Use account-console client for server-side auth check
- Also generate PKCE verifier and use challenge parameters

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
thomasdarimont authored and pedroigor committed Oct 17, 2024
1 parent 6a4ec24 commit 729417b
Showing 3 changed files with 27 additions and 1 deletion.
9 changes: 9 additions & 0 deletions core/src/main/java/org/keycloak/AbstractOAuthClient.java
Expand Up @@ -42,6 +42,7 @@ public class AbstractOAuthClient {
protected String stateCookiePath;
protected boolean isSecure;
protected boolean publicClient;
protected boolean pkceEnabled;
protected String getStateCode() {
return counter.getAndIncrement() + "/" + UUID.randomUUID().toString();
}
Expand Down Expand Up @@ -126,6 +127,14 @@ public void setRelativeUrlsUsed(RelativeUrlsUsed relativeUrlsUsed) {
this.relativeUrlsUsed = relativeUrlsUsed;
}

public boolean isPkceEnabled() {
return pkceEnabled;
}

public void setPkceEnabled(boolean pkceEnabled) {
this.pkceEnabled = pkceEnabled;
}

protected String stripOauthParametersFromRedirect(String uri) {
KeycloakUriBuilder builder = KeycloakUriBuilder.fromUri(uri)
.replaceQueryParam(OAuth2Constants.CODE, null)
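Review bot: `pkceEnabled` and its accessors at `isPkceEnabled()` / `setPkceEnabled(boolean)` carry no Javadoc, so a reader of this class cannot tell what the flag switches on; in this commit it appears to be consulted by the redirect builder in a subclass, but nothing here says so. A one-line Javadoc on the getter such as `/** Whether the authorization redirect adds PKCE {@code code_challenge} / {@code code_challenge_method} parameters (RFC 7636). */` would make the contract visible next to the field. The field defaults to {@code false}, which keeps existing subclasses on their previous behaviour; stating that explicitly in the same comment would help.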
Expand Up @@ -28,6 +28,7 @@
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.protocol.oidc.utils.PkceUtils;
import org.keycloak.services.managers.Auth;
import org.keycloak.services.messages.Messages;
import org.keycloak.util.TokenUtil;
Expand All @@ -44,6 +45,7 @@
import jakarta.ws.rs.core.UriInfo;
import java.net.URI;
import java.util.Set;
import java.util.UUID;

/**
* Helper class for securing local services. Provides login basics as well as CSRF check basics
Expand Down Expand Up @@ -180,6 +182,20 @@ public Response redirect(UriInfo uriInfo, String redirectUri) {
.queryParam(OAuth2Constants.RESPONSE_TYPE, OAuth2Constants.CODE)
.queryParam(OAuth2Constants.SCOPE, scopeParam);

if (isPkceEnabled()) {
String pkceChallenge;
try {
// TODO generate PKCE challenge based on server value
String codeVerifier = UUID.randomUUID().toString();
pkceChallenge = PkceUtils.generateS256CodeChallenge(codeVerifier);
} catch (Exception e) {
throw new RuntimeException(e);
}
uriBuilder
.queryParam(OAuth2Constants.CODE_CHALLENGE, pkceChallenge)
.queryParam(OAuth2Constants.CODE_CHALLENGE_METHOD, OAuth2Constants.PKCE_METHOD_S256);
}

URI url = uriBuilder.build();

NewCookie cookie = new NewCookie(getStateCookieName(), state, getStateCookiePath(uriInfo), null, null, -1, isSecure, true);
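Review bot: The verifier created at `String codeVerifier = UUID.randomUUID().toString();` is dropped once the challenge is computed, so nothing in this flow can later present `code_verifier` at the token endpoint; the TODO acknowledges this, but until the verifier is persisted (for example next to the state that is already written into the cookie below) the `code_challenge` does not bind the authorization code to this session, and the code exchange will fail for a client that enforces PKCE. A UUID string is also 36 characters, below the 43-character minimum RFC 7636 §4.1 sets for a code verifier; a `SecureRandom`-filled 32-byte value, base64url-encoded without padding, is the usual shape, and if `PkceUtils` already offers a verifier generator it should be preferred over hand-rolling one. `catch (Exception e)` is wider than needed here; catching only the type `generateS256CodeChallenge` declares would keep unrelated failures from being wrapped. `redirect` begins and ends outside the hunk.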
Expand Up @@ -215,7 +215,8 @@ private Response redirectToLogin(String path) {

var oauthRedirect = new AbstractSecuredLocalService.OAuthRedirect();
oauthRedirect.setAuthUrl(OIDCLoginProtocolService.authUrl(session.getContext().getUri()).build(realm.getName()).toString());
oauthRedirect.setClientId(client.getClientId());
oauthRedirect.setClientId(Constants.ACCOUNT_CONSOLE_CLIENT_ID);
oauthRedirect.setPkceEnabled(true);
oauthRedirect.setSecure(realm.getSslRequired().isRequired(session.getContext().getConnection()));
return oauthRedirect.redirect(session.getContext().getUri(), targetUri.toString());
}
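Review bot: After `oauthRedirect.setClientId(Constants.ACCOUNT_CONSOLE_CLIENT_ID);` the local `client` is no longer referenced in the visible lines; if it is not used elsewhere in `redirectToLogin` (the method starts outside the hunk), the lookup that produces it is now dead and can be removed together with any exception path it carried. Whatever code later redeems the authorization code must also identify as `Constants.ACCOUNT_CONSOLE_CLIENT_ID` and, with `setPkceEnabled(true)` now hard-coded, send the matching `code_verifier`; that side is not part of this diff, so it is worth confirming before the change lands.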
