}
public static UriBuilder logoutUrl(UriInfo uriInfo) {
UriBuilder baseUriBuilder = uriInfo.getBaseUriBuilder();
return logoutUrl(baseUriBuilder);
}
public static UriBuilder logoutUrl(UriBuilder baseUriBuilder) {
UriBuilder uriBuilder = tokenServiceBaseUrl(baseUriBuilder);
return uriBuilder.path(OIDCLoginProtocolService.class, "logout");
}
public static UriBuilder tokenRevocationUrl(UriBuilder baseUriBuilder) {
UriBuilder uriBuilder = tokenServiceBaseUrl(baseUriBuilder);
return uriBuilder.path(OIDCLoginProtocolService.class, "revoke");
}
/**
* Authorization endpoint
*/
@Path("auth")
public Object auth() {
return new AuthorizationEndpoint(session, event);
}
/**
* Registration endpoint
*/
@Path("registrations")
public Object registrations(@QueryParam(Constants.TOKEN) String tokenString) {
AuthorizationEndpoint endpoint = new AuthorizationEndpoint(session, event);
return endpoint.register(tokenString);
}
/**
* Forgot-Credentials endpoint
*/
@Path("forgot-credentials")
public Object forgotCredentialsPage() {
AuthorizationEndpoint endpoint = new AuthorizationEndpoint(session, event);
return endpoint.forgotCredentials();
}
/**
* Token endpoint
*/
@Path("token")
public Object token() {
return new TokenEndpoint(session, tokenManager, event);
}
@Path("login-status-iframe.html")
public Object getLoginStatusIframe() {
return new LoginStatusIframeEndpoint(session);
}
@Path("3p-cookies")
public Object thirdPartyCookiesCheck() {
return new ThirdPartyCookiesIframeEndpoint(session);
}
@OPTIONS
@Path("certs")
@Produces(MediaType.APPLICATION_JSON)
public Response getVersionPreflight() {
return Cors.builder().allowedMethods("GET").preflight().auth().add(Response.ok());
}
@GET
@Path("certs")
@Produces(MediaType.APPLICATION_JSON)
@NoCache
public Response certs() {
checkSsl();
JSONWebKeySet keySet = JWKSServerUtils.getRealmJwks(session, realm);
Response.ResponseBuilder responseBuilder = Response.ok(keySet).cacheControl(CacheControlUtil.getDefaultCacheControl());
return Cors.builder().allowedOrigins("*").auth().add(responseBuilder);
}
@Path("userinfo")
public Object issueUserInfo() {
return new UserInfoEndpoint(session, tokenManager);
}
@Path("logout")
public Object logout() {
return new LogoutEndpoint(session, tokenManager, event);
}
@Path("revoke")
public Object revoke() {
return new TokenRevocationEndpoint(session, event);
}
@Path("oauth/oob")
@GET
public Response installedAppUrnCallback(final @QueryParam("code") String code, final @QueryParam("error") String error, final @QueryParam("error_description") String errorDescription) {
LoginFormsProvider forms = session.getProvider(LoginFormsProvider.class);
if (code != null) {
return forms.setClientSessionCode(code).createCode();
} else {
return forms.setError(error).createCode();
}
}
@Path("ext/{extension}")
public Object resolveExtension(@PathParam("extension") String extension) {
OIDCExtProvider provider = session.getProvider(OIDCExtProvider.class, extension);
if (provider != null) {
provider.setEvent(event);
return provider;
}
throw new NotFoundException();
}
private void checkSsl() {
if (!session.getContext().getUri().getBaseUri().getScheme().equals("https")
&& realm.getSslRequired().isRequired(clientConnection)) {
Cors cors = Cors.builder().auth().allowedMethods(request.getHttpMethod()).auth().exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS);
throw new CorsErrorResponseException(cors.allowAllOrigins(), OAuthErrorException.INVALID_REQUEST, "HTTPS required",
Response.Status.FORBIDDEN);
}
}
}