HAWKULAR-615 - Workaround to request a token from the same server tha…

…t issued it

common/pom.xml

@@ -49,6 +49,11 @@
       <artifactId>cdi-api</artifactId>
       <scope>provided</scope>
     </dependency>
+    <dependency>
+      <groupId>org.keycloak</groupId>
+      <artifactId>keycloak-core</artifactId>
+      <scope>provided</scope>
+    </dependency>
   </dependencies>
 </project>
 

common/src/main/java/org/hawkular/accounts/common/ApplicationResources.java

@@ -17,6 +17,10 @@
 package org.hawkular.accounts.common;
 
 import java.io.StringReader;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
 
 import javax.enterprise.context.ApplicationScoped;
 import javax.enterprise.inject.Produces;
@@ -40,6 +44,7 @@ public class ApplicationResources {
     private String serverUrl;
     private String resourceName;
     private String secret;
+    private Set<String> hostSynonyms;
 
     public void setServletContext(ServletContext servletContext) {
         this.servletContext = servletContext;
@@ -85,6 +90,16 @@ public String getResourceNameSecret() {
         return secret;
     }
 
+    @Produces @HostSynonyms
+    public Set<String> getHostSynonyms() {
+        if (hostSynonyms == null) {
+            String synonyms = System.getProperty("org.hawkular.accounts.host.synonyms", "localhost,127.0.0.1,0.0.0.0");
+            hostSynonyms = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(synonyms.split(","))));
+        }
+
+        return hostSynonyms;
+    }
+
     private void parseRealmConfiguration() {
         JsonReader jsonReader = Json.createReader(new StringReader(getRealmConfiguration()));
         JsonObject configurationJson = jsonReader.readObject();

common/src/main/java/org/hawkular/accounts/common/HostSynonyms.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright 2015 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.hawkular.accounts.common;
+
+import static java.lang.annotation.ElementType.FIELD;
+import static java.lang.annotation.ElementType.METHOD;
+import static java.lang.annotation.ElementType.PARAMETER;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+import javax.inject.Qualifier;
+
+/**
+ * @author Juraci Paixão Kröhling
+ */
+@Qualifier
+@Retention(RUNTIME)
+@Target({FIELD, PARAMETER, METHOD})
+public @interface HostSynonyms {
+}

common/src/main/java/org/hawkular/accounts/common/TokenVerifier.java

@@ -16,11 +16,18 @@
  */
 package org.hawkular.accounts.common;
 
+import java.io.IOException;
+import java.net.URL;
 import java.net.URLEncoder;
+import java.util.Set;
 
 import javax.enterprise.context.ApplicationScoped;
 import javax.inject.Inject;
 
+import org.keycloak.VerificationException;
+import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.representations.AccessToken;
+
 /**
  * @author Juraci Paixão Kröhling
  */
@@ -32,11 +39,41 @@ public class TokenVerifier {
     @Inject @RealmName
     private String realm;
 
+    @Inject @HostSynonyms
+    private Set<String> hostSynonyms;
+
     @Inject
     AuthServerRequestExecutor executor;
 
     public String verify(String token) throws Exception {
-        String tokenUrl = baseUrl
+        JWSInput jwsInput;
+        try {
+            jwsInput = new JWSInput(token);
+        } catch (Exception e) {
+            throw new VerificationException("Couldn't parse token", e);
+        }
+
+        AccessToken accessToken;
+        try {
+            accessToken = jwsInput.readJsonContent(AccessToken.class);
+        } catch (IOException e) {
+            throw new VerificationException("Couldn't parse token signature", e);
+        }
+
+        URL backendUrl = new URL(accessToken.getIssuer());
+        URL baseUrlToCall = new URL(baseUrl);
+        if (!backendUrl.getHost().equalsIgnoreCase(baseUrlToCall.getHost())) {
+            if (hostSynonyms.contains(backendUrl.getHost())) {
+                baseUrlToCall = new URL(
+                        backendUrl.getProtocol(),
+                        backendUrl.getHost(),
+                        backendUrl.getPort(),
+                        baseUrlToCall.getPath()
+                );
+            }
+        }
+
+        String tokenUrl = baseUrlToCall.toString()
                 + "/realms/"
                 + URLEncoder.encode(realm, "UTF-8")
                 + "/protocol/openid-connect/validate";