I have the following Setup:
Keycloak 9.0.0 running on port 8180
Spring Boot server application running on port 8080
Demo client application using CxfTypeSafeClientBuilder to access server service
The Keycloak - Spring Boot interaction is working fine and I can receive tokens from Keycloak and the demo service is validating the token if I pass it as Authorization header.
How should I configure the CxfTypeSafeClientBuilder / RestClientBuilder to handle the JWT tokens I get from the Keycloak instance? Do I have to build my own ClientResponseFilter, if so how to handle expired tokens?
Are there any existing implementations / standards I didn't find?
JAX-RS webservice interface:
#Path("/demo")
public interface IDemoService {
#GET
#Path("/test")
String test();
}
Simple Spring Security configuration:
http.cors().and().csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.sessionAuthenticationStrategy(sessionAuthenticationStrategy()).and().authorizeRequests().antMatchers("/**")
.authenticated();
EDIT: new workaround to get initial access- and refresh token from server:
AccessTokenResponse tokens = AuthUtil.getAuthTokens("http://localhost:8180/auth", "share-server", "test", "test", "share-server-service-login");
String accessToken = tokens.getToken();
String refreshToken = tokens.getRefreshToken();
Client doing service calls until the token expires:
URI apiUri = new URI("http://localhost:8080/services/");
RestClientBuilder client = new CxfTypeSafeClientBuilder().baseUri(apiUri).register(new TokenFilter(accessToken, refreshToken));
IDemoService service = client.build(IDemoService.class);
for (int i = 0; i < 200; i++) {
System.out.println("client: " + new Date() + " " + service.test());
Thread.sleep(10000);
}
TokenFilter which works until the access-token expires:
public static class TokenFilter implements ClientRequestFilter, ClientResponseFilter {
private String accessToken;
private String refreshToken;
public TokenFilter(String accessToken, String refreshToken) {
this.accessToken = accessToken;
this.refreshToken = refreshToken;
}
#Override
public void filter(ClientRequestContext requestContext, ClientResponseContext responseContext) throws IOException {
if (responseContext.getStatus() == 401 && "invalid_token".equals(responseContext.getStatusInfo().getReasonPhrase())) {
// maybe handle send the refresh token... probalby should be handled earlier using the 'expires' value
}
}
#Override
public void filter(ClientRequestContext requestContext) throws IOException {
if (accessToken != null && !accessToken.isEmpty()) {
requestContext.getHeaders().add(HttpHeaders.AUTHORIZATION, "Bearer" + " " + accessToken);
}
}
}
Found a better solution with only dependencies on keycloak-authz-client:
String serverUrl = "http://localhost:8180/auth";
String realm = "share-server";
String clientId = "share-server-service-login";
String clientSecret = "e70752a6-8910-4043-8926-03661f43398c";
String username = "test";
String password = "test";
Map<String, Object> credentials = new HashMap<>();
credentials.put("secret", clientSecret);
Configuration configuration = new Configuration(serverUrl, realm, clientId, credentials, null);
AuthzClient authzClient = AuthzClient.create(configuration);
AuthorizationResource authorizationResource = authzClient.authorization(username, password);
URI apiUri = new URI("http://localhost:8080/services/");
RestClientBuilder client = new CxfTypeSafeClientBuilder().baseUri(apiUri).register(new TokenFilter(authorizationResource));
IDemoService service = client.build(IDemoService.class);
for (int i = 0; i < 200; i++) {
System.out.println("client: " + new Date() + " " + service.test());
Thread.sleep(10000);
}
authorizationResource.authorize() will use org.keycloak.authorization.client.util.TokenCallable.call() in the background which validates the token expiration time and automatically refreshes the token if necessary.
so String accessToken = authorize.getToken(); will always be the current valid token.
#Priority(Priorities.AUTHENTICATION)
public static class TokenFilter implements ClientRequestFilter {
private AuthorizationResource authorizationResource;
public TokenFilter(AuthorizationResource authorizationResource) {
this.authorizationResource = authorizationResource;
}
#Override
public void filter(ClientRequestContext requestContext) throws IOException {
AuthorizationResponse authorize = authorizationResource.authorize();
String accessToken = authorize.getToken();
System.out.println(accessToken);
if (accessToken != null && !accessToken.isEmpty()) {
requestContext.getHeaders().add(HttpHeaders.AUTHORIZATION, "Bearer" + " " + accessToken);
}
}
}
I found a solution which automatically refreshes the access token but now I have a dependency to keycloak-client-registration-cli (which is actually intended to provide a console).
There might be better solutions with a less heavy dependencies.
Currently no handling if login fails or other exception handling implemented.
String serverUrl = "http://localhost:8180/auth";
String realm = "share-server";
String clientId = "share-server-service-login";
String username = "test";
String password = "test";
// initial token after login
AccessTokenResponse token = AuthUtil.getAuthTokens(serverUrl, realm, username, password, clientId);
String accessToken = token.getToken();
String refreshToken = token.getRefreshToken();
ConfigData configData = new ConfigData();
configData.setRealm(realm);
configData.setServerUrl(serverUrl);
RealmConfigData realmConfigData = configData.sessionRealmConfigData();
realmConfigData.setClientId(clientId);
realmConfigData.setExpiresAt(System.currentTimeMillis() + token.getExpiresIn() * 1000);
realmConfigData.setRefreshExpiresAt(System.currentTimeMillis() + token.getRefreshExpiresIn() * 1000);
realmConfigData.setToken(accessToken);
realmConfigData.setRefreshToken(refreshToken);
ConfigUtil.setupInMemoryHandler(configData);
URI apiUri = new URI("http://localhost:8080/services/");
RestClientBuilder client = new CxfTypeSafeClientBuilder().baseUri(apiUri).register(new TokenFilter(configData));
IDemoService service = client.build(IDemoService.class);
for (int i = 0; i < 200; i++) {
System.out.println("client: " + new Date() + " " + service.test());
Thread.sleep(10000);
}
Filter which automatically refreshes the access token if expired using AuthUtil.ensureToken(configData):
#Priority(Priorities.AUTHENTICATION)
public static class TokenFilter implements ClientRequestFilter {
private ConfigData configData;
public TokenFilter(ConfigData configData) {
this.configData = configData;
}
#Override
public void filter(ClientRequestContext requestContext) throws IOException {
String accessToken = AuthUtil.ensureToken(configData);
if (accessToken != null && !accessToken.isEmpty()) {
requestContext.getHeaders().add(HttpHeaders.AUTHORIZATION, "Bearer" + " " + accessToken);
}
}
}
More generic solution using Apache CXF OAuth2 (cxf-rt-rs-security-oauth2), without ClientRequestFilter.
The BearerAuthSupplier automatically handles refreshTokens and receives new accessTokens.
String serverUrl = "http://localhost:8180/auth";
String realm = "share-server";
String clientId = "share-server-service-login";
String clientSecret = "e70752a6-8910-4043-8926-03661f43398c";
String username = "test";
String password = "test";
String tokenUri = serverUrl + "/realms/" + realm + "/protocol/openid-connect/token";
Consumer consumer = new Consumer(clientId);
ResourceOwnerGrant grant = new ResourceOwnerGrant(username, password);
ClientAccessToken initial = OAuthClientUtils.getAccessToken(tokenUri, consumer, grant, true);
BearerAuthSupplier supplier = new BearerAuthSupplier();
supplier.setAccessToken(initial.getTokenKey());
supplier.setRefreshToken(initial.getRefreshToken());
supplier.setConsumer(consumer);
supplier.setAccessTokenServiceUri(tokenUri);
HTTPConduitConfigurer httpConduitConfigurer = new HTTPConduitConfigurer() {
#Override
public void configure(String name, String address, HTTPConduit c) {
c.setAuthSupplier(supplier);
}
};
Bus bus = BusFactory.getThreadDefaultBus();
bus.setExtension(httpConduitConfigurer, HTTPConduitConfigurer.class);
URI apiUri = new URI("http://localhost:8080/services/");
RestClientBuilder client = new CxfTypeSafeClientBuilder().baseUri(apiUri);
IDemoService service = client.build(IDemoService.class);
for (int i = 0; i < 200; i++) {
System.out.println("client: " + new Date() + " " + service.test());
Thread.sleep(5 * 60 * 1000);
}
Instead of login in with username and password (ResourceOwnerGrant) also possible to use client credentials with ClientCredentialsGrant.
ClientCredentialsGrant grant = new ClientCredentialsGrant();
grant.setClientId(clientId);
grant.setClientSecret(clientSecret);
Related
We are trying to connect to webservice (from Java) that has ADFS SAML authentication.
All the examples I have seen, use Basic Authentication over HTTPS. (I am just using HttpsURLConnection to make a request for now, not using anything like Axis or JAX-WS)
I am not sure how to approach ADFS SAML authentication. Here's what I understand so far (don't know much about SAML):
I make one request, pass username/password and get the
authentication token back
Save the authentication token
Pass the token as some SOAP attribute in my calls where I invoke an
actual operation on the webservice
No idea under which attribute would I put this authentication token though
Is my above approach correct? If so, is there some library that I can use that does all this?
If not how can I go about doing this manually?
Please let me know if there are other or better ways of going about this.
If you are trying to build native app then can use below code. i has tried to use power bi rest apis. once you gets token you can use that in api calls.
public class PublicClient {
private final static String AUTHORITY = "https://login.microsoftonline.com/common";
private final static String CLIENT_ID = "XXXX-xxxx-xxx-xxx-xxxX";
private final static String RESOURCE = "https://analysis.windows.net/powerbi/api";
public static void main(String args[]) throws Exception {
try (BufferedReader br = new BufferedReader(new InputStreamReader(System.in))) {
System.out.print("Enter username: ");
String username = br.readLine();
System.out.print("Enter password: ");
String password = br.readLine();
AuthenticationResult result = getAccessTokenFromUserCredentials(
username, password);
System.out.println("Access Token - " + result.getAccessToken());
System.out.println("Refresh Token - " + result.getRefreshToken());
System.out.println("ID Token Expires on - " + result.getExpiresOn());
}
}
private static AuthenticationResult getAccessTokenFromUserCredentials(
String username, String password) throws Exception {
AuthenticationContext context = null;
AuthenticationResult result = null;
ExecutorService service = null;
try {
service = Executors.newFixedThreadPool(1);
context = new AuthenticationContext(AUTHORITY, false, service);
Future<AuthenticationResult> future = context.acquireToken(
RESOURCE, CLIENT_ID, username, password, null);
result = future.get();
} finally {
service.shutdown();
}
if (result == null) {
throw new ServiceUnavailableException(
"authentication result was null");
}
return result;
}
}
I am working on a java server which is sending Firebase Cloud Messaging notification to devices using OAUTH 2.0 authentication.
According to guide (https://firebase.google.com/docs/cloud-messaging/auth-server?authuser=0) I have generated key from an account service with editor role, but I keep getting 403 SENDER_ID_MISMATCH error.
Any suggestion?
public class FcmManager {
private static final String DEVICE_NOTIFICATION_URL = "https://fcm.googleapis.com/v1/projects/myprojectid/messages:send";
private static final String JSON_STR_DEVICE_NOTIFICATION = "{\"message\":{\"token\" : " +"\"%s\"" + ",\"notification\" : " +
"{\"body\" : \"%s\",\"title\" : \"%s\"}}}";
public static boolean sendNotificationDevice(DeviceNotification deviceNotification, String msgTitle,
String msgBody) throws Exception{
String accessToken = getAccessToken();
System.out.println(msgBody);
String jsonStr = String.format(JSON_STR_DEVICE_NOTIFICATION, deviceNotification.getToken()
,msgBody,msgTitle);
System.out.println(jsonStr);
F.Promise<String> response = WS.url(DEVICE_NOTIFICATION_URL)
.setContentType("application/json").setHeader("Authorization","Bearer " +
accessToken).post(jsonStr).map(
new F.Function<WS.Response, String>() {
public String apply(WS.Response response) {
String result = response.getBody();
System.out.println(result);
return result;
}
}
);
return true;
}
private static String getAccessToken() throws IOException {
GoogleCredential googleCredential = GoogleCredential
.fromStream(new FileInputStream("mygeneratedkeyfromaccountservice.json"))
.createScoped(Arrays.asList("https://www.googleapis.com/auth/firebase.messaging"));
googleCredential.refreshToken();
return googleCredential.getAccessToken();
}
}
This is what i have:
static AccessToken accessToken = new DefaultFacebookClient().obtainExtendedAccessToken("<my app id>", "<my app secret>");
static FacebookClient client = new DefaultFacebookClient();
public static void main(String args[]) {
System.out.print("Enter Your Status: ");
BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
String status= null;
try {
userName = br.readLine();
System.out.println("..........");
} catch (IOException ioe) {
System.out.println("!");
System.exit(1);
}
FacebookType publishMessageResponse =
client.publish("me/feed", FacebookType.class,
Parameter.with("message", status));
So first line gets the token and stores it as type AccessToken but what good does that do to me because next line i need to provide the access token as a string and i can't convert it. Any Help?
First of all don't confuse app token with user token (more info)
To get user token you have to
Provide a way for user to authenticate against Facebook (more info) and receive "code" - an encrypted string unique to each login request.
Get the user token using this code.
You can get user token with pure RestFB the following way:
private FacebookClient.AccessToken getFacebookUserToken(String code, String redirectUrl) throws IOException {
String appId = "YOUR_APP_ID";
String secretKey = "YOUR_SECRET_KEY";
WebRequestor wr = new DefaultWebRequestor();
WebRequestor.Response accessTokenResponse = wr.executeGet(
"https://graph.facebook.com/oauth/access_token?client_id=" + appId + "&redirect_uri=" + redirectUrl
+ "&client_secret=" + secretKey + "&code=" + code);
return DefaultFacebookClient.AccessToken.fromQueryString(accessTokenResponse.getBody());
}
The call is simple:
FacebookClient.AccessToken token = getFacebookUserToken(code, redirectUrl);
String accessToken = token.getAccessToken();
Date expires = token.getExpires();
In addition to what Jack said about AccessToken.getAccessToken() returning the string value of accessToken, you can avoid instantiating DefaultFacebookClient twice by extending DefaultFacebookClient like this:
import com.restfb.DefaultFacebookClient;
public class LoggedInFacebookClient extends DefaultFacebookClient {
public LoggedInFacebookClient(String appId, String appSecret) {
AccessToken accessToken = this.obtainAppAccessToken(appId, appSecret);
this.accessToken = accessToken.getAccessToken();
}
}
Try the following code:
AccessToken accessToken = new DefaultFacebookClient().obtainAppAccessToken(appid,appsecret);
String token=accessToken.getAccessToken();
Per restfb.FacebookClient.AccessToken, you should be able to call accessToken.getAccessToken() -- that should return the String you are looking for.
This will work
AccessToken accessToken = new DefaultFacebookClient().obtainAppAccessToken("XXXX", "XXXX");
String token=accessToken.getAccessToken();
DefaultFacebookClient facebookClient = new DefaultFacebookClient(token);
I have static content configured like this:
ContextHandler staticContext = new ContextHandler();
staticContext.setContextPath("/");
staticContext.setResourceBase(".");
staticContext.setClassLoader(Thread.currentThread().getContextClassLoader());
ResourceHandler resourceHandler = new ResourceHandler();
resourceHandler.setDirectoriesListed(true);
resourceHandler.setWelcomeFiles(new String[]{"index.html"});
resourceHandler.setResourceBase(webDir);
staticContext.setHandler(resourceHandler);
And now I want to set Basic HTTP Auth for all my static files. How can I do this?
PS. I'm using embedded Jetty withour web.xml
Override ResourceHandler#handle() with something like:
public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
String authHeader = request.getHeader("Authorization");
if (authHeader != null && authHeader.startsWith("Basic ")) {
String[] up = parseBasic(authHeader.substring(authHeader.indexOf(" ") + 1));
String username = up[0];
String password = up[1];
if (authenticateUser(username, password)) {
super.handle(target, baseRequest, request, response);
return;
}
}
response.setHeader("WWW-Authenticate", "BASIC realm=\"SecureFiles\"");
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Please provide username and password");
}
private boolean authenticateUser(String username, String password) {
// Perform authentication here
return true; // .. if authentication is successful
}
private String[] parseBasic(String enc) {
byte[] bytes = Base64.decodeBase64(enc.getBytes());
String s = new String(bytes);
int pos = s.indexOf( ":" );
if( pos >= 0 )
return new String[] { s.substring( 0, pos ), s.substring( pos + 1 ) };
else
return new String[] { s, null };
}
The Base64.decodeBase64 above is from Apache Commons Codec. Of course you can find a library that does Basic Auth for you, but here you can see what happens under the covers. Another approach could be to use a Basic Auth filter and install that into your context.
I am trying to write a server side Facebook Notification service in my GWT app. The idea is that I will run this as a timertask or cron job sort of.
With the code below, I get a login URL, I want to be able to Login programmatically as this is intended to be automated (Headless sort of way). I was gonna try do a submit with HTMLunit but I thought the FB API should cater for this.
Please advice.
public class NotificationServiceImpl extends RemoteServiceServlet implements NotificationService {
/**serialVersionUID*/
private static final long serialVersionUID = 6893572879522128833L;
private static final String FACEBOOK_USER_CLIENT = "facebook.user.client";
long facebookUserID;
public String sendMessage(Notification notification) throws IOException {
String api_key = notification.getApi_key();
String secret = notification.getSecret_key();
try {
// MDC.put(ipAddress, req.getRemoteAddr());
HttpServletRequest request = getThreadLocalRequest();
HttpServletResponse response = getThreadLocalResponse();
HttpSession session = getThreadLocalRequest().getSession(true);
// session.setAttribute("api_key", api_key);
IFacebookRestClient<Document> userClient = getUserClient(session);
if(userClient == null) {
System.out.println("User session doesn't have a Facebook API client setup yet. Creating one and storing it in the user's session.");
userClient = new FacebookXmlRestClient(api_key, secret);
session.setAttribute(FACEBOOK_USER_CLIENT, userClient);
}
System.out.println("Creating a FacebookWebappHelper, which copies fb_ request param data into the userClient");
FacebookWebappHelper<Document> facebook = new FacebookWebappHelper<Document>(request, response, api_key, secret, userClient);
String nextPage = request.getRequestURI();
nextPage = nextPage.substring(nextPage.indexOf("/", 1) + 1); //cut out the first /, the context path and the 2nd /
System.out.println(nextPage);
boolean redirectOccurred = facebook.requireLogin(nextPage);
if(redirectOccurred) {
return null;
}
redirectOccurred = facebook.requireFrame(nextPage);
if(redirectOccurred) {
return null;
}
try {
facebookUserID = userClient.users_getLoggedInUser();
if (userClient.users_hasAppPermission(Permission.STATUS_UPDATE)) {
userClient.users_setStatus("Im testing Facebook With Java! This status is written using my Java code! Can you see it? Cool :D", false);
}
} catch(FacebookException ex) {
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Error while fetching user's facebook ID");
System.out.println("Error while getting cached (supplied by request params) value " +
"of the user's facebook ID or while fetching it from the Facebook service " +
"if the cached value was not present for some reason. Cached value = {}" + userClient.getCacheUserId());
return null;
}
// MDC.put(facebookUserId, String.valueOf(facebookUserID));
// chain.doFilter(request, response);
} finally {
// MDC.remove(ipAddress);
// MDC.remove(facebookUserId);
}
return String.valueOf(facebookUserID);
}
public static FacebookXmlRestClient getUserClient(HttpSession session) {
return (FacebookXmlRestClient)session.getAttribute(FACEBOOK_USER_CLIENT);
}
}
Error message:
[ERROR] com.google.gwt.user.client.rpc.InvocationException: <script type="text/javascript">
[ERROR] top.location.href = "http://www.facebook.com/login.php?v=1.0&api_key=MY_KEY&next=notification";
[ERROR] </script>