[ELY-2584] Add the ability to specify that the OIDC Authentication Request should include request and request_uri parameters

[PrarthonaPaul]

https://issues.redhat.com/browse/ELY-2584
Analysis doc: wildfly/wildfly-proposals#532
Relevant discussion page:

• Signing JWTs with symmetrical secret key keycloak/keycloak#24514
• Sending Request Object by reference keycloak/keycloak#23150
• Hows does a client communicate public Key to Keycloak that will be used to verify signed and encrypted JWTs? keycloak/keycloak#22729

[Skyllarr]

@PrarthonaPaul Looks good! I've just had a quick look at it and added some minor comments, I'll look at it more and its affiliated wildfly PR later this week

[Skyllarr]

@PrarthonaPaul Just a minor, please put a version as a property to the properties tag in the parent pom

[PrarthonaPaul]

Hi @Skyllarr
I am not sure how to do this. Do you have an example of this being done for another dependency?
Thanks!

[Skyllarr]

@PrarthonaPaul In the parent pom.xml we have properties tag where you can find versions of libraries, see here. Place your keycloak-services dependency there. Then, as with other libraries in that parent pom.xml, place your dependency to the dependencyManagement tag the same way as other deps are. Then you can just use this dependency in child modules without having to specify a version. So in http/oidc/pom.xml you will then be able to place it without a version tag

[PrarthonaPaul]

Thank you!
I have updated the pom files to reflect this.

[Skyllarr]

@PrarthonaPaul Just a minor, can this method be protected instead of public?

[PrarthonaPaul]

Yes, I have changed it to protected.

[Skyllarr]

@PrarthonaPaul Just a minor, should the "client-keystore" stay here as possible configuration property because of backwards compatibility? Users could have been using it before?

[PrarthonaPaul]

oh! Thanks for noticing it! I have fixed it! Also changed the class to add a new variable called clientKeyStoreFile that's different from clientKeystore along with a getter and setter for that.

[Skyllarr]

@PrarthonaPaul Just a minor, please put this exception into the ElytronMessages class

[PrarthonaPaul]

Added! Thanks

[Skyllarr]

Just a minor, let's not forget to change this from JKS to PKCS12

[PrarthonaPaul]

Fixed!
Thanks for going though the code!

[PrarthonaPaul]

Currently if request or request_uri is not supported, then the authentication is sent as usual.
However, we can change it so that if it is not supported, then we throw a runtime error.
Another thing we can do, is keep it as is, but add a log message saying "Request/request_uri is not supported by the OpenID provider. Request is sent using the Oauth2 format"

[Skyllarr]

@PrarthonaPaul Thinking.. this should be discussed in the proposal, I see you asked me this there as well. If the authentication is sent as oauth despite a different configuration it has to be logged as a minimum.

I think we should log this and then document that the request and the request_uri methods are used only if available with the OpenID provider, if not available a warning message will be logged. I will write this on the proposal as well

[PrarthonaPaul]

I have fixed the elytron code and the docs to reflect it.
Will change it in the proposal as well. Thanks!

[PrarthonaPaul]

Hi @Skyllarr
I am not sure how to do this. Do you have an example of this being done for another dependency?
Thanks!

[PrarthonaPaul]

Yes, I have changed it to protected.

[PrarthonaPaul]

oh! Thanks for noticing it! I have fixed it! Also changed the class to add a new variable called clientKeyStoreFile that's different from clientKeystore along with a getter and setter for that.

[PrarthonaPaul]

Added! Thanks

[PrarthonaPaul]

Fixed!
Thanks for going though the code!

[PrarthonaPaul]

For now, when the user wants to sign using symmetric keys, we are signing using the client secret. However, I am not sure what to do when they use JWT as client credentials instead of client secret.

[Skyllarr]

@PrarthonaPaul Can they use JWT as a client credential? Can you please describe the background for the situation you are asking about?

in the proposal you mentioned:

In order to sign the jwt using an algorithm other than none, the user must specify the KeyPair used.

So I thought the keypair can be used in all situations for signing but you might be asking about something else

[PrarthonaPaul]

Yes, sorry.
According to this doc: https://www.keycloak.org/docs/latest/securing_apps/#_client_authentication_adapter
we can either set up the client credentials to be just the client secret, which is a just a hash/SHA (like 19666a4f-32dd-4049-b082-684c74115f28).
But you can also configure it using a JWT. But it is not related to the request RFE.
This is what the options are for specifying the client credentials:

Now the reason I am using the client secret to sign a JWT for my RFE is because as we found out HS keys are symmetric. And from what I have seen instead of creating a certificate, we create a secret that is shared between the client. For Keycloak, the client secret is something that is shared between the client and the server.

But what I am wondering is what happens when the user configures the client credentials as a JWT or X509 certificate?

[fjuma]

Since this is a generic helper method that will also be used in OidcRequestAuthenticator, it would be better to move this method to either an existing utility class or introduce a new utility class and include this method there.

[PrarthonaPaul]

Sounds good.
Does this class: https://github.com/wildfly-security/wildfly-elytron/blob/2.x/http/oidc/src/main/java/org/wildfly/security/http/oidc/ClientCredentialsProviderUtils.java look like a good one to move this function to?
If not, then we can create another utility class called JWTClientCredentialsProviderUtils.java or something.

[fjuma]

Since the method will also be used for signing the authentication request in addition to being used for client credentials handling, I think we could create another utility class but try to give it a more generic name (e.g., JWTSigningUtils or something along those lines).

[PrarthonaPaul]

Okay! Sounds good! Thanks :)

[PrarthonaPaul]

This is done!

[fjuma]

Is this something that's used for tests? It shouldn't be added to the constants class.

[PrarthonaPaul]

moved relevant constants to KeycloakConfiguration class.

[fjuma]

Same here, this looks like something that's only needed for tests, it shouldn't be in the Oidc constants class.

[PrarthonaPaul]

moved to keycloakConfiguration class

[fjuma]

Please check all the new constants introduced in this class, it looks like these were meant for tests purposes.

[PrarthonaPaul]

removed

[fjuma]

Note that this class already contains some constants with similar names and also makes use of the AlgorithmIdentifiers class.

These newly added constants appear to be specific to the Keycloak OpenID provider.

Are these really needed?

Can we get the allowed values from discovery?

[PrarthonaPaul]

Fixed!
I am using AlgorithmIdentifiers class and throwing an exception if the algorithm is not supported.

[fjuma]

Same comment as above here.

[PrarthonaPaul]

removed

[fjuma]

Same here, can we get these accepted values through discovery instead?

[PrarthonaPaul]

It seems like most of these, I use for testing, and some of them I don't use at all.
So, I can remove/move those to a test Class, like KeycloakConfiguration. For some of the others, I am using them in the actual implementation. So, I can replace them using AlgorithmIdentifiers.
I can get them using Discovery and I think I do get them. But I don't think I use them yet.

[fjuma]

Which endpoint is this?

[fjuma]

I don't see something that corresponds to this added in OidcProviderMetadata, is this necessary? Or is it just the pushedAuthorizationRequestEndpoint that's needed?

[fjuma]

Actually I do see authorization_endpoint already referenced in the existing OidcProviderMetadata code. But just to understand better, is the authorizationEndpoint variable that's being introduced here used anywhere?

[PrarthonaPaul]

It has this endpoint: http://localhost:8080/realms/myrealm/protocol/openid-connect/auth/device
I don't think I use it tho. So I can get rid of it.

[PrarthonaPaul]

removed

[fjuma]

I don't think we need to create the realm key set here. It would be better to do this when we know we actually need to make use of it (similar to JWKPublicKeyLocator where we use the jwks url when we know we need to).

[PrarthonaPaul]

moved to OidcPublicKeyExtractor

[fjuma]

"realm" is terminology specific to Keycloak so I don't think we should use it in the method name here.

This method is meant to obtain the encryption keys from the OpenID provider, right? We should rename this method to reflect that.

[PrarthonaPaul]

removed the function from this class and moved it to a utility class. New function is called extractPublicKeySet

[fjuma]

Can we make use of the Oidc.sendJsonHttpRequest method here to simplify the logic below?

[PrarthonaPaul]

I tried doing this and kept getting a class mismatch for the JsonSerialization.readValue() function.
I tried this for the JsonWebKeySet, String, and StringBuilder classes.
When I was initially writing this function, I was also trying to use JsonSerialization.readValue() and did not succeed. Which is why I had to do this workaround.

[fjuma]

There should be an example in JWKPublicKeyLocator where we call sendJsonHttpRequest and store the result in a JsonWebKeySet. Did you take a look there to see how that differs from what you were trying to do?

[PrarthonaPaul]

I see what the difference is.
The JWKPublicKeyLocator class uses org.wildfly.security.jose.jwk.JsonWebKeySet and I am using the Jose4j one, which is why the parsing failed before.
I have switched it to the wildfly.security one now and it works.
Thank you!

[fjuma]

s/requestObjectType/authenticationRequestFormat ?

[PrarthonaPaul]

fixed!

[fjuma]

s/algorithm/requestSignatureAlgorithm

[PrarthonaPaul]

fixed

[fjuma]

s/algorithm/requestEncryptionAlgorithm

[PrarthonaPaul]

fixed!

[fjuma]

extra white space before bracket

[PrarthonaPaul]

Fixed!

[fjuma]

We should be consistent with the naming pattern for the signing case, there we used getRequestObjectSigningAlgValuesSupported so we should follow a similar pattern here and below.

[PrarthonaPaul]

fixed!

[fjuma]

We shouldn't use "realm" here. We should rename this to better explain what this returns.

[PrarthonaPaul]

I wasn't using these functions, so I removed anything related to realmKey that I added.

[fjuma]

Note that method names should use camel case, i.e., style wise, getrealm should be getRealm.

However, we should rename this to not mention realm as described in comments above.

[PrarthonaPaul]

moved to utility class and renamed.

[fjuma]

This should make use of ElytronMessages.

[PrarthonaPaul]

Fixed!

[darranl]

2024?

[PrarthonaPaul]

Thanks, @fjuma and @darranl for your review.
I have addressed your comments on this PR.

[fjuma]

Thanks very much for the updates @PrarthonaPaul! I've added some comments.

[fjuma]

Just wondering if we could rename this so the difference between this one and the existing JWKPublicKeyLocator class is more obvious. Maybe JWKEncPublicKeyLocator? WDYT?

We should also update the javadoc accordingly to indicate that this locator dynamically obtains the public key to use for encryption.

[fjuma]

This could be removed (since it's just the default no-arg constructor).

[fjuma]

Should add a trace log message at the beginning like the one here:

wildfly-elytron/http/oidc/src/main/java/org/wildfly/security/http/oidc/JWKPublicKeyLocator.java

Line 90 in 0dba5eb

if (log.isTraceEnabled()) {

[fjuma]

Looks like the kid that will end up being passed in is "enc" but am wondering if that's something that we can rely on. Shouldn't we be filtering for encryption keys using something like JsonWebKeySetUtil.getKeysForUse(jwks, JWK.Use.ENC)? The kid can be any value right?

[PrarthonaPaul]

Since this function is only called within the elytron Oidc code, and it is not dependent on any user input, could there be cases where kid would not be JWK.Use.ENC?

[fjuma]

Just realized I misread this a bit. The kid stands for key identifier and this is something that would be specified by the OpenID provider in their JWKS, we don't have control over this. So when I saw the kid being set to enc in the other file, I assumed that we were going to search for a key identifier with value enc. But here, I see that the enc value is actually being used to check the getPublicKeyUse() value which is what the method I suggested to use makes use of. Because this public key locator class is going to be used specifically for locating the encryption key, it doesn't need to be a parameter that's passed in. Take a look at the existing locator implementation to see how we make use of the JsonWebKeySetUtil.getKeysForUse method there, we can do something similar here. The main difference is just the JWK.Use value that is used. Here we'll use JWK.Use.ENC.

[fjuma]

Does this need to be public?

[fjuma]

Very minor, extra space before the closing bracket.

[fjuma]

s/Encrypt/Encryption here and below?

[fjuma]

Can we make this log message more specific? e.g., it would be good to indicate there was an issue with sending the request to the OpenID provider's pushed authorization request endpoint.

[fjuma]

s/pass/requestObjectSigningKeyStorePass

[fjuma]

s/pass/requestObjectSigningKeyPassword

s/requestObjectSigningKeyPass/requestObjectSigningKeyPassword

[fjuma]

s/type/requestObjectSigningKeyStoreType

[fjuma]

s/alias/requestObjectSigningKeyAlias

[fjuma]

s/url/pushedAuthorizationRequestEndpoint

[fjuma]

It's good to be consistent with the JSON config option that will be used to configure this. It looks like we use signing there as opposed to signature, right? If so, we should update this.

[fjuma]

Should this be getRequestObjectEncryptionAlgorithm?

[fjuma]

Signing?

[fjuma]

Signing?

[fjuma]

Signing?

[fjuma]

Encryption?

[fjuma]

s/requestObjectContentEncryptionMethod/requestObjectContentEncryptionAlgorithm?

It's good for the variable name to be consistent with the configuration option.

[fjuma]

Just looking closer in the OIDC spec and I don't see references to "request object content encryption methods". Am just wondering if from a usability perspective, it will be confusing to determine what values should be specified for request-object-encryption-algorithm vs. request-object-content-encryption-algorithm. Do you recall the rationale for these names?

[fjuma]

Was just reviewing the analysis doc and see that we picked these names to match the Keycloak options in their console. However, it doesn't look like the OIDC spec uses the same terminology.

[fjuma]

Maybe we could use something like request-object-encryption-enc-value and request-object-encryption-alg-value to more closely align with the spec? WDYT?

[fjuma]

s/type/requestObjectSigningKeyStoreType

[fjuma]

Same here.

[fjuma]

Encryption?

[fjuma]

Should this be getRequestObjectContentEncryptionAlgorithm?

[fjuma]

Same here.

[fjuma]

Is this needed here?

[fjuma]

What happens if additional scopes have been configured?

[fjuma]

From the spec, "the aud value SHOULD be or include the OP's Issuer Identifier URL". So getIssuerUrl should be used here.

[fjuma]

Looks like the iss and aud claims should be included if the request object will be signed.

[fjuma]

From the spec, "the iss value SHOULD be the Client ID of the RP, unless it was signed by a different party than the RP". So here, we can use getResourceName.

[fjuma]

Can it be the empty string? Is that a valid value?