tothbt/keycloak-bundle
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: tothbt:v1.3.1
Branches Tags
tothbt:master tothbt:2.0 tothbt:develop
tothbt:v2.0.0 tothbt:v1.3.2 tothbt:v1.2.2 tothbt:v1.1.1 tothbt:v1.0.2 tothbt:v1.3.1 tothbt:v1.3.0 tothbt:v1.2.1 tothbt:v1.2.0 tothbt:v1.1.0 tothbt:v1.0.1
..
compare: tothbt:v1.1.1
Branches Tags
tothbt:2.0 tothbt:master tothbt:develop
tothbt:v2.0.0 tothbt:v1.3.2 tothbt:v1.2.2 tothbt:v1.1.1 tothbt:v1.0.2 tothbt:v1.3.1 tothbt:v1.3.0 tothbt:v1.2.1 tothbt:v1.2.0 tothbt:v1.1.0 tothbt:v1.0.1

1 Commits
v1.3.1 ... v1.1.1

Author SHA1 Message Date
El. Abdellah
764736c493 remove /auth from Keycloak token URL 2022-04-22 11:58:12 +02:00
7 changed files with 262 additions and 151 deletions
Expand all files Collapse all files

6
ABELkeycloakBearerOnlyAdapterBundle.php
View File

@@ -5,15 +5,11 @@ namespace ABEL\Bundle\keycloakBearerOnlyAdapterBundle;
use ABEL\Bundle\keycloakBearerOnlyAdapterBundle\DependencyInjection\ABELkeycloakBearerOnlyAdapterExtension;
use Symfony\Component\DependencyInjection\Extension\ExtensionInterface;
use Symfony\Component\HttpKernel\Bundle\Bundle;
class ABELkeycloakBearerOnlyAdapterBundle extends Bundle
{
/**
* @return ExtensionInterface|null
*/
public function getContainerExtension(): ?ExtensionInterface
public function getContainerExtension()
{
if (null === $this->extension) {
$this->extension = new ABELkeycloakBearerOnlyAdapterExtension();

2
DependencyInjection/ABELkeycloakBearerOnlyAdapterExtension.php
View File

@@ -27,7 +27,7 @@ class ABELkeycloakBearerOnlyAdapterExtension extends Extension
$definition->replaceArgument(4, $config['ssl_verification']);
}
public function getAlias(): string
public function getAlias()
{
return 'abel_keycloak_bearer_only_adapter';
}

52
README.md
View File

@@ -5,15 +5,10 @@ This Symfony bundle is an adapter that allows securing API using keycloak Bearer
## Installation
> Befor installing the bundle, automatic packages configuration can be activated with the following command:
> ```
> composer config extra.symfony.allow-contrib true
> ```
With composer:
```
composer require abel/keycloak-bearer-only-adapter-bundle
$ composer require abel/keycloak-bearer-only-adapter-bundle
```
## Configuration
@@ -22,15 +17,6 @@ If you want to set up keycloak locally you can download it [here](https://www.ke
### Bundle configuration
#### Via a recipe (Automatic)
This bundle hase a Symfony recipe that allow the automation of configuration via the Symfony Flex Composer plugin.
To enable recipe for your project, run the following command:
```
composer config extra.symfony.allow-contrib true
```
#### Manual
Having a running keycloak locally or in Docker and already configured a client with **Access Type = bearer-only**
here is the configuration to use:
@@ -48,26 +34,21 @@ The best practice is to load your configuration from **.env** file.
```
# .env
...
###> Abel_keycloak_bearer_only_adapter ###
OAUTH_KEYCLOAK_ISSUER=keycloak:8080
###> Keycloak ###
OAUTH_KEYCLOAK_ISSUER=http://keycloak.local:8080
OAUTH_KEYCLOAK_REALM=my_realm
OAUTH_KEYCLOAK_CLIENT_ID=my_bearer_client
OAUTH_KEYCLOAK_CLIENT_SECRET=my_bearer_client_secret
###< Abel_keycloak_bearer_only_adapter ###
###< Keycloak ###
...
```
> Since Keycloak 17 the default distribution is now powered by **Quarkus**, while the legacy **WildFly** powered distribution will still be around until June 2022 <br>
> The new distribution introduces a number of breaking changes, including: <br>
> - `/auth` removed from the default context path <br>
> ⚠️ **If you are using a legacy version make sure to include /auth in OAUTH_KEYCLOAK_ISSUER** <br>
> Example: `keycloak:8080/auth`
In case of using Keycloak with Docker locally replace **issuer** value with your keycloak container reference in the network
For example, you can use the service name, or container IPAdresse that you can get using this command:
For example, you can use the container IPAdresse, that you can get using this command:
```
docker inspect <container id> | grep "IPAddress"
$ docker inspect <container id> | grep "IPAddress"
```
### Symfony security configuration
@@ -78,7 +59,6 @@ Here is a simple configuration that restrict access to ```/api/*``` routes only
```yaml
# config/packages/security.yaml
security:
enable_authenticator_manager: true
providers:
keycloak_bearer_user_provider:
id: ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\User\KeycloakBearerUserProvider
@@ -88,24 +68,16 @@ security:
security: false
api:
pattern: ^/api/
provider: keycloak_bearer_user_provider
custom_authenticators:
- ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\Authenticator\KeycloakBearerAuthenticator
guard:
provider: keycloak_bearer_user_provider
authenticators:
- ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\Authenticator\KeycloakBearerAuthenticator
stateless: true
main:
anonymous: ~
access_control:
- { path: ^/api/, roles: ROLE_API }
```
> :information_source: Referring to Symfony [documentation](https://symfony.com/doc/5.3/security.html#roles), roles must start with **ROLE_** (otherwise, things won't work as expected)
### Keycloak configuration
To configure keycloak to work with this bundle, [here](./Resources/docs/keycloak-config-guide.md) is a step by step documentation for a basic configuration of keycloak.
### Compatibility
| Bundle Version | Symfony Version |
| ------------------------------------------------------|--------------------|
| V1.0.1 | >=4.0.0 <5.0.0 |
| V1.1.* (uses old authentication systeme with guard) | >=5.0.0 <6.0.0 |
| V1.2.* (uses new authentication systeme) | >=5.3.0 <6.0.0 |
| V1.3.* | =6.0.* |

235
Security/Authenticator/KeycloakBearerAuthenticator.php
View File

@@ -3,20 +3,207 @@
namespace ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\Authenticator;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;
class KeycloakBearerAuthenticator extends AbstractAuthenticator
class KeycloakBearerAuthenticator extends AbstractGuardAuthenticator
{
/**
* Returns a response that directs the user to authenticate.
*
* This is called when an anonymous request accesses a resource that
* requires authentication. The job of this method is to return some
* response that "helps" the user start into the authentication process.
*
* Examples:
*
* - For a form login, you might redirect to the login page
*
* return new RedirectResponse('/login');
*
* - For an API token authentication system, you return a 401 response
*
* return new Response('Auth header required', 401);
*
* @param Request $request The request that resulted in an AuthenticationException
* @param AuthenticationException|null $authException The exception that started the authentication process
*
* @return JsonResponse
*/
public function start(Request $request, AuthenticationException $authException = null)
{
$data = [
// you might translate this message
'message' => 'Auth header required'
];
return new JsonResponse($data, Response::HTTP_UNAUTHORIZED);
}
/**
* Does the authenticator support the given Request?
*
* If this returns false, the authenticator will be skipped.
*
* @param Request $request
*
* @return bool
*/
public function supports(Request $request)
{
return !empty($request->headers->get('Authorization'));
}
/**
* Get the authentication credentials from the request and return them
* as any type (e.g. an associate array).
*
* Whatever value you return here will be passed to getUser() and checkCredentials()
*
* For example, for a form login, you might:
*
* return [
* 'username' => $request->request->get('_username'),
* 'password' => $request->request->get('_password'),
* ];
*
* Or for an API token that's on a header, you might use:
*
* return ['api_key' => $request->headers->get('X-API-TOKEN')];
*
* @param Request $request
*
* @return mixed Any non-null value
*
* @throws \UnexpectedValueException If null is returned
*/
public function getCredentials(Request $request)
{
return [
'token' => $request->headers->get('Authorization'),
];
}
/**
* Return a UserInterface object based on the credentials.
*
* The *credentials* are the return value from getCredentials()
*
* You may throw an AuthenticationException if you wish. If you return
* null, then a UsernameNotFoundException is thrown for you.
*
* @param mixed $credentials
* @param UserProviderInterface $userProvider
*
* @throws AuthenticationException
*
* @return UserInterface|null
*/
public function getUser($credentials, UserProviderInterface $userProvider)
{
$token = $credentials['token'];
if (!$token) {
throw new BadCredentialsException('Token is not present in the request headers');
}
try {
$user = $userProvider->loadUserByUsername($this->formatToken($token));
} catch (\Exception $e) {
throw new BadCredentialsException(sprintf('Error when introspecting the token: %s', $e->getMessage()));
}
return $user;
}
/**
* Returns true if the credentials are valid.
*
* If any value other than true is returned, authentication will
* fail. You may also throw an AuthenticationException if you wish
* to cause authentication to fail.
*
* The *credentials* are the return value from getCredentials()
*
* @param mixed $credentials
* @param UserInterface $user
*
* @return bool
*
* @throws AuthenticationException
*/
public function checkCredentials($credentials, UserInterface $user)
{
return true;
}
/**
* Called when authentication executed, but failed (e.g. wrong username password).
*
* This should return the Response sent back to the user, like a
* RedirectResponse to the login page or a 403 response.
*
* If you return null, the request will continue, but the user will
* not be authenticated. This is probably not what you want to do.
*
* @param Request $request
* @param AuthenticationException $exception
*
* @return Response|null
*/
public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
{
return new JsonResponse(['error' => $exception->getMessage()], Response::HTTP_FORBIDDEN);
}
/**
* Called when authentication executed and was successful!
*
* This should return the Response sent back to the user, like a
* RedirectResponse to the last page they visited.
*
* If you return null, the current request will continue, and the user
* will be authenticated. This makes sense, for example, with an API.
*
* @param Request $request
* @param TokenInterface $token
* @param string $providerKey The provider (i.e. firewall) key
*
* @return Response|null
*/
public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
{
return null;
}
/**
* Does this method support remember me cookies?
*
* Remember me cookie will be set if *all* of the following are met:
* A) This method returns true
* B) The remember_me key under your firewall is configured
* C) The "remember me" functionality is activated. This is usually
* done by having a _remember_me checkbox in your form, but
* can be configured by the "always_remember_me" and "remember_me_parameter"
* parameters under the "remember_me" firewall key
* D) The onAuthenticationSuccess method returns a Response object
*
* @return bool
*/
public function supportsRememberMe()
{
return false;
}
/**
* @param string $token
* @return string
@@ -25,38 +212,4 @@ class KeycloakBearerAuthenticator extends AbstractAuthenticator
{
return trim(preg_replace('/^(?:\s+)?[B-b]earer\s/', '', $token));
}
public function supports(Request $request): ?bool
{
return true;
}
public function authenticate(Request $request): Passport
{
$token = $request->headers->get('Authorization');
if (null === $token || empty($token)) {
// The token header was empty, authentication fails with HTTP Status
// Code 401 "Unauthorized"
throw new CustomUserMessageAuthenticationException('Token is not present in the request headers');
}
return new SelfValidatingPassport(new UserBadge($this->formatToken($token)));
}
public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
{
return null;
}
public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
{
$data = [
// you may want to customize or obfuscate the message first
'message' => strtr($exception->getMessageKey(), $exception->getMessageData())
// or to translate this message
// $this->translator->trans($exception->getMessageKey(), $exception->getMessageData())
];
return new JsonResponse($data, Response::HTTP_UNAUTHORIZED);
}
}

12
Security/User/KeycloakBearerUser.php
View File

@@ -202,7 +202,7 @@ class KeycloakBearerUser implements UserInterface, \Serializable
*
* @return array (Role|string)[] The user roles
*/
public function getRoles(): array
public function getRoles()
{
return $this->roles;
}
@@ -245,14 +245,6 @@ class KeycloakBearerUser implements UserInterface, \Serializable
return $this->preferred_username;
}
/**
* @return string
*/
public function getUserIdentifier(): string
{
return $this->preferred_username;
}
/**
* Removes sensitive data from the user.
*
@@ -306,4 +298,4 @@ class KeycloakBearerUser implements UserInterface, \Serializable
$this->accessToken
) = unserialize($serialized, ['allowed_classes' => false]);
}
}
}

96
Security/User/KeycloakBearerUserProvider.php
View File

@@ -5,15 +5,13 @@ namespace ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\User;
use GuzzleHttp\Client;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UserNotFoundException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
class KeycloakBearerUserProvider implements UserProviderInterface{
class KeycloakBearerUserProvider implements UserProviderInterface
{
/**
* @var string
*/
@@ -52,49 +50,18 @@ class KeycloakBearerUserProvider implements UserProviderInterface{
}
/**
* Refreshes the user after being reloaded from the session.
* Loads the user for the given username.
*
* When a user is logged in, at the beginning of each request, the
* User object is loaded from the session and then this method is
* called. Your job is to make sure the user's data is still fresh by,
* for example, re-querying for fresh User data.
* This method must throw UsernameNotFoundException if the user is not
* found.
*
* If your firewall is "stateless: true" (for a pure API, which is our case), this
* method is not called. But it is implement it anyway.
* @param string $accessToken The username
*
* @return UserInterface
*
* @throws UsernameNotFoundException if the user is not found
*/
public function refreshUser(UserInterface $user): UserInterface
{
if (!$user instanceof KeycloakBearerUser) {
throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
}
$user = $this->loadUserByIdentifier($user->getAccessToken());
if (!$user) {
throw new UserNotFoundException();
}
return $user;
}
/**
* @param string $class
* @return bool
*/
public function supportsClass(string $class)
{
return KeycloakBearerUser::class === $class || is_subclass_of($class, KeycloakBearerUser::class);
}
/**
* @param string $accessToken
* @return UserInterface
*/
public function loadUserByIdentifier(string $accessToken): UserInterface
public function loadUserByUsername($accessToken)
{
$client = new Client([
'base_uri' => $this->issuer,
@@ -116,11 +83,11 @@ class KeycloakBearerUserProvider implements UserProviderInterface{
$jwt = json_decode($response->getBody(), true);
if (!$jwt['active']) {
throw new CustomUserMessageAuthenticationException('The token does not exist or is not valid anymore');
throw new \UnexpectedValueException('The token does not exist or is not valid anymore');
}
if (!isset($jwt['resource_access'][$this->client_id])) {
throw new CustomUserMessageAuthenticationException('The token does not have the necessary permissions!');
throw new \UnexpectedValueException('The token does not have the necessary permissions!');
}
return new KeycloakBearerUser(
@@ -136,11 +103,42 @@ class KeycloakBearerUserProvider implements UserProviderInterface{
}
/**
* @param string $username
* Refreshes the user.
*
* It is up to the implementation to decide if the user data should be
* totally reloaded (e.g. from the database), or if the UserInterface
* object can just be merged into some internal array of users / identity
* map.
*
* @return UserInterface
*
* @throws UnsupportedUserException if the user is not supported
* @throws UsernameNotFoundException if the user is not found
*/
public function loadUserByUsername(string $username): UserInterface
public function refreshUser(UserInterface $user)
{
return $this->loadUserByIdentifier($username);
if (!$user instanceof KeycloakBearerUser) {
throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
}
$user = $this->loadUserByUsername($user->getAccessToken());
if (!$user) {
throw new UsernameNotFoundException();
}
return $user;
}
}
/**
* Whether this provider supports the given user class.
*
* @param string $class
*
* @return bool
*/
public function supportsClass($class)
{
return KeycloakBearerUser::class === $class;
}
}

10
composer.json
View File

@@ -11,11 +11,11 @@
],
"minimum-stability": "stable",
"require": {
"php": ">=7.2.5",
"symfony/config": "^6.0",
"symfony/dependency-injection": "^6.0",
"symfony/http-kernel": "^6.0",
"symfony/security-bundle": "^6.0",
"php": "^7.2.5|^8.0",
"symfony/config": "^5.0",
"symfony/dependency-injection": "^5.0",
"symfony/http-kernel": "^5.0",
"symfony/security-bundle": "^5.0",
"guzzlehttp/guzzle": "^6.3",
"ext-json": "*"
},