workaround for token exchange

Author: ikethecoder

src/package-lock.json

@@ -63,7 +63,7 @@
     "@chakra-ui/react": "^1.6.0",
     "@emotion/react": "^11.4.1",
     "@emotion/styled": "^11.3.0",
-    "@keycloak/keycloak-admin-client": "^17.0.0-dev.26",
+    "@keycloak/keycloak-admin-client": "^17.0.1",
     "@keystone-next/admin-ui": "^7.0.0",
     "@keystonejs/access-control": "^7.1.1",
     "@keystonejs/adapter-mongoose": "^11.2.2",

src/package.json

@@ -33,6 +33,7 @@ export interface ClientRegistration {
   clientId: string;
   clientSecret?: string;
   enabled?: boolean;
+  attributes?: { [key: string]: string };
 }
 
 export enum ClientAuthenticator {

src/services/keycloak/client-registration-service.ts

@@ -1,65 +1,65 @@
 
 export const clientTemplateClientCertificate = JSON.stringify({
-  clientId: '',
-  name: '',
-  description: '',
-  surrogateAuthRequired: false,
-  enabled: false,
+  access: { view: true, configure: true, manage: true },
   alwaysDisplayInConsole: false,
-  clientAuthenticatorType: 'client-x509',
-  redirectUris: ['http://*', 'https://*'],
-  webOrigins: ['*'],
-  notBefore: 0,
-  bearerOnly: false,
-  consentRequired: false,
-  standardFlowEnabled: true,
-  implicitFlowEnabled: false,
-  directAccessGrantsEnabled: false,
-  serviceAccountsEnabled: true,
-  publicClient: false,
-  frontchannelLogout: false,
-  protocol: 'openid-connect',
+  authenticationFlowBindingOverrides: {},
   attributes: {
-    "request.object.signature.alg": "any",
-    "saml.multivalued.roles": "false",
-    "saml.force.post.binding": "false",
-    "oauth2.device.authorization.grant.enabled": "false",
-    "backchannel.logout.revoke.offline.tokens": "false",
-    "saml.server.signature.keyinfo.ext": "false",
-    "use.refresh.tokens": "true",
-    "realm_client": "false",
-    "oidc.ciba.grant.enabled": "false",
-    "backchannel.logout.session.required": "true",
-    "client_credentials.use_refresh_token": "false",
-    "saml.client.signature": "false",
-    "require.pushed.authorization.requests": "false",
-    "request.object.encryption.enc": "any",
-    "dpop.bound.access.tokens": "false",
-    "saml.assertion.signature": "false",
-    "x509.subjectdn": "",
+    "acr.loa.map": "{}",
+    "access.token.header.type.rfc9068": false,
+    "backchannel.logout.revoke.offline.tokens": false,
+    "backchannel.logout.session.required": true,
+    "client.introspection.response.allow.jwt.claim.enabled": false,
+    "client.use.lightweight.access.token.enabled": false,
+    "client_credentials.use_refresh_token": false,
+    "display.on.consent.screen": false,
+    "dpop.bound.access.tokens": false,
+    "exclude.session.state.from.auth.response": false,
+    "oauth2.device.authorization.grant.enabled": false,
+    "oidc.ciba.grant.enabled": false,
+    "realm_client": false,
     "request.object.encryption.alg": "any",
-    "client.introspection.response.allow.jwt.claim.enabled": "false",
-    "saml.encrypt": "false",
-    "standard.token.exchange.enabled": "true",
-    "saml.server.signature": "false",
-    "exclude.session.state.from.auth.response": "false",
-    "client.use.lightweight.access.token.enabled": "false",
+    "request.object.encryption.enc": "any",
     "request.object.required": "not required",
-    "saml_force_name_id_format": "false",
-    "access.token.header.type.rfc9068": "false",
-    "acr.loa.map": "{}",
-    "tls.client.certificate.bound.access.tokens": "true",
-    "saml.authnstatement": "false",
-    "display.on.consent.screen": "false",
-    "x509.allow.regex.pattern.comparison": "false",
-    "token.response.type.bearer.lower-case": "false",
-    "saml.onetimeuse.condition": "false"
+    "request.object.signature.alg": "any",
+    "require.pushed.authorization.requests": false,
+    "saml.client.signature": false,
+    "saml.encrypt": false,
+    "saml.assertion.signature": false,
+    "saml.authnstatement": false,
+    "saml.force.post.binding": false,
+    "saml.multivalued.roles": false,
+    "saml.onetimeuse.condition": false,
+    "saml.server.signature": false,
+    "saml.server.signature.keyinfo.ext": false,
+    "saml_force_name_id_format": false,
+    "standard.token.exchange.enabled": true,
+    "tls.client.certificate.bound.access.tokens": true,
+    "token.response.type.bearer.lower-case": false,
+    "use.refresh.tokens": true,
+    "x509.allow.regex.pattern.comparison": false,
+    "x509.subjectdn": ""
   },
-  authenticationFlowBindingOverrides: {},
+  bearerOnly: false,
+  clientAuthenticatorType: 'client-x509',
+  clientId: '',
+  consentRequired: false,
+  defaultClientScopes: [] as string[],
+  description: '',
+  directAccessGrantsEnabled: false,
+  enabled: false,
+  frontchannelLogout: false,
   fullScopeAllowed: false,
+  implicitFlowEnabled: false,
+  name: '',
   nodeReRegistrationTimeout: -1,
-  protocolMappers: [] as any[],
-  defaultClientScopes: [] as string[],
+  notBefore: 0,
   optionalClientScopes: [] as string[],
-  access: { view: true, configure: true, manage: true },
+  protocol: 'openid-connect',
+  protocolMappers: [] as any[],
+  publicClient: false,
+  redirectUris: ['http://*', 'https://*'],
+  serviceAccountsEnabled: false,
+  standardFlowEnabled: true,
+  surrogateAuthRequired: false,
+  webOrigins: ['*'],
 });

src/services/keycloak/templates/client-template-client-certificate.ts

@@ -90,6 +90,7 @@ export async function getAccessRequest(context: any, id: string): Promise<Access
           name
           appId
           product {
+            namespace
             openapiSpecs
             name
           }

src/services/keystone/access-request.ts

@@ -346,7 +346,7 @@ async function setupAuthorizationAndEnable(
         : issuerEnvConfig.initialAccessToken;
 
     const controls: RequestControls = {
-      ...{ defaultClientScopes: [] },
+      ...{ defaultClientScopes: [], optionalClientScopes: [] },
       ...setup.controls,
     };
 
@@ -362,11 +362,14 @@ async function setupAuthorizationAndEnable(
       issuerEnvConfig.clientId,
       issuerEnvConfig.clientSecret
     );
-    const clientScopes = controls.defaultClientScopes;
+
+      const optionalClientScopes = controls.optionalClientScopes;
+
+    const defaultClientScopes = controls.defaultClientScopes;
     if (controls.roles) {
-      clientScopes.push('roles');
+      defaultClientScopes.push('roles');
     }
-    await kcClientService.syncAndApply(clientId, clientScopes, []);
+    await kcClientService.syncAndApply(clientId, defaultClientScopes, optionalClientScopes);
 
     if (controls.roles) {
       const clientRolesService = new KeycloakClientRolesService(

src/services/workflow/apply.ts

@@ -19,6 +19,9 @@ import {
 } from './types';
 import { ClientAuthenticator } from '../keycloak/client-registration-service';
 import { genClientId } from './client-shared-idp';
+import { Logger } from '../../logger';
+
+const logger = Logger('wf.ClientCreds');
 
 /**
  * Steps:
@@ -77,15 +80,17 @@ export async function registerClient(
 
   // Find the Client ID for the ProductEnvironment - that will be used to associated the clientRoles
 
-  // lookup Application and use the ID to make sure a corresponding Consumer exists (1 -- 1)
-  const client = await new KeycloakClientRegistrationService(
+  const regService = new KeycloakClientRegistrationService(
     issuerEnvConfig.issuerUrl,
     openid.registration_endpoint,
     token
-  ).clientRegistration(
+  );
+
+  // lookup Application and use the ID to make sure a corresponding Consumer exists (1 -- 1)
+  const client = await regService.clientRegistration(
     <ClientAuthenticator>issuer.clientAuthenticator,
     newClientId,
-    '',
+    controls.clientName || "", // if no client name provided, use the clientId
     uuidv4(),
     controls.clientCertificate,
     controls.subjectDn,
@@ -95,6 +100,18 @@ export async function registerClient(
   );
   assert.strictEqual(client.clientId, newClientId);
 
+  if (issuer.clientAuthenticator === "client-certificate") {
+    logger.warn("Workaround to set standard.token.exchange.enabled for client-certificate - not setting on creation");
+    regService.updateClientRegistration(newClientId, {
+      clientId: newClientId,
+      attributes: {
+        "standard.token.exchange.enabled": 'true',
+        "tls.client.certificate.bound.access.tokens": 'true',
+        //"dpop.bound.access.tokens": 'true',
+      }
+    })
+  }
+
   return {
     openid,
     client,

src/services/workflow/client-credentials.ts

@@ -45,8 +45,9 @@ export interface SubjectIdentity {
   email?: string;
 }
 export interface RequestControls {
+  clientName?: string;
   defaultClientScopes?: string[];
-  defaultOptionalScopes?: string[];
+  optionalClientScopes?: string[];
   roles?: string[];
   aclGroups?: string[];
   plugins?: ConsumerPlugin[];

src/services/workflow/types.ts

@@ -24,6 +24,7 @@ kubectl port-forward -n 1d4461-prod service/bcgov-aps-portal-feeder-generic-api
 
 export FEEDER_URL=http://localhost:6767
 
+
 // userId is needed for Legal
 // namespace has to match requesting product if not published
 
@@ -66,26 +67,28 @@ import {
   });
 
   // o(await getOrganizations(ctx));
+  const app = await createApplication(ctx, {
+    name: 'App ' + new Date().toISOString(),
+    description: 'App Desc',
+    ownerId: userId,
+  });
+
+  const controls = {
+    clientName: app.name,
+    subjectDn: 'CN=my-site',
+    //defaultClientScopes: [],
+    optionalClientScopes: ['user/Test1'],
+  };
 
   const accessRequestData = {
     acceptLegal: false,
     additionalDetails: 'here is some additional details',
-    //applicationId: '5', // App2
-    //controls: '{"clientGenCertificate":false,"jwksUrl":"","clientCertificate":""}',
-    controls: JSON.stringify({ jwksUrl: '', subjectDn: 'CN=my-site' }),
+    controls: JSON.stringify(controls),
     name: 'Sample API FOR Cope, Aidan CITZ:EX',
     productEnvironmentId: '13',
     requestor: userId,
   } as any;
 
-  // userId is needed for Legal
-
-  const app = await createApplication(ctx, {
-    name: 'App ' + new Date().toISOString(),
-    description: 'App Desc',
-    ownerId: userId,
-  });
-
   accessRequestData.applicationId = app.id;
 
   const result = await addAccessRequest(ctx, accessRequestData);
@@ -95,27 +98,15 @@ import {
   const credDetails = JSON.parse(creds.credential);
   o(credDetails);
 
-  //   query
-  // :
-  // "\n  mutation SaveConsumerLabels($consumerId: ID!, $labels: [JSON]) {\n    saveConsumerLabels(consumerId: $consumerId, labels: $labels)\n  }\n"
-  // variables
-  // :
-  // {consumerId: "27",…}
-  // consumerId
-  // :
-  // "27"
-  // labels
-  // :
-  // [{labelGroup: "Priority", values: ["Mister"]}, {labelGroup: "", values: []}]
+  const request = await getAccessRequest(ctx, result.id);
+  o(request);
 
   const labels = [
     { labelGroup: 'sdx-member', values: ['/MIN/CITZ'] },
     { labelGroup: 'sdx-res-locator', values: ['/LAB/MIN/CITZ/MYSVC-API'] },
+    { labelGroup: "application", values: [app.name] }
   ];
 
-  const request = await getAccessRequest(ctx, result.id);
-  o(request);
-
   await saveConsumerLabels(ctx, ns, request.serviceAccess.consumer.id, labels);
 
   // const revoke = await revokeAllConsumerAccess(ctx, ns, request.serviceAccess.id);
@@ -124,15 +115,6 @@ import {
   // const revoke = await deleteServiceAccess(ctx, request.serviceAccess.id);
   // o(revoke);
 
-  // flow: client-credentials
-  // clientId: 50C1D755-945C1E80ABB
-  // clientSecret: null
-  // issuer: null
-  // tokenEndpoint: >-
-  //   https://sdx-authz-apps-gov-bc-ca-lab.apps.gov.bc.ca/auth/realms/sdx/protocol/openid-connect/token
-  // clientPublicKey: null
-  // clientPrivateKey: null
-
   // const serviceAccess = await getOpenAccessRequestsByConsumer(
   //   ctx,
   //   ns,