saml backchannel logout

broker/core/src/main/java/org/keycloak/broker/provider/FederatedIdentity.java

@@ -32,6 +32,8 @@ public class FederatedIdentity {
     private String email;
     private String token;
     private String identityProviderId;
+    private String brokerSessionId;
+    private String brokerUserId;
 
     public FederatedIdentity(String id) {
         if (id == null) {
@@ -102,6 +104,22 @@ public void setIdentityProviderId(String identityProviderId) {
         this.identityProviderId = identityProviderId;
     }
 
+    public String getBrokerSessionId() {
+        return brokerSessionId;
+    }
+
+    public void setBrokerSessionId(String brokerSessionId) {
+        this.brokerSessionId = brokerSessionId;
+    }
+
+    public String getBrokerUserId() {
+        return brokerUserId;
+    }
+
+    public void setBrokerUserId(String brokerUserId) {
+        this.brokerUserId = brokerUserId;
+    }
+
     @Override
     public String toString() {
         return "{" +

broker/oidc/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java

@@ -129,16 +129,7 @@ protected String extractTokenFromResponse(String response, String tokenName) {
     }
 
     protected FederatedIdentity getFederatedIdentity(Map<String, String> notes, String response) {
-        AccessTokenResponse tokenResponse = null;
-        try {
-            tokenResponse = JsonSerialization.readValue(response, AccessTokenResponse.class);
-        } catch (IOException e) {
-            throw new IdentityBrokerException("Could not decode access token response.", e);
-        }
-        String accessToken = tokenResponse.getToken();
-        notes.put(FEDERATED_ACCESS_TOKEN, accessToken);
-        notes.put(FEDERATED_REFRESH_TOKEN, tokenResponse.getRefreshToken());
-        notes.put(FEDERATED_TOKEN_EXPIRATION, Long.toString(tokenResponse.getExpiresIn()));
+        String accessToken = extractTokenFromResponse(response, OAUTH2_PARAMETER_ACCESS_TOKEN);
 
         if (accessToken == null) {
             throw new IdentityBrokerException("No access token from server.");
@@ -147,6 +138,7 @@ protected FederatedIdentity getFederatedIdentity(Map<String, String> notes, Stri
         return doGetFederatedIdentity(accessToken);
     }
 
+
     protected FederatedIdentity doGetFederatedIdentity(String accessToken) {
         return null;
     }
@@ -213,12 +205,7 @@ public Response authResponse(@QueryParam(AbstractOAuth2IdentityProvider.OAUTH2_P
             try {
 
                 if (authorizationCode != null) {
-                    String response = SimpleHttp.doPost(getConfig().getTokenUrl())
-                            .param(OAUTH2_PARAMETER_CODE, authorizationCode)
-                            .param(OAUTH2_PARAMETER_CLIENT_ID, getConfig().getClientId())
-                            .param(OAUTH2_PARAMETER_CLIENT_SECRET, getConfig().getClientSecret())
-                            .param(OAUTH2_PARAMETER_REDIRECT_URI, uriInfo.getAbsolutePath().toString())
-                            .param(OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE).asString();
+                    String response = generateTokenRequest(authorizationCode).asString();
 
                     HashMap<String, String> userNotes = new HashMap<String, String>();
                     FederatedIdentity federatedIdentity = getFederatedIdentity(userNotes, response);
@@ -236,5 +223,14 @@ public Response authResponse(@QueryParam(AbstractOAuth2IdentityProvider.OAUTH2_P
             event.error(Errors.IDENTITY_PROVIDER_LOGIN_FAILURE);
             return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, headers, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
         }
+
+        public SimpleHttp generateTokenRequest(String authorizationCode) {
+            return SimpleHttp.doPost(getConfig().getTokenUrl())
+                    .param(OAUTH2_PARAMETER_CODE, authorizationCode)
+                    .param(OAUTH2_PARAMETER_CLIENT_ID, getConfig().getClientId())
+                    .param(OAUTH2_PARAMETER_CLIENT_SECRET, getConfig().getClientSecret())
+                    .param(OAUTH2_PARAMETER_REDIRECT_URI, uriInfo.getAbsolutePath().toString())
+                    .param(OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE);
+        }
     }
 }

broker/oidc/src/main/java/org/keycloak/broker/oidc/KeycloakIdentityProvider.java

@@ -0,0 +1,69 @@
+package org.keycloak.broker.oidc;
+
+import org.keycloak.broker.oidc.util.SimpleHttp;
+import org.keycloak.constants.AdapterConstants;
+import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.models.RealmModel;
+import org.keycloak.representations.adapters.action.AdminAction;
+import org.keycloak.representations.adapters.action.LogoutAction;
+import org.keycloak.util.JsonSerialization;
+
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.core.Response;
+import java.io.IOException;
+
+/**
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class KeycloakIdentityProvider extends OIDCIdentityProvider {
+
+    public KeycloakIdentityProvider(OIDCIdentityProviderConfig config) {
+        super(config);
+    }
+
+    protected class KeycloakEndpoint extends OIDCEndpoint {
+        public KeycloakEndpoint(AuthenticationCallback callback, RealmModel realm) {
+            super(callback, realm);
+        }
+
+        @POST
+        @Path(AdapterConstants.K_LOGOUT)
+        public Response backchannelLogout(String input) {
+            JWSInput token = new JWSInput(input);
+            if (!token.verify(getConfig().getSigningCertificate())) {
+                return Response.status(400).build();            }
+            LogoutAction action = null;
+            try {
+                action = JsonSerialization.readValue(token.getContent(), LogoutAction.class);
+            } catch (IOException e) {
+                throw new RuntimeException(e);
+            }
+            if (!validateAction(action)) return Response.status(400).build();
+            if (action.getAdapterSessionIds() != null) {
+
+            }
+            throw new RuntimeException("not impelmented yet");
+        }
+
+        protected boolean validateAction(AdminAction action)  {
+            if (!action.validate()) {
+                logger.warn("admin request failed, not validated" + action.getAction());
+                return false;
+            }
+            if (action.isExpired()) {
+                logger.warn("admin request failed, expired token");
+                return false;
+            }
+            if (!getConfig().getClientId().equals(action.getResource())) {
+                logger.warn("Resource name does not match");
+                return false;
+
+            }
+            return true;
+        }
+
+
+    }
+}

broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java

@@ -18,19 +18,24 @@
 package org.keycloak.broker.oidc;
 
 import org.codehaus.jackson.JsonNode;
+import org.jboss.resteasy.logging.Logger;
 import org.keycloak.broker.oidc.util.SimpleHttp;
 import org.keycloak.broker.provider.AuthenticationRequest;
 import org.keycloak.broker.provider.FederatedIdentity;
 import org.keycloak.broker.provider.IdentityBrokerException;
 import org.keycloak.broker.provider.IdentityProvider;
+import org.keycloak.constants.AdapterConstants;
 import org.keycloak.events.Errors;
 import org.keycloak.events.EventBuilder;
 import org.keycloak.events.EventType;
 import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.jose.jws.crypto.RSAProvider;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserSessionModel;
 import org.keycloak.representations.AccessTokenResponse;
 import org.keycloak.representations.IDToken;
+import org.keycloak.representations.adapters.action.AdminAction;
+import org.keycloak.representations.adapters.action.LogoutAction;
 import org.keycloak.services.managers.AuthenticationManager;
 import org.keycloak.services.managers.EventsManager;
 import org.keycloak.services.messages.Messages;
@@ -39,10 +44,13 @@
 import org.keycloak.services.resources.flows.Flows;
 import org.keycloak.util.JsonSerialization;
 
+import javax.ws.rs.Consumes;
 import javax.ws.rs.GET;
+import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriBuilder;
 import javax.ws.rs.core.UriInfo;
@@ -53,6 +61,7 @@
  * @author Pedro Igor
  */
 public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig> {
+    protected static final Logger logger = Logger.getLogger(OIDCIdentityProvider.class);
 
     public static final String OAUTH2_PARAMETER_PROMPT = "prompt";
     public static final String SCOPE_OPENID = "openid";
@@ -78,6 +87,8 @@ public OIDCEndpoint(AuthenticationCallback callback, RealmModel realm) {
             super(callback, realm);
         }
 
+
+
         @GET
         @Path("logout_response")
         public Response logoutResponse(@Context UriInfo uriInfo,
@@ -229,10 +240,6 @@ private IDToken validateIdToken(String encodedToken) {
         }
     }
 
-    private String decodeJWS(String token) {
-        return new JWSInput(token).readContentAsString();
-    }
-
     @Override
     protected String getDefaultScopes() {
         return "openid";

broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderConfig.java

@@ -47,5 +47,14 @@ public String getLogoutUrl() {
     public void setLogoutUrl(String url) {
         getConfig().put("logoutUrl", url);
     }
+    public String getSigningCertificate() {
+        return getConfig().get("signingCertificate");
+    }
+
+    public void setSigningCertificate(String signingCertificate) {
+        getConfig().put("signingCertificate", signingCertificate);
+    }
+
+
 
 }

broker/saml/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java

@@ -78,6 +78,8 @@
 public class SAMLEndpoint {
     protected static final Logger logger = Logger.getLogger(SAMLEndpoint.class);
     public static final String SAML_FEDERATED_SESSION_INDEX = "SAML_FEDERATED_SESSION_INDEX";
+    public static final String SAML_FEDERATED_SUBJECT = "SAML_FEDERATED_SUBJECT";
+    public static final String SAML_FEDERATED_SUBJECT_NAMEFORMAT = "SAML_FEDERATED_SUBJECT_NAMEFORMAT";
     protected RealmModel realm;
     protected EventBuilder event;
     protected SAMLIdentityProviderConfig config;
@@ -179,7 +181,7 @@ protected Response handleSamlRequest(String samlRequest, String relayState) {
             SAMLDocumentHolder holder = extractRequestDocument(samlRequest);
             RequestAbstractType requestAbstractType = (RequestAbstractType) holder.getSamlObject();
             // validate destination
-            if (!uriInfo.getAbsolutePath().toString().equals(requestAbstractType.getDestination())) {
+            if (!uriInfo.getAbsolutePath().equals(requestAbstractType.getDestination())) {
                 event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
                 event.error(Errors.INVALID_SAML_RESPONSE);
                 event.detail(Details.REASON, "invalid_destination");
@@ -210,66 +212,55 @@ protected Response handleSamlRequest(String samlRequest, String relayState) {
         }
 
         protected Response logoutRequest(LogoutRequestType request, String relayState) {
-            UserModel user = session.users().getUserByUsername(request.getNameID().getValue(), realm);
-            if (user == null) {
-                event.event(EventType.LOGOUT);
-                event.error(Errors.USER_SESSION_NOT_FOUND);
-                return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, headers, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
-            }
-            List<UserSessionModel> sessions = session.sessions().getUserSessions(realm, user);
-            if (sessions == null || sessions.size() == 0) {
-                event.event(EventType.LOGOUT);
-                event.error(Errors.USER_SESSION_NOT_FOUND);
-                return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, headers, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
-            }
-            for (UserSessionModel userSession : sessions) {
-                String brokerId = userSession.getNote(IdentityBrokerService.BROKER_PROVIDER_ID);
-                if (!config.getAlias().equals(brokerId)) continue;
-                boolean logout = false;
-                if (request.getSessionIndex() == null || request.getSessionIndex().size() == 0) {
-                    logout = true;
-                } else {
-                    for (String sessionIndex : request.getSessionIndex()) {
-                        if (sessionIndex.equals(userSession.getNote(SAML_FEDERATED_SESSION_INDEX))) {
-                            logout = true;
-                            break;
-                        }
-                    }
-                }
-                if (logout) {
+            String brokerUserId = config.getAlias() + "." + request.getNameID().getValue();
+            if (request.getSessionIndex() == null || request.getSessionIndex().isEmpty()) {
+                List<UserSessionModel> userSessions = session.sessions().getUserSessionByBrokerUserId(realm, brokerUserId);
+                for (UserSessionModel userSession : userSessions) {
                     try {
                         AuthenticationManager.backchannelLogout(session, realm, userSession, uriInfo, clientConnection, headers);
                     } catch (Exception e) {
-                        logger.error("Failed to logout", e);
+                        logger.warn("failed to do backchannel logout for userSession", e);
                     }
                 }
 
-                String issuerURL = getEntityId(uriInfo, realm);
-                SAML2LogoutResponseBuilder builder = new SAML2LogoutResponseBuilder();
-                builder.logoutRequestID(request.getID());
-                builder.destination(config.getSingleLogoutServiceUrl());
-                builder.issuer(issuerURL);
-                builder.relayState(relayState);
-                if (config.isWantAuthnRequestsSigned()) {
-                    builder.signWith(realm.getPrivateKey(), realm.getPublicKey(), realm.getCertificate())
-                           .signDocument();
-                }
-                try {
-                    if (config.isPostBindingResponse()) {
-                        return builder.postBinding().response();
-                    } else {
-                        return builder.redirectBinding().response();
+            }  else {
+                for (String sessionIndex : request.getSessionIndex()) {
+                    String brokerSessionId = brokerUserId + "." + sessionIndex;
+                    UserSessionModel userSession = session.sessions().getUserSessionByBrokerSessionId(realm, brokerSessionId);
+                    if (userSession != null) {
+                        try {
+                            AuthenticationManager.backchannelLogout(session, realm, userSession, uriInfo, clientConnection, headers);
+                        } catch (Exception e) {
+                            logger.warn("failed to do backchannel logout for userSession", e);
+                        }
                     }
-                } catch (ConfigurationException e) {
-                    throw new RuntimeException(e);
-                } catch (ProcessingException e) {
-                    throw new RuntimeException(e);
-                } catch (IOException e) {
-                    throw new RuntimeException(e);
                 }
+            }
 
+            String issuerURL = getEntityId(uriInfo, realm);
+            SAML2LogoutResponseBuilder builder = new SAML2LogoutResponseBuilder();
+            builder.logoutRequestID(request.getID());
+            builder.destination(config.getSingleLogoutServiceUrl());
+            builder.issuer(issuerURL);
+            builder.relayState(relayState);
+            if (config.isWantAuthnRequestsSigned()) {
+                builder.signWith(realm.getPrivateKey(), realm.getPublicKey(), realm.getCertificate())
+                        .signDocument();
+            }
+            try {
+                if (config.isPostBindingResponse()) {
+                    return builder.postBinding().response();
+                } else {
+                    return builder.redirectBinding().response();
+                }
+            } catch (ConfigurationException e) {
+                throw new RuntimeException(e);
+            } catch (ProcessingException e) {
+                throw new RuntimeException(e);
+            } catch (IOException e) {
+                throw new RuntimeException(e);
             }
-            throw new RuntimeException("Unreachable");
+
         }
 
         private String getEntityId(UriInfo uriInfo, RealmModel realm) {
@@ -283,8 +274,8 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                 SubjectType.STSubType subType = subject.getSubType();
                 NameIDType subjectNameID = (NameIDType) subType.getBaseID();
                 Map<String, String> notes = new HashMap<>();
-                notes.put("SAML_FEDERATED_SUBJECT", subjectNameID.getValue());
-                if (subjectNameID.getFormat() != null) notes.put("SAML_FEDERATED_SUBJECT_NAMEFORMAT", subjectNameID.getFormat().toString());
+                notes.put(SAML_FEDERATED_SUBJECT, subjectNameID.getValue());
+                if (subjectNameID.getFormat() != null) notes.put(SAML_FEDERATED_SUBJECT_NAMEFORMAT, subjectNameID.getFormat().toString());
                 FederatedIdentity identity = new FederatedIdentity(subjectNameID.getValue());
 
                 identity.setUsername(subjectNameID.getValue());
@@ -304,7 +295,10 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                         break;
                     }
                 }
+                String brokerUserId = config.getAlias() + "." + subjectNameID.getValue();
+                identity.setBrokerUserId(brokerUserId);
                 if (authn != null && authn.getSessionIndex() != null) {
+                    identity.setBrokerSessionId(identity.getBrokerUserId() + "." + authn.getSessionIndex());
                     notes.put(SAML_FEDERATED_SESSION_INDEX, authn.getSessionIndex());
                 }
                 return callback.authenticated(notes, config, identity, relayState);

broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java

@@ -122,8 +122,8 @@ public Response keycloakInitiatedBrowserLogout(UserSessionModel userSession, Uri
 
         SAML2LogoutRequestBuilder logoutBuilder = new SAML2LogoutRequestBuilder()
                 .issuer(getEntityId(uriInfo, realm))
-                .sessionIndex(userSession.getNote("SAML_FEDERATED_SESSION_INDEX"))
-                .userPrincipal(userSession.getNote("SAML_FEDERATED_SUBJECT"), userSession.getNote("SAML_FEDERATED_SUBJECT_NAMEFORMAT"))
+                .sessionIndex(userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SESSION_INDEX))
+                .userPrincipal(userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT), userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT_NAMEFORMAT))
                 .destination(getConfig().getSingleLogoutServiceUrl());
         if (getConfig().isWantAuthnRequestsSigned()) {
             logoutBuilder.signWith(realm.getPrivateKey(), realm.getPublicKey(), realm.getCertificate())