tothbt/keycloak-bundle
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: tothbt:develop
Branches Tags
tothbt:master tothbt:2.0 tothbt:develop
tothbt:v2.0.0 tothbt:v1.3.2 tothbt:v1.2.2 tothbt:v1.1.1 tothbt:v1.0.2 tothbt:v1.3.1 tothbt:v1.3.0 tothbt:v1.2.1 tothbt:v1.2.0 tothbt:v1.1.0 tothbt:v1.0.1
..
compare: tothbt:v1.0.2
Branches Tags
tothbt:2.0 tothbt:master tothbt:develop
tothbt:v2.0.0 tothbt:v1.3.2 tothbt:v1.2.2 tothbt:v1.1.1 tothbt:v1.0.2 tothbt:v1.3.1 tothbt:v1.3.0 tothbt:v1.2.1 tothbt:v1.2.0 tothbt:v1.1.0 tothbt:v1.0.1

1 Commits
develop ... v1.0.2

Author SHA1 Message Date
El. Abdellah
1b7ebc6a80 remove /auth from Keycloak Token URL 2022-04-22 11:42:07 +02:00
12 changed files with 267 additions and 196 deletions
Expand all files Collapse all files

6
ABELkeycloakBearerOnlyAdapterBundle.php
View File

@@ -5,15 +5,11 @@ namespace ABEL\Bundle\keycloakBearerOnlyAdapterBundle;
use ABEL\Bundle\keycloakBearerOnlyAdapterBundle\DependencyInjection\ABELkeycloakBearerOnlyAdapterExtension; use ABEL\Bundle\keycloakBearerOnlyAdapterBundle\DependencyInjection\ABELkeycloakBearerOnlyAdapterExtension;
use Symfony\Component\DependencyInjection\Extension\ExtensionInterface;
use Symfony\Component\HttpKernel\Bundle\Bundle; use Symfony\Component\HttpKernel\Bundle\Bundle;
class ABELkeycloakBearerOnlyAdapterBundle extends Bundle class ABELkeycloakBearerOnlyAdapterBundle extends Bundle
{ {
/** public function getContainerExtension()
* @return ExtensionInterface|null
*/
public function getContainerExtension(): ?ExtensionInterface
{ {
if (null === $this->extension) { if (null === $this->extension) {
$this->extension = new ABELkeycloakBearerOnlyAdapterExtension(); $this->extension = new ABELkeycloakBearerOnlyAdapterExtension();

2
DependencyInjection/ABELkeycloakBearerOnlyAdapterExtension.php
View File

@@ -27,7 +27,7 @@ class ABELkeycloakBearerOnlyAdapterExtension extends Extension
$definition->replaceArgument(4, $config['ssl_verification']); $definition->replaceArgument(4, $config['ssl_verification']);
} }
public function getAlias(): string public function getAlias()
{ {
return 'abel_keycloak_bearer_only_adapter'; return 'abel_keycloak_bearer_only_adapter';
} }

52
README.md
View File

@@ -5,15 +5,10 @@ This Symfony bundle is an adapter that allows securing API using keycloak Bearer
## Installation ## Installation
> Befor installing the bundle, automatic packages configuration can be activated with the following command:
> ```
> composer config extra.symfony.allow-contrib true
> ```
With composer: With composer:
``` ```
composer require abel/keycloak-bearer-only-adapter-bundle $ composer require abel/keycloak-bearer-only-adapter-bundle
``` ```
## Configuration ## Configuration
@@ -22,15 +17,6 @@ If you want to set up keycloak locally you can download it [here](https://www.ke
### Bundle configuration ### Bundle configuration
#### Via a recipe (Automatic)
This bundle hase a Symfony recipe that allow the automation of configuration via the Symfony Flex Composer plugin.
To enable recipe for your project, run the following command:
```
composer config extra.symfony.allow-contrib true
```
#### Manual
Having a running keycloak locally or in Docker and already configured a client with **Access Type = bearer-only** Having a running keycloak locally or in Docker and already configured a client with **Access Type = bearer-only**
here is the configuration to use: here is the configuration to use:
@@ -41,28 +27,27 @@ abel_keycloak_bearer_only_adapter:
realm: '%env(OAUTH_KEYCLOAK_REALM)%' # your keycloak realm name realm: '%env(OAUTH_KEYCLOAK_REALM)%' # your keycloak realm name
client_id: '%env(OAUTH_KEYCLOAK_CLIENT_ID)%' # your keycloak client id client_id: '%env(OAUTH_KEYCLOAK_CLIENT_ID)%' # your keycloak client id
client_secret: '%env(OAUTH_KEYCLOAK_CLIENT_SECRET)%' # your keycloak client secret client_secret: '%env(OAUTH_KEYCLOAK_CLIENT_SECRET)%' # your keycloak client secret
#ssl_verification: False # by default ssl_verification is set to False
``` ```
The best practice is to load your configuration from **.env** file. The best practice is to load your configuration from **.env** file.
``` ```
# .env # .env
... ...
###> Abel_keycloak_bearer_only_adapter ### ###> Keycloak ###
OAUTH_KEYCLOAK_ISSUER=keycloak:8080 KEYCLOAK_ISSUER=http://keycloak.local:8080
OAUTH_KEYCLOAK_REALM=my_realm KEYCLOAK_REALM=my_realm
OAUTH_KEYCLOAK_CLIENT_ID=my_bearer_client KEYCLOAK_CLIENT_ID=my_bearer_client
OAUTH_KEYCLOAK_CLIENT_SECRET=my_bearer_client_secret KEYCLOAK_CLIENT_SECRET=my_bearer_client_secret
###< Abel_keycloak_bearer_only_adapter ### ###< Keycloak ###
... ...
``` ```
In case of using Keycloak with Docker locally replace **issuer** value with your keycloak container reference in the network In case of using Keycloak with Docker locally replace **issuer** value with your keycloak container reference in the network
For example, you can use the service name, or container IPAdresse that you can get using this command: For example, you can use the container IPAdresse, that you can get using this command:
``` ```
docker inspect <container id> | grep "IPAddress" $ docker inspect <container id> | grep "IPAddress"
``` ```
### Symfony security configuration ### Symfony security configuration
@@ -73,7 +58,6 @@ Here is a simple configuration that restrict access to ```/api/*``` routes only
```yaml ```yaml
# config/packages/security.yaml # config/packages/security.yaml
security: security:
enable_authenticator_manager: true
providers: providers:
keycloak_bearer_user_provider: keycloak_bearer_user_provider:
id: ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\User\KeycloakBearerUserProvider id: ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\User\KeycloakBearerUserProvider
@@ -83,23 +67,13 @@ security:
security: false security: false
api: api:
pattern: ^/api/ pattern: ^/api/
guard:
provider: keycloak_bearer_user_provider provider: keycloak_bearer_user_provider
custom_authenticators: authenticators:
- ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\Authenticator\KeycloakBearerAuthenticator - ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\Authenticator\KeycloakBearerAuthenticator
stateless: true stateless: true
main:
anonymous: ~
access_control: access_control:
- { path: ^/api/, roles: ROLE_API } - { path: ^/api/, roles: ROLE_API }
``` ```
> :information_source: Referring to Symfony [documentation](https://symfony.com/doc/5.3/security.html#roles), roles must start with **ROLE_** (otherwise, things won't work as expected)
### Keycloak configuration
To configure keycloak to work with this bundle, [here](./Resources/docs/keycloak-config-guide.md) is a step by step documentation for a basic configuration of keycloak.
### Compatibility
| Bundle Version | Symfony Version |
| ------------------------------------------------------|--------------------|
| V1.0.1 | >=4.0.0 <5.0.0 |
| V1.1.* (uses old authentication systeme with guard) | >=5.0.0 <6.0.0 |
| V1.2.* (uses new authentication systeme) | >=5.3.0 <6.0.0 |

42
Resources/docs/keycloak-config-guide.md
View File

@@ -1,42 +0,0 @@
# Keycloak Configuration guide
### Create a realm
We assume that you already have a realm, if not you can create a realm from the Administration UI, go to ```Realm list > Add realm```
![Create a realm](screenshots/create-a-realm.png)
it will appear in the realm list after creation.
### Create a client
You must define a client that will configure the scope of your application security.
Make sure you already are in your newly created realm and create a new client by going in ```Configure > Clients > Create```.
![Create a client](screenshots/create-a-client.png)
Once created, you can configure it by going in ``` Configure > Clients > [Your client]```
Here is a sample configuration that work with our bundle :
![Configure client](screenshots/config-client.png)
> Note that the client Access type is bearer-only.
### Create roles
In keycloak, roles are an abstraction of permissions for our application (used in security.yaml).
In our case we need to define a role named **ROLE_API**
You can configure it in ```Configure > Clients > [Your client] > Roles```
![Create a role](screenshots/create-a-role.png)
### Assign a role to a user
Last but not least we need to affect our role to our users.
To add role, go to ```Manage > Users > View all users > [Some User] > Role Mappings```.
* In the **Client Roles** dropdown, select your client that contains our role(s).
* Select Roles in **Available Roles** list, then click **Add selected** to assign role to the user.
And your all done, now you can use your client to secure your API.

BIN
Resources/docs/screenshots/config-client.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 27 KiB

BIN
Resources/docs/screenshots/create-a-client.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 13 KiB

BIN
Resources/docs/screenshots/create-a-realm.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 12 KiB

BIN
Resources/docs/screenshots/create-a-role.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 8.3 KiB

235
Security/Authenticator/KeycloakBearerAuthenticator.php
View File

@@ -3,20 +3,207 @@
namespace ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\Authenticator; namespace ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\Authenticator;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Response; use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException; use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException; use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator; use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge; use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Http\Authenticator\Passport\Passport; use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
class KeycloakBearerAuthenticator extends AbstractAuthenticator class KeycloakBearerAuthenticator extends AbstractGuardAuthenticator
{ {
/**
* Returns a response that directs the user to authenticate.
*
* This is called when an anonymous request accesses a resource that
* requires authentication. The job of this method is to return some
* response that "helps" the user start into the authentication process.
*
* Examples:
*
* - For a form login, you might redirect to the login page
*
* return new RedirectResponse('/login');
*
* - For an API token authentication system, you return a 401 response
*
* return new Response('Auth header required', 401);
*
* @param Request $request The request that resulted in an AuthenticationException
* @param AuthenticationException|null $authException The exception that started the authentication process
*
* @return JsonResponse
*/
public function start(Request $request, AuthenticationException $authException = null)
{
$data = [
// you might translate this message
'message' => 'Auth header required'
];
return new JsonResponse($data, Response::HTTP_UNAUTHORIZED);
}
/**
* Does the authenticator support the given Request?
*
* If this returns false, the authenticator will be skipped.
*
* @param Request $request
*
* @return bool
*/
public function supports(Request $request)
{
return !empty($request->headers->get('Authorization'));
}
/**
* Get the authentication credentials from the request and return them
* as any type (e.g. an associate array).
*
* Whatever value you return here will be passed to getUser() and checkCredentials()
*
* For example, for a form login, you might:
*
* return [
* 'username' => $request->request->get('_username'),
* 'password' => $request->request->get('_password'),
* ];
*
* Or for an API token that's on a header, you might use:
*
* return ['api_key' => $request->headers->get('X-API-TOKEN')];
*
* @param Request $request
*
* @return mixed Any non-null value
*
* @throws \UnexpectedValueException If null is returned
*/
public function getCredentials(Request $request)
{
return [
'token' => $request->headers->get('Authorization'),
];
}
/**
* Return a UserInterface object based on the credentials.
*
* The *credentials* are the return value from getCredentials()
*
* You may throw an AuthenticationException if you wish. If you return
* null, then a UsernameNotFoundException is thrown for you.
*
* @param mixed $credentials
* @param UserProviderInterface $userProvider
*
* @throws AuthenticationException
*
* @return UserInterface|null
*/
public function getUser($credentials, UserProviderInterface $userProvider)
{
$token = $credentials['token'];
if (!$token) {
throw new BadCredentialsException('Token is not present in the request headers');
}
try {
$user = $userProvider->loadUserByUsername($this->formatToken($token));
} catch (\Exception $e) {
throw new BadCredentialsException(sprintf('Error when introspecting the token: %s', $e->getMessage()));
}
return $user;
}
/**
* Returns true if the credentials are valid.
*
* If any value other than true is returned, authentication will
* fail. You may also throw an AuthenticationException if you wish
* to cause authentication to fail.
*
* The *credentials* are the return value from getCredentials()
*
* @param mixed $credentials
* @param UserInterface $user
*
* @return bool
*
* @throws AuthenticationException
*/
public function checkCredentials($credentials, UserInterface $user)
{
return true;
}
/**
* Called when authentication executed, but failed (e.g. wrong username password).
*
* This should return the Response sent back to the user, like a
* RedirectResponse to the login page or a 403 response.
*
* If you return null, the request will continue, but the user will
* not be authenticated. This is probably not what you want to do.
*
* @param Request $request
* @param AuthenticationException $exception
*
* @return Response|null
*/
public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
{
return new JsonResponse(['error' => $exception->getMessage()], Response::HTTP_FORBIDDEN);
}
/**
* Called when authentication executed and was successful!
*
* This should return the Response sent back to the user, like a
* RedirectResponse to the last page they visited.
*
* If you return null, the current request will continue, and the user
* will be authenticated. This makes sense, for example, with an API.
*
* @param Request $request
* @param TokenInterface $token
* @param string $providerKey The provider (i.e. firewall) key
*
* @return Response|null
*/
public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
{
return null;
}
/**
* Does this method support remember me cookies?
*
* Remember me cookie will be set if *all* of the following are met:
* A) This method returns true
* B) The remember_me key under your firewall is configured
* C) The "remember me" functionality is activated. This is usually
* done by having a _remember_me checkbox in your form, but
* can be configured by the "always_remember_me" and "remember_me_parameter"
* parameters under the "remember_me" firewall key
* D) The onAuthenticationSuccess method returns a Response object
*
* @return bool
*/
public function supportsRememberMe()
{
return false;
}
/** /**
* @param string $token * @param string $token
* @return string * @return string
@@ -25,38 +212,4 @@ class KeycloakBearerAuthenticator extends AbstractAuthenticator
{ {
return trim(preg_replace('/^(?:\s+)?[B-b]earer\s/', '', $token)); return trim(preg_replace('/^(?:\s+)?[B-b]earer\s/', '', $token));
} }
public function supports(Request $request): ?bool
{
return true;
}
public function authenticate(Request $request): Passport
{
$token = $request->headers->get('Authorization');
if (null === $token || empty($token)) {
// The token header was empty, authentication fails with HTTP Status
// Code 401 "Unauthorized"
throw new CustomUserMessageAuthenticationException('Token is not present in the request headers');
}
return new SelfValidatingPassport(new UserBadge($this->formatToken($token)));
}
public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
{
return null;
}
public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
{
$data = [
// you may want to customize or obfuscate the message first
'message' => strtr($exception->getMessageKey(), $exception->getMessageData())
// or to translate this message
// $this->translator->trans($exception->getMessageKey(), $exception->getMessageData())
];
return new JsonResponse($data, Response::HTTP_UNAUTHORIZED);
}
} }

10
Security/User/KeycloakBearerUser.php
View File

@@ -202,7 +202,7 @@ class KeycloakBearerUser implements UserInterface, \Serializable
* *
* @return array (Role|string)[] The user roles * @return array (Role|string)[] The user roles
*/ */
public function getRoles(): array public function getRoles()
{ {
return $this->roles; return $this->roles;
} }
@@ -245,14 +245,6 @@ class KeycloakBearerUser implements UserInterface, \Serializable
return $this->preferred_username; return $this->preferred_username;
} }
/**
* @return string
*/
public function getUserIdentifier(): string
{
return $this->preferred_username;
}
/** /**
* Removes sensitive data from the user. * Removes sensitive data from the user.
* *

96
Security/User/KeycloakBearerUserProvider.php
View File

@@ -5,15 +5,13 @@ namespace ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\User;
use GuzzleHttp\Client; use GuzzleHttp\Client;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
use Symfony\Component\Security\Core\Exception\UnsupportedUserException; use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UserNotFoundException; use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\UserInterface; use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface; use Symfony\Component\Security\Core\User\UserProviderInterface;
class KeycloakBearerUserProvider implements UserProviderInterface
class KeycloakBearerUserProvider implements UserProviderInterface{ {
/** /**
* @var string * @var string
*/ */
@@ -52,55 +50,24 @@ class KeycloakBearerUserProvider implements UserProviderInterface{
} }
/** /**
* Refreshes the user after being reloaded from the session. * Loads the user for the given username.
* *
* When a user is logged in, at the beginning of each request, the * This method must throw UsernameNotFoundException if the user is not
* User object is loaded from the session and then this method is * found.
* called. Your job is to make sure the user's data is still fresh by,
* for example, re-querying for fresh User data.
* *
* If your firewall is "stateless: true" (for a pure API, which is our case), this * @param string $accessToken The username
* method is not called. But it is implement it anyway.
* *
* @return UserInterface * @return UserInterface
*
* @throws UsernameNotFoundException if the user is not found
*/ */
public function refreshUser(UserInterface $user): UserInterface public function loadUserByUsername($accessToken)
{
if (!$user instanceof KeycloakBearerUser) {
throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
}
$user = $this->loadUserByIdentifier($user->getAccessToken());
if (!$user) {
throw new UserNotFoundException();
}
return $user;
}
/**
* @param string $class
* @return bool
*/
public function supportsClass(string $class)
{
return KeycloakBearerUser::class === $class || is_subclass_of($class, KeycloakBearerUser::class);
}
/**
* @param string $accessToken
* @return UserInterface
*/
public function loadUserByIdentifier(string $accessToken): UserInterface
{ {
$client = new Client([ $client = new Client([
'base_uri' => $this->issuer, 'base_uri' => $this->issuer,
]); ]);
$response = $client->post('/auth/realms/'.$this->realm.'/protocol/openid-connect/token/introspect', [ $response = $client->post('/realms/'.$this->realm.'/protocol/openid-connect/token/introspect', [
'auth' => [$this->client_id, $this->client_secret], 'auth' => [$this->client_id, $this->client_secret],
'form_params' => [ 'form_params' => [
'token' => $accessToken, 'token' => $accessToken,
@@ -116,11 +83,11 @@ class KeycloakBearerUserProvider implements UserProviderInterface{
$jwt = json_decode($response->getBody(), true); $jwt = json_decode($response->getBody(), true);
if (!$jwt['active']) { if (!$jwt['active']) {
throw new CustomUserMessageAuthenticationException('The token does not exist or is not valid anymore'); throw new \UnexpectedValueException('The token does not exist or is not valid anymore');
} }
if (!isset($jwt['resource_access'][$this->client_id])) { if (!isset($jwt['resource_access'][$this->client_id])) {
throw new CustomUserMessageAuthenticationException('The token does not have the necessary permissions!'); throw new \UnexpectedValueException('The token does not have the necessary permissions!');
} }
return new KeycloakBearerUser( return new KeycloakBearerUser(
@@ -136,11 +103,42 @@ class KeycloakBearerUserProvider implements UserProviderInterface{
} }
/** /**
* @param string $username * Refreshes the user.
*
* It is up to the implementation to decide if the user data should be
* totally reloaded (e.g. from the database), or if the UserInterface
* object can just be merged into some internal array of users / identity
* map.
*
* @return UserInterface * @return UserInterface
*
* @throws UnsupportedUserException if the user is not supported
* @throws UsernameNotFoundException if the user is not found
*/ */
public function loadUserByUsername(string $username): UserInterface public function refreshUser(UserInterface $user)
{ {
return $this->loadUserByIdentifier($username); if (!$user instanceof KeycloakBearerUser) {
throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
}
$user = $this->loadUserByUsername($user->getAccessToken());
if (!$user) {
throw new UsernameNotFoundException();
}
return $user;
}
/**
* Whether this provider supports the given user class.
*
* @param string $class
*
* @return bool
*/
public function supportsClass($class)
{
return KeycloakBearerUser::class === $class;
} }
} }

10
composer.json
View File

@@ -11,11 +11,11 @@
], ],
"minimum-stability": "stable", "minimum-stability": "stable",
"require": { "require": {
"php": ">=7.2.5", "php": "^7.1",
"symfony/config": "^6.0", "symfony/config": "^4.0",
"symfony/dependency-injection": "^6.0", "symfony/dependency-injection": "^4.0",
"symfony/http-kernel": "^6.0", "symfony/http-kernel": "^4.0",
"symfony/security-bundle": "^6.0", "symfony/security-bundle": "^4.0",
"guzzlehttp/guzzle": "^6.3", "guzzlehttp/guzzle": "^6.3",
"ext-json": "*" "ext-json": "*"
}, },