package org.camunda.community.auth.keycloak.filter;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationResult;
import org.camunda.bpm.engine.rest.util.EngineUtil;
import org.camunda.community.auth.keycloak.KeycloakHelper;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.representations.AccessToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
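/**
 * Servlet filter that propagates an already-authenticated Keycloak user into the
 * Camunda process engine for the duration of one request.
 *
 * <p>This filter performs no token validation of its own. It only reads the
 * {@link KeycloakPrincipal} that the Keycloak servlet adapter (which has to run
 * before this filter) placed on the request: the username becomes the engine's
 * authenticated user id, and the Camunda group ids are copied from a configurable
 * claim of the access token. The group claim is therefore only as trustworthy as the
 * adapter's signature/expiry checks and the Keycloak mapper that produced it.
 *
 * <p>Requests without a Keycloak principal, or whose principal yields no username,
 * are answered with HTTP 401 and never reach the rest of the filter chain.
 */
public class KeycloakAuthenticationFilter implements Filter {

  private static final Logger log = LoggerFactory.getLogger(KeycloakAuthenticationFilter.class);

  /** Environment variable that overrides the name of the token claim holding the group ids. */
  static final String CLAIM_GROUPS_ENV = "KC_FILTER_CLAIM_GROUPS";

  /** Claim name used when {@link #CLAIM_GROUPS_ENV} is unset or empty. */
  static final String DEFAULT_CLAIM_GROUPS = "groupIds";

  /** Name of the access-token claim that lists the user's Camunda group ids. */
  private String claimGroups = DEFAULT_CLAIM_GROUPS;

  /**
   * Reads the optional group-claim override from the environment.
   *
   * @param filterConfig servlet filter configuration (unused; the claim name comes from the
   *     environment only)
   */
  @Override
  public void init(FilterConfig filterConfig) {
    log.info("Init KeycloakAuthenticationFilter");
    // Read the variable once; a variable that is set but empty keeps the default claim.
    String configuredClaim = System.getenv(CLAIM_GROUPS_ENV);
    if (configuredClaim != null && !configuredClaim.isEmpty()) {
      this.claimGroups = configuredClaim;
      log.debug("Getting camunda-groups from claim {}", this.claimGroups);
    }
  }

  /**
   * Sets the engine authentication for the calling thread, runs the rest of the chain,
   * and clears the authentication again.
   *
   * @param request the servlet request; must be an {@link HttpServletRequest}
   * @param response the servlet response; must be an {@link HttpServletResponse}
   * @param chain the remaining filter chain, invoked only for authenticated requests
   * @throws IOException propagated from the chain or from sending the 401
   * @throws ServletException propagated from the chain
   */
  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    ProcessEngine engine = EngineUtil.lookupProcessEngine("default");
    final HttpServletRequest req = (HttpServletRequest) request;
    final HttpServletResponse resp = (HttpServletResponse) response;

    // Only a KeycloakPrincipal carries the validated access token we need. A missing
    // principal, or one set by some other authentication mechanism, is rejected instead
    // of being blindly cast (which would surface as a 500).
    if (!(req.getUserPrincipal() instanceof KeycloakPrincipal)) {
      log.warn("Principal is null or not a KeycloakPrincipal - auth not possible");
      reject(engine, resp);
      return;
    }
    KeycloakPrincipal<?> principal = (KeycloakPrincipal<?>) req.getUserPrincipal();

    String name = KeycloakHelper.getUsernameFromPrincipal(principal);
    if (name == null || name.isEmpty()) {
      log.warn("Username is null - auth not possible");
      reject(engine, resp);
      return;
    }
    log.debug("Got username {} from token", name);

    AccessToken accessToken = principal.getKeycloakSecurityContext().getToken();
    try {
      engine.getIdentityService().setAuthentication(name, getUserGroups(accessToken));
      chain.doFilter(request, response);
    } finally {
      // The engine keeps the authentication per thread; it must always be dropped so a
      // pooled request thread cannot carry this user's identity into the next request.
      clearAuthentication(engine);
    }
  }

  /** Nothing to release. */
  @Override
  public void destroy() {
  }

  /**
   * Drops any engine authentication and answers the request with 401.
   *
   * <p>Returning from {@code doFilter} without writing a status would leave the container
   * to send an empty 200, which hides the authentication failure from the client. The
   * status is only sent when the response has not been committed yet, otherwise
   * {@code sendError} would throw.
   *
   * @param engine the engine whose thread-bound authentication is cleared
   * @param resp the response to complete
   * @throws IOException if sending the error fails
   */
  private void reject(ProcessEngine engine, HttpServletResponse resp) throws IOException {
    clearAuthentication(engine);
    if (!resp.isCommitted()) {
      resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
  }

  /**
   * Removes the engine authentication bound to the current thread.
   *
   * @param engine the engine to clear
   */
  private void clearAuthentication(ProcessEngine engine) {
    engine.getIdentityService().clearAuthentication();
  }

  /**
   * Reads the user's Camunda group ids from the access-token claims.
   *
   * <p>The groups cannot be resolved through the keycloak-identity-plugin because, when a
   * Keycloak client (service account) performs the API call, the user id is not a real
   * Keycloak user. The claim is taken as it appears in the token.
   *
   * @param accessToken the validated access token; may be {@code null}
   * @return the group ids found in the configured claim, or an empty list if the token or
   *     the claim is absent
   */
  private List<String> getUserGroups(AccessToken accessToken) {
    if (accessToken == null) {
      log.warn("No access token on principal - granting no groups");
      return new ArrayList<>();
    }
    return extractGroupIds(accessToken.getOtherClaims(), claimGroups);
  }

  /**
   * Extracts a list of group ids from one claim of a claims map.
   *
   * <p>Claim values come from a JSON token, so the claim may not have the expected shape.
   * Anything that is not a collection is ignored, and non-string entries are skipped,
   * so a malformed claim yields fewer groups rather than a {@link ClassCastException}
   * later inside the engine.
   *
   * @param claims the token's custom claims; may be {@code null}
   * @param claimName the claim expected to hold the group ids
   * @return a new, mutable list with the string entries of the claim (possibly empty)
   */
  static List<String> extractGroupIds(Map<String, Object> claims, String claimName) {
    List<String> groupIds = new ArrayList<>();
    if (claims == null || !claims.containsKey(claimName)) {
      return groupIds;
    }
    Object rawClaim = claims.get(claimName);
    if (!(rawClaim instanceof Collection)) {
      log.warn("Claim {} is not a list ({}) - ignoring it", claimName,
          rawClaim == null ? "null" : rawClaim.getClass().getSimpleName());
      return groupIds;
    }
    for (Object entry : (Collection<?>) rawClaim) {
      if (entry instanceof String) {
        groupIds.add((String) entry);
      } else {
        log.warn("Ignoring non-string entry of type {} in claim {}",
            entry == null ? "null" : entry.getClass().getSimpleName(), claimName);
      }
    }
    log.debug("Found groups in token {}", groupIds);
    return groupIds;
  }
}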