From b902f181d294eaca64bed76f5d006907f8640603 Mon Sep 17 00:00:00 2001 From: cgeorgilakis-grnet Date: Thu, 11 Jul 2024 12:53:20 +0300 Subject: [PATCH] Initial OIDC Authnauthorities mapper --- .github/workflows/ci.yml | 20 ++ .github/workflows/releases.yml | 46 ++++ .gitignore | 22 ++ CHANGELOG.md | 4 + LICENCE | 201 ++++++++++++++++++ README.md | 11 + pom.xml | 42 ++++ .../oidc/AuthnAuthorityRepresentation.java | 27 +++ .../mappers/OIDCAuthnAuthoritiesMapper.java | 117 ++++++++++ .../org.keycloak.protocol.ProtocolMapper | 1 + 10 files changed, 491 insertions(+) create mode 100644 .github/workflows/ci.yml create mode 100644 .github/workflows/releases.yml create mode 100644 .gitignore create mode 100644 CHANGELOG.md create mode 100644 LICENCE create mode 100644 README.md create mode 100644 pom.xml create mode 100644 src/main/java/org/keycloak/protocol/oidc/AuthnAuthorityRepresentation.java create mode 100644 src/main/java/org/keycloak/protocol/oidc/mappers/OIDCAuthnAuthoritiesMapper.java create mode 100644 src/main/resources/META-INF/services/org.keycloak.protocol.ProtocolMapper diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..a69da8d --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,20 @@ +name: Java CI +on: [push] +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Set up JDK 17 + uses: actions/setup-java@v2 + with: + java-version: '17' + distribution: 'adopt' + - name: Build with Maven + run: mvn --batch-mode --update-snapshots verify + - run: mkdir staging && cp target/*.jar staging + - uses: actions/upload-artifact@v2 + with: + name: Package + path: staging + diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml new file mode 100644 index 0000000..9192d18 --- /dev/null +++ b/.github/workflows/releases.yml @@ -0,0 +1,46 @@ +on: + push: + tags: + - '*' # Push events to matching any tag *, i.e. 'v1.0', 'v20.15.10' or even 'mod1' + +name: Create Release + +jobs: + build: + name: Create Release + runs-on: ubuntu-latest + steps: + + - name: Set up JDK 17 + uses: actions/setup-java@v2 + with: + java-version: '17' + distribution: 'adopt' + + - uses: actions/checkout@v2 + + - name: Build with Maven + run: mvn --batch-mode --update-snapshots verify + + - name: Create Release + id: create_release + uses: actions/create-release@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token + with: + tag_name: ${{ github.ref }} + release_name: Release ${{ github.ref }} + draft: false + prerelease: false + + - name: Upload jar + id: upload-jar + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps + asset_path: target/keycloak-oidc-authnauthorities-mapper.jar + asset_name: keycloak-oidc-authnauthorities-mapper.jar + asset_content_type: application/java-archive + diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e34bffd --- /dev/null +++ b/.gitignore @@ -0,0 +1,22 @@ +# OS stuff +################### +.DS_Store + +# Intellij +################### +.idea +*.iml + +# Eclipse # +########### +.project +.settings +.classpath +# reverting this as e.g. /distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/ +# should not be ignored +#bin/ +.factorypath + +# Maven # +######### +target diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..97d755e --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,4 @@ +# Changelog +All notable changes in keycloak-oidc-authnauthorities-mapper will be documented in this file. + + diff --git a/LICENCE b/LICENCE new file mode 100644 index 0000000..efd0629 --- /dev/null +++ b/LICENCE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2021 GRNET + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md new file mode 100644 index 0000000..0fac850 --- /dev/null +++ b/README.md @@ -0,0 +1,11 @@ +# keycloak-oidc-authnauthorities-mapper +A pluggable OIDC protocol mapper for keycloak. To be used in eosc installations + +### Installation instructions (versions >= 1.2.0): + +1. Compile the plugin jar i.e. 'mvn clean install' or just get a built one from the "Releases" link on the right sidebar. +2. Drop the jar into the folder $KEYCLOAK_BASE/standalone/deployments/ and let all the hot-deploy magic commence. + +### Use instructions + +If the installation is successful, you will be able to use the OIDC protocol mapper **AuthnAuthorities Mapper** as named in the UI droplist of the mappers type selection. diff --git a/pom.xml b/pom.xml new file mode 100644 index 0000000..1968bd6 --- /dev/null +++ b/pom.xml @@ -0,0 +1,42 @@ + + + 4.0.0 + + org.keycloak + keycloak-oidc-authnauthorities-mapper + 1.0.0 + + + 22.0.10 + 17 + 17 + + + + + org.keycloak + keycloak-server-spi + ${keycloak.version} + provided + + + org.keycloak + keycloak-server-spi-private + ${keycloak.version} + provided + + + org.keycloak + keycloak-services + ${keycloak.version} + provided + + + + + ${project.artifactId} + + + \ No newline at end of file diff --git a/src/main/java/org/keycloak/protocol/oidc/AuthnAuthorityRepresentation.java b/src/main/java/org/keycloak/protocol/oidc/AuthnAuthorityRepresentation.java new file mode 100644 index 0000000..fce6a00 --- /dev/null +++ b/src/main/java/org/keycloak/protocol/oidc/AuthnAuthorityRepresentation.java @@ -0,0 +1,27 @@ +package org.keycloak.protocol.oidc; + +public class AuthnAuthorityRepresentation { + + private String id; + private String name; + public AuthnAuthorityRepresentation(String id, String name){ + this.id = id; + this.name = name; + } + + public String getId() { + return id; + } + + public void setId(String id) { + this.id = id; + } + + public String getName() { + return name; + } + + public void setName(String name) { + this.name = name; + } +} diff --git a/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCAuthnAuthoritiesMapper.java b/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCAuthnAuthoritiesMapper.java new file mode 100644 index 0000000..13df629 --- /dev/null +++ b/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCAuthnAuthoritiesMapper.java @@ -0,0 +1,117 @@ +package org.keycloak.protocol.oidc.mappers; + +import com.fasterxml.jackson.core.type.TypeReference; +import org.jboss.logging.Logger; +import org.keycloak.events.Details; +import org.keycloak.models.IdentityProviderModel; +import org.keycloak.models.ProtocolMapperModel; +import org.keycloak.models.RealmModel; +import org.keycloak.models.UserSessionModel; +import org.keycloak.protocol.oidc.AuthnAuthorityRepresentation; +import org.keycloak.protocol.oidc.OIDCLoginProtocol; +import org.keycloak.provider.ProviderConfigProperty; +import org.keycloak.representations.IDToken; +import org.keycloak.util.JsonSerialization; + +import java.io.IOException; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.LinkedList; +import java.util.List; +import java.util.Map; + +public class OIDCAuthnAuthoritiesMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper, TokenIntrospectionTokenMapper { + + private static final Logger logger = Logger.getLogger(OIDCAuthnAuthoritiesMapper.class); + private static final List configProperties = new ArrayList<>(); + private static final String IDENTITY_PROVIDER_AUTHN_AUTHORITIES = "identity_provider_authnAuthorities"; + private static final String IDENTITY_PROVIDER_ID = "identity_provider_id"; + + + static { + OIDCAttributeMapperHelper.addAttributeConfig(configProperties, OIDCAuthnAuthoritiesMapper.class); + } + + public static final String PROVIDER_ID = "oidc-oidc-authnauthorities-mapper"; + + + public List getConfigProperties() { + return configProperties; + } + + @Override + public String getId() { + return PROVIDER_ID; + } + + @Override + public String getDisplayType() { + return "Authnauthorities"; + } + + @Override + public String getDisplayCategory() { + return TOKEN_MAPPER_CATEGORY; + } + + @Override + public String getHelpText() { + return "Map user authnAuthorities to a token claim."; + } + + protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession) { + + LinkedList authnAuthorities = getAuthnAuthorities(userSession); + if (authnAuthorities.isEmpty()) return; + try { + OIDCAttributeMapperHelper.mapClaim(token, mappingModel, JsonSerialization.writeValueAsString(authnAuthorities)); + } catch (IOException e) { + logger.warn("Problem creating claim for oidc-oidc-authnauthorities-mapper"); + e.printStackTrace(); + } + } + + private LinkedList getAuthnAuthorities(UserSessionModel userSession) { + LinkedList authnAuthorities = new LinkedList<>(); + String previousAauthnAuthorities = userSession.getNote(IDENTITY_PROVIDER_AUTHN_AUTHORITIES); + if (userSession.getNote(Details.IDENTITY_PROVIDER) != null) { + RealmModel realm = userSession.getRealm(); + IdentityProviderModel idp = realm.getIdentityProviderByAlias(userSession.getNote(Details.IDENTITY_PROVIDER)); + //add first authn autohrities + authnAuthorities.add(new AuthnAuthorityRepresentation(userSession.getNote(IDENTITY_PROVIDER_ID), getIdPName(idp))); + } + if (previousAauthnAuthorities != null) { + try { + authnAuthorities.addAll(JsonSerialization.readValue(previousAauthnAuthorities, new TypeReference>() { + })); + } catch (IOException e) { + logger.warn("Problem decoding identity_provider_authnAuthorities"); + e.printStackTrace(); + } + } + return authnAuthorities; + } + + private String getIdPName(IdentityProviderModel idp) { + return idp.getDisplayName() != null ? idp.getDisplayName() : idp.getAlias(); + } + + public static ProtocolMapperModel createClaimMapper(String name, + String tokenClaimName, String jsonType, + boolean accessToken, boolean idToken, boolean userInfo, boolean introspectionEndpoint) { + ProtocolMapperModel mapper = new ProtocolMapperModel(); + mapper.setName(name); + mapper.setProtocolMapper(PROVIDER_ID); + mapper.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL); + Map config = new HashMap<>(); + config.put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, tokenClaimName); + config.put(OIDCAttributeMapperHelper.JSON_TYPE, jsonType); + if (accessToken) config.put(OIDCAttributeMapperHelper.INCLUDE_IN_ACCESS_TOKEN, "true"); + if (idToken) config.put(OIDCAttributeMapperHelper.INCLUDE_IN_ID_TOKEN, "true"); + if (userInfo) config.put(OIDCAttributeMapperHelper.INCLUDE_IN_USERINFO, "true"); + if (introspectionEndpoint) config.put(OIDCAttributeMapperHelper.INCLUDE_IN_INTROSPECTION, "true"); + mapper.setConfig(config); + return mapper; + } + +} diff --git a/src/main/resources/META-INF/services/org.keycloak.protocol.ProtocolMapper b/src/main/resources/META-INF/services/org.keycloak.protocol.ProtocolMapper new file mode 100644 index 0000000..f581c6f --- /dev/null +++ b/src/main/resources/META-INF/services/org.keycloak.protocol.ProtocolMapper @@ -0,0 +1 @@ +org.keycloak.protocol.oidc.mappers.OIDCAuthnAuthoritiesMapper \ No newline at end of file