[ELY-2584] Add the ability to specify that the OIDC Authentication Request should include request and request_uri parameters

[PrarthonaPaul]

https://issues.redhat.com/browse/ELY-2584
Analysis doc: wildfly/wildfly-proposals#532
Relevant discussion page:

• Signing JWTs with symmetrical secret key keycloak/keycloak#24514
• Sending Request Object by reference keycloak/keycloak#23150
• Hows does a client communicate public Key to Keycloak that will be used to verify signed and encrypted JWTs? keycloak/keycloak#22729

[Skyllarr]

@PrarthonaPaul Looks good! I've just had a quick look at it and added some minor comments, I'll look at it more and its affiliated wildfly PR later this week

[Skyllarr]

@PrarthonaPaul Just a minor, please put a version as a property to the properties tag in the parent pom

[PrarthonaPaul]

Hi @Skyllarr
I am not sure how to do this. Do you have an example of this being done for another dependency?
Thanks!

[Skyllarr]

@PrarthonaPaul In the parent pom.xml we have properties tag where you can find versions of libraries, see here. Place your keycloak-services dependency there. Then, as with other libraries in that parent pom.xml, place your dependency to the dependencyManagement tag the same way as other deps are. Then you can just use this dependency in child modules without having to specify a version. So in http/oidc/pom.xml you will then be able to place it without a version tag

[PrarthonaPaul]

Thank you!
I have updated the pom files to reflect this.

[Skyllarr]

@PrarthonaPaul Just a minor, can this method be protected instead of public?

[PrarthonaPaul]

Yes, I have changed it to protected.

[Skyllarr]

@PrarthonaPaul Just a minor, should the "client-keystore" stay here as possible configuration property because of backwards compatibility? Users could have been using it before?

[PrarthonaPaul]

oh! Thanks for noticing it! I have fixed it! Also changed the class to add a new variable called clientKeyStoreFile that's different from clientKeystore along with a getter and setter for that.

[Skyllarr]

@PrarthonaPaul Just a minor, please put this exception into the ElytronMessages class

[PrarthonaPaul]

Added! Thanks

[Skyllarr]

Just a minor, let's not forget to change this from JKS to PKCS12

[PrarthonaPaul]

Fixed!
Thanks for going though the code!

[PrarthonaPaul]

Currently if request or request_uri is not supported, then the authentication is sent as usual.
However, we can change it so that if it is not supported, then we throw a runtime error.
Another thing we can do, is keep it as is, but add a log message saying "Request/request_uri is not supported by the OpenID provider. Request is sent using the Oauth2 format"

[Skyllarr]

@PrarthonaPaul Thinking.. this should be discussed in the proposal, I see you asked me this there as well. If the authentication is sent as oauth despite a different configuration it has to be logged as a minimum.

I think we should log this and then document that the request and the request_uri methods are used only if available with the OpenID provider, if not available a warning message will be logged. I will write this on the proposal as well

[PrarthonaPaul]

I have fixed the elytron code and the docs to reflect it.
Will change it in the proposal as well. Thanks!

[PrarthonaPaul]

Hi @Skyllarr
I am not sure how to do this. Do you have an example of this being done for another dependency?
Thanks!

[PrarthonaPaul]

Yes, I have changed it to protected.

[PrarthonaPaul]

oh! Thanks for noticing it! I have fixed it! Also changed the class to add a new variable called clientKeyStoreFile that's different from clientKeystore along with a getter and setter for that.

[PrarthonaPaul]

Added! Thanks

[PrarthonaPaul]

Fixed!
Thanks for going though the code!

[PrarthonaPaul]

For now, when the user wants to sign using symmetric keys, we are signing using the client secret. However, I am not sure what to do when they use JWT as client credentials instead of client secret.

[Skyllarr]

@PrarthonaPaul Can they use JWT as a client credential? Can you please describe the background for the situation you are asking about?

in the proposal you mentioned:

In order to sign the jwt using an algorithm other than none, the user must specify the KeyPair used.

So I thought the keypair can be used in all situations for signing but you might be asking about something else

[PrarthonaPaul]

Yes, sorry.
According to this doc: https://www.keycloak.org/docs/latest/securing_apps/#_client_authentication_adapter
we can either set up the client credentials to be just the client secret, which is a just a hash/SHA (like 19666a4f-32dd-4049-b082-684c74115f28).
But you can also configure it using a JWT. But it is not related to the request RFE.
This is what the options are for specifying the client credentials:

Now the reason I am using the client secret to sign a JWT for my RFE is because as we found out HS keys are symmetric. And from what I have seen instead of creating a certificate, we create a secret that is shared between the client. For Keycloak, the client secret is something that is shared between the client and the server.

But what I am wondering is what happens when the user configures the client credentials as a JWT or X509 certificate?

[fjuma]

Since this is a generic helper method that will also be used in OidcRequestAuthenticator, it would be better to move this method to either an existing utility class or introduce a new utility class and include this method there.

[PrarthonaPaul]

Sounds good.
Does this class: https://github.com/wildfly-security/wildfly-elytron/blob/2.x/http/oidc/src/main/java/org/wildfly/security/http/oidc/ClientCredentialsProviderUtils.java look like a good one to move this function to?
If not, then we can create another utility class called JWTClientCredentialsProviderUtils.java or something.

[fjuma]

Since the method will also be used for signing the authentication request in addition to being used for client credentials handling, I think we could create another utility class but try to give it a more generic name (e.g., JWTSigningUtils or something along those lines).

[PrarthonaPaul]

Okay! Sounds good! Thanks :)

[PrarthonaPaul]

This is done!

[fjuma]

Is this something that's used for tests? It shouldn't be added to the constants class.

[PrarthonaPaul]

moved relevant constants to KeycloakConfiguration class.

[fjuma]

Same here, this looks like something that's only needed for tests, it shouldn't be in the Oidc constants class.

[PrarthonaPaul]

moved to keycloakConfiguration class

[fjuma]

Please check all the new constants introduced in this class, it looks like these were meant for tests purposes.

[PrarthonaPaul]

removed

[fjuma]

Note that this class already contains some constants with similar names and also makes use of the AlgorithmIdentifiers class.

These newly added constants appear to be specific to the Keycloak OpenID provider.

Are these really needed?

Can we get the allowed values from discovery?

[PrarthonaPaul]

Fixed!
I am using AlgorithmIdentifiers class and throwing an exception if the algorithm is not supported.

[fjuma]

Same comment as above here.

[PrarthonaPaul]

removed

[fjuma]

Same here, can we get these accepted values through discovery instead?

[PrarthonaPaul]

It seems like most of these, I use for testing, and some of them I don't use at all.
So, I can remove/move those to a test Class, like KeycloakConfiguration. For some of the others, I am using them in the actual implementation. So, I can replace them using AlgorithmIdentifiers.
I can get them using Discovery and I think I do get them. But I don't think I use them yet.

[fjuma]

Which endpoint is this?

[fjuma]

I don't see something that corresponds to this added in OidcProviderMetadata, is this necessary? Or is it just the pushedAuthorizationRequestEndpoint that's needed?

[fjuma]

Actually I do see authorization_endpoint already referenced in the existing OidcProviderMetadata code. But just to understand better, is the authorizationEndpoint variable that's being introduced here used anywhere?

[PrarthonaPaul]

It has this endpoint: http://localhost:8080/realms/myrealm/protocol/openid-connect/auth/device
I don't think I use it tho. So I can get rid of it.

[PrarthonaPaul]

removed

[fjuma]

I don't think we need to create the realm key set here. It would be better to do this when we know we actually need to make use of it (similar to JWKPublicKeyLocator where we use the jwks url when we know we need to).

[PrarthonaPaul]

moved to OidcPublicKeyExtractor

[fjuma]

"realm" is terminology specific to Keycloak so I don't think we should use it in the method name here.

This method is meant to obtain the encryption keys from the OpenID provider, right? We should rename this method to reflect that.

[PrarthonaPaul]

removed the function from this class and moved it to a utility class. New function is called extractPublicKeySet

[fjuma]

Can we make use of the Oidc.sendJsonHttpRequest method here to simplify the logic below?

[PrarthonaPaul]

I tried doing this and kept getting a class mismatch for the JsonSerialization.readValue() function.
I tried this for the JsonWebKeySet, String, and StringBuilder classes.
When I was initially writing this function, I was also trying to use JsonSerialization.readValue() and did not succeed. Which is why I had to do this workaround.

[fjuma]

There should be an example in JWKPublicKeyLocator where we call sendJsonHttpRequest and store the result in a JsonWebKeySet. Did you take a look there to see how that differs from what you were trying to do?

[PrarthonaPaul]

I see what the difference is.
The JWKPublicKeyLocator class uses org.wildfly.security.jose.jwk.JsonWebKeySet and I am using the Jose4j one, which is why the parsing failed before.
I have switched it to the wildfly.security one now and it works.
Thank you!

[fjuma]

s/requestObjectType/authenticationRequestFormat ?

[PrarthonaPaul]

fixed!

[fjuma]

s/algorithm/requestSignatureAlgorithm

[PrarthonaPaul]

fixed

[fjuma]

s/algorithm/requestEncryptionAlgorithm

[PrarthonaPaul]

fixed!

[fjuma]

extra white space before bracket

[PrarthonaPaul]

Fixed!

[fjuma]

We should be consistent with the naming pattern for the signing case, there we used getRequestObjectSigningAlgValuesSupported so we should follow a similar pattern here and below.

[PrarthonaPaul]

fixed!

[fjuma]

We shouldn't use "realm" here. We should rename this to better explain what this returns.

[PrarthonaPaul]

I wasn't using these functions, so I removed anything related to realmKey that I added.

[fjuma]

Note that method names should use camel case, i.e., style wise, getrealm should be getRealm.

However, we should rename this to not mention realm as described in comments above.

[PrarthonaPaul]

moved to utility class and renamed.

[fjuma]

This should make use of ElytronMessages.

[PrarthonaPaul]

Fixed!

[fjuma]

s/The signature algorithm/request object signature algorithm

[fjuma]

s/The encryption algorithm/request object encryption algorithm

[fjuma]

s/The content encryption algorithm/The request object content encryption algorithm

[fjuma]

I think we should use WARN here instead of INFO.

[fjuma]

This looks similar to the PublicKeyLocator interface. Can we make use of the existing interface instead?

[fjuma]

I don't think the JWTSignging interface is needed. We can just use the utility class.

[fjuma]

Likely just a copy/paste issue but "referral mode" needs to be updated.

[fjuma]

Might be good to throw an IllegalArgumentException if only one is specified if that's invalid configuration.

[fjuma]

Since we know that we'll need to encrypt the request object, maybe we can set the public key locator for that here on the oidcClientConfiguration (e.g., oidcClientConfiguration.setEncPublicKeyLocator or something like that) similar to the way we set the public key locator for the SIG case.

[fjuma]

We should be consistent with Keystore or KeyStore in the method names in this file.

[fjuma]

We should be consistent with Keystore vs KeyStore in the method names in this file.

[fjuma]

I think this could be a non-public class that implements PublicKeyLocator, similar to JWKPublicKeyLocator but it would be used to obtain the public key for JWK.Use.ENC instead of JWK.Use.SIG. This should also cache the key like JWKPublicKeyLocator does.

[PrarthonaPaul]

I have followed the PublicKeyLocator class to implement caching.
Please let me know if it makes sense.

[fjuma]

I don't think we need this interface.

[fjuma]

Similar to the scope RFE, we shouldn't need to hardcode information about the unsupported attributes for WildFly. We'll need to add the handling for unsupported attributes in the elytron-oidc-client subsystem.

[fjuma]

We should be consistent with the use of request vs requestObject. I think using requestObject makes sense since that matches the actual attribute names too.

[fjuma]

requestObjectSignatureAlgorithm

[fjuma]

requestObjectEncryptionAlgorithm

[fjuma]

requestObjectContentEncryptionAlgorithm

[fjuma]

Why was this removed?

[fjuma]

Looks like client-key-password was removed?

[fjuma]

Just minor, extra space before the (

[fjuma]

Same comment as on the other PR:

https://github.com/wildfly-security/wildfly-elytron/pull/1925/files#r1532368580

[fjuma]

This can be private static. The deployment can be passed as a parameter.

[fjuma]

Instead of needing to use new JWKPublicKeySetExtractor(), we can get the public key locator to use from the oidcClientConfiguration (e.g., oidcClientConfiguration.getEncPublicKeyLocator) and then make use of that to be obtain the public key.

[fjuma]

I think the logic of finding the "enc" public key would be part of the locator class.

[fjuma]

I think we should add a new message to ElytronMessages for this (there should be other examples there for RuntimeExceptions that wrap another exception).

[PrarthonaPaul]

I have changed this to be a nested try-catch, where the inner try catch surrounds createRequestWithRequestParameter(REQUEST, redirectUriBuilder, redirectUri, state, forwardedQueryParams);
However, log.unableToCreateRequestWithRequestParameter() throws a runtime exception, since it can either be an IO exception, or a joseException or InvalidJwtException.
Alternatively, I could throw these exceptions separately, but earlier in the stack of function calls.

[darranl]

2024?

[PrarthonaPaul]

Thanks, @fjuma and @darranl for your review.
I have addressed your comments on this PR.