feat: allow to check for more Keycloak issuers (#289)

augi · web-flow · commit bc58bc331646 · 2021-11-18T13:51:18.000+01:00
* feat: allow to check for more Keycloak issuers

* chore: formatting
diff --git a/keycloak/src/main/java/com/avast/grpc/jwt/keycloak/server/IssuersCheck.java b/keycloak/src/main/java/com/avast/grpc/jwt/keycloak/server/IssuersCheck.java
@@ -0,0 +1,28 @@
+package com.avast.grpc.jwt.keycloak.server;
+
+import org.keycloak.TokenVerifier;
+import org.keycloak.common.VerificationException;
+import org.keycloak.representations.JsonWebToken;
+
+public class IssuersCheck implements TokenVerifier.Predicate<JsonWebToken> {
+  private final String[] issuers;
+
+  public IssuersCheck(String[] issuers) {
+    this.issuers = issuers;
+  }
+
+  @Override
+  public boolean test(JsonWebToken t) throws VerificationException {
+    for (String i : issuers) {
+      if (i.equals(t.getIssuer())) {
+        return true;
+      }
+    }
+    throw new VerificationException(
+        "Invalid token issuer. Was '"
+            + t.getIssuer()
+            + "' but expected one of: "
+            + String.join(" ", issuers));
+  }
+}
+;
diff --git a/keycloak/src/main/java/com/avast/grpc/jwt/keycloak/server/KeycloakJwtServerInterceptor.java b/keycloak/src/main/java/com/avast/grpc/jwt/keycloak/server/KeycloakJwtServerInterceptor.java
@@ -24,7 +24,10 @@ public static KeycloakJwtServerInterceptor fromConfig(Config config) {
             Clock.systemUTC());
     KeycloakJwtTokenParser tokenParser =
         new KeycloakJwtTokenParser(
-            fc.getString("serverUrl"), fc.getString("realm"), publicKeyProvider);
+            fc.getString("serverUrl"),
+            fc.getString("realm"),
+            fc.getStringList("allowedIssuers"),
+            publicKeyProvider);
     tokenParser = tokenParser.withExpectedAudience(fc.getString("expectedAudience"));
     tokenParser = tokenParser.withExpectedIssuedFor(fc.getString("expectedIssuedFor"));
     return new KeycloakJwtServerInterceptor(tokenParser);
diff --git a/keycloak/src/main/java/com/avast/grpc/jwt/keycloak/server/KeycloakJwtTokenParser.java b/keycloak/src/main/java/com/avast/grpc/jwt/keycloak/server/KeycloakJwtTokenParser.java
@@ -2,8 +2,10 @@
 
 import com.avast.grpc.jwt.server.JwtTokenParser;
 import com.google.common.base.Strings;
+import java.util.List;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.CompletionException;
+import java.util.stream.Collectors;
 import org.keycloak.TokenVerifier;
 import org.keycloak.common.VerificationException;
 import org.keycloak.constants.ServiceUrlConstants;
@@ -18,13 +20,19 @@ public class KeycloakJwtTokenParser implements JwtTokenParser<AccessToken> {
   protected String expectedIssuedFor;
 
   public KeycloakJwtTokenParser(
-      String serverUrl, String realm, KeycloakPublicKeyProvider publicKeyProvider) {
+      String serverUrl,
+      String realm,
+      List<String> allowedIssuers,
+      KeycloakPublicKeyProvider publicKeyProvider) {
     this.publicKeyProvider = publicKeyProvider;
-    String realmUrl =
-        serverUrl + ServiceUrlConstants.REALM_INFO_PATH.replace("{realm-name}", realm);
+
+    String suffix = ServiceUrlConstants.REALM_INFO_PATH.replace("{realm-name}", realm);
+    List<String> issuers =
+        allowedIssuers.stream().map(i -> i + suffix).collect(Collectors.toList());
+    issuers.add(0, serverUrl + suffix);
     this.checks =
         new TokenVerifier.Predicate[] {
-          new TokenVerifier.RealmUrlCheck(realmUrl),
+          new IssuersCheck(issuers.toArray(new String[0])),
           TokenVerifier.SUBJECT_EXISTS_CHECK,
           new TokenVerifier.TokenTypeCheck(TokenUtil.TOKEN_TYPE_BEARER),
           TokenVerifier.IS_ACTIVE
diff --git a/keycloak/src/main/resources/reference.conf b/keycloak/src/main/resources/reference.conf
@@ -10,6 +10,7 @@ keycloakDefaults {
   // for server
   expectedAudience = ""
   expectedIssuedFor = ""
+  allowedIssuers = [] // list of additional allowed issuers, e.g. "https://sso-new.example.com/auth"
   minTimeBetweenJwksRequests = 10 seconds
   publicKeyCacheTtl = 1 day
 }

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@ keycloakDefaults {`
`10`	`10`	`// for server`
`11`	`11`	`expectedAudience = ""`
`12`	`12`	`expectedIssuedFor = ""`
	`13`	`+ allowedIssuers = [] // list of additional allowed issuers, e.g. "https://sso-new.example.com/auth"`
`13`	`14`	`minTimeBetweenJwksRequests = 10 seconds`
`14`	`15`	`publicKeyCacheTtl = 1 day`
`15`	`16`	`}`