Sync after Keycloak server 26.4.0 release

closes #187

Signed-off-by: mposolda <mposolda@gmail.com>

Author: mposolda

.github/workflows/run-tests.yml

@@ -14,7 +14,7 @@ jobs:
     timeout-minutes: 30
     strategy:
       matrix:
-        keycloak_server_version: [ "26.0", "26.2", "26.3", "nightly" ]
+        keycloak_server_version: [ "26.0", "26.2", "26.4", "nightly" ]
     steps:
       - uses: actions/checkout@v4
 

admin-client/src/main/java/org/keycloak/admin/client/Config.java

@@ -33,6 +33,7 @@ public class Config {
     private String clientSecret;
     private String grantType;
     private String scope;
+    private boolean useDPoP = false;
 
     public Config(String serverUrl, String realm, String username, String password, String clientId, String clientSecret) {
         this(serverUrl, realm, username, password, clientId, clientSecret, PASSWORD, null);
@@ -125,4 +126,12 @@ public static void checkGrantType(String grantType) {
                     " (only " + PASSWORD + " and " + CLIENT_CREDENTIALS + " are supported)");
         }
     }
+
+    public boolean isUseDPoP() {
+        return useDPoP;
+    }
+
+    public void setUseDPoP(boolean useDPoP) {
+        this.useDPoP = useDPoP;
+    }
 }

admin-client/src/main/java/org/keycloak/admin/client/Keycloak.java

@@ -16,8 +16,10 @@
  */
 package org.keycloak.admin.client;
 
+import jakarta.ws.rs.client.ClientRequestFilter;
 import jakarta.ws.rs.client.WebTarget;
 import org.keycloak.admin.client.resource.BearerAuthFilter;
+import org.keycloak.admin.client.resource.DPoPAuthFilter;
 import org.keycloak.admin.client.resource.RealmResource;
 import org.keycloak.admin.client.resource.RealmsResource;
 import org.keycloak.admin.client.resource.ServerInfoResource;
@@ -84,8 +86,9 @@ public static ResteasyClientProvider getClientProvider() {
     private final Client client;
     private boolean closed = false;
 
-    Keycloak(String serverUrl, String realm, String username, String password, String clientId, String clientSecret, String grantType, Client resteasyClient, String authtoken, String scope) {
+    Keycloak(String serverUrl, String realm, String username, String password, String clientId, String clientSecret, String grantType, Client resteasyClient, String authtoken, String scope, boolean useDPoP) {
         config = new Config(serverUrl, realm, username, password, clientId, clientSecret, grantType, scope);
+        config.setUseDPoP(useDPoP);
         client = resteasyClient != null ? resteasyClient : newRestEasyClient(null, null, false);
         authToken = authtoken;
         tokenManager = authtoken == null ? new TokenManager(config, client) : null;
@@ -98,42 +101,87 @@ private static Client newRestEasyClient(Object customJacksonProvider, SSLContext
         return CLIENT_PROVIDER.newRestEasyClient(customJacksonProvider, sslContext, disableTrustManager);
     }
 
-    private BearerAuthFilter newAuthFilter() {
+    private ClientRequestFilter newAuthFilter() {
+        if (config.isUseDPoP()) {
+            if (authToken != null) throw new IllegalArgumentException("Not supported to require DPoP when token is provisioned");
+            return new DPoPAuthFilter(tokenManager, false);
+        }
         return authToken != null ? new BearerAuthFilter(authToken) : new BearerAuthFilter(tokenManager);
     }
-    
+
+    /**
+     *
+     * Creates the java admin client instance to be used to call admin REST API against Keycloak server.
+     *
+     * @param serverUrl Keycloak server URL
+     * @param realm realm name
+     * @param username username of the admin user to be used.
+     * @param password password of the admin user
+     * @param clientId client ID
+     * @param clientSecret client secret. Could be left null in case that clientId parameter points to the public client, which does not require client authentication
+     * @param sslContext ssl context. Could be left null in case that default SSL context should be used.
+     * @param customJacksonProvider custom Jackson provider. Could be left null in case that Jackson provider will be automatically provided by the admin client. Please see <a href="https://www.keycloak.org/securing-apps/admin-client#_admin_client_compatibility">the documentation</a> for additional details regarding the compatibility
+     * @param disableTrustManager If to disable trust manager for SSL checks. It is false by default. The value true should be used just for the development purposes, but should not be used in production
+     * @param authToken access token to be used to call admin REST API. This can be left null if you want admin client to login the user (based on the parameters username, password, clientId and clientSecret) and manage it's own login session. But in case you already have existing session, you can inject the existing access token with the use of this parameter. In that case, it is recommended to leave the properties username, password, clientId or clientSecret empty
+     * @param scope Custom "scope" parameter to be used. Could be left null in case of default scope should be used. That is sufficient for most of the cases.
+     * @return Java admin client instance
+     */
     public static Keycloak getInstance(String serverUrl, String realm, String username, String password, String clientId, String clientSecret, SSLContext sslContext, Object customJacksonProvider, boolean disableTrustManager, String authToken, String scope) {
-        return new Keycloak(serverUrl, realm, username, password, clientId, clientSecret, PASSWORD, newRestEasyClient(customJacksonProvider, sslContext, disableTrustManager), authToken, scope);
+        return new Keycloak(serverUrl, realm, username, password, clientId, clientSecret, PASSWORD, newRestEasyClient(customJacksonProvider, sslContext, disableTrustManager), authToken, scope, false);
     }
 
+    /**
+     * See {@link #getInstance(String, String, String, String, String, String, SSLContext, Object, boolean, String, String)} for the details about the parameters and their default values
+     */
     public static Keycloak getInstance(String serverUrl, String realm, String username, String password, String clientId, String clientSecret, SSLContext sslContext, Object customJacksonProvider, boolean disableTrustManager, String authToken) {
-        return new Keycloak(serverUrl, realm, username, password, clientId, clientSecret, PASSWORD, newRestEasyClient(customJacksonProvider, sslContext, disableTrustManager), authToken, null);
+        return new Keycloak(serverUrl, realm, username, password, clientId, clientSecret, PASSWORD, newRestEasyClient(customJacksonProvider, sslContext, disableTrustManager), authToken, null, false);
     }
 
+    /**
+     * See {@link #getInstance(String, String, String, String, String, String, SSLContext, Object, boolean, String, String)} for the details about the parameters and their default values
+     */
     public static Keycloak getInstance(String serverUrl, String realm, String username, String password, String clientId, String clientSecret) {
         return getInstance(serverUrl, realm, username, password, clientId, clientSecret, null, null, false, null);
     }
 
+    /**
+     * See {@link #getInstance(String, String, String, String, String, String, SSLContext, Object, boolean, String, String)} for the details about the parameters and their default values
+     */
     public static Keycloak getInstance(String serverUrl, String realm, String username, String password, String clientId, String clientSecret, SSLContext sslContext) {
         return getInstance(serverUrl, realm, username, password, clientId, clientSecret, sslContext, null, false, null);
     }
 
+    /**
+     * See {@link #getInstance(String, String, String, String, String, String, SSLContext, Object, boolean, String, String)} for the details about the parameters and their default values
+     */
     public static Keycloak getInstance(String serverUrl, String realm, String username, String password, String clientId, String clientSecret, SSLContext sslContext, Object customJacksonProvider) {
         return getInstance(serverUrl, realm, username, password, clientId, clientSecret, sslContext, customJacksonProvider, false, null);
     }
 
+    /**
+     * See {@link #getInstance(String, String, String, String, String, String, SSLContext, Object, boolean, String, String)} for the details about the parameters and their default values
+     */
     public static Keycloak getInstance(String serverUrl, String realm, String username, String password, String clientId) {
         return getInstance(serverUrl, realm, username, password, clientId, null, null, null, false, null);
     }
 
+    /**
+     * See {@link #getInstance(String, String, String, String, String, String, SSLContext, Object, boolean, String, String)} for the details about the parameters and their default values
+     */
     public static Keycloak getInstance(String serverUrl, String realm, String username, String password, String clientId, SSLContext sslContext) {
         return getInstance(serverUrl, realm, username, password, clientId, null, sslContext, null, false, null);
     }
 
+    /**
+     * See {@link #getInstance(String, String, String, String, String, String, SSLContext, Object, boolean, String, String)} for the details about the parameters and their default values
+     */
     public static Keycloak getInstance(String serverUrl, String realm, String clientId, String authToken) {
         return getInstance(serverUrl, realm, null, null, clientId, null, null, null, false, authToken);
     }
 
+    /**
+     * See {@link #getInstance(String, String, String, String, String, String, SSLContext, Object, boolean, String, String)} for the details about the parameters and their default values
+     */
     public static Keycloak getInstance(String serverUrl, String realm, String clientId, String authToken, SSLContext sllSslContext) {
         return getInstance(serverUrl, realm, null, null, clientId, null, sllSslContext, null, false, authToken);
     }

admin-client/src/main/java/org/keycloak/admin/client/KeycloakBuilder.java

@@ -17,7 +17,6 @@
 
 package org.keycloak.admin.client;
 
-import static org.keycloak.OAuth2Constants.CLIENT_CREDENTIALS;
 import static org.keycloak.OAuth2Constants.PASSWORD;
 
 import jakarta.ws.rs.client.Client;
@@ -35,7 +34,10 @@
  *     .password("pass")
  *     .clientId("client")
  *     .clientSecret("secret")
- *     .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(20).build())
+ *     .resteasyClient(new ResteasyClientBuilderImpl()
+ *                 .connectionPoolSize(20)
+ *                 .build()
+ *                 .register(org.keycloak.admin.client.JacksonProvider.class, 100))
  *     .build();
  * </pre>
  * <p>Example usage with grant_type=client_credentials</p>
@@ -63,6 +65,7 @@ public class KeycloakBuilder {
     private Client resteasyClient;
     private String authorization;
     private String scope;
+    private boolean useDPoP = false;
 
     public KeycloakBuilder serverUrl(String serverUrl) {
         this.serverUrl = serverUrl;
@@ -105,6 +108,12 @@ public KeycloakBuilder clientSecret(String clientSecret) {
         return this;
     }
 
+    /**
+     * Custom instance of resteasy client. Please see <a href="https://www.keycloak.org/securing-apps/admin-client#_admin_client_compatibility">the documentation</a> for additional details regarding the compatibility
+     *
+     * @param resteasyClient Custom RestEasy client
+     * @return admin client builder
+     */
     public KeycloakBuilder resteasyClient(Client resteasyClient) {
         this.resteasyClient = resteasyClient;
         return this;
@@ -115,6 +124,17 @@ public KeycloakBuilder authorization(String auth) {
         return this;
     }
 
+    /**
+     * @param useDPoP If true, then admin-client will add DPoP proofs to the token-requests and to the admin REST API requests. DPoP feature must be
+     *                enabled on Keycloak server side to work properly. It is false by default. Parameter is supposed to be used with Keycloak server 26.4.0 or later as
+     *                earlier versions did not support DPoP requests for admin REST API
+     * @return admin client builder
+     */
+    public KeycloakBuilder useDPoP(boolean useDPoP) {
+        this.useDPoP = useDPoP;
+        return this;
+    }
+
     /**
      * Builds a new Keycloak client from this builder.
      */
@@ -145,7 +165,7 @@ public Keycloak build() {
             throw new IllegalStateException("clientId required");
         }
 
-        return new Keycloak(serverUrl, realm, username, password, clientId, clientSecret, grantType, resteasyClient, authorization, scope);
+        return new Keycloak(serverUrl, realm, username, password, clientId, clientSecret, grantType, resteasyClient, authorization, scope, useDPoP);
     }
 
     private KeycloakBuilder() {

admin-client/src/main/java/org/keycloak/admin/client/resource/BearerAuthFilter.java

@@ -34,7 +34,7 @@ public class BearerAuthFilter implements ClientRequestFilter, ClientResponseFilt
 
     public static final String AUTH_HEADER_PREFIX = "Bearer ";
     private final String tokenString;
-    private final TokenManager tokenManager;
+    protected final TokenManager tokenManager;
 
     public BearerAuthFilter(String tokenString) {
         this.tokenString = tokenString;
@@ -66,12 +66,17 @@ public void filter(ClientRequestContext requestContext, ClientResponseContext re
             for (Object authHeader : authHeaders) {
                 if (authHeader instanceof String) {
                     String headerValue = (String) authHeader;
-                    if (headerValue.startsWith(AUTH_HEADER_PREFIX)) {
-                        String token = headerValue.substring( AUTH_HEADER_PREFIX.length() );
+                    String authHeaderPrefix = getAuthHeaderPrefix();
+                    if (headerValue.startsWith(authHeaderPrefix)) {
+                        String token = headerValue.substring( authHeaderPrefix.length() );
                         tokenManager.invalidate( token );
                     }
                 }
             }
         }
     }
+
+    protected String getAuthHeaderPrefix() {
+        return AUTH_HEADER_PREFIX;
+    }
 }

admin-client/src/main/java/org/keycloak/admin/client/resource/ClientsResource.java

@@ -20,6 +20,7 @@
 import org.keycloak.representations.idm.ClientRepresentation;
 
 import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.DELETE;
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.POST;
 import jakarta.ws.rs.Path;
@@ -66,4 +67,8 @@ List<ClientRepresentation> findAll(@QueryParam("clientId") String clientId,
     @Produces(MediaType.APPLICATION_JSON)
     List<ClientRepresentation> query(@QueryParam("q") String searchQuery);
 
+    @Path("{id}")
+    @DELETE
+    Response delete(@PathParam("id") String id);
+
 }

admin-client/src/main/java/org/keycloak/admin/client/resource/DPoPAuthFilter.java

@@ -0,0 +1,66 @@
+/*
+ * Copyright 2025 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.admin.client.resource;
+
+import java.io.IOException;
+
+import jakarta.ws.rs.client.ClientRequestContext;
+import jakarta.ws.rs.core.HttpHeaders;
+import org.keycloak.admin.client.token.TokenManager;
+import org.keycloak.util.DPoPGenerator;
+
+import static org.keycloak.OAuth2Constants.DPOP_HTTP_HEADER;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class DPoPAuthFilter extends BearerAuthFilter {
+
+    private final boolean tokenRequest;
+
+    public DPoPAuthFilter(TokenManager tokenManager, boolean tokenRequest) {
+        super(tokenManager);
+        this.tokenRequest = tokenRequest;
+    }
+
+    @Override
+    public void filter(ClientRequestContext requestContext) throws IOException {
+        String requestUri = requestContext.getUri().toString();
+        if (tokenRequest) {
+            if (requestUri.endsWith("/token")) {
+                // Request for obtain new accessToken or refresh-token request
+                String dpop = DPoPGenerator.generateRsaSignedDPoPProof(tokenManager.getDpopKeyPair(), requestContext.getMethod(), requestUri, null);
+                requestContext.getHeaders().add(DPOP_HTTP_HEADER, dpop);
+            }
+        } else {
+            // Regular request to admin REST API
+            String accessToken = tokenManager.getAccessTokenString();
+            String dpop = DPoPGenerator.generateRsaSignedDPoPProof(tokenManager.getDpopKeyPair(), requestContext.getMethod(), requestUri, accessToken);
+            requestContext.getHeaders().add(DPOP_HTTP_HEADER, dpop);
+
+            String authHeader = DPOP_HTTP_HEADER + " " + accessToken;
+            requestContext.getHeaders().add(HttpHeaders.AUTHORIZATION, authHeader);
+        }
+    }
+
+
+    @Override
+    protected String getAuthHeaderPrefix() {
+        return DPOP_HTTP_HEADER;
+    }
+}

admin-client/src/main/java/org/keycloak/admin/client/resource/RealmResource.java

@@ -420,4 +420,7 @@ Response testLDAPConnection(@FormParam("action") String action, @FormParam("conn
 
     @Path("client-types")
     ClientTypesResource clientTypes();
+
+    @Path("workflows")
+    WorkflowsResource workflows();
 }