feat: support encryption for IDP userinfo mapper

bcgov · Jul 6, 2024 · 045770c · 045770c
1 parent cd426e2
commit 045770c
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 1 deletion.
diff --git a/.github/workflows/publish-image-rhbk-dev.yml b/.github/workflows/publish-image-rhbk-dev.yml
@@ -51,7 +51,7 @@ jobs:
  with:
  context: docker/keycloak
  push: true
- tags: ${{ env.GITHUB_REGISTRY }}/${{env.IMAGE_NAME}}:dev-rhbk-24
+ tags: ${{ env.GITHUB_REGISTRY }}/${{env.IMAGE_NAME}}:dev-rhbk-nk-24
  file: docker/keycloak/Dockerfile-24
  cache-from: type=local,src=/tmp/.buildx-cache
  cache-to: type=local,dest=/tmp/.buildx-cache-new

diff --git a/...ices/src/main/java/com/github/bcgov/keycloak/protocol/oidc/mappers/IDPUserinfoMapper.java b/...ices/src/main/java/com/github/bcgov/keycloak/protocol/oidc/mappers/IDPUserinfoMapper.java
@@ -11,10 +11,13 @@
 import org.jboss.logging.Logger;
 import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
 import org.keycloak.broker.provider.IdentityBrokerException;
+import org.keycloak.crypto.KeyUse;
 import org.keycloak.crypto.KeyWrapper;
 import org.keycloak.crypto.SignatureProvider;
 import org.keycloak.jose.JOSE;
 import org.keycloak.jose.JOSEParser;
+import org.keycloak.jose.jwe.JWE;
+import org.keycloak.jose.jwe.JWEException;
 import org.keycloak.jose.jws.JWSInput;
 import org.keycloak.keys.loader.PublicKeyStorageManager;
 import org.keycloak.models.*;
@@ -138,6 +141,37 @@ protected void setClaim(
  throw new IdentityBrokerException("Failed to call userinfo endpoint");
  }
 
+ Boolean encryptionExpected = Boolean.parseBoolean(mappingModel.getConfig().get(ENCRYPTION_EXPECTED));
+
+ if (encryptionExpected) {
+ JOSE joseToken = JOSEParser.parse(userinfoResponse);
+ if (joseToken instanceof JWE) {
+ // encrypted JWE token
+ JWE jwe = (JWE) joseToken;
+ try {
+ KeyWrapper key;
+ if (jwe.getHeader().getKeyId() == null) {
+ key = keycloakSession.keys().getActiveKey(keycloakSession.getContext().getRealm(), KeyUse.ENC,
+ jwe.getHeader().getRawAlgorithm());
+ } else {
+ key = keycloakSession.keys().getKey(keycloakSession.getContext().getRealm(), jwe.getHeader().getKeyId(),
+ KeyUse.ENC,
+ jwe.getHeader().getRawAlgorithm());
+ }
+ if (key == null || key.getPrivateKey() == null) {
+ throw new IdentityBrokerException("Private key not found in the realm to decrypt token algorithm "
+ + jwe.getHeader().getRawAlgorithm());
+ }
+
+ jwe.getKeyStorage().setDecryptionKey(key.getPrivateKey());
+ jwe.verifyAndDecodeJwe();
+ userinfoResponse = new String(jwe.getContent(), StandardCharsets.UTF_8);
+ } catch (JWEException e) {
+ throw new IdentityBrokerException("Failed to decrypt userinfo JWT", e);
+ }
+ }
+ }
+
  Boolean signatureExpected = Boolean.parseBoolean(mappingModel.getConfig().get(SIGNATURE_EXPECTED));
 
  if (signatureExpected) {