From 56a94511286cc3cb12429f805d3baeaaf1097530 Mon Sep 17 00:00:00 2001 From: mposolda Date: Wed, 1 Apr 2015 22:12:26 +0200 Subject: [PATCH 1/2] minor improve in fuse example --- .../main/java/org/keycloak/example/CamelHelloProcessor.java | 1 - examples/fuse/fuse-admin/README.md | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/examples/fuse/camel/src/main/java/org/keycloak/example/CamelHelloProcessor.java b/examples/fuse/camel/src/main/java/org/keycloak/example/CamelHelloProcessor.java index fc67a65621e6..6ef2be24c08a 100644 --- a/examples/fuse/camel/src/main/java/org/keycloak/example/CamelHelloProcessor.java +++ b/examples/fuse/camel/src/main/java/org/keycloak/example/CamelHelloProcessor.java @@ -20,7 +20,6 @@ public void process(Exchange exchange) throws Exception { String username = accessToken.getPreferredUsername(); String fullName = accessToken.getName(); - // send a html response with fullName from LDAP exchange.getOut().setBody("Hello " + username + "! Your full name is " + fullName + "."); } } diff --git a/examples/fuse/fuse-admin/README.md b/examples/fuse/fuse-admin/README.md index d22d45dfd153..faa26870ca46 100644 --- a/examples/fuse/fuse-admin/README.md +++ b/examples/fuse/fuse-admin/README.md 
@@ -29,10 +29,10 @@ This file contains configuration of the client application, which is used by JAA 4) Start Fuse and install `keycloak` JAAS realm into Fuse. This could be done easily by installing `keycloak-jaas` feature, which has JAAS realm predefined (you are able to override it by using your own `keycloak` JAAS realm with higher ranking). As long as you already installed `keycloak-fuse-example` feature as mentioned -in [examples readme](../README.md), you can skip this step as `keycloak-jaas` is installed already. Otherwise use those commands (replace Keycloak version with current one): +in [examples readme](../README.md), you can skip this step as `keycloak-jaas` is installed already. Otherwise use those commands (replace Keycloak version in this command with the current version): ``` -features:addurl mvn:org.keycloak/keycloak-osgi-features/1.1.0.Final/xml/features +features:addurl mvn:org.keycloak/keycloak-osgi-features/1.2.0.Beta1/xml/features features:install keycloak-jaas ``` From 6a34ad36f5e3971b366ab9e5e37146cce364cd42 Mon Sep 17 00:00:00 2001 From: mposolda Date: Thu, 2 Apr 2015 13:02:24 +0200 Subject: [PATCH 2/2] Fix clustering when auth-server-url-for-backend-requests is used --- .../main/java/org/keycloak/RSATokenVerifier.java | 2 +- examples/demo-template/testrealm.json | 10 ---------- .../org/keycloak/adapters/KeycloakDeployment.java | 14 ++++++++++---- .../adapters/OAuthRequestAuthenticator.java | 2 +- .../adapters/KeycloakDeploymentBuilderTest.java | 2 +- .../docker-cluster/shared-files/deploy-examples.sh | 3 +++ 6 files changed, 16 insertions(+), 17 deletions(-) diff --git a/core/src/main/java/org/keycloak/RSATokenVerifier.java b/core/src/main/java/org/keycloak/RSATokenVerifier.java index c68da0fba215..1c324d622433 100755 --- a/core/src/main/java/org/keycloak/RSATokenVerifier.java +++ b/core/src/main/java/org/keycloak/RSATokenVerifier.java 
@@ -39,7 +39,7 @@ public static AccessToken verifyToken(String tokenString, PublicKey realmKey, St throw new VerificationException("Realm URL is null. Make sure to add auth-server-url to the configuration of your adapter!"); } if (!realmUrl.equals(token.getIssuer())) { - throw new VerificationException("Token audience doesn't match domain."); + throw new VerificationException("Token audience doesn't match domain. Token issuer is " + token.getIssuer() + ", but URL from configuration is " + realmUrl); } if (checkActive && !token.isActive()) { diff --git a/examples/demo-template/testrealm.json b/examples/demo-template/testrealm.json index 7cf597a3832c..031e20bc54ef 100755 --- a/examples/demo-template/testrealm.json +++ b/examples/demo-template/testrealm.json @@ -146,16 +146,6 @@ "adminUrl": "/database", "baseUrl": "/database", "bearerOnly": true - }, - { - "name": "rest-resources", - "enabled": true, - "publicClient": true, - "adminUrl": "/rest-resources", - "baseUrl": "/rest-resources", - "redirectUris": [ - "/rest-resources/*" - ] } ], "oauthClients": [ diff --git a/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java b/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java index f792046bc41e..478ead24ae08 100755 --- a/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java +++ b/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java @@ -90,7 +90,8 @@ public String getAuthServerBaseUrl() { public void setAuthServerBaseUrl(AdapterConfig config) { this.authServerBaseUrl = config.getAuthServerUrl(); - if (authServerBaseUrl == null && config.getAuthServerUrlForBackendRequests() == null) return; + String authServerURLForBackendReqs = config.getAuthServerUrlForBackendRequests(); + if (authServerBaseUrl == null && authServerURLForBackendReqs == null) return; URI authServerUri = null; if (authServerBaseUrl != null) { 
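Review bot: The expanded message on the new `throw` line still opens with "Token audience doesn't match domain" although the condition directly above compares `token.getIssuer()` with `realmUrl`, so the text names the wrong claim, and because OAuthRequestAuthenticator now logs this message verbatim it will send operators looking at `aud` instead of `iss`. I would change the line to `throw new VerificationException("Token issuer doesn't match realm URL. Token issuer is " + token.getIssuer() + ", but URL from configuration is " + realmUrl);`. The hunk does not show whether the signature is verified before this check; if it is not, the issuer string echoed here is unverified token content that ends up in adapter logs, so that ordering is worth confirming. verifyToken starts and ends outside the hunk.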
@@ -98,7 +99,6 @@ public void setAuthServerBaseUrl(AdapterConfig config) { } if (authServerUri == null || authServerUri.getHost() == null) { - String authServerURLForBackendReqs = config.getAuthServerUrlForBackendRequests(); if (authServerURLForBackendReqs != null) { relativeUrls = RelativeUrlsUsed.BROWSER_ONLY; @@ -116,7 +116,13 @@ public void setAuthServerBaseUrl(AdapterConfig config) { relativeUrls = RelativeUrlsUsed.NEVER; KeycloakUriBuilder serverBuilder = KeycloakUriBuilder.fromUri(authServerBaseUrl); resolveBrowserUrls(serverBuilder); - resolveNonBrowserUrls(serverBuilder); + + if (authServerURLForBackendReqs == null) { + resolveNonBrowserUrls(serverBuilder); + } else { + serverBuilder = KeycloakUriBuilder.fromUri(authServerURLForBackendReqs); + resolveNonBrowserUrls(serverBuilder); + } } } @@ -132,6 +138,7 @@ protected void resolveBrowserUrls(KeycloakUriBuilder authUrlBuilder) { String login = authUrlBuilder.clone().path(ServiceUrlConstants.AUTH_PATH).build(getRealm()).toString(); authUrl = KeycloakUriBuilder.fromUri(login); + realmInfoUrl = authUrlBuilder.clone().path(ServiceUrlConstants.REALM_INFO_PATH).build(getRealm()).toString(); } /** 
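Review bot: The new `else` branch in the `NEVER` case hands `auth-server-url-for-backend-requests` straight to `KeycloakUriBuilder.fromUri` without the host check the browser URL gets earlier in this method (`authServerUri.getHost() == null` in the hunk above), so a relative or malformed backend URL would silently yield relative `tokenUrl`/`registerNodeUrl`/`unregisterNodeUrl` values for the adapter's server-side calls instead of failing at deployment time. Since `URI` is already in scope here, a guard such as `if (URI.create(authServerURLForBackendReqs).getHost() == null) throw new IllegalArgumentException("auth-server-url-for-backend-requests must be an absolute URL");` before the `fromUri` call would catch that, assuming callers of setAuthServerBaseUrl can tolerate an exception, which is not visible in the hunk. Both branches also end in the identical `resolveNonBrowserUrls(serverBuilder);` call; `KeycloakUriBuilder backendBuilder = authServerURLForBackendReqs == null ? serverBuilder : KeycloakUriBuilder.fromUri(authServerURLForBackendReqs);` followed by a single `resolveNonBrowserUrls(backendBuilder);` expresses the same thing without the duplication. setAuthServerBaseUrl starts outside the hunk.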
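Review bot: The added `realmInfoUrl = ...` line in resolveBrowserUrls carries no comment explaining why this one URL is now derived from the browser-facing base while every other non-browser URL in this commit follows the backend base, and the commit subject ("Fix clustering ...") does not say either, so the next person touching the backend-URL split is likely to move it back. I would add above it `// realmInfoUrl must follow the browser-facing base: it is compared against the token issuer, which is set from the URL the browser used (see RSATokenVerifier)`, provided that is the actual reason; the comparison itself is not in this hunk, only the issuer-mismatch message of RSATokenVerifier changed in the same commit, so confirm before wording it that way. resolveBrowserUrls starts outside the hunk.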
@@ -145,7 +152,6 @@ protected void resolveNonBrowserUrls(KeycloakUriBuilder authUrlBuilder) { tokenUrl = authUrlBuilder.clone().path(ServiceUrlConstants.TOKEN_PATH).build(getRealm()).toString(); logoutUrl = KeycloakUriBuilder.fromUri(authUrlBuilder.clone().path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH).build(getRealm()).toString()); accountUrl = authUrlBuilder.clone().path(ServiceUrlConstants.ACCOUNT_SERVICE_PATH).build(getRealm()).toString(); - realmInfoUrl = authUrlBuilder.clone().path(ServiceUrlConstants.REALM_INFO_PATH).build(getRealm()).toString(); registerNodeUrl = authUrlBuilder.clone().path(ServiceUrlConstants.CLIENTS_MANAGEMENT_REGISTER_NODE_PATH).build(getRealm()).toString(); unregisterNodeUrl = authUrlBuilder.clone().path(ServiceUrlConstants.CLIENTS_MANAGEMENT_UNREGISTER_NODE_PATH).build(getRealm()).toString(); } diff --git a/integration/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java b/integration/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java index 68688e60da8e..ea66837c1097 100755 --- a/integration/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java +++ b/integration/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java @@ -322,7 +322,7 @@ protected AuthChallenge resolveCode(String code) { } log.debug("Token Verification succeeded!"); } catch (VerificationException e) { - log.error("failed verification of token"); + log.error("failed verification of token: " + e.getMessage()); return challenge(403); } if (tokenResponse.getNotBeforePolicy() > deployment.getNotBefore()) { diff --git a/integration/adapter-core/src/test/java/org/keycloak/adapters/KeycloakDeploymentBuilderTest.java b/integration/adapter-core/src/test/java/org/keycloak/adapters/KeycloakDeploymentBuilderTest.java index a40b83ec3d8a..c326d766c803 100644 --- a/integration/adapter-core/src/test/java/org/keycloak/adapters/KeycloakDeploymentBuilderTest.java 
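Review bot: The new `log.error` line appends `e.getMessage()` but still drops the exception object, so the VerificationException's stack trace and any cause are lost and only its text survives in the log; passing the throwable keeps both, `log.error("failed verification of token: " + e.getMessage(), e);`, assuming `log` accepts a throwable as the last argument, which the hunk does not show. Note that the message logged here now embeds the token's issuer claim (from the RSATokenVerifier change in this commit); if the issuer is checked before the signature, that is unverified token content being written to server logs at ERROR level, which is worth confirming. The enclosing resolveCode starts and ends outside the hunk.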
+++ b/integration/adapter-core/src/test/java/org/keycloak/adapters/KeycloakDeploymentBuilderTest.java @@ -33,7 +33,7 @@ public void load() throws Exception { assertTrue(deployment.isExposeToken()); assertEquals("234234-234234-234234", deployment.getResourceCredentials().get("secret")); assertEquals(20, ((ThreadSafeClientConnManager) deployment.getClient().getConnectionManager()).getMaxTotal()); - assertEquals("https://localhost:8443/auth/realms/demo/protocol/openid-connect/token", deployment.getTokenUrl()); + assertEquals("https://backend:8443/auth/realms/demo/protocol/openid-connect/token", deployment.getTokenUrl()); assertTrue(deployment.isAlwaysRefreshToken()); assertTrue(deployment.isRegisterNodeAtStartup()); assertEquals(1000, deployment.getRegisterNodePeriod()); diff --git a/testsuite/docker-cluster/shared-files/deploy-examples.sh b/testsuite/docker-cluster/shared-files/deploy-examples.sh index 2ddee7dbad98..6f29e4a1478e 100644 --- a/testsuite/docker-cluster/shared-files/deploy-examples.sh +++ b/testsuite/docker-cluster/shared-files/deploy-examples.sh @@ -33,6 +33,9 @@ for I in *.war/WEB-INF/keycloak.json; do sed -i -e 's/\"bearer-only\" : true,/&\n \"credentials\" : \{ \"secret\": \"password\" \},/' $I; done; +# Configure database.war +sed -i -e 's/\"auth-server-url\": \"\/auth\",/\"auth-server-url\": \"http:\/\/localhost:8000\/auth\",/' database.war/WEB-INF/keycloak.json; + # Enable distributable for customer-portal sed -i -e 's/<\/module-name>/&\n /' customer-portal.war/WEB-INF/web.xml
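Review bot: The updated assertion only pins that `getTokenUrl()` now follows the backend host; nothing in the test checks that the browser-facing URLs stayed on `localhost:8443`, which is the other half of the split this commit introduces (realmInfoUrl moved into resolveBrowserUrls), so a regression that routed every URL through the backend host would still pass. I would add next to it `assertTrue(deployment.getRealmInfoUrl().startsWith("https://localhost:8443/auth/"));` and, if the accessor exists, the same prefix check for `getAuthUrl()`; the exact path constants are not visible here, hence a prefix rather than an exact match. The `load()` test method starts and ends outside the hunk.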