KEYCLOAK-1749 Rotate registration access token, add registration acce…

…ss token to admin console

client-api/src/main/java/org/keycloak/client/registration/ClientRegistration.java

@@ -55,9 +55,10 @@ public AdapterConfig getAdapterConfig(String clientId) throws ClientRegistration
         return resultStream != null ? deserialize(resultStream, AdapterConfig.class) : null;
     }
 
-    public void update(ClientRepresentation client) throws ClientRegistrationException {
+    public ClientRepresentation update(ClientRepresentation client) throws ClientRegistrationException {
         String content = serialize(client);
-        httpUtil.doPut(content, DEFAULT, client.getClientId());
+        InputStream resultStream = httpUtil.doPut(content, DEFAULT, client.getClientId());
+        return resultStream != null ? deserialize(resultStream, ClientRepresentation.class) : null;
     }
 
     public void delete(ClientRepresentation client) throws ClientRegistrationException {

client-api/src/main/java/org/keycloak/client/registration/HttpUtil.java

@@ -80,15 +80,17 @@ InputStream doGet(String... path) throws ClientRegistrationException {
                 responseStream.close();
                 return null;
             } else {
-                responseStream.close();
+                if (responseStream != null) {
+                    responseStream.close();
+                }
                 throw new HttpErrorException(response.getStatusLine());
             }
         } catch (IOException e) {
             throw new ClientRegistrationException("Failed to send request", e);
         }
     }
 
-    void doPut(String content, String... path) throws ClientRegistrationException {
+    InputStream doPut(String content, String... path) throws ClientRegistrationException {
         try {
             HttpPut request = new HttpPut(getUrl(baseUri, path));
 
@@ -100,10 +102,20 @@ void doPut(String content, String... path) throws ClientRegistrationException {
 
             HttpResponse response = httpClient.execute(request);
             if (response.getEntity() != null) {
-                response.getEntity().getContent().close();
+                response.getEntity().getContent();
             }
 
-            if (response.getStatusLine().getStatusCode() != 200) {
+            InputStream responseStream = null;
+            if (response.getEntity() != null) {
+                responseStream = response.getEntity().getContent();
+            }
+
+            if (response.getStatusLine().getStatusCode() == 200) {
+                return responseStream;
+            } else {
+                if (responseStream != null) {
+                    responseStream.close();
+                }
                 throw new HttpErrorException(response.getStatusLine());
             }
         } catch (IOException e) {

forms/common-themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties

@@ -270,7 +270,10 @@ client-certificate-import=Client Certificate Import
 import-client-certificate=Import Client Certificate
 jwt-import.key-alias.tooltip=Archive alias for your certificate.
 secret=Secret
-regenerate-secret=Regenerate Secret
+regenerate-secret=Regenerate Secretsecret=Secret
+registrationAccessToken=Registration access token
+registrationAccessToken.regenerate=Regenerate registration access token
+registrationAccessToken.tooltip=The registration access token provides access for clients to the client registration service.
 add-role=Add Role
 role-name=Role Name
 composite=Composite

forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/clients.js

@@ -30,7 +30,7 @@ module.controller('ClientRoleListCtrl', function($scope, $location, realm, clien
     });
 });
 
-module.controller('ClientCredentialsCtrl', function($scope, $location, realm, client, clientAuthenticatorProviders, clientConfigProperties, Client) {
+module.controller('ClientCredentialsCtrl', function($scope, $location, realm, client, clientAuthenticatorProviders, clientConfigProperties, Client, ClientRegistrationAccessToken, Notifications) {
     $scope.realm = realm;
     $scope.client = angular.copy(client);
     $scope.clientAuthenticatorProviders = clientAuthenticatorProviders;
@@ -68,6 +68,17 @@ module.controller('ClientCredentialsCtrl', function($scope, $location, realm, cl
         }
     }, true);
 
+    $scope.regenerateRegistrationAccessToken = function() {
+        var secret = ClientRegistrationAccessToken.update({ realm : $scope.realm.realm, client : $scope.client.id },
+            function(data) {
+                Notifications.success('The registration access token has been updated.');
+                $scope.client['registrationAccessToken'] = data.registrationAccessToken;
+            },
+            function() {
+                Notifications.error('Failed to update the registration access token');
+            }
+        );
+    };
 });
 
 module.controller('ClientSecretCtrl', function($scope, $location, ClientSecret, Notifications) {

forms/common-themes/src/main/resources/theme/base/admin/resources/js/services.js

@@ -981,6 +981,17 @@ module.factory('ClientSecret', function($resource) {
     });
 });
 
+module.factory('ClientRegistrationAccessToken', function($resource) {
+    return $resource(authUrl + '/admin/realms/:realm/clients/:client/registration-access-token', {
+        realm : '@realm',
+        client : '@client'
+    },  {
+        update : {
+            method : 'POST'
+        }
+    });
+});
+
 module.factory('ClientOrigins', function($resource) {
     return $resource(authUrl + '/admin/realms/:realm/clients/:client/allowed-origins', {
         realm : '@realm',

forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-generic.html

@@ -1,5 +1,5 @@
 <div>
-    <form class="form-horizontal" name="credentialForm" novalidate kc-read-only="!access.manageClients" data-ng-show="currentAuthenticatorConfigProperties.length > 0" data-ng-controller="ClientGenericCredentialsCtrl">
+    <form class="form-horizontal no-margin-top" name="credentialForm" novalidate kc-read-only="!access.manageClients" data-ng-show="currentAuthenticatorConfigProperties.length > 0" data-ng-controller="ClientGenericCredentialsCtrl">
         <fieldset>
             <kc-provider-config realm="realm" config="client.attributes" properties="currentAuthenticatorConfigProperties"></kc-provider-config>
         </fieldset>

forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt.html

@@ -1,5 +1,5 @@
 <div>
-    <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!access.manageClients" data-ng-controller="ClientSignedJWTCtrl">
+    <form class="form-horizontal no-margin-top" name="keyForm" novalidate kc-read-only="!access.manageClients" data-ng-controller="ClientSignedJWTCtrl">
         <div class="form-group">
             <label class="col-md-2 control-label" for="signingCert">{{:: 'certificate' | translate}}</label>
             <kc-tooltip>{{:: 'certificate.tooltip' | translate}}</kc-tooltip>

forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-secret.html

@@ -1,5 +1,5 @@
 <div>
-    <form class="form-horizontal" name="credentialForm" novalidate kc-read-only="!access.manageClients" data-ng-controller="ClientSecretCtrl">
+    <form class="form-horizontal no-margin-top" name="credentialForm" novalidate kc-read-only="!access.manageClients" data-ng-controller="ClientSecretCtrl">
         <div class="form-group">
             <label class="col-md-2 control-label" for="secret">{{:: 'secret' | translate}}</label>
             <div class="col-sm-6">

forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-credentials.html

@@ -28,6 +28,11 @@
     <div data-ng-include="resourceUrl + '/partials/' + clientAuthenticatorConfigPartial">
     </div>
 
+    <hr/>
+
+    <div data-ng-include="resourceUrl + '/partials/client-registration-access-token.html'">
+    </div>
+
 </div>
 
 <kc-menu></kc-menu>

forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-registration-access-token.html

@@ -0,0 +1,18 @@
+<div>
+    <form class="form-horizontal" name="registrationAccessTokenForm" novalidate kc-read-only="!access.manageClients">
+        <div class="form-group">
+            <label class="col-md-2 control-label" for="registrationAccessToken">{{:: 'registrationAccessToken' | translate}}</label>
+            <div class="col-sm-6">
+                <div class="row">
+                    <div class="col-sm-6">
+                        <input readonly kc-select-action="click" class="form-control" type="text" id="registrationAccessToken" name="registrationAccessToken" data-ng-model="client.registrationAccessToken">
+                    </div>
+                    <div class="col-sm-6" data-ng-show="access.manageClients">
+                        <button type="submit" data-ng-click="regenerateRegistrationAccessToken()" class="btn btn-default">{{:: 'registrationAccessToken.regenerate' | translate}}</button>
+                    </div>
+                </div>
+            </div>
+            <kc-tooltip>{{:: 'registrationAccessToken.tooltip' | translate}}</kc-tooltip>
+        </div>
+    </form>
+</div>

forms/common-themes/src/main/resources/theme/keycloak/admin/resources/css/styles.css

@@ -22,6 +22,11 @@ table {
     margin-top: 20px;
 }
 
+.no-margin-top {
+    margin-top: 0px !important;
+}
+
+
 
 /*********** Loading ***********/
 

model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java

@@ -1,6 +1,7 @@
 package org.keycloak.models.utils;
 
 import org.bouncycastle.openssl.PEMWriter;
+import org.keycloak.common.util.Base64Url;
 import org.keycloak.models.AuthenticationExecutionModel;
 import org.keycloak.models.AuthenticationFlowModel;
 import org.keycloak.models.ClientModel;
@@ -26,12 +27,7 @@
 import javax.crypto.spec.SecretKeySpec;
 import java.io.IOException;
 import java.io.StringWriter;
-import java.security.Key;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.PublicKey;
+import java.security.*;
 import java.security.cert.X509Certificate;
 import java.util.HashMap;
 import java.util.LinkedList;
@@ -47,6 +43,8 @@
  */
 public final class KeycloakModelUtils {
 
+    private static final int RANDOM_PASSWORD_BYTES = 32;
+
     private KeycloakModelUtils() {
     }
 
@@ -178,12 +176,22 @@ public static CertificateRepresentation generateKeyPairCertificate(String subjec
         return rep;
     }
 
-    public static UserCredentialModel generateSecret(ClientModel app) {
+    public static UserCredentialModel generateSecret(ClientModel client) {
         UserCredentialModel secret = UserCredentialModel.generateSecret();
-        app.setSecret(secret.getValue());
+        client.setSecret(secret.getValue());
         return secret;
     }
 
+    public static void generateRegistrationAccessToken(ClientModel client) {
+        client.setRegistrationSecret(generatePassword());
+    }
+
+    public static String generatePassword() {
+        byte[] buf = new byte[RANDOM_PASSWORD_BYTES];
+        new SecureRandom().nextBytes(buf);
+        return Base64Url.encode(buf);
+    }
+
     public static String getDefaultClientAuthenticatorType() {
         return "client-secret";
     }

services/src/main/java/org/keycloak/services/clientregistration/ClientRegAuth.java

@@ -24,6 +24,7 @@ public class ClientRegAuth {
     private AccessToken.Access bearerRealmAccess;
 
     private boolean authenticated = false;
+    private boolean registrationAccessToken = false;
 
     public ClientRegAuth(KeycloakSession session, EventBuilder event) {
         this.session = session;
@@ -48,6 +49,7 @@ private void init() {
         if (split[1].indexOf('.') == -1) {
             token = split[1];
             authenticated = true;
+            registrationAccessToken = true;
         } else {
             AuthenticationManager.AuthResult authResult = new AppAuthManager().authenticateBearerToken(session, realm);
             bearerRealmAccess = authResult.getToken().getResourceAccess(Constants.REALM_MANAGEMENT_CLIENT_ID);
@@ -59,6 +61,10 @@ public boolean isAuthenticated() {
         return authenticated;
     }
 
+    public boolean isRegistrationAccessToken() {
+        return registrationAccessToken;
+    }
+
     public void requireCreate() {
         if (!authenticated) {
             event.error(Errors.NOT_ALLOWED);

services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationService.java

@@ -1,5 +1,6 @@
 package org.keycloak.services.clientregistration;
 
+import org.jboss.resteasy.spi.NotFoundException;
 import org.keycloak.events.EventBuilder;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.services.ErrorResponseException;
@@ -28,6 +29,11 @@ public Object getProvider(@PathParam("provider") String providerId) {
         checkSsl();
 
         ClientRegistrationProvider provider = session.getProvider(ClientRegistrationProvider.class, providerId);
+
+        if (provider == null) {
+            throw new NotFoundException("Client registration provider not found");
+        }
+
         provider.setEvent(event);
         provider.setAuth(new ClientRegAuth(session, event));
         return provider;

services/src/main/java/org/keycloak/services/clientregistration/DefaultClientRegistrationProvider.java

@@ -5,6 +5,7 @@
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.ModelDuplicateException;
+import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.models.utils.ModelToRepresentation;
 import org.keycloak.models.utils.RepresentationToModel;
 import org.keycloak.representations.idm.ClientRepresentation;
@@ -38,7 +39,7 @@ public Response create(ClientRepresentation client) {
 
         try {
             ClientModel clientModel = RepresentationToModel.createClient(session, session.getContext().getRealm(), client, true);
-            clientModel.setRegistrationSecret(TokenGenerator.createRegistrationAccessToken());
+            KeycloakModelUtils.generateRegistrationAccessToken(clientModel);
 
             client = ModelToRepresentation.toRepresentation(clientModel);
             URI uri = session.getContext().getUri().getAbsolutePathBuilder().path(clientModel.getId()).build();
@@ -59,6 +60,10 @@ public Response get(@PathParam("clientId") String clientId) {
         ClientModel client = session.getContext().getRealm().getClientByClientId(clientId);
         auth.requireView(client);
 
+        if (auth.isRegistrationAccessToken()) {
+            KeycloakModelUtils.generateRegistrationAccessToken(client);
+        }
+
         event.client(client.getClientId()).success();
         return Response.ok(ModelToRepresentation.toRepresentation(client)).build();
     }
@@ -74,8 +79,14 @@ public Response update(@PathParam("clientId") String clientId, ClientRepresentat
 
         RepresentationToModel.updateClient(rep, client);
 
+        if (auth.isRegistrationAccessToken()) {
+            KeycloakModelUtils.generateRegistrationAccessToken(client);
+        }
+
+        rep = ModelToRepresentation.toRepresentation(client);
+
         event.client(client.getClientId()).success();
-        return Response.status(Response.Status.OK).build();
+        return Response.ok(rep).build();
     }
 
     @DELETE

services/src/main/java/org/keycloak/services/clientregistration/oidc/OIDCClientRegistrationProvider.java

@@ -15,7 +15,6 @@
 import org.keycloak.services.ErrorResponse;
 import org.keycloak.services.clientregistration.ClientRegAuth;
 import org.keycloak.services.clientregistration.ClientRegistrationProvider;
-import org.keycloak.services.clientregistration.TokenGenerator;
 
 import javax.ws.rs.Consumes;
 import javax.ws.rs.POST;

services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java

@@ -214,6 +214,24 @@ public CredentialRepresentation regenerateSecret() {
         return rep;
     }
 
+    /**
+     * Generate a new registration access token for the client
+     *
+     * @return
+     */
+    @Path("registration-access-token")
+    @POST
+    @Produces(MediaType.APPLICATION_JSON)
+    @Consumes(MediaType.APPLICATION_JSON)
+    public ClientRepresentation regenerateRegistrationAccessToken() {
+        auth.requireManage();
+
+        KeycloakModelUtils.generateRegistrationAccessToken(client);
+        ClientRepresentation rep = ModelToRepresentation.toRepresentation(client);
+        adminEvent.operation(OperationType.ACTION).resourcePath(uriInfo).representation(rep).success();
+        return rep;
+    }
+
     /**
      * Get the client secret
      *