KEYCLOAK-45 Full authentication if no ACR is requested

.github/workflows/ci-docker.yml

@@ -0,0 +1,34 @@
+name: Docker CI
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  build:
+    name: Build and push docker image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out keycloak/keycloak-containers
+        uses: actions/checkout@v2
+        with:
+          repository: keycloak/keycloak-containers
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: primesign-services
+          password: ${{ secrets.CR_TOKEN }}
+      - name: Build docker image
+        uses: docker/build-push-action@v2
+        with:
+          context: server
+          file: server/Dockerfile
+          push: true
+          build-args: GIT_REPO=primesign/keycloak
+          cache-from: type=registry,ref=primesign/keycloak:latest
+          cache-to: type=inline
+          tags: ghcr.io/primesign/keycloak:latest

adapters/oidc/adapter-core/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>11.0.0-SNAPSHOT</version>
+        <version>11.0.3</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java

@@ -89,7 +89,8 @@ protected boolean abortTokenResponse() {
              return true;
         }
         // Don't allow a CORS request if we're not validating CORS requests.
-        if (!deployment.isCors() && facade.getRequest().getHeader(CorsHeaders.ORIGIN) != null) {
+        String origin = facade.getRequest().getHeader(CorsHeaders.ORIGIN);
+        if (!deployment.isCors() && origin != null && !origin.equals("null")) {
             facade.getResponse().setStatus(200);
             facade.getResponse().end();
             return true;
@@ -101,6 +102,7 @@ protected boolean corsRequest()  {
         if (!deployment.isCors()) return false;
         KeycloakSecurityContext securityContext = facade.getSecurityContext();
         String origin = facade.getRequest().getHeader(CorsHeaders.ORIGIN);
+        origin = "null".equals(origin) ? null : origin;
         String exposeHeaders = deployment.getCorsExposedHeaders();
 
         if (deployment.getPolicyEnforcer() != null) {

adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/PreAuthActionsHandler.java

@@ -103,13 +103,13 @@ public boolean preflightCors() {
         if (!facade.getRequest().getMethod().equalsIgnoreCase("OPTIONS")) {
             return false;
         }
-        if (facade.getRequest().getHeader(CorsHeaders.ORIGIN) == null) {
+        String origin = facade.getRequest().getHeader(CorsHeaders.ORIGIN);
+        if (origin == null || origin.equals("null")) {
             log.debug("checkCorsPreflight: no origin header");
             return false;
         }
         log.debug("Preflight request returning");
         facade.getResponse().setStatus(200);
-        String origin = facade.getRequest().getHeader(CorsHeaders.ORIGIN);
         facade.getResponse().setHeader(CorsHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
         facade.getResponse().setHeader(CorsHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
         String requestMethods = facade.getRequest().getHeader(CorsHeaders.ACCESS_CONTROL_REQUEST_METHOD);

adapters/oidc/adapter-core/src/test/java/org/keycloak/adapters/RefreshableKeycloakSecurityContextTest.java

@@ -1,8 +1,21 @@
 package org.keycloak.adapters;
 
+import org.junit.Assert;
 import org.junit.Test;
+import org.keycloak.KeycloakPrincipal;
+import org.keycloak.KeycloakSecurityContext;
+import org.keycloak.jose.jws.JWSBuilder;
+import org.keycloak.representations.AccessToken;
+import org.keycloak.representations.IDToken;
 import org.keycloak.representations.oidc.TokenMetadataRepresentation;
 
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 
@@ -39,4 +52,63 @@ public void sameIssuedAtAsNotBeforeIsActiveKEYCLOAK10013() {
 		token.issuedAt(5000);
 		assertTrue(sut.isActive());
 	}
+
+	private AccessToken createSimpleToken() {
+		AccessToken token = new AccessToken();
+		token.id("111");
+		token.issuer("http://localhost:8080/auth/acme");
+		token.addAccess("foo").addRole("admin");
+		token.addAccess("bar").addRole("user");
+		return token;
+	}
+
+	@Test
+	public void testSerialization() throws Exception {
+		AccessToken token = createSimpleToken();
+		IDToken idToken = new IDToken();
+
+		idToken.setEmail("joe@email.cz");
+
+		KeyPair keyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
+
+		String encoded = new JWSBuilder()
+				.jsonContent(token)
+				.rsa256(keyPair.getPrivate());
+		String encodedIdToken = new JWSBuilder()
+				.jsonContent(idToken)
+				.rsa256(keyPair.getPrivate());
+
+		KeycloakDeployment keycloakDeployment = new KeycloakDeployment();
+		keycloakDeployment.setNotBefore(5000);
+
+		KeycloakSecurityContext ctx = new RefreshableKeycloakSecurityContext(keycloakDeployment,null, encoded, token,encodedIdToken, null, null);
+		KeycloakPrincipal principal = new KeycloakPrincipal("joe", ctx);
+
+		// Serialize
+		ByteArrayOutputStream bso = new ByteArrayOutputStream();
+		ObjectOutputStream oos = new ObjectOutputStream(bso);
+		oos.writeObject(principal);
+		oos.close();
+
+		// Deserialize
+		byte[] bytes = bso.toByteArray();
+		ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
+		ObjectInputStream ois = new ObjectInputStream(bis);
+		principal = (KeycloakPrincipal)ois.readObject();
+		ctx = principal.getKeycloakSecurityContext();
+		token = ctx.getToken();
+		idToken = ctx.getIdToken();
+
+		System.out.println("Size of serialized principal: " + bytes.length);
+
+		Assert.assertEquals(encoded, ctx.getTokenString());
+		Assert.assertEquals(encodedIdToken, ctx.getIdTokenString());
+		Assert.assertEquals("111", token.getId());
+		Assert.assertEquals("111", token.getId());
+		Assert.assertTrue(token.getResourceAccess("foo").isUserInRole("admin"));
+		Assert.assertTrue(token.getResourceAccess("bar").isUserInRole("user"));
+		Assert.assertEquals("joe@email.cz", idToken.getEmail());
+		Assert.assertEquals("acme", ctx.getRealm());
+		ois.close();
+	}
 }

adapters/oidc/as7-eap6/as7-adapter-spi/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-as7-integration-pom</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>11.0.0-SNAPSHOT</version>
+        <version>11.0.3</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

adapters/oidc/as7-eap6/as7-adapter/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-as7-integration-pom</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>11.0.0-SNAPSHOT</version>
+        <version>11.0.3</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

adapters/oidc/as7-eap6/as7-subsystem/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <groupId>org.keycloak</groupId>
         <artifactId>keycloak-as7-integration-pom</artifactId>
-        <version>11.0.0-SNAPSHOT</version>
+        <version>11.0.3</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 

adapters/oidc/as7-eap6/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>11.0.0-SNAPSHOT</version>
+        <version>11.0.3</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <name>Keycloak AS7 / JBoss EAP 6 Integration</name>

adapters/oidc/fuse7/camel-undertow/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-fuse7-integration-pom</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>11.0.0-SNAPSHOT</version>
+        <version>11.0.3</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

adapters/oidc/fuse7/jetty94/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-fuse7-integration-pom</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>11.0.0-SNAPSHOT</version>
+        <version>11.0.3</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

adapters/oidc/fuse7/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>11.0.0-SNAPSHOT</version>
+        <version>11.0.3</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

adapters/oidc/fuse7/tomcat8/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-fuse7-integration-pom</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>11.0.0-SNAPSHOT</version>
+        <version>11.0.3</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

adapters/oidc/fuse7/undertow/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-fuse7-integration-pom</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>11.0.0-SNAPSHOT</version>
+        <version>11.0.3</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

adapters/oidc/installed/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>11.0.0-SNAPSHOT</version>
+        <version>11.0.3</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

adapters/oidc/jaxrs-oauth-client/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>11.0.0-SNAPSHOT</version>
+        <version>11.0.3</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

adapters/oidc/jetty/jetty-core/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>11.0.0-SNAPSHOT</version>
+        <version>11.0.3</version>
         <relativePath>../../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

adapters/oidc/jetty/jetty9.2/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>11.0.0-SNAPSHOT</version>
+        <version>11.0.3</version>
         <relativePath>../../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

adapters/oidc/jetty/jetty9.3/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>11.0.0-SNAPSHOT</version>
+        <version>11.0.3</version>
         <relativePath>../../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

adapters/oidc/jetty/jetty9.4/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>11.0.0-SNAPSHOT</version>
+        <version>11.0.3</version>
         <relativePath>../../../../pom.xml</relativePath>
     </parent>
     <modelVersion>4.0.0</modelVersion>

adapters/oidc/jetty/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>keycloak-parent</artifactId>
         <groupId>org.keycloak</groupId>
-        <version>11.0.0-SNAPSHOT</version>
+        <version>11.0.3</version>
         <relativePath>../../../pom.xml</relativePath>
     </parent>
     <name>Keycloak Jetty Integration</name>

adapters/oidc/js/pom.xml

@@ -21,7 +21,7 @@
 	<parent>
 		<artifactId>keycloak-parent</artifactId>
 		<groupId>org.keycloak</groupId>
-		<version>11.0.0-SNAPSHOT</version>
+		<version>11.0.3</version>
         <relativePath>../../../pom.xml</relativePath>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>