diff --git a/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java b/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java
index dd08b5b876a62d05cfc37b30b6910815e7029f4f..a1afb9d2d87cf8759bf3c1d63d3056db5b5ce7d3 100644
--- a/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java
+++ b/src/main/java/org/keycloak/protocol/cas/CASLoginProtocol.java
@@ -85,7 +85,8 @@ public class CASLoginProtocol implements LoginProtocol {
 }
 @Override
- public Response authenticated(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
+ public Response authenticated(UserSessionModel userSession, ClientSessionContext clientSessionCtx) {
+ AuthenticatedClientSessionModel clientSession = clientSessionCtx.getClientSession();
 ClientSessionCode accessCode = new ClientSessionCode<>(session, realm, clientSession);
 String service = clientSession.getRedirectUri();
diff --git a/src/main/java/org/keycloak/protocol/cas/CASLoginProtocolFactory.java b/src/main/java/org/keycloak/protocol/cas/CASLoginProtocolFactory.java
index 57745b83594397e6bdec9a88d512d61441bc35b9..270246670e529248afbd988f2d4bd2e074e2c7af 100644
--- a/src/main/java/org/keycloak/protocol/cas/CASLoginProtocolFactory.java
+++ b/src/main/java/org/keycloak/protocol/cas/CASLoginProtocolFactory.java
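Review bot: The new `clientSessionCtx` parameter is only unwrapped to its client session on the added line and the rest of the context (the scope information it carries) is ignored, which is deliberate for CAS but not visible to a reader; a comment on that line would record it, e.g. `// CAS has no scope parameter; only the client session is needed from the context`, matching the comment style the commit uses in ServiceValidateEndpoint. The remainder of authenticated() lies outside the hunk, so whether any later line would benefit from the context itself cannot be checked here.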
@@ -2,24 +2,22 @@ package org.keycloak.protocol.cas;
 import org.jboss.logging.Logger;
 import org.keycloak.events.EventBuilder;
-import org.keycloak.models.*;
+import org.keycloak.models.ClientModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.ProtocolMapperModel;
+import org.keycloak.models.RealmModel;
 import org.keycloak.protocol.AbstractLoginProtocolFactory;
 import org.keycloak.protocol.LoginProtocol;
-import org.keycloak.protocol.ProtocolMapperUtils;
 import org.keycloak.protocol.cas.mappers.FullNameMapper;
 import org.keycloak.protocol.cas.mappers.UserAttributeMapper;
 import org.keycloak.protocol.cas.mappers.UserPropertyMapper;
 import org.keycloak.representations.idm.ClientRepresentation;
-import org.keycloak.representations.idm.ClientTemplateRepresentation;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import static org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.JSON_TYPE;
-import static org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME;
-
 public class CASLoginProtocolFactory extends AbstractLoginProtocolFactory {
 private static final Logger logger = Logger.getLogger(CASLoginProtocolFactory.class);
@@ -43,51 +41,45 @@ public class CASLoginProtocolFactory extends AbstractLoginProtocolFactory {
 }
 @Override
- public List getBuiltinMappers() {
+ public Map getBuiltinMappers() {
 return builtins;
 }
- @Override
- public List getDefaultBuiltinMappers() {
- return defaultBuiltins;
- }
-
- static List builtins = new ArrayList<>();
+ static Map builtins = new HashMap<>();
 static List defaultBuiltins = new ArrayList<>();
 static {
 ProtocolMapperModel model;
- model = UserPropertyMapper.create(EMAIL, "email", "mail", "String",
- true, EMAIL_CONSENT_TEXT);
- builtins.add(model);
+ model = UserPropertyMapper.create(EMAIL, "email", "mail", "String");
+ builtins.put(EMAIL, model);
 defaultBuiltins.add(model);
- model = UserPropertyMapper.create(GIVEN_NAME, "firstName", "givenName", "String",
- true, GIVEN_NAME_CONSENT_TEXT);
- builtins.add(model);
+ model = UserPropertyMapper.create(GIVEN_NAME, "firstName", "givenName", "String");
+ builtins.put(GIVEN_NAME, model);
 defaultBuiltins.add(model);
- model = UserPropertyMapper.create(FAMILY_NAME, "lastName", "sn", "String",
- true, FAMILY_NAME_CONSENT_TEXT);
- builtins.add(model);
+ model = UserPropertyMapper.create(FAMILY_NAME, "lastName", "sn", "String");
+ builtins.put(FAMILY_NAME, model);
 defaultBuiltins.add(model);
 model = UserPropertyMapper.create(EMAIL_VERIFIED, "emailVerified",
- "emailVerified", "boolean",
- false, EMAIL_VERIFIED_CONSENT_TEXT);
- builtins.add(model);
+ "emailVerified", "boolean");
+ builtins.put(EMAIL_VERIFIED, model);
 model = UserAttributeMapper.create(LOCALE, "locale", "locale", "String",
- false, LOCALE_CONSENT_TEXT, false);
- builtins.add(model);
+ builtins.put(LOCALE, model);
- model = FullNameMapper.create(FULL_NAME, "cn",
- true, FULL_NAME_CONSENT_TEXT);
- builtins.add(model);
+ model = FullNameMapper.create(FULL_NAME, "cn");
+ builtins.put(FULL_NAME, model);
 defaultBuiltins.add(model);
 }
+ @Override
+ protected void createDefaultClientScopesImpl(RealmModel newRealm) {
+ // no-op
+ }
+
 @Override
protected void addDefaults(ClientModel client) { for (ProtocolMapperModel model : defaultBuiltins) client.addProtocolMapper(model);
@@ -116,9 +108,4 @@ public class CASLoginProtocolFactory extends AbstractLoginProtocolFactory {
 newClient.setManagementUrl(rep.getRootUrl());
 }
 }
-
- @Override
- public void setupTemplateDefaults(ClientTemplateRepresentation clientRep, ClientTemplateModel newClient) {
-
- }
 }
diff --git a/src/main/java/org/keycloak/protocol/cas/endpoints/ServiceValidateEndpoint.java b/src/main/java/org/keycloak/protocol/cas/endpoints/ServiceValidateEndpoint.java
index 900bb12b7e1dca45815cc30c40e57d31c72233cb..792c5259a4f2ef7f7d8c8a1a5a4e6d775e355b82 100644
--- a/src/main/java/org/keycloak/protocol/cas/endpoints/ServiceValidateEndpoint.java
+++ b/src/main/java/org/keycloak/protocol/cas/endpoints/ServiceValidateEndpoint.java
@@ -1,10 +1,7 @@
 package org.keycloak.protocol.cas.endpoints;
 import org.keycloak.events.EventBuilder;
-import org.keycloak.models.KeycloakSessionFactory;
-import org.keycloak.models.ProtocolMapperModel;
-import org.keycloak.models.RealmModel;
-import org.keycloak.models.UserSessionModel;
+import org.keycloak.models.*;
 import org.keycloak.protocol.ProtocolMapper;
 import org.keycloak.protocol.cas.mappers.CASAttributeMapper;
 import org.keycloak.protocol.cas.representations.CASServiceResponse;
@@ -12,6 +9,7 @@ import org.keycloak.protocol.cas.utils.CASValidationException;
 import org.keycloak.protocol.cas.utils.ContentTypeHelper;
 import org.keycloak.protocol.cas.utils.ServiceResponseHelper;
 import org.keycloak.services.managers.ClientSessionCode;
+import org.keycloak.services.util.DefaultClientSessionContext;
 import javax.ws.rs.core.*;
 import java.util.HashMap;
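Review bot: `getBuiltinMappers()` now hands out the mutable static `builtins` map itself, so any caller can add, replace or remove entries in the provider-wide registry of built-in mappers; returning `Collections.unmodifiableMap(builtins)` and declaring the field `static final Map<String, ProtocolMapperModel> builtins` keeps it a read-only registry (the same applies to `defaultBuiltins`). `HashMap` also loses the insertion order the old `List` had, so if the order in which built-in mappers are listed matters, `LinkedHashMap` preserves it at no cost; either change needs a `java.util` import added in the imports hunk above. The `createDefaultClientScopesImpl` override deserves a reason instead of `// no-op`, e.g. `// CAS has no client scopes; the default mappers are attached per client in addDefaults`. As shown, the `UserAttributeMapper.create(LOCALE, ...)` call has no added line closing its argument list after the removed `false, LOCALE_CONSENT_TEXT, false);`; if that is not an artifact of how the diff was captured, the new side does not compile.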
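Review bot: The first ServiceValidateEndpoint hunk replaces four explicit `org.keycloak.models` imports with the wildcard `import org.keycloak.models.*;`, while the CASLoginProtocolFactory hunk in this same commit goes the other way and expands a wildcard into explicit imports; keeping the explicit style here (`ClientSessionContext` is the only new name needed, so `import org.keycloak.models.ClientSessionContext;`) makes the two files consistent and the new dependency visible. With `ClientSessionCode` no longer constructed in `successResponse()`, the kept `import org.keycloak.services.managers.ClientSessionCode;` in the second hunk may now be unused unless another part of the file still references it, which these hunks do not show.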
@@ -29,8 +27,10 @@ public class ServiceValidateEndpoint extends ValidateEndpoint {
 @Override
 protected Response successResponse() {
 UserSessionModel userSession = clientSession.getUserSession();
+ // CAS protocol does not support scopes, so pass null scopeParam
+ ClientSessionContext clientSessionCtx = DefaultClientSessionContext.fromClientSessionAndScopeParameter(clientSession, null);
- Set mappings = new ClientSessionCode<>(session, realm, clientSession).getRequestedProtocolMappers();
+ Set mappings = clientSessionCtx.getProtocolMappers();
 KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
 Map attributes = new HashMap<>();
 for (ProtocolMapperModel mapping : mappings) {
diff --git a/src/main/java/org/keycloak/protocol/cas/mappers/CASAttributeMapperHelper.java b/src/main/java/org/keycloak/protocol/cas/mappers/CASAttributeMapperHelper.java
index 53ba5d23add6190be50db6248cef61cf9c1982a2..9e243afe790c7cfb8855b83e95412b8d3326768f 100644
--- a/src/main/java/org/keycloak/protocol/cas/mappers/CASAttributeMapperHelper.java
+++ b/src/main/java/org/keycloak/protocol/cas/mappers/CASAttributeMapperHelper.java
@@ -10,14 +10,11 @@ import java.util.Map;
 public class CASAttributeMapperHelper {
 public static ProtocolMapperModel createClaimMapper(String name, String tokenClaimName, String claimType,
- boolean consentRequired, String consentText,
 String mapperId) {
 ProtocolMapperModel mapper = new ProtocolMapperModel();
 mapper.setName(name);
 mapper.setProtocolMapper(mapperId);
 mapper.setProtocol(CASLoginProtocol.LOGIN_PROTOCOL);
- mapper.setConsentRequired(consentRequired);
- mapper.setConsentText(consentText);
 Map config = new HashMap();
 config.put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, tokenClaimName);
 config.put(OIDCAttributeMapperHelper.JSON_TYPE, claimType);
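Review bot: Building the context with a `null` scope parameter means `clientSessionCtx.getProtocolMappers()` can only return mappers attached to the client and, as far as the default-scope resolution goes, to its default client scopes; a mapper an admin attaches to an optional client scope will be silently left out of the ticket validation response, and the added comment should say so rather than only why `null` is passed, e.g. `// CAS has no scope parameter: only the client's own mappers and its default client scopes apply; optional scopes are never requested`. The raw `Set mappings` predates this change, but since the line is rewritten anyway, `Set<ProtocolMapperModel> mappings` matches what the for-loop below already assumes. The rest of `successResponse()` is outside the hunk.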
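Review bot: `createClaimMapper` is the one factory every CAS mapper's `create` now goes through and it loses its consent parameters in this hunk, so its contract should be written down: a Javadoc stating that it builds a `ProtocolMapperModel` for `CASLoginProtocol.LOGIN_PROTOCOL` with `mapperId` as the provider id and pre-populates the config with `TOKEN_CLAIM_NAME` and `JSON_TYPE`, plus `@param` lines for `name`, `tokenClaimName`, `claimType` and `mapperId`. The raw `Map config = new HashMap();` on the context line predates the change; if the method is touched anyway, `Map<String, String> config = new HashMap<>();` reflects the string-to-string entries the two `put` calls below store.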
diff --git a/src/main/java/org/keycloak/protocol/cas/mappers/FullNameMapper.java b/src/main/java/org/keycloak/protocol/cas/mappers/FullNameMapper.java
index aef4b51d4c9d9f611575f58e8523ce6f25fafa2f..3d889be4725b227ec7968a68b88a57026d8353be 100644
--- a/src/main/java/org/keycloak/protocol/cas/mappers/FullNameMapper.java
+++ b/src/main/java/org/keycloak/protocol/cas/mappers/FullNameMapper.java
@@ -48,9 +48,8 @@ public class FullNameMapper extends AbstractCASProtocolMapper {
 setMappedAttribute(attributes, mappingModel, first + last);
 }
- public static ProtocolMapperModel create(String name, String tokenClaimName,
- boolean consentRequired, String consentText) {
+ public static ProtocolMapperModel create(String name, String tokenClaimName) {
 return CASAttributeMapperHelper.createClaimMapper(name, tokenClaimName,
- "String", consentRequired, consentText, PROVIDER_ID);
+ "String", PROVIDER_ID);
 }
 }
diff --git a/src/main/java/org/keycloak/protocol/cas/mappers/GroupMembershipMapper.java b/src/main/java/org/keycloak/protocol/cas/mappers/GroupMembershipMapper.java
index a6db9740c533e5c5ac667ace91ee30d611679b67..bee3b9e7497723b7edc9dcee4b4a425d279d07ee 100644
--- a/src/main/java/org/keycloak/protocol/cas/mappers/GroupMembershipMapper.java
+++ b/src/main/java/org/keycloak/protocol/cas/mappers/GroupMembershipMapper.java
@@ -69,10 +69,9 @@ public class GroupMembershipMapper extends AbstractCASProtocolMapper {
 return "true".equals(mappingModel.getConfig().get(FULL_PATH));
 }
- public static ProtocolMapperModel create(String name, String tokenClaimName,
- boolean consentRequired, String consentText, boolean fullPath) {
+ public static ProtocolMapperModel create(String name, String tokenClaimName, boolean fullPath) {
 ProtocolMapperModel mapper = CASAttributeMapperHelper.createClaimMapper(name, tokenClaimName,
- "String", consentRequired, consentText, PROVIDER_ID);
+ "String", PROVIDER_ID);
 mapper.getConfig().put(FULL_PATH, Boolean.toString(fullPath));
 return mapper;
 }
diff --git a/src/main/java/org/keycloak/protocol/cas/mappers/UserAttributeMapper.java b/src/main/java/org/keycloak/protocol/cas/mappers/UserAttributeMapper.java
index 19173c2abd4c1e3a232a7b356aaca77d4da30d3d..a75bd279873dbe769c1dcfdcfdd66077ef279189 100644
--- a/src/main/java/org/keycloak/protocol/cas/mappers/UserAttributeMapper.java
+++ b/src/main/java/org/keycloak/protocol/cas/mappers/UserAttributeMapper.java
@@ -68,9 +68,9 @@ public class UserAttributeMapper extends AbstractCASProtocolMapper {
 public static ProtocolMapperModel create(String name, String userAttribute,
 String tokenClaimName, String claimType,
- boolean consentRequired, String consentText, boolean multivalued) {
+ boolean multivalued) {
 ProtocolMapperModel mapper = CASAttributeMapperHelper.createClaimMapper(name, tokenClaimName,
- claimType, consentRequired, consentText, PROVIDER_ID);
+ claimType, PROVIDER_ID);
 mapper.getConfig().put(ProtocolMapperUtils.USER_ATTRIBUTE, userAttribute);
 if (multivalued) {
 mapper.getConfig().put(ProtocolMapperUtils.MULTIVALUED, "true");
diff --git a/src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java b/src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java
index 15ff8ac09607bb3cf4b0143c3f9c6be77d698078..ff872d39944d08106601f13bf192251a3683759e 100644
--- a/src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java
+++ b/src/main/java/org/keycloak/protocol/cas/mappers/UserClientRoleMappingMapper.java
@@ -2,6 +2,7 @@ package org.keycloak.protocol.cas.mappers;
 import org.keycloak.models.*;
 import org.keycloak.protocol.ProtocolMapperUtils;
+import org.keycloak.protocol.oidc.TokenManager;
 import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
 import org.keycloak.provider.ProviderConfigProperty;
@@ -78,10 +79,7 @@ public class UserClientRoleMappingMapper extends AbstractUserRoleMappingMapper {
 return RoleModel::isClientRole;
 }
- ClientTemplateModel template = client.getClientTemplate();
- boolean useTemplateScope = template != null && client.useTemplateScope();
- boolean fullScopeAllowed = (useTemplateScope && template.isFullScopeAllowed()) || client.isFullScopeAllowed();
-
+ boolean fullScopeAllowed = client.isFullScopeAllowed();
 Set clientRoleMappings = client.getRoles();
 if (fullScopeAllowed) {
 return clientRoleMappings::contains;
@@ -89,16 +87,10 @@ public class UserClientRoleMappingMapper extends AbstractUserRoleMappingMapper {
 Set scopeMappings = new HashSet<>();
- if (useTemplateScope) {
- Set templateScopeMappings = template.getScopeMappings();
- if (templateScopeMappings != null) {
- scopeMappings.addAll(templateScopeMappings);
- }
- }
-
- Set clientScopeMappings = client.getScopeMappings();
- if (clientScopeMappings != null) {
- scopeMappings.addAll(clientScopeMappings);
+ // CAS protocol does not support scopes, so pass null scopeParam
+ Set clientScopes = TokenManager.getRequestedClientScopes(null, client);
+ for (ClientScopeModel clientScope : clientScopes) {
+ scopeMappings.addAll(clientScope.getScopeMappings());
 }
 return role -> clientRoleMappings.contains(role) && scopeMappings.contains(role);
@@ -107,7 +99,7 @@ public class UserClientRoleMappingMapper extends AbstractUserRoleMappingMapper {
 public static ProtocolMapperModel create(String clientId, String clientRolePrefix, String name, String tokenClaimName) {
 ProtocolMapperModel mapper = CASAttributeMapperHelper.createClaimMapper(name, tokenClaimName,
- "String", true, name, PROVIDER_ID);
+ "String", PROVIDER_ID);
 mapper.getConfig().put(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID, clientId);
 mapper.getConfig().put(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX, clientRolePrefix);
 return mapper;
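Review bot: The removed code unioned the client's own `client.getScopeMappings()` with the template's, while the new loop in the second hunk collects scope mappings only from what `TokenManager.getRequestedClientScopes(null, client)` returns; whether that set includes the client itself, so that roles scoped directly on the client still count, depends on that helper's contract, which this hunk does not show, and if it does not, client roles granted directly to the client would vanish from the CAS attribute. Adding `scopeMappings.addAll(client.getScopeMappings());` before the loop makes the intent explicit either way, since the set deduplicates. The removed code also null-checked the `getScopeMappings()` results before `addAll`, while the new loop does not, so a scope returning `null` would throw inside the filter; worth confirming against the `ClientScopeModel` contract before dropping that guard. The enclosing method starts before the first hunk and its closing brace lies outside it.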
diff --git a/src/main/java/org/keycloak/protocol/cas/mappers/UserPropertyMapper.java b/src/main/java/org/keycloak/protocol/cas/mappers/UserPropertyMapper.java
index b299b27a19ad2f91fee6ec9fb034fb790427f50e..66f09be414e16cef9d30cf15fcad7e71289e51d6 100644
--- a/src/main/java/org/keycloak/protocol/cas/mappers/UserPropertyMapper.java
+++ b/src/main/java/org/keycloak/protocol/cas/mappers/UserPropertyMapper.java
@@ -58,10 +58,9 @@ public class UserPropertyMapper extends AbstractCASProtocolMapper {
 }
 public static ProtocolMapperModel create(String name, String userAttribute,
- String tokenClaimName, String claimType,
- boolean consentRequired, String consentText) {
+ String tokenClaimName, String claimType) {
 ProtocolMapperModel mapper = CASAttributeMapperHelper.createClaimMapper(name, tokenClaimName,
- claimType, consentRequired, consentText, PROVIDER_ID);
+ claimType, PROVIDER_ID);
 mapper.getConfig().put(ProtocolMapperUtils.USER_ATTRIBUTE, userAttribute);
 return mapper;
 }
diff --git a/src/main/java/org/keycloak/protocol/cas/mappers/UserRealmRoleMappingMapper.java b/src/main/java/org/keycloak/protocol/cas/mappers/UserRealmRoleMappingMapper.java
index 117264aa7abe5e6d294742e753d4d0e8bb5d2ca2..41a6a78d4513848ba782ec93723aaf12d3ac0075 100644
--- a/src/main/java/org/keycloak/protocol/cas/mappers/UserRealmRoleMappingMapper.java
+++ b/src/main/java/org/keycloak/protocol/cas/mappers/UserRealmRoleMappingMapper.java
@@ -60,7 +60,7 @@ public class UserRealmRoleMappingMapper extends AbstractUserRoleMappingMapper {
 public static ProtocolMapperModel create(String realmRolePrefix, String name, String tokenClaimName) {
 ProtocolMapperModel mapper = CASAttributeMapperHelper.createClaimMapper(name, tokenClaimName,
- "String", true, name, PROVIDER_ID);
+ "String", PROVIDER_ID);
 mapper.getConfig().put(ProtocolMapperUtils.USER_MODEL_REALM_ROLE_MAPPING_ROLE_PREFIX, realmRolePrefix);
 return mapper;
 }
diff --git a/src/main/java/org/keycloak/protocol/cas/mappers/UserSessionNoteMapper.java b/src/main/java/org/keycloak/protocol/cas/mappers/UserSessionNoteMapper.java
index 5c2881abbc87f11dd429e6ea170c2593dd63e980..f718aab57d2b4b61fc881f9a2505d7b7cf262c36 100644
--- a/src/main/java/org/keycloak/protocol/cas/mappers/UserSessionNoteMapper.java
+++ b/src/main/java/org/keycloak/protocol/cas/mappers/UserSessionNoteMapper.java
@@ -63,10 +63,9 @@ public class UserSessionNoteMapper extends AbstractCASProtocolMapper {
 public static ProtocolMapperModel create(String name, String userSessionNote,
- String tokenClaimName, String jsonType,
- boolean consentRequired, String consentText) {
+ String tokenClaimName, String jsonType) {
 ProtocolMapperModel mapper = CASAttributeMapperHelper.createClaimMapper(name, tokenClaimName,
- jsonType, consentRequired, consentText, PROVIDER_ID);
+ jsonType, PROVIDER_ID);
 mapper.getConfig().put(ProtocolMapperUtils.USER_SESSION_NOTE, userSessionNote);
 return mapper;
 }