Merge pull request #1175 from patriot1burke/master

broker token exchange refactor

broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java

@@ -129,8 +129,9 @@ public Response logoutResponse(@Context UriInfo uriInfo,
     @Override
     public Response keycloakInitiatedBrowserLogout(UserSessionModel userSession, UriInfo uriInfo, RealmModel realm) {
         if (getConfig().getLogoutUrl() == null || getConfig().getLogoutUrl().trim().equals("")) return null;
+        String sessionId = userSession.getId();
         UriBuilder logoutUri = UriBuilder.fromUri(getConfig().getLogoutUrl())
-                                         .queryParam("state", userSession.getId());
+                                         .queryParam("state", sessionId);
         String idToken = userSession.getNote(FEDERATED_ID_TOKEN);
         if (idToken != null) logoutUri.queryParam("id_token_hint", idToken);
         String redirect = RealmsResource.brokerUrl(uriInfo)

broker/saml/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java

@@ -7,6 +7,8 @@
 import org.keycloak.broker.provider.IdentityBrokerException;
 import org.keycloak.broker.provider.IdentityProvider;
 import org.keycloak.dom.saml.v2.assertion.AssertionType;
+import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
+import org.keycloak.dom.saml.v2.assertion.AttributeType;
 import org.keycloak.dom.saml.v2.assertion.AuthnStatementType;
 import org.keycloak.dom.saml.v2.assertion.EncryptedAssertionType;
 import org.keycloak.dom.saml.v2.assertion.NameIDType;
@@ -36,6 +38,7 @@
 import org.keycloak.saml.processing.api.saml.v2.response.SAML2Response;
 import org.keycloak.saml.processing.core.parsers.saml.SAMLParser;
 import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
+import org.keycloak.saml.processing.core.saml.v2.constants.X500SAMLProfileConstants;
 import org.keycloak.saml.processing.core.util.JAXPValidationUtil;
 import org.keycloak.saml.processing.core.util.XMLEncryptionUtil;
 import org.keycloak.saml.processing.core.util.XMLSignatureUtil;
@@ -295,6 +298,19 @@ protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder h
                         break;
                     }
                 }
+                if (assertion.getAttributeStatements() != null ) {
+                    for (AttributeStatementType attrStatement : assertion.getAttributeStatements()) {
+                        for (AttributeStatementType.ASTChoiceType choice : attrStatement.getAttributes()) {
+                            AttributeType attribute = choice.getAttribute();
+                            if (X500SAMLProfileConstants.EMAIL.getFriendlyName().equals(attribute.getFriendlyName())
+                                    || X500SAMLProfileConstants.EMAIL.get().equals(attribute.getName())) {
+                                if (!attribute.getAttributeValue().isEmpty()) identity.setEmail(attribute.getAttributeValue().get(0).toString());
+                            }
+                        }
+
+                    }
+
+                }
                 String brokerUserId = config.getAlias() + "." + subjectNameID.getValue();
                 identity.setBrokerUserId(brokerUserId);
                 identity.setIdpConfig(config);

model/api/src/main/java/org/keycloak/migration/MigrationProvider.java

@@ -1,9 +1,10 @@
 package org.keycloak.migration;
 
-import java.util.List;
 import org.keycloak.provider.Provider;
 import org.keycloak.representations.idm.ProtocolMapperRepresentation;
 
+import java.util.List;
+
 /**
  * Various common utils needed for migration from older version to newer
  *

model/api/src/main/java/org/keycloak/models/ClientModel.java

@@ -116,10 +116,6 @@ public interface ClientModel extends RoleContainerModel {
 
     void setNotBefore(int notBefore);
 
-    void updateIdentityProviders(List<ClientIdentityProviderMappingModel> identityProviders);
-    List<ClientIdentityProviderMappingModel> getIdentityProviders();
-    boolean isAllowedRetrieveTokenFromIdentityProvider(String providerId);
-
     Set<ProtocolMapperModel> getProtocolMappers();
     ProtocolMapperModel addProtocolMapper(ProtocolMapperModel model);
     void removeProtocolMapper(ProtocolMapperModel mapping);

model/api/src/main/java/org/keycloak/models/Constants.java

@@ -8,6 +8,7 @@ public interface Constants {
     String ADMIN_CONSOLE_CLIENT_ID = "security-admin-console";
 
     String ACCOUNT_MANAGEMENT_CLIENT_ID = "account";
+    String BROKER_SERVICE_CLIENT_ID = "broker";
 
     String INSTALLED_APP_URN = "urn:ietf:wg:oauth:2.0:oob";
     String INSTALLED_APP_URL = "http://localhost";

model/api/src/main/java/org/keycloak/models/PasswordPolicy.java

@@ -1,5 +1,7 @@
 package org.keycloak.models;
 
+import org.keycloak.models.utils.Pbkdf2PasswordEncoder;
+
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Comparator;
@@ -8,8 +10,6 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-import org.keycloak.models.utils.Pbkdf2PasswordEncoder;
-
 /**
  * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
  */

model/api/src/main/java/org/keycloak/models/entities/ProtocolMapperEntity.java

@@ -1,7 +1,5 @@
 package org.keycloak.models.entities;
 
-import org.keycloak.models.ProtocolMapperModel;
-
 import java.util.Map;
 
 /**

model/api/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java

@@ -1,7 +1,6 @@
 package org.keycloak.models.utils;
 
 import org.keycloak.models.ClientModel;
-import org.keycloak.models.ClientIdentityProviderMappingModel;
 import org.keycloak.models.ClientSessionModel;
 import org.keycloak.models.FederatedIdentityModel;
 import org.keycloak.models.IdentityProviderMapperModel;
@@ -14,8 +13,6 @@
 import org.keycloak.models.UserFederationProviderModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserSessionModel;
-import org.keycloak.representations.idm.ApplicationRepresentation;
-import org.keycloak.representations.idm.ClientIdentityProviderMappingRepresentation;
 import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.CredentialRepresentation;
 import org.keycloak.representations.idm.FederatedIdentityRepresentation;
@@ -261,10 +258,6 @@ public static ClientRepresentation toRepresentation(ClientModel clientModel) {
             rep.setRegisteredNodes(new HashMap<>(clientModel.getRegisteredNodes()));
         }
 
-        if (!clientModel.getIdentityProviders().isEmpty()) {
-            rep.setIdentityProviders(toRepresentation(clientModel.getIdentityProviders()));
-        }
-
         if (!clientModel.getProtocolMappers().isEmpty()) {
             List<ProtocolMapperRepresentation> mappings = new LinkedList<>();
             for (ProtocolMapperModel model : clientModel.getProtocolMappers()) {
@@ -276,21 +269,6 @@ public static ClientRepresentation toRepresentation(ClientModel clientModel) {
         return rep;
     }
 
-    private static List<ClientIdentityProviderMappingRepresentation> toRepresentation(List<ClientIdentityProviderMappingModel> identityProviders) {
-        ArrayList<ClientIdentityProviderMappingRepresentation> representations = new ArrayList<ClientIdentityProviderMappingRepresentation>();
-
-        for (ClientIdentityProviderMappingModel model : identityProviders) {
-            ClientIdentityProviderMappingRepresentation representation = new ClientIdentityProviderMappingRepresentation();
-
-            representation.setId(model.getIdentityProvider());
-            representation.setRetrieveToken(model.isRetrieveToken());
-
-            representations.add(representation);
-        }
-
-        return representations;
-    }
-
     public static UserFederationProviderRepresentation toRepresentation(UserFederationProviderModel model) {
         UserFederationProviderRepresentation rep = new UserFederationProviderRepresentation();
         rep.setId(model.getId());

model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java

@@ -6,7 +6,6 @@
 import org.keycloak.migration.MigrationProvider;
 import org.keycloak.models.BrowserSecurityHeaders;
 import org.keycloak.models.ClaimMask;
-import org.keycloak.models.ClientIdentityProviderMappingModel;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.FederatedIdentityModel;
 import org.keycloak.models.IdentityProviderMapperModel;
@@ -23,7 +22,6 @@
 import org.keycloak.models.UserModel;
 import org.keycloak.representations.idm.ApplicationRepresentation;
 import org.keycloak.representations.idm.ClaimRepresentation;
-import org.keycloak.representations.idm.ClientIdentityProviderMappingRepresentation;
 import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.CredentialRepresentation;
 import org.keycloak.representations.idm.FederatedIdentityRepresentation;
@@ -41,7 +39,6 @@
 import org.keycloak.util.UriUtils;
 
 import java.io.IOException;
-import java.net.URI;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -612,8 +609,6 @@ public static ClientModel createClient(KeycloakSession session, RealmModel realm
             }
         }
 
-        client.updateIdentityProviders(toModel(resourceRep.getIdentityProviders(), realm));
-
         return client;
     }
 
@@ -662,7 +657,6 @@ public static void updateClient(ClientRepresentation rep, ClientModel resource)
             }
         }
 
-        updateClientIdentityProviders(rep.getIdentityProviders(), resource);
     }
 
     public static long getClaimsMask(ClaimRepresentation rep) {
@@ -918,37 +912,4 @@ public static IdentityProviderMapperModel toModel(IdentityProviderMapperRepresen
         return model;
     }
 
-    private static List<ClientIdentityProviderMappingModel> toModel(List<ClientIdentityProviderMappingRepresentation> repIdentityProviders, RealmModel realm) {
-        List<ClientIdentityProviderMappingModel> result = new ArrayList<ClientIdentityProviderMappingModel>();
-
-        if (repIdentityProviders != null) {
-            for (ClientIdentityProviderMappingRepresentation rep : repIdentityProviders) {
-                ClientIdentityProviderMappingModel identityProviderMapping = new ClientIdentityProviderMappingModel();
-
-                identityProviderMapping.setIdentityProvider(rep.getId());
-                identityProviderMapping.setRetrieveToken(rep.isRetrieveToken());
-
-                result.add(identityProviderMapping);
-            }
-        }
-
-        return result;
-    }
-
-    private static void updateClientIdentityProviders(List<ClientIdentityProviderMappingRepresentation> identityProviders, ClientModel resource) {
-        if (identityProviders != null) {
-            List<ClientIdentityProviderMappingModel> result = new ArrayList<ClientIdentityProviderMappingModel>();
-
-            for (ClientIdentityProviderMappingRepresentation mappingRepresentation : identityProviders) {
-                ClientIdentityProviderMappingModel identityProviderMapping = new ClientIdentityProviderMappingModel();
-
-                identityProviderMapping.setIdentityProvider(mappingRepresentation.getId());
-                identityProviderMapping.setRetrieveToken(mappingRepresentation.isRetrieveToken());
-
-                result.add(identityProviderMapping);
-            }
-
-            resource.updateIdentityProviders(result);
-        }
-    }
 }

model/api/src/main/java/org/keycloak/models/utils/reflection/MethodPropertyImpl.java

@@ -1,13 +1,13 @@
 package org.keycloak.models.utils.reflection;
 
+import org.keycloak.util.reflections.Reflections;
+
 import java.beans.Introspector;
 import java.lang.annotation.Annotation;
 import java.lang.reflect.Member;
 import java.lang.reflect.Method;
 import java.lang.reflect.Type;
 
-import org.keycloak.util.reflections.Reflections;
-
 /**
  * A bean property based on the value represented by a getter/setter method pair
  */

model/api/src/main/java/org/keycloak/provider/ConfiguredProvider.java

@@ -1,7 +1,5 @@
 package org.keycloak.provider;
 
-import org.keycloak.provider.ProviderConfigProperty;
-
 import java.util.List;
 
 /**

model/api/src/main/java/org/keycloak/provider/ProviderEventManager.java

@@ -1,8 +1,5 @@
 package org.keycloak.provider;
 
-import org.keycloak.provider.ProviderEvent;
-import org.keycloak.provider.ProviderEventListener;
-
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
  * @version $Revision: 1 $

model/api/src/test/java/org/keycloak/models/PasswordPolicyTest.java

@@ -1,11 +1,11 @@
 package org.keycloak.models;
 
-import static org.junit.Assert.fail;
+import org.junit.Assert;
+import org.junit.Test;
 
 import java.util.regex.PatternSyntaxException;
 
-import org.junit.Assert;
-import org.junit.Test;
+import static org.junit.Assert.fail;
 
 /**
  * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>

model/file/src/main/java/org/keycloak/models/file/FileUserProvider.java

@@ -16,34 +16,33 @@
  */
 package org.keycloak.models.file;
 
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashSet;
-
-import org.keycloak.models.ProtocolMapperModel;
-import org.keycloak.models.file.adapter.UserAdapter;
+import org.keycloak.connections.file.FileConnectionProvider;
+import org.keycloak.connections.file.InMemoryModel;
+import org.keycloak.models.ClientModel;
+import org.keycloak.models.CredentialValidationOutput;
 import org.keycloak.models.FederatedIdentityModel;
 import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.ModelDuplicateException;
+import org.keycloak.models.ProtocolMapperModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.RoleModel;
 import org.keycloak.models.UserCredentialModel;
 import org.keycloak.models.UserFederationProviderModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserProvider;
+import org.keycloak.models.entities.FederatedIdentityEntity;
+import org.keycloak.models.entities.UserEntity;
+import org.keycloak.models.file.adapter.UserAdapter;
+import org.keycloak.models.utils.CredentialValidation;
 import org.keycloak.models.utils.KeycloakModelUtils;
 
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.regex.Pattern;
-import org.keycloak.connections.file.FileConnectionProvider;
-import org.keycloak.connections.file.InMemoryModel;
-import org.keycloak.models.ClientModel;
-import org.keycloak.models.CredentialValidationOutput;
-import org.keycloak.models.ModelDuplicateException;
-import org.keycloak.models.entities.FederatedIdentityEntity;
-import org.keycloak.models.entities.UserEntity;
-import org.keycloak.models.utils.CredentialValidation;
 
 /**
  * UserProvider for JSON persistence.