diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/ElytronMessages.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/ElytronMessages.java
index 1cc55aafdc..0f08ae6d20 100644
--- a/http/oidc/src/main/java/org/wildfly/security/http/oidc/ElytronMessages.java
+++ b/http/oidc/src/main/java/org/wildfly/security/http/oidc/ElytronMessages.java
@@ -250,5 +250,9 @@ interface ElytronMessages extends BasicLogger {
 @LogMessage(level = INFO)
 @Message(id = 23061, value = "The OpenID provider does not support request parameters. Sending the request using OAuth2 format.")
 void requestParameterNotSupported();
+
+ @Message(id = 23062, value = "Attribute '%s' is not supported")
+ IOException unsupportedAttribute(String error);
+
 }
diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/Oidc.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/Oidc.java
index ee1030b904..f741a7bc4f 100644
--- a/http/oidc/src/main/java/org/wildfly/security/http/oidc/Oidc.java
+++ b/http/oidc/src/main/java/org/wildfly/security/http/oidc/Oidc.java
@@ -45,6 +45,7 @@ public class Oidc {
 public static final String ACCEPT = "Accept";
+ public static final String AUTHENTICATION_REQUEST_FORMAT = "authentication-request-format";
 public static final String OIDC_NAME = "OIDC";
 public static final String JSON_CONTENT_TYPE = "application/json";
 public static final String HTML_CONTENT_TYPE = "text/html";
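Review bot: The new `@Message(id = 23062 ...)` declares `unsupportedAttribute` as returning `IOException` for what is a configuration-validation failure rather than an I/O error, which then forces `buildWithoutUnsupportedAttributes` in OidcClientConfigurationBuilder (hunk at -201) to catch it and rewrap it in a bare `RuntimeException`, so callers lose any exception type they could match on. Declaring an unchecked type here, `IllegalArgumentException unsupportedAttribute(String attributeName);`, would let both that method and `failIfUnsupportedAttribute` (hunk at -221) drop `throws IOException` and the try/catch. The parameter name `error` also misdescribes the value; the format string interpolates an attribute name, not an error text.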
@@ -53,6 +54,7 @@ public class Oidc {
 public static final String DISCOVERY_PATH = ".well-known/openid-configuration";
 public static final String KEYCLOAK_REALMS_PATH = "realms/";
 public static final String JSON_CONFIG_CONTEXT_PARAM = "org.wildfly.security.http.oidc.json.config";
+ public static final String JSON_CONFIG_UNSUPPORTED_ATTRIBUTE_PARAM = "unsupported-attribute";
 static final String ACCOUNT_PATH = "account";
 public static final String CLIENTS_MANAGEMENT_REGISTER_NODE_PATH = "clients-managements/register-node";
 public static final String CLIENTS_MANAGEMENT_UNREGISTER_NODE_PATH = "clients-managements/unregister-node";
@@ -74,6 +76,14 @@ public class Oidc {
 public static final String PASSWORD = "password";
 public static final String PROMPT = "prompt";
 public static final String REQUEST = "request";
+ public static final String REQUEST_OBJECT_CONTENT_ENCRYPTION_ALGORITHM = "request-object-content-encryption-algorithm";
+ public static final String REQUEST_OBJECT_ENCRYPTION_ALGORITHM = "request-object-encryption-algorithm";
+ public static final String REQUEST_OBJECT_SIGNING_ALGORITHM = "request-object-signing-algorithm";
+ public static final String REQUEST_OBJECT_SIGNING_KEYSTORE_FILE = "request-object-signing-keystore-file";
+ public static final String REQUEST_OBJECT_SIGNING_KEYSTORE_PASSWORD = "request-object-signing-keystore-password";
+ public static final String REQUEST_OBJECT_SIGNING_KEY_PASSWORD = "request-object-signing-key-password";
+ public static final String REQUEST_OBJECT_SIGNING_KEY_ALIAS = "request-object-signing-key-alias";
+ public static final String REQUEST_OBJECT_SIGNING_KEYSTORE_TYPE = "request-object-signing-keystore-type";
 public static final String REQUEST_URI = "request_uri";
 public static final String SCOPE = "scope";
 public static final String UI_LOCALES = "ui_locales";
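Review bot: `JSON_CONFIG_UNSUPPORTED_ATTRIBUTE_PARAM = "unsupported-attribute"` names a servlet-context init-param without the `org.wildfly.security.http.oidc.` prefix that the adjacent `JSON_CONFIG_CONTEXT_PARAM` carries, so it can collide with an application's own context params and is hard to recognize as belonging to this subsystem. The value is also singular although the listener treats it as a list; a Javadoc line on the constant such as `/** Context-param holding a space-separated list of JSON config attribute keys that the deployment must not set. */` would make the contract visible where the name is defined.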
diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcClientConfigurationBuilder.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcClientConfigurationBuilder.java
index ec886a17a8..bca24ce0fb 100644
--- a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcClientConfigurationBuilder.java
+++ b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcClientConfigurationBuilder.java
@@ -21,6 +21,15 @@ import static org.wildfly.security.http.oidc.ElytronMessages.log;
 import static org.jose4j.jws.AlgorithmIdentifiers.NONE;
 import static org.wildfly.security.http.oidc.Oidc.AuthenticationFormat.REQUEST_TYPE_OAUTH2;
+import static org.wildfly.security.http.oidc.Oidc.AUTHENTICATION_REQUEST_FORMAT;
+import static org.wildfly.security.http.oidc.Oidc.REQUEST_OBJECT_CONTENT_ENCRYPTION_ALGORITHM;
+import static org.wildfly.security.http.oidc.Oidc.REQUEST_OBJECT_ENCRYPTION_ALGORITHM;
+import static org.wildfly.security.http.oidc.Oidc.REQUEST_OBJECT_SIGNING_ALGORITHM;
+import static org.wildfly.security.http.oidc.Oidc.REQUEST_OBJECT_SIGNING_KEY_ALIAS;
+import static org.wildfly.security.http.oidc.Oidc.REQUEST_OBJECT_SIGNING_KEY_PASSWORD;
+import static org.wildfly.security.http.oidc.Oidc.REQUEST_OBJECT_SIGNING_KEYSTORE_FILE;
+import static org.wildfly.security.http.oidc.Oidc.REQUEST_OBJECT_SIGNING_KEYSTORE_PASSWORD;
+import static org.wildfly.security.http.oidc.Oidc.REQUEST_OBJECT_SIGNING_KEYSTORE_TYPE;
 import static org.wildfly.security.http.oidc.Oidc.SSLRequired;
 import static org.wildfly.security.http.oidc.Oidc.TokenStore;
@@ -201,6 +210,16 @@ public HttpClient call() {
 };
 }
+ public static OidcClientConfiguration buildWithoutUnsupportedAttributes(String unsupportedAttributesParam, InputStream is) {
+ OidcJsonConfiguration oidcJsonConfiguration = loadOidcJsonConfiguration(is);
+ try {
+ failIfUnsupportedAttribute(unsupportedAttributesParam, oidcJsonConfiguration);
+ return new OidcClientConfigurationBuilder().internalBuild(oidcJsonConfiguration);
+ } catch (IOException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
 public static OidcClientConfiguration build(InputStream is) {
 OidcJsonConfiguration oidcJsonConfiguration = loadOidcJsonConfiguration(is);
 return new OidcClientConfigurationBuilder().internalBuild(oidcJsonConfiguration);
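Review bot: `buildWithoutUnsupportedAttributes` is a new public entry point with no Javadoc, and nothing tells a caller what shape `unsupportedAttributesParam` takes (a whitespace-separated list of JSON attribute keys, with `null` meaning no restriction and behaviour identical to `build(InputStream)`), or that a violation surfaces as a `RuntimeException` wrapping the `IOException` from `failIfUnsupportedAttribute`. A Javadoc with `@param`, `@return` and `@throws RuntimeException if the configuration sets an attribute named in {@code unsupportedAttributesParam}` should state those three things. If the wrap is kept, `throw new IllegalArgumentException(e.getMessage(), e);` at least signals to callers that the configuration, not I/O, is at fault while preserving the cause.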
@@ -221,4 +240,60 @@ public static OidcJsonConfiguration loadOidcJsonConfiguration(InputStream is) {
 public static OidcClientConfiguration build(OidcJsonConfiguration oidcJsonConfiguration) {
 return new OidcClientConfigurationBuilder().internalBuild(oidcJsonConfiguration);
 }
+
+ private static void failIfUnsupportedAttribute(String unsupportedAttributesParameter, OidcJsonConfiguration config) throws IOException {
+ if (unsupportedAttributesParameter == null) {
+ return;
+ }
+ String[] unsupportedAttributes = unsupportedAttributesParameter.split(" ");
+ for (String attributeName : unsupportedAttributes) {
+ switch(attributeName) {
+ case AUTHENTICATION_REQUEST_FORMAT:
+ if (config.getAuthenticationRequestFormat()!= null) {
+ throw log.unsupportedAttribute(attributeName);
+ }
+ break;
+ case REQUEST_OBJECT_CONTENT_ENCRYPTION_ALGORITHM:
+ if (config.getRequestContentEncryptionMethod()!= null) {
+ throw log.unsupportedAttribute(attributeName);
+ }
+ break;
+ case REQUEST_OBJECT_ENCRYPTION_ALGORITHM:
+ if (config.getRequestEncryptAlgorithm()!= null) {
+ throw log.unsupportedAttribute(attributeName);
+ }
+ break;
+ case REQUEST_OBJECT_SIGNING_ALGORITHM:
+ if (config.getRequestSignatureAlgorithm()!= null) {
+ throw log.unsupportedAttribute(attributeName);
+ }
+ break;
+ case REQUEST_OBJECT_SIGNING_KEY_ALIAS:
+ if (config.getRequestObjectSigningKeyAlias()!= null) {
+ throw log.unsupportedAttribute(attributeName);
+ }
+ break;
+ case REQUEST_OBJECT_SIGNING_KEY_PASSWORD:
+ if (config.getRequestObjectSigningKeyPassword()!= null) {
+ throw log.unsupportedAttribute(attributeName);
+ }
+ break;
+ case REQUEST_OBJECT_SIGNING_KEYSTORE_FILE:
+ if (config.getRequestObjectSigningKeyStoreFile()!= null) {
+ throw log.unsupportedAttribute(attributeName);
+ }
+ break;
+ case REQUEST_OBJECT_SIGNING_KEYSTORE_PASSWORD:
+ if (config.getRequestObjectSigningKeystorePassword()!= null) {
+ throw log.unsupportedAttribute(attributeName);
+ }
+ break;
+ case REQUEST_OBJECT_SIGNING_KEYSTORE_TYPE:
+ if (config.getRequestObjectSigningKeystoreType()!= null) {
+ throw log.unsupportedAttribute(attributeName);
+ }
+ break;
+ }
+ }
+ }
 }
diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcConfigurationServletListener.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcConfigurationServletListener.java
index 2d89be3c60..7a8fd091c8 100644
--- a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcConfigurationServletListener.java
+++ b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcConfigurationServletListener.java
@@ -20,6 +20,7 @@ import static org.wildfly.security.http.oidc.ElytronMessages.log;
 import static org.wildfly.security.http.oidc.Oidc.JSON_CONFIG_CONTEXT_PARAM;
+import static org.wildfly.security.http.oidc.Oidc.JSON_CONFIG_UNSUPPORTED_ATTRIBUTE_PARAM;
 import static org.wildfly.security.http.oidc.Oidc.OIDC_CLIENT_CONFIG_RESOLVER;
 import static org.wildfly.security.http.oidc.Oidc.OIDC_CLIENT_CONTEXT_KEY;
 import static org.wildfly.security.http.oidc.Oidc.OIDC_CONFIG_FILE_LOCATION;
@@ -66,7 +67,7 @@ public void contextInitialized(ServletContextEvent sce) {
 if (is == null) {
 oidcClientConfiguration = new OidcClientConfiguration();
 } else {
- oidcClientConfiguration = OidcClientConfigurationBuilder.build(is);
+ oidcClientConfiguration = OidcClientConfigurationBuilder.buildWithoutUnsupportedAttributes(servletContext.getInitParameter(JSON_CONFIG_UNSUPPORTED_ATTRIBUTE_PARAM), is);
 }
 clientContext = new OidcClientContext(oidcClientConfiguration);
 }
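Review bot: `failIfUnsupportedAttribute` silently ignores any token that does not match one of its nine `case` labels because the `switch` has no `default`, and `split(" ")` turns repeated spaces or leading/trailing whitespace into empty or padded tokens that also match nothing — so a misspelled or mis-formatted entry in the init-param quietly leaves that attribute allowed, the opposite of what the operator configured. Tokenize with `String[] unsupportedAttributes = unsupportedAttributesParameter.trim().split("\\s+");`, treat a blank parameter like `null` in the early return (`if (unsupportedAttributesParameter == null || unsupportedAttributesParameter.trim().isEmpty())`), and add a `default:` branch that rejects, or at minimum logs, an unrecognized name so the misconfiguration is visible at deployment rather than ignored. A short Javadoc stating that the parameter is a whitespace-separated list of JSON attribute keys and that the check fails closed would document the intent. The spacing in `switch(attributeName)` and `()!= null` also differs from the surrounding file's `switch (...)` and `() != null`.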
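Review bot: The replaced call makes `contextInitialized` throw when the JSON configuration sets an attribute named in the init-param, which aborts the deployment; that fail-closed outcome is the safe one, but nothing in the listener says it is intentional, and a `RuntimeException` wrapping an `IOException` may read like a file-read failure in the server log. A comment on the new line, `// fail closed: an attribute listed in the unsupported-attribute context-param aborts deployment`, plus a log call naming the attribute before the exception propagates, would make the failure diagnosable from the log alone. `contextInitialized` starts outside the hunk, so where the exception is ultimately caught cannot be seen here.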