/**
 * Exposes the typed identity-provider configuration held by the superclass.
 *
 * @return the configuration object the superclass manages
 */
@Override
public C getConfig() {
    C inherited = super.getConfig();
    return inherited;
}
/**
 * Pulls the access token out of a token-endpoint response.
 *
 * NOTE(review): despite the name, nothing cryptographic happens here — the {@code key}
 * parameter is never read and only the presence of the token is checked. A value returned
 * from this method must not be treated as signature-validated; validate it elsewhere
 * (see processAccessTokenResponse) before trusting any claim inside it.
 *
 * @param key           public key of the identity provider (currently unused)
 * @param tokenResponse parsed token-endpoint response
 * @return the non-null access token string
 * @throws IdentityBrokerException when the response carries no access token
 */
private String verifyAccessToken(PublicKey key, AccessTokenResponse tokenResponse) {
    final String token = tokenResponse.getToken();
    if (token != null) {
        return token;
    }
    throw new IdentityBrokerException("No access_token from server.");
}
/**
 * Stores the raw user profile JSON in the brokered identity context (under
 * {@code CONTEXT_JSON_NODE}) so that JSON attribute mappers can read it later. When the
 * dedicated dump logger is at DEBUG, the complete profile is also written to the log so
 * its structure can be investigated.
 *
 * NOTE(review): the dump contains every field the social provider returned (e-mail, names,
 * ...), i.e. personal data. Enable the dump logger only while troubleshooting, never as a
 * steady-state production setting.
 *
 * @param user     context to store profile data into
 * @param profile  profile JSON to store
 * @param provider identification of the social provider, used only in the log line
 *
 * @see #preprocessFederatedIdentity(KeycloakSession, RealmModel, IdentityProviderMapperModel, BrokeredIdentityContext)
 * @see BrokeredIdentityContext#getContextData()
 */
public static void storeUserProfileForMapper(BrokeredIdentityContext user, JsonNode profile, String provider) {
    user.getContextData().put(AbstractJsonUserAttributeMapper.CONTEXT_JSON_NODE, profile);
    if (!LOGGER_DUMP_USER_PROFILE.isDebugEnabled()) {
        return;
    }
    // Whole profile goes to the log here — opt-in via the dump logger's level only.
    LOGGER_DUMP_USER_PROFILE.debug("User Profile JSON Data for provider " + provider + ": " + profile);
}
/**
 * Fetches the GitHub user profile with the supplied access token and maps it to a
 * brokered identity. The raw profile is also stashed in the context for JSON mappers.
 *
 * @param accessToken OAuth2 access token obtained from GitHub
 * @return identity context populated with id, login, name and e-mail
 * @throws IdentityBrokerException if the profile cannot be fetched or parsed
 */
@Override
protected BrokeredIdentityContext doGetFederatedIdentity(String accessToken) {
    try {
        // The token travels in the Authorization header, so it never appears in a URL.
        JsonNode profile = JsonSimpleHttp.asJson(
                SimpleHttp.doGet(PROFILE_URL).header("Authorization", "Bearer " + accessToken));

        BrokeredIdentityContext identity = new BrokeredIdentityContext(getJsonProperty(profile, "id"));
        identity.setUsername(getJsonProperty(profile, "login"));
        identity.setName(getJsonProperty(profile, "name"));
        identity.setEmail(getJsonProperty(profile, "email"));
        identity.setIdpConfig(getConfig());
        identity.setIdp(this);

        AbstractJsonUserAttributeMapper.storeUserProfileForMapper(identity, profile, getConfig().getAlias());
        return identity;
    } catch (Exception e) {
        throw new IdentityBrokerException("Could not obtain user profile from github.", e);
    }
}
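/**
 * Fetches the Microsoft Live user profile with the supplied access token and maps it to a
 * brokered identity. The raw profile is also stashed in the context for JSON mappers.
 *
 * Fix: the debug line used to print the full request URL, which embeds the bearer access
 * token as a query parameter; only the endpoint is logged now so the token never lands in
 * the log.
 *
 * @param accessToken OAuth2 access token obtained from Microsoft Live
 * @return identity context populated with id, first/last name and (if present) e-mail;
 *         the username is the preferred e-mail, falling back to the id
 * @throws IdentityBrokerException if the profile cannot be fetched or parsed
 */
@Override
protected BrokeredIdentityContext doGetFederatedIdentity(String accessToken) {
    try {
        // The Live API takes the token as a query parameter; encode it so it cannot alter the URL.
        String url = PROFILE_URL + "?access_token=" + URLEncoder.encode(accessToken, "UTF-8");
        if (log.isDebugEnabled()) {
            // Log the endpoint only — the full URL carries the access token.
            log.debug("Microsoft Live user profile request to: " + PROFILE_URL);
        }
        JsonNode profile = JsonSimpleHttp.asJson(SimpleHttp.doGet(url));

        String id = getJsonProperty(profile, "id");
        String email = null;
        if (profile.has("emails")) {
            email = getJsonProperty(profile.get("emails"), "preferred");
        }

        BrokeredIdentityContext user = new BrokeredIdentityContext(id);
        // Prefer the e-mail as username; fall back to the provider id when none is exposed.
        user.setUsername(email != null ? email : id);
        user.setFirstName(getJsonProperty(profile, "first_name"));
        user.setLastName(getJsonProperty(profile, "last_name"));
        if (email != null) {
            user.setEmail(email);
        }
        user.setIdpConfig(getConfig());
        user.setIdp(this);

        AbstractJsonUserAttributeMapper.storeUserProfileForMapper(user, profile, getConfig().getAlias());
        return user;
    } catch (Exception e) {
        throw new IdentityBrokerException("Could not obtain user profile from Microsoft Live ID.", e);
    }
}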
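/**
 * Fetches the StackOverflow user profile ("me" endpoint) with the supplied access token and
 * application key and maps it to a brokered identity. The raw profile is also stashed in
 * the context for JSON mappers.
 *
 * Fixes: (1) the debug line printed the full request URL, which embeds the access token
 * and the application key — only the endpoint is logged now; (2) the access token is
 * URL-encoded before being placed in the query string, as the Microsoft Live provider
 * already does; (3) an empty {@code items} array now yields a clear error instead of a
 * NullPointerException.
 *
 * @param accessToken OAuth2 access token obtained from StackOverflow
 * @return identity context populated with user id, username (derived from the profile
 *         link) and display name; StackOverflow does not expose an e-mail address
 * @throws IdentityBrokerException if the profile cannot be fetched or parsed
 */
@Override
protected BrokeredIdentityContext doGetFederatedIdentity(String accessToken) {
    log.debug("doGetFederatedIdentity()");
    try {
        // The Stack Exchange API takes the token as a query parameter; encode it so it cannot
        // alter the query. The key is operator configuration and is passed through as before.
        String url = PROFILE_URL
                + "&access_token=" + java.net.URLEncoder.encode(accessToken, "UTF-8")
                + "&key=" + getConfig().getKey();
        if (log.isDebugEnabled()) {
            // Log the endpoint only — the full URL carries the access token and app key.
            log.debug("StackOverflow profile request to: " + PROFILE_URL);
        }
        JsonNode response = JsonSimpleHttp.asJson(SimpleHttp.doGet(url));
        JsonNode items = response.get("items");
        if (items == null || items.size() == 0) {
            throw new IdentityBrokerException("No user item in profile response.");
        }
        JsonNode profile = items.get(0);

        BrokeredIdentityContext user = new BrokeredIdentityContext(getJsonProperty(profile, "user_id"));
        user.setUsername(extractUsernameFromProfileURL(getJsonProperty(profile, "link")));
        // display_name arrives HTML-escaped from the API.
        user.setName(unescapeHtml3(getJsonProperty(profile, "display_name")));
        // e-mail is not provided by the API
        user.setIdpConfig(getConfig());
        user.setIdp(this);

        AbstractJsonUserAttributeMapper.storeUserProfileForMapper(user, profile, getConfig().getAlias());
        return user;
    } catch (Exception e) {
        throw new IdentityBrokerException("Could not obtain user profile from Stackoverflow: " + e.getMessage(), e);
    }
}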
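/**
 * Resolves the realm role this mapper should grant when the validated access token carries
 * the configured external role.
 *
 * Fix: the previous version dereferenced the validated access token without checking for
 * its absence (a commented-out guard hinted at the intent). With no validated token there is
 * nothing trustworthy to read roles from, so the mapper now fails closed and returns
 * {@code null} (no role) instead of throwing a NullPointerException.
 *
 * @param realm       realm the role is looked up in
 * @param mapperModel mapper configuration: {@code ROLE} (role to grant) and
 *                    {@code EXTERNAL_ROLE} (role expected on the token, optionally
 *                    prefixed by a client id)
 * @param context     brokered identity context holding the validated access token
 * @return the role to grant, or {@code null} when the external role is not present
 * @throws IdentityBrokerException when the configured role does not exist in the realm
 */
private RoleModel hasRole(RealmModel realm, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
    JsonWebToken token = (JsonWebToken) context.getContextData().get(KeycloakOIDCIdentityProvider.VALIDATED_ACCESS_TOKEN);
    if (token == null) {
        return null;
    }

    String roleName = mapperModel.getConfig().get(HardcodedRoleMapper.ROLE);
    String[] parsedRole = KeycloakModelUtils.parseRole(mapperModel.getConfig().get(EXTERNAL_ROLE));
    String clientId = parsedRole[0];
    String externalRoleName = parsedRole[1];

    // Realm-level roles live under realm_access; client roles under resource_access.<client>.
    String claimName = clientId == null
            ? "realm_access.roles"
            : "resource_access." + clientId + ".roles";

    Object claim = getClaimValue(token, claimName);
    if (!valueEquals(externalRoleName, claim)) {
        return null;
    }

    RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
    if (role == null) {
        throw new IdentityBrokerException("Unable to find role: " + roleName);
    }
    return role;
}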
/**
 * Builds the redirect to the provider's authorization endpoint for the OAuth2
 * authorization-code flow. The {@code state} value is echoed back by the provider on the
 * callback and is what ties that callback to this login request (login-CSRF protection).
 *
 * @param request current authentication request, supplying state and redirect URI
 * @return builder positioned at the authorization URL with scope, state, response_type,
 *         client_id and redirect_uri set
 */
protected UriBuilder createAuthorizationUrl(AuthenticationRequest request) {
    UriBuilder builder = UriBuilder.fromUri(getConfig().getAuthorizationUrl());
    builder.queryParam(OAUTH2_PARAMETER_SCOPE, getConfig().getDefaultScope());
    builder.queryParam(OAUTH2_PARAMETER_STATE, request.getState());
    builder.queryParam(OAUTH2_PARAMETER_RESPONSE_TYPE, "code");
    builder.queryParam(OAUTH2_PARAMETER_CLIENT_ID, getConfig().getClientId());
    builder.queryParam(OAUTH2_PARAMETER_REDIRECT_URI, request.getRedirectUri());
    return builder;
}
/**
 * Sends the "confirm linking your account with identity provider X" e-mail.
 *
 * The brokered identity context is read from this sender's attribute map under
 * {@code IDENTITY_PROVIDER_BROKER_CONTEXT}; it must have been put there before calling
 * (a missing context would fail with a NullPointerException here).
 *
 * @param link                the confirmation link embedded in the mail
 * @param expirationInMinutes how long the link stays valid, shown to the user
 * @throws EmailException if the mail cannot be rendered or sent
 */
@Override
public void sendConfirmIdentityBrokerLink(String link, long expirationInMinutes) throws EmailException {
    BrokeredIdentityContext brokerContext =
            (BrokeredIdentityContext) this.attributes.get(IDENTITY_PROVIDER_BROKER_CONTEXT);
    // Alias is capitalised purely for presentation in subject and body.
    String displayAlias = ObjectUtil.capitalize(brokerContext.getIdpConfig().getAlias());

    // Template model; named distinctly so it is not confused with this.attributes.
    Map<String, Object> model = new HashMap<String, Object>();
    model.put("user", new ProfileBean(user));
    model.put("link", link);
    model.put("linkExpiration", expirationInMinutes);
    model.put("realmName", getRealmName());
    model.put("identityProviderContext", brokerContext);
    model.put("identityProviderAlias", displayAlias);

    List<Object> subjectArgs = Arrays.<Object>asList(displayAlias);
    send("identityProviderLinkSubject", subjectArgs, "identity-provider-link.ftl", model);
}
/**
 * Copies the configured token claim onto the brokered identity as a user attribute, so it
 * is applied when the user is created or updated. Nothing is set when the claim is absent.
 *
 * @param session     current session (unused here)
 * @param realm       current realm (unused here)
 * @param mapperModel mapper configuration supplying the target attribute name
 * @param context     brokered identity carrying the validated tokens the claim is read from
 */
@Override
public void preprocessFederatedIdentity(KeycloakSession session, RealmModel realm, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
    Object claimValue = getClaimValue(mapperModel, context);
    if (claimValue == null) {
        return;
    }
    String attributeName = mapperModel.getConfig().get(USER_ATTRIBUTE);
    context.setUserAttribute(attributeName, claimValue.toString());
}
/**
 * Fetches the LinkedIn user profile with the supplied access token and maps it to a
 * brokered identity. The raw profile is also stashed in the context for JSON mappers.
 *
 * @param accessToken OAuth2 access token obtained from LinkedIn
 * @return identity context populated with id, username (derived from the public profile
 *         URL), formatted name and e-mail address
 * @throws IdentityBrokerException if the profile cannot be fetched or parsed
 */
@Override
protected BrokeredIdentityContext doGetFederatedIdentity(String accessToken) {
    log.debug("doGetFederatedIdentity()");
    try {
        // Bearer header keeps the token out of the URL.
        JsonNode profile = JsonSimpleHttp.asJson(
                SimpleHttp.doGet(PROFILE_URL).header("Authorization", "Bearer " + accessToken));

        BrokeredIdentityContext identity = new BrokeredIdentityContext(getJsonProperty(profile, "id"));
        identity.setUsername(extractUsernameFromProfileURL(getJsonProperty(profile, "publicProfileUrl")));
        identity.setName(getJsonProperty(profile, "formattedName"));
        identity.setEmail(getJsonProperty(profile, "emailAddress"));
        identity.setIdpConfig(getConfig());
        identity.setIdp(this);

        AbstractJsonUserAttributeMapper.storeUserProfileForMapper(identity, profile, getConfig().getAlias());
        return identity;
    } catch (Exception e) {
        throw new IdentityBrokerException("Could not obtain user profile from linkedIn.", e);
    }
}
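/**
 * Extracts the access token from the raw token-endpoint response and resolves the
 * federated identity with it.
 *
 * Fix: the failure message no longer embeds the raw server response. That body can carry
 * other credentials (refresh or ID tokens) or provider-specific details, and exception
 * messages routinely end up in logs and error pages.
 *
 * @param response raw body returned by the provider's token endpoint
 * @return the brokered identity obtained with the extracted access token
 * @throws IdentityBrokerException when the response contains no access token
 */
protected BrokeredIdentityContext getFederatedIdentity(String response) {
    String accessToken = extractTokenFromResponse(response, OAUTH2_PARAMETER_ACCESS_TOKEN);
    if (accessToken == null) {
        throw new IdentityBrokerException("No access token available in OAuth server response.");
    }
    return doGetFederatedIdentity(accessToken);
}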
/**
 * Looks a claim up in the validated tokens stored on the brokered identity context: the
 * access token is consulted first, then the ID token; the first non-null value wins.
 *
 * @param context brokered identity context holding the validated tokens
 * @param claim   claim name to look up
 * @return the claim value, or {@code null} if neither token carries it
 */
public static Object getClaimValue(BrokeredIdentityContext context, String claim) {
    String[] tokenKeys = {
            KeycloakOIDCIdentityProvider.VALIDATED_ACCESS_TOKEN,
            KeycloakOIDCIdentityProvider.VALIDATED_ID_TOKEN
    };
    for (String key : tokenKeys) {
        JsonWebToken token = (JsonWebToken) context.getContextData().get(key);
        if (token == null) {
            continue;
        }
        Object value = getClaimValue(token, claim);
        if (value != null) {
            return value;
        }
    }
    return null;
}
/**
 * Copies a value from the stored social-provider profile JSON onto the brokered identity as
 * a user attribute. A missing attribute name is logged and ignored; a missing JSON value
 * leaves the attribute untouched.
 *
 * @param session     current session (unused here)
 * @param realm       current realm (unused here)
 * @param mapperModel mapper configuration supplying the target attribute name
 * @param context     brokered identity whose context holds the profile JSON
 */
@Override
public void preprocessFederatedIdentity(KeycloakSession session, RealmModel realm, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
    String configuredAttribute = mapperModel.getConfig().get(CONF_USER_ATTRIBUTE);
    boolean attributeMissing = configuredAttribute == null || configuredAttribute.trim().isEmpty();
    if (attributeMissing) {
        logger.warnf("Attribute is not configured for mapper %s", mapperModel.getName());
        return;
    }
    String jsonValue = getJsonValue(mapperModel, context);
    if (jsonValue == null) {
        return;
    }
    context.setUserAttribute(configuredAttribute.trim(), jsonValue);
}
/**
 * Starts the login by redirecting the browser to the provider's authorization endpoint.
 *
 * @param request current authentication request
 * @return a temporary-redirect response to the built authorization URL
 * @throws IdentityBrokerException if the authorization URL cannot be built
 */
@Override
public Response performLogin(AuthenticationRequest request) {
    URI target;
    try {
        target = createAuthorizationUrl(request).build();
    } catch (Exception e) {
        throw new IdentityBrokerException("Could not create authentication request.", e);
    }
    return Response.temporaryRedirect(target).build();
}
/**
 * Validates the access token from the token-endpoint response against the identity
 * provider's key (via {@code validateToken}) and stores the parsed token on the context
 * under {@code VALIDATED_ACCESS_TOKEN}, where claim and role mappers read it.
 *
 * @param context  brokered identity context to enrich
 * @param idpKey   public key the token is validated with
 * @param response token-endpoint response carrying the access token
 */
@Override
protected void processAccessTokenResponse(BrokeredIdentityContext context, PublicKey idpKey, AccessTokenResponse response) {
    String rawToken = response.getToken();
    JsonWebToken validated = validateToken(idpKey, rawToken);
    context.getContextData().put(VALIDATED_ACCESS_TOKEN, validated);
}
/**
 * On first import of a brokered user, grants the configured role when the configured claim
 * value is present on the validated tokens.
 *
 * @param session     current session (unused here)
 * @param realm       realm the role is looked up in
 * @param user        newly created user
 * @param mapperModel mapper configuration supplying the role name and claim condition
 * @param context     brokered identity carrying the validated tokens
 * @throws IdentityBrokerException when the configured role does not exist in the realm
 */
@Override
public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
    if (!hasClaimValue(mapperModel, context)) {
        return;
    }
    String configuredRole = mapperModel.getConfig().get(HardcodedRoleMapper.ROLE);
    RoleModel role = KeycloakModelUtils.getRoleFromString(realm, configuredRole);
    if (role == null) {
        throw new IdentityBrokerException("Unable to find role: " + configuredRole);
    }
    user.grantRole(role);
}
/**
 * Copies the federated access and ID tokens from the token response held in the context
 * into notes on the user session.
 *
 * NOTE(review): these notes hold live credentials for the external provider; anything that
 * can read user-session notes can replay them. The response is expected to have been stored
 * under {@code FEDERATED_ACCESS_TOKEN_RESPONSE} beforehand — it is dereferenced unchecked.
 *
 * @param userSession   session the tokens are attached to
 * @param clientSession client session (unused here)
 * @param context       brokered identity context holding the token response
 */
@Override
public void attachUserSession(UserSessionModel userSession, ClientSessionModel clientSession, BrokeredIdentityContext context) {
    Object stored = context.getContextData().get(FEDERATED_ACCESS_TOKEN_RESPONSE);
    AccessTokenResponse tokens = (AccessTokenResponse) stored;
    userSession.setNote(FEDERATED_ACCESS_TOKEN, tokens.getToken());
    userSession.setNote(FEDERATED_ID_TOKEN, tokens.getIdToken());
}
/**
 * On subsequent logins of a brokered user, revokes the configured role when the configured
 * claim value is no longer present on the validated tokens. Note that this method only
 * removes; re-granting is left to the initial import.
 *
 * @param session     current session (unused here)
 * @param realm       realm the role is looked up in
 * @param user        existing user being updated
 * @param mapperModel mapper configuration supplying the role name and claim condition
 * @param context     brokered identity carrying the validated tokens
 * @throws IdentityBrokerException when the configured role does not exist in the realm
 */
@Override
public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
    if (hasClaimValue(mapperModel, context)) {
        return;
    }
    String configuredRole = mapperModel.getConfig().get(HardcodedRoleMapper.ROLE);
    RoleModel role = KeycloakModelUtils.getRoleFromString(realm, configuredRole);
    if (role == null) {
        throw new IdentityBrokerException("Unable to find role: " + configuredRole);
    }
    user.deleteRoleMapping(role);
}
/**
 * Reads the value addressed by the mapper's configured JSON field path from the profile
 * JSON stored on the context.
 *
 * The path is rejected (with a warning, returning {@code null}) when it is blank, starts or
 * ends with the path delimiter, or starts with {@code [}.
 *
 * @param mapperModel mapper configuration supplying the JSON field path
 * @param context     brokered identity whose context holds the profile JSON
 * @return the value as a string, or {@code null} if the path is invalid or the value is absent
 */
protected static String getJsonValue(IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
    String rawPath = mapperModel.getConfig().get(CONF_JSON_FIELD);
    if (rawPath == null || rawPath.trim().isEmpty()) {
        logger.warnf("JSON field path is not configured for mapper %s", mapperModel.getName());
        return null;
    }
    String path = rawPath.trim();
    boolean malformed = path.startsWith(JSON_PATH_DELIMITER)
            || path.endsWith(JSON_PATH_DELIMITER)
            || path.startsWith("[");
    if (malformed) {
        logger.warnf("JSON field path is invalid %s", path);
        return null;
    }
    JsonNode profile = (JsonNode) context.getContextData().get(CONTEXT_JSON_NODE);
    String result = getJsonValue(profile, path);
    if (result == null) {
        logger.debugf("User profile JSON value '%s' is not available.", path);
    }
    return result;
}