keycloak jwt processing

2025-07-19 13:19:43 +02:00 · 2017-03-17 08:46:33 +00:00 · 2017-03-17 08:46:33 +00:00 · b5f85637a7
commit b5f85637a7
parent a585a55033
9 changed files with 334 additions and 121 deletions
--- a/core/api/endpoint/keycloak.go
+++ b/core/api/endpoint/keycloak.go
@ -0,0 +1,169 @@
+// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.
+//
+// This software (Documize Community Edition) is licensed under
+// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html
+//
+// You can operate outside the AGPL restrictions by purchasing
+// Documize Enterprise Edition and obtaining a commercial license
+// by contacting <sales@documize.com>.
+//
+// https://documize.com
+
+package endpoint
+
+import (
+	"database/sql"
+	"encoding/json"
+	"io/ioutil"
+	"net/http"
+	"strings"
+
+	"github.com/documize/community/core/api/endpoint/models"
+	"github.com/documize/community/core/api/request"
+	"github.com/documize/community/core/log"
+	// "github.com/documize/community/core/section/provider"
+	"github.com/documize/community/core/utility"
+)
+
+// AuthenticateKeycloak checks Keycloak authentication credentials.
+//
+// TODO:
+// 1. validate keycloak token
+// 2. implement new user additions: user & account with RefID
+//
+func AuthenticateKeycloak(w http.ResponseWriter, r *http.Request) {
+	method := "AuthenticateKeycloak"
+	p := request.GetPersister(r)
+
+	defer utility.Close(r.Body)
+	body, err := ioutil.ReadAll(r.Body)
+	if err != nil {
+		writeBadRequestError(w, method, "Bad payload")
+		return
+	}
+
+	a := keycloakAuthRequest{}
+	err = json.Unmarshal(body, &a)
+	if err != nil {
+		writePayloadError(w, method, err)
+		return
+	}
+
+	// Clean data.
+	a.Domain = strings.TrimSpace(strings.ToLower(a.Domain))
+	a.Domain = request.CheckDomain(a.Domain) // TODO optimize by removing this once js allows empty domains
+	a.Email = strings.TrimSpace(strings.ToLower(a.Email))
+
+	// Check for required fields.
+	if len(a.Email) == 0 {
+		writeUnauthorizedError(w)
+		return
+	}
+
+	// Validate Keycloak credentials
+	pks := "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1NSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTAwRzI3KzZYNzJFWllIY3NyY1pHekYwZzFsL1gzeVdLS20vZ3NnMCtjMWdXQ2R4ZmI4QmtkbFdCcXhXZVRoSEZCVUVETnorakFyTjBlL0dFMXorMmxnQzJlMkQwemFlcjdlSHZ6bzlBK1hkb0h4KzRNS3RUbkxZZS9aYUFpc3ExSHVURkRKZElKZFRJVUpTWUFXZlNrSmJtdGhIOUVPMmF3SVhEQzlMMWpDa2IwNHZmZ0xERFA3bVo1YzV6NHJPcGluTU45V3RkSm8xeC90VG0xVDlwRHQ3NDRIUHBoMENSbW5OcTRCdWo2SGpaQ3hCcFF1aUp5am0yT0lIdm4vWUJxVUlSUitMcFlJREV1d2FQRU04QkF1eWYvU3BBTGNNaG9oZndzR255QnFMV3QwVFBua3plZjl6ZWN3WEdsQXlYbUZCWlVkR1k3Z0hOdDRpVmdvMXp5d0lEQVFBQi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ=="
+	pkb, err := utility.DecodeBase64([]byte(pks))
+	if err != nil {
+		log.Error("", err)
+		writeBadRequestError(w, method, "Unable to decode authentication token")
+		return
+	}
+	pk := string(pkb)
+	pk = `
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA00G27+6X72EZYHcsrcZGzF0g1l/X3yWKKm/gsg0+c1gWCdxfb8BkdlWBqxWeThHFBUEDNz+jArN0e/GE1z+2lgC2e2D0zaer7eHvzo9A+XdoHx+4MKtTnLYe/ZaAisq1HuTFDJdIJdTIUJSYAWfSkJbmthH9EO2awIXDC9L1jCkb04vfgLDDP7mZ5c5z4rOpinMN9WtdJo1x/tTm1T9pDt744HPph0CRmnNq4Buj6HjZCxBpQuiJyjm2OIHvn/YBqUIRR+LpYIDEuwaPEM8BAuyf/SpALcMhohfwsGnyBqLWt0TPnkzef9zecwXGlAyXmFBZUdGY7gHNt4iVgo1zywIDAQAB
+-----END PUBLIC KEY-----
+	`
+
+	err = decodeKeycloakJWT(a.Token, pk)
+	if err != nil {
+		writeServerError(w, method, err)
+		return
+	}
+
+	log.Info("keycloak logon attempt " + a.Email + " @ " + a.Domain)
+
+	user, err := p.GetUserByDomain(a.Domain, a.Email)
+	if err != nil && err != sql.ErrNoRows {
+		writeServerError(w, method, err)
+		return
+	}
+
+	// Create user account if not found
+	if err == sql.ErrNoRows {
+		log.Info("keycloak add user " + a.Email + " @ " + a.Domain)
+
+		p.Context.Transaction, err = request.Db.Beginx()
+		if err != nil {
+			writeTransactionError(w, method, err)
+			return
+		}
+
+	}
+
+	// Password correct and active user
+	if a.Email != strings.TrimSpace(strings.ToLower(user.Email)) {
+		writeUnauthorizedError(w)
+		return
+	}
+
+	org, err := p.GetOrganizationByDomain(a.Domain)
+	if err != nil {
+		writeUnauthorizedError(w)
+		return
+	}
+
+	// Attach user accounts and work out permissions.
+	attachUserAccounts(p, org.RefID, &user)
+
+	// No accounts signals data integrity problem
+	// so we reject login request.
+	if len(user.Accounts) == 0 {
+		writeUnauthorizedError(w)
+		return
+	}
+
+	// Abort login request if account is disabled.
+	for _, ac := range user.Accounts {
+		if ac.OrgID == org.RefID {
+			if ac.Active == false {
+				writeUnauthorizedError(w)
+				return
+			}
+			break
+		}
+	}
+
+	// Generate JWT token
+	authModel := models.AuthenticationModel{}
+	authModel.Token = generateJWT(user.RefID, org.RefID, a.Domain)
+	authModel.User = user
+
+	json, err := json.Marshal(authModel)
+	if err != nil {
+		writeJSONMarshalError(w, method, "user", err)
+		return
+	}
+
+	writeSuccessBytes(w, json)
+}
+
+// Data received via Keycloak client library
+type keycloakAuthRequest struct {
+	Domain    string `json:"domain"`
+	Token     string `json:"token"`
+	RemoteID  string `json:"remoteId"`
+	Email     string `json:"email"`
+	Username  string `json:"username"`
+	Firstname string `json:"firstname"`
+	Lastname  string `json:"lastname"`
+	Enabled   bool   `json:"enabled"`
+}
+
+// Keycloak server configuration
+type keycloakConfig struct {
+	URL       string `json:"url"`
+	Realm     string `json:"realm"`
+	ClientID  string `json:"clientId"`
+	PublicKey string `json:"publicKey"`
+}