Java Code Examples for org.keycloak.models.ClientModel#getManagementUrl()

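/**
 * Checks the client configuration to return the redirect URL and the binding type.
 * POST is preferred, only if the SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE
 * and management URL are empty REDIRECT is chosen.
 * <p>
 * The management URL is read from the model exactly once so that the blank
 * check and the returned value are guaranteed to refer to the same string.
 *
 * @param client Client to create client session for
 * @return a two string array [samlUrl, bindingType] or null if error
 */
private String[] getUrlAndBindingForIdpInitiatedSso(ClientModel client) {
    String postUrl = client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE);
    String getUrl = client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE);
    // single read: the original re-read the getter three times, which may be storage-backed
    String managementUrl = client.getManagementUrl();
    if (!isBlankUrl(postUrl)) {
        // first the POST binding URL
        return new String[] {postUrl.trim(), SamlProtocol.SAML_POST_BINDING};
    }
    if (!isBlankUrl(managementUrl)) {
        // second the management URL and POST
        return new String[] {managementUrl.trim(), SamlProtocol.SAML_POST_BINDING};
    }
    if (!isBlankUrl(getUrl)) {
        // last option REDIRECT binding and URL
        return new String[] {getUrl.trim(), SamlProtocol.SAML_REDIRECT_BINDING};
    }
    // no usable URL is configured; callers treat null as an error
    return null;
}

/**
 * Returns true when a configured URL is absent or consists only of whitespace.
 *
 * @param url the configured value, possibly null
 * @return whether the value should be treated as unset
 */
private static boolean isBlankUrl(String url) {
    return url == null || url.trim().isEmpty();
}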
 
/**
 * Builds the SAML SP metadata descriptor for the given client.
 * <p>
 * The binding, assertion consumer URL and single logout URL are chosen from the
 * client attributes matching the effective binding (POST when the client forces
 * it, REDIRECT otherwise). A missing or blank URL falls back to the client's
 * management URL and then to {@code FALLBACK_ERROR_URL_STRING}. A missing
 * NameID format falls back to {@code SamlProtocol.SAML_DEFAULT_NAMEID_FORMAT}.
 *
 * @param client the SAML client whose descriptor is generated
 * @return the descriptor produced by {@code SPMetadataDescriptor.getSPDescriptor}
 */
public static String getSPDescriptorForClient(ClientModel client) {
    SamlClient samlClient = new SamlClient(client);
    boolean postBinding = samlClient.forcePostBinding();

    // pick the attribute names and binding URI for the effective binding
    String acsAttribute = postBinding
            ? SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE
            : SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE;
    String sloAttribute = postBinding
            ? SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE
            : SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE;
    String binding = (postBinding
            ? JBossSAMLURIConstants.SAML_HTTP_POST_BINDING
            : JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING).get();

    // both attributes are read before any fallback is applied
    String configuredAssertionUrl = client.getAttribute(acsAttribute);
    String configuredLogoutUrl = client.getAttribute(sloAttribute);
    String assertionUrl = urlOrFallback(configuredAssertionUrl, client);
    String logoutUrl = urlOrFallback(configuredLogoutUrl, client);

    String nameIdFormat = samlClient.getNameIDFormat();
    if (nameIdFormat == null) {
        nameIdFormat = SamlProtocol.SAML_DEFAULT_NAMEID_FORMAT;
    }

    String spCertificate = SPMetadataDescriptor.xmlKeyInfo("        ", null,
            samlClient.getClientSigningCertificate(), KeyTypes.SIGNING.value(), true);
    String encCertificate = SPMetadataDescriptor.xmlKeyInfo("        ", null,
            samlClient.getClientEncryptingCertificate(), KeyTypes.ENCRYPTION.value(), true);

    return SPMetadataDescriptor.getSPDescriptor(binding, assertionUrl, logoutUrl,
            samlClient.requiresClientSignature(), samlClient.requiresAssertionSignature(),
            samlClient.requiresEncryption(), client.getClientId(), nameIdFormat,
            spCertificate, encCertificate);
}

/**
 * Uses the configured URL, else the client's management URL, else the fallback error URL.
 * The management URL is only consulted when the configured value is blank.
 *
 * @param configuredUrl the attribute value, possibly null
 * @param client        the client supplying the management URL fallback
 * @return a non-blank URL string (not trimmed)
 */
private static String urlOrFallback(String configuredUrl, ClientModel client) {
    String url = configuredUrl;
    if (isBlank(url)) {
        url = client.getManagementUrl();
    }
    return isBlank(url) ? FALLBACK_ERROR_URL_STRING : url;
}

/** Returns true when the value is null or only whitespace. */
private static boolean isBlank(String value) {
    return value == null || value.trim().isEmpty();
}
 
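/**
 * Resolves the single logout service URL for the client and binding.
 * <p>
 * The binding-specific attribute is preferred; an absent or blank value falls
 * back to the client's management URL, matching the other SAML URL lookups
 * (previously only a {@code null} attribute triggered the fallback, so a
 * whitespace-only attribute silently produced {@code null}). The chosen value
 * is resolved against the client's root URL.
 *
 * @param session     the current session, passed to the URI resolver
 * @param client      the SAML client
 * @param bindingType {@code SAML_POST_BINDING} selects the POST attribute; any other value selects the REDIRECT attribute
 * @return the resolved logout URL, or {@code null} when no non-blank URL is configured
 */
public static String getLogoutServiceUrl(KeycloakSession session, ClientModel client, String bindingType) {
    String attribute = SAML_POST_BINDING.equals(bindingType)
            ? SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE
            : SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE;
    String logoutServiceUrl = client.getAttribute(attribute);

    // whitespace-only counts as unset, so the management URL fallback is reached
    if (logoutServiceUrl == null || logoutServiceUrl.trim().isEmpty()) {
        logoutServiceUrl = client.getManagementUrl();
    }
    if (logoutServiceUrl == null || logoutServiceUrl.trim().isEmpty()) {
        return null;
    }
    return ResourceAdminManager.resolveUri(session, client.getRootUrl(), logoutServiceUrl);
}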
 
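/**
 * Returns the absolute management URL of the client, or {@code null} when none is configured.
 * <p>
 * The configured value is resolved against the client's root URL and then passed
 * through property replacement, so {@code ${...}} placeholders in the
 * admin-configured URL are expanded before the result is returned.
 *
 * @param session the current session, passed to the relative URI resolver
 * @param client  the client whose management URL is requested
 * @return the resolved, property-expanded URL, or {@code null} if the value is unset or blank
 */
public static String getManagementUrl(KeycloakSession session, ClientModel client) {
    String mgmtUrl = client.getManagementUrl();
    // blank, not only empty, counts as unset — consistent with the other URL lookups
    if (mgmtUrl == null || mgmtUrl.trim().isEmpty()) {
        return null;
    }

    String absoluteURI = ResolveRelative.resolveRelativeUri(session, client.getRootUrl(), mgmtUrl);

    // this is for resolving URI like "http://${jboss.host.name}:8080/..." in order to send request to same machine and avoid request to LB in cluster environment
    // NOTE(review): replacement applies to every ${...} in the admin-supplied value, not only host properties — confirm that is intended
    return StringPropertyReplacer.replaceProperties(absoluteURI);
}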
 
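/**
 * Handles a SAML AuthnRequest for the given client and starts browser authentication.
 * <p>
 * The redirect target is the request's AssertionConsumerServiceURL when present
 * (checked via {@code RedirectUtils.verifyRedirectUri}); otherwise the client's
 * binding-specific assertion consumer attribute, falling back to the management
 * URL. A null or blank redirect is rejected as {@code INVALID_REDIRECT_URI} —
 * previously only {@code null} was rejected, so a blank management URL could be
 * stored as the session redirect. Request details (binding, RelayState, request ID,
 * NameIDPolicy, Subject NameID, ForceAuthn) are copied into the authentication
 * session before registered preprocessors run.
 *
 * @param relayState          the RelayState received with the request
 * @param requestAbstractType the parsed AuthnRequest
 * @param client              the SAML client the request is addressed to
 * @return the browser authentication response, or an error page for an invalid request
 */
protected Response loginRequest(String relayState, AuthnRequestType requestAbstractType, ClientModel client) {
    SamlClient samlClient = new SamlClient(client);

    if (! validateDestination(requestAbstractType, samlClient, Errors.INVALID_SAML_AUTHN_REQUEST)) {
        return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
    }

    // the client's forced binding overrides whatever the request asked for
    String bindingType = getBindingType(requestAbstractType);
    if (samlClient.forcePostBinding())
        bindingType = SamlProtocol.SAML_POST_BINDING;
    String redirect;
    URI redirectUri = requestAbstractType.getAssertionConsumerServiceURL();
    if (redirectUri != null && ! "null".equals(redirectUri.toString())) { // "null" is for testing purposes
        // SP-supplied target: must pass the registered redirect URI check
        redirect = RedirectUtils.verifyRedirectUri(session, redirectUri.toString(), client);
    } else {
        // no SP-supplied target: use the client's configured URLs
        if (bindingType.equals(SamlProtocol.SAML_POST_BINDING)) {
            redirect = client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE);
        } else {
            redirect = client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE);
        }
        if (redirect == null || redirect.trim().isEmpty()) {
            redirect = client.getManagementUrl();
        }

    }

    // the management URL fallback is not blank-checked above, so reject blank here too
    if (redirect == null || redirect.trim().isEmpty()) {
        event.error(Errors.INVALID_REDIRECT_URI);
        return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REDIRECT_URI);
    }

    AuthenticationSessionModel authSession = createAuthenticationSession(client, relayState);

    authSession.setProtocol(SamlProtocol.LOGIN_PROTOCOL);
    authSession.setRedirectUri(redirect);
    authSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
    authSession.setClientNote(SamlProtocol.SAML_BINDING, bindingType);
    authSession.setClientNote(GeneralConstants.RELAY_STATE, relayState);
    authSession.setClientNote(SamlProtocol.SAML_REQUEST_ID, requestAbstractType.getID());

    // Handle NameIDPolicy from SP; ignored entirely when the client forces its own format
    NameIDPolicyType nameIdPolicy = requestAbstractType.getNameIDPolicy();
    final URI nameIdFormatUri = nameIdPolicy == null ? null : nameIdPolicy.getFormat();
    if (nameIdFormatUri != null && ! samlClient.forceNameIDFormat()) {
        String nameIdFormat = nameIdFormatUri.toString();
        // TODO: Handle AllowCreate too, relevant for persistent NameID.
        if (isSupportedNameIdFormat(nameIdFormat)) {
            authSession.setClientNote(GeneralConstants.NAMEID_FORMAT, nameIdFormat);
        } else {
            event.detail(Details.REASON, "unsupported_nameid_format");
            event.error(Errors.INVALID_SAML_AUTHN_REQUEST);
            return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.UNSUPPORTED_NAME_ID_FORMAT);
        }
    }

    //Reading subject/nameID in the saml request; only a NameID subject becomes a login hint
    SubjectType subject = requestAbstractType.getSubject();
    if (subject != null) {
        SubjectType.STSubType subType = subject.getSubType();
        if (subType != null) {
            BaseIDAbstractType baseID = subType.getBaseID();
            if (baseID instanceof NameIDType) {
                NameIDType nameID = (NameIDType) baseID;
                authSession.setClientNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, nameID.getValue());
            }

        }
    }

    // ForceAuthn is a nullable Boolean; only an explicit true sets the auth note
    if (null != requestAbstractType.isForceAuthn()
        && requestAbstractType.isForceAuthn()) {
        authSession.setAuthNote(SamlProtocol.SAML_LOGIN_REQUEST_FORCEAUTHN, SamlProtocol.SAML_FORCEAUTHN_REQUIREMENT);
    }


    // preprocessors may replace the request object; the result is used below
    for(Iterator<SamlAuthenticationPreprocessor> it = SamlSessionUtils.getSamlAuthenticationPreprocessorIterator(session); it.hasNext();) {
        requestAbstractType = it.next().beforeProcessingLoginRequest(requestAbstractType, authSession);
    }

    //If unset we fall back to default "false"
    final boolean isPassive = (null != requestAbstractType.isIsPassive() && requestAbstractType.isIsPassive().booleanValue());
    return newBrowserAuthentication(authSession, isPassive, redirectToAuthentication);
}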