tothbt/keycloak-bundle
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit

Browse Source
This commit is contained in:
Abdellah ELMAKHROUBI
2020-11-19 15:26:54 +01:00
commit b303c94643
11 changed files with 908 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

215
Security/Authenticator/KeycloakBearerAuthenticator.php Normal file
View File

@@ -0,0 +1,215 @@
<?php
namespace ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\Authenticator;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;
class KeycloakBearerAuthenticator extends AbstractGuardAuthenticator
{
/**
* Returns a response that directs the user to authenticate.
*
* This is called when an anonymous request accesses a resource that
* requires authentication. The job of this method is to return some
* response that "helps" the user start into the authentication process.
*
* Examples:
*
* - For a form login, you might redirect to the login page
*
* return new RedirectResponse('/login');
*
* - For an API token authentication system, you return a 401 response
*
* return new Response('Auth header required', 401);
*
* @param Request $request The request that resulted in an AuthenticationException
* @param AuthenticationException|null $authException The exception that started the authentication process
*
* @return JsonResponse
*/
public function start(Request $request, AuthenticationException $authException = null)
{
$data = [
// you might translate this message
'message' => 'Auth header required'
];
return new JsonResponse($data, Response::HTTP_UNAUTHORIZED);
}
/**
* Does the authenticator support the given Request?
*
* If this returns false, the authenticator will be skipped.
*
* @param Request $request
*
* @return bool
*/
public function supports(Request $request)
{
return !empty($request->headers->get('Authorization'));
}
/**
* Get the authentication credentials from the request and return them
* as any type (e.g. an associate array).
*
* Whatever value you return here will be passed to getUser() and checkCredentials()
*
* For example, for a form login, you might:
*
* return [
* 'username' => $request->request->get('_username'),
* 'password' => $request->request->get('_password'),
* ];
*
* Or for an API token that's on a header, you might use:
*
* return ['api_key' => $request->headers->get('X-API-TOKEN')];
*
* @param Request $request
*
* @return mixed Any non-null value
*
* @throws \UnexpectedValueException If null is returned
*/
public function getCredentials(Request $request)
{
return [
'token' => $request->headers->get('Authorization'),
];
}
/**
* Return a UserInterface object based on the credentials.
*
* The *credentials* are the return value from getCredentials()
*
* You may throw an AuthenticationException if you wish. If you return
* null, then a UsernameNotFoundException is thrown for you.
*
* @param mixed $credentials
* @param UserProviderInterface $userProvider
*
* @throws AuthenticationException
*
* @return UserInterface|null
*/
public function getUser($credentials, UserProviderInterface $userProvider)
{
$token = $credentials['token'];
if (!$token) {
throw new BadCredentialsException('Token is not present in the request headers');
}
try {
$user = $userProvider->loadUserByUsername($this->formatToken($token));
} catch (\Exception $e) {
throw new BadCredentialsException(sprintf('Error when introspecting the token: %s', $e->getMessage()));
}
return $user;
}
/**
* Returns true if the credentials are valid.
*
* If any value other than true is returned, authentication will
* fail. You may also throw an AuthenticationException if you wish
* to cause authentication to fail.
*
* The *credentials* are the return value from getCredentials()
*
* @param mixed $credentials
* @param UserInterface $user
*
* @return bool
*
* @throws AuthenticationException
*/
public function checkCredentials($credentials, UserInterface $user)
{
return true;
}
/**
* Called when authentication executed, but failed (e.g. wrong username password).
*
* This should return the Response sent back to the user, like a
* RedirectResponse to the login page or a 403 response.
*
* If you return null, the request will continue, but the user will
* not be authenticated. This is probably not what you want to do.
*
* @param Request $request
* @param AuthenticationException $exception
*
* @return Response|null
*/
public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
{
return new JsonResponse(['error' => $exception->getMessage()], Response::HTTP_FORBIDDEN);
}
/**
* Called when authentication executed and was successful!
*
* This should return the Response sent back to the user, like a
* RedirectResponse to the last page they visited.
*
* If you return null, the current request will continue, and the user
* will be authenticated. This makes sense, for example, with an API.
*
* @param Request $request
* @param TokenInterface $token
* @param string $providerKey The provider (i.e. firewall) key
*
* @return Response|null
*/
public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
{
return null;
}
/**
* Does this method support remember me cookies?
*
* Remember me cookie will be set if *all* of the following are met:
* A) This method returns true
* B) The remember_me key under your firewall is configured
* C) The "remember me" functionality is activated. This is usually
* done by having a _remember_me checkbox in your form, but
* can be configured by the "always_remember_me" and "remember_me_parameter"
* parameters under the "remember_me" firewall key
* D) The onAuthenticationSuccess method returns a Response object
*
* @return bool
*/
public function supportsRememberMe()
{
return false;
}
/**
* @param string $token
* @return string
*/
protected function formatToken(string $token): string
{
return trim(preg_replace('/^(?:\s+)?Bearer\s/', '', $token));
}
}

301
Security/User/KeycloakBearerUser.php Normal file
View File

@@ -0,0 +1,301 @@
<?php
namespace ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\User;
use Symfony\Component\Security\Core\User\UserInterface;
class KeycloakBearerUser implements UserInterface, \Serializable
{
/**
* @var string
*/
private $sub;
/**
* @var string
*/
private $name;
/**
* @var string
*/
private $email;
/**
* @var string
*/
private $given_name;
/**
* @var string
*/
private $family_name;
/**
* @var string
*/
private $preferred_username;
/**
* @var array
*/
private $roles;
/**
* @var string
*/
private $accessToken;
/**
* KeycloakBearerUser constructor.
* @param string $sub
* @param string $name
* @param string $email
* @param string $given_name
* @param string $family_name
* @param string $preferred_username
* @param array $roles
* @param string $accessToken
*/
public function __construct(
string $sub,
string $name,
string $email,
string $given_name,
string $family_name,
string $preferred_username,
array $roles,
string $accessToken
)
{
$this->sub = $sub;
$this->name = $name;
$this->email = $email;
$this->given_name = $given_name;
$this->family_name = $family_name;
$this->preferred_username = $preferred_username;
$this->roles = $roles;
$this->accessToken = $accessToken;
}
/**
* @return string
*/
public function getSub(): string
{
return $this->sub;
}
/**
* @param string $sub
*/
public function setSub(string $sub): void
{
$this->sub = $sub;
}
/**
* @return string
*/
public function getName(): string
{
return $this->name;
}
/**
* @param string $name
*/
public function setName(string $name): void
{
$this->name = $name;
}
/**
* @return string
*/
public function getEmail(): string
{
return $this->email;
}
/**
* @param string $email
*/
public function setEmail(string $email): void
{
$this->email = $email;
}
/**
* @return string
*/
public function getGivenName(): string
{
return $this->given_name;
}
/**
* @param string $given_name
*/
public function setGivenName(string $given_name): void
{
$this->given_name = $given_name;
}
/**
* @return string
*/
public function getFamilyName(): string
{
return $this->family_name;
}
/**
* @param string $family_name
*/
public function setFamilyName(string $family_name): void
{
$this->family_name = $family_name;
}
/**
* @param string $preferred_username
*/
public function setPreferredUsername(string $preferred_username): void
{
$this->preferred_username = $preferred_username;
}
/**
* @return string
*/
public function getAccessToken(): string
{
return $this->accessToken;
}
/**
* @param string $accessToken
*/
public function setAccessToken(string $accessToken): void
{
$this->accessToken = $accessToken;
}
/**
* Returns the roles granted to the user.
*
* public function getRoles()
* {
* return ['ROLE_USER'];
* }
*
* Alternatively, the roles might be stored on a ``roles`` property,
* and populated in any number of different ways when the user object
* is created.
*
* @return array (Role|string)[] The user roles
*/
public function getRoles()
{
return $this->roles;
}
/**
* Returns the password used to authenticate the user.
*
* This should be the encoded password. On authentication, a plain-text
* password will be salted, encoded, and then compared to this value.
*
* @return string The password
*/
public function getPassword()
{
// TODO: Implement getPassword() method.
return $this->sub;
}
/**
* Returns the salt that was originally used to encode the password.
*
* This can return null if the password was not encoded using a salt.
*
* @return string|null The salt
*/
public function getSalt()
{
// TODO: Implement getSalt() method.
return null;
}
/**
* Returns the username used to authenticate the user.
*
* @return string The username
*/
public function getUsername()
{
// TODO: Implement getUsername() method.
return $this->preferred_username;
}
/**
* Removes sensitive data from the user.
*
* This is important if, at any given point, sensitive information like
* the plain-text password is stored on this object.
*/
public function eraseCredentials()
{
// TODO: Implement eraseCredentials() method.
}
/**
* String representation of object
* @link http://php.net/manual/en/serializable.serialize.php
* @return string the string representation of the object or null
* @since 5.1.0
*/
public function serialize()
{
return serialize(array(
$this->sub,
$this->name,
$this->email,
$this->given_name,
$this->family_name,
$this->preferred_username,
$this->roles,
$this->accessToken
));
}
/**
* Constructs the object
* @link http://php.net/manual/en/serializable.unserialize.php
* @param string $serialized <p>
* The string representation of the object.
* </p>
* @return void
* @since 5.1.0
*/
public function unserialize($serialized)
{
list (
$this->sub,
$this->name,
$this->email,
$this->given_name,
$this->family_name,
$this->preferred_username,
$this->roles,
$this->accessToken
) = unserialize($serialized, ['allowed_classes' => false]);
}
}

138
Security/User/KeycloakBearerUserProvider.php Normal file
View File

@@ -0,0 +1,138 @@
<?php
namespace ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\User;
use GuzzleHttp\Client;
use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
class KeycloakBearerUserProvider implements UserProviderInterface
{
/**
* @var string
*/
private $issuer;
/**
* @var string
*/
private $realm;
/**
* @var string
*/
private $client_id;
/**
* @var string
*/
private $client_secret;
/**
* KeycloakBearerUserProvider constructor.
* @param string $issuer
* @param string $realm
* @param string $client_id
* @param string $client_secret
*/
public function __construct(string $issuer, string $realm, string $client_id, string $client_secret)
{
$this->issuer = $issuer;
$this->realm = $realm;
$this->client_id = $client_id;
$this->client_secret = $client_secret;
}
/**
* Loads the user for the given username.
*
* This method must throw UsernameNotFoundException if the user is not
* found.
*
* @param string $accessToken The username
*
* @return UserInterface
*
* @throws UsernameNotFoundException if the user is not found
*/
public function loadUserByUsername($accessToken)
{
$client = new Client([
'base_uri' => $this->issuer,
]);
$response = $client->post('/auth/realms/'.$this->realm.'/protocol/openid-connect/token/introspect', [
'auth' => [$this->client_id, $this->client_secret],
'form_params' => [
'token' => $accessToken,
],
'proxy' => [
'http' => '', // Use this proxy with "http"
'https' => '', // Use this proxy with "https",
],
'http_errors' => false
]);
$jwt = json_decode($response->getBody(), true);
if (!$jwt['active']) {
throw new \UnexpectedValueException('The token does not exist or is not valid anymore');
}
if (!isset($jwt['resource_access'][$this->client_id])) {
throw new \UnexpectedValueException('The token does not have the necessary permissions!');
}
return new KeycloakBearerUser(
$jwt['sub'],
$jwt['name'],
$jwt['email'],
$jwt['given_name'],
$jwt['family_name'],
$jwt['preferred_username'],
$jwt['resource_access'][$this->client_id]['roles'],
$accessToken
);
}
/**
* Refreshes the user.
*
* It is up to the implementation to decide if the user data should be
* totally reloaded (e.g. from the database), or if the UserInterface
* object can just be merged into some internal array of users / identity
* map.
*
* @return UserInterface
*
* @throws UnsupportedUserException if the user is not supported
* @throws UsernameNotFoundException if the user is not found
*/
public function refreshUser(UserInterface $user)
{
if (!$user instanceof KeycloakBearerUser) {
throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
}
$user = $this->loadUserByUsername($user->getAccessToken());
if (!$user) {
throw new UsernameNotFoundException();
}
return $user;
}
/**
* Whether this provider supports the given user class.
*
* @param string $class
*
* @return bool
*/
public function supportsClass($class)
{
return KeycloakBearerUser::class === $class;
}
}