fix: Keycloak OAuth Provider (supabase#371)

* Keycloak OAuth Provider

* Update README.md

* Removed the usage of chooseHost to keep things clear

* Allow to use the Keyloak provider in an ID Token grant flow

* fix tests

Co-authored-by: Kang Ming <kang.ming1996@gmail.com>

Author: 2 people

README.md

@@ -197,7 +197,7 @@ The default group to assign all new users to.
 
 ### External Authentication Providers
 
-We support `apple`, `azure`, `bitbucket`, `discord`, `facebook`, `github`, `gitlab`, `google`, `linkedin`, `notion`, `spotify`, `slack`, `twitch`, `twitter` and `workos` for external authentication.
+We support `apple`, `azure`, `bitbucket`, `discord`, `facebook`, `github`, `gitlab`, `google`, `keycloak`, `linkedin`, `notion`, `spotify`, `slack`, `twitch`, `twitter` and `workos` for external authentication.
 
 Use the names as the keys underneath `external` to configure each separately.
 
@@ -228,7 +228,7 @@ The URI a OAuth2 provider will redirect to with the `code` and `state` values.
 
 `EXTERNAL_X_URL` - `string`
 
-The base URL used for constructing the URLs to request authorization and access tokens. Used by `gitlab` only. Defaults to `https://gitlab.com`.
+The base URL used for constructing the URLs to request authorization and access tokens. Used by `gitlab` and `keycloak`. For `gitlab` it defaults to `https://gitlab.com`. For `keycloak` you need to set this to your instance, for example: `https://keycloak.example.com/auth/realms/myrealm`
 
 #### Apple OAuth
 
@@ -513,6 +513,7 @@ Returns the publicly available settings for this gotrue instance.
     "github": true,
     "gitlab": true,
     "google": true,
+    "keycloak": true,
     "linkedin": true,
     "notion": true,
     "slack": true,
@@ -927,7 +928,8 @@ Get access_token from external oauth provider
 query params:
 
 ```
-provider=apple | azure | bitbucket | discord | facebook | github | gitlab | google | linkedin | notion | slack | spotify | twitch | twitter | workos
+provider=apple | azure | bitbucket | discord | facebook | github | gitlab | google | keycloak | linkedin | notion | slack | spotify | twitch | twitter | workos
+
 scopes=<optional additional scopes depending on the provider (email and name are requested by default)>
 ```
 

api/external.go

@@ -403,6 +403,8 @@ func (a *API) Provider(ctx context.Context, name string, scopes string, query *u
 		return provider.NewGitlabProvider(config.External.Gitlab, scopes)
 	case "google":
 		return provider.NewGoogleProvider(config.External.Google, scopes)
+	case "keycloak":
+		return provider.NewKeycloakProvider(config.External.Keycloak, scopes)
 	case "linkedin":
 		return provider.NewLinkedinProvider(config.External.Linkedin, scopes)
 	case "facebook":

api/external_keycloak_test.go

@@ -0,0 +1,182 @@
+package api
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+
+	jwt "github.com/golang-jwt/jwt"
+)
+
+const (
+	keycloakUser        string = `{"sub": "keycloaktestid", "name": "Keycloak Test", "email": "keycloak@example.com", "preferred_username": "keycloak", "email_verified": true}`
+	keycloakUserNoEmail string = `{"sub": "keycloaktestid", "name": "Keycloak Test", "preferred_username": "keycloak", "email_verified": false}`
+)
+
+func (ts *ExternalTestSuite) TestSignupExternalKeycloak() {
+	req := httptest.NewRequest(http.MethodGet, "http://localhost/authorize?provider=keycloak", nil)
+	w := httptest.NewRecorder()
+	ts.API.handler.ServeHTTP(w, req)
+	ts.Require().Equal(http.StatusFound, w.Code)
+	u, err := url.Parse(w.Header().Get("Location"))
+	ts.Require().NoError(err, "redirect url parse failed")
+	q := u.Query()
+	ts.Equal(ts.Config.External.Keycloak.RedirectURI, q.Get("redirect_uri"))
+	ts.Equal(ts.Config.External.Keycloak.ClientID, q.Get("client_id"))
+	ts.Equal("code", q.Get("response_type"))
+	ts.Equal("profile email", q.Get("scope"))
+
+	claims := ExternalProviderClaims{}
+	p := jwt.Parser{ValidMethods: []string{jwt.SigningMethodHS256.Name}}
+	_, err = p.ParseWithClaims(q.Get("state"), &claims, func(token *jwt.Token) (interface{}, error) {
+		return []byte(ts.Config.JWT.Secret), nil
+	})
+	ts.Require().NoError(err)
+
+	ts.Equal("keycloak", claims.Provider)
+	ts.Equal(ts.Config.SiteURL, claims.SiteURL)
+}
+
+func KeycloakTestSignupSetup(ts *ExternalTestSuite, tokenCount *int, userCount *int, code string, user string) *httptest.Server {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/protocol/openid-connect/token":
+			*tokenCount++
+			ts.Equal(code, r.FormValue("code"))
+			ts.Equal("authorization_code", r.FormValue("grant_type"))
+			ts.Equal(ts.Config.External.Keycloak.RedirectURI, r.FormValue("redirect_uri"))
+
+			w.Header().Add("Content-Type", "application/json")
+			fmt.Fprint(w, `{"access_token":"keycloak_token","expires_in":100000}`)
+		case "/protocol/openid-connect/userinfo":
+			*userCount++
+			w.Header().Add("Content-Type", "application/json")
+			fmt.Fprint(w, user)
+		default:
+			w.WriteHeader(500)
+			ts.Fail("unknown keycloak oauth call %s", r.URL.Path)
+		}
+	}))
+
+	ts.Config.External.Keycloak.URL = server.URL
+
+	return server
+}
+
+func (ts *ExternalTestSuite) TestSignupExternalKeycloakWithoutURLSetup() {
+	ts.createUser("keycloaktestid", "keycloak@example.com", "Keycloak Test", "", "")
+	tokenCount, userCount := 0, 0
+	code := "authcode"
+	server := KeycloakTestSignupSetup(ts, &tokenCount, &userCount, code, keycloakUser)
+	ts.Config.External.Keycloak.URL = ""
+	defer server.Close()
+
+	w := performAuthorizationRequest(ts, "keycloak", code)
+	ts.Equal(w.Code, http.StatusBadRequest)
+}
+
+func (ts *ExternalTestSuite) TestSignupExternalKeycloak_AuthorizationCode() {
+	ts.Config.DisableSignup = false
+	ts.createUser("keycloaktestid", "keycloak@example.com", "Keycloak Test", "http://example.com/avatar", "")
+	tokenCount, userCount := 0, 0
+	code := "authcode"
+	server := KeycloakTestSignupSetup(ts, &tokenCount, &userCount, code, keycloakUser)
+	defer server.Close()
+
+	u := performAuthorization(ts, "keycloak", code, "")
+
+	assertAuthorizationSuccess(ts, u, tokenCount, userCount, "keycloak@example.com", "Keycloak Test", "keycloaktestid", "http://example.com/avatar")
+}
+
+func (ts *ExternalTestSuite) TestSignupExternalKeycloakDisableSignupErrorWhenNoUser() {
+	ts.Config.DisableSignup = true
+	tokenCount, userCount := 0, 0
+	code := "authcode"
+	server := KeycloakTestSignupSetup(ts, &tokenCount, &userCount, code, keycloakUser)
+	defer server.Close()
+
+	u := performAuthorization(ts, "keycloak", code, "")
+
+	assertAuthorizationFailure(ts, u, "Signups not allowed for this instance", "access_denied", "keycloak@example.com")
+}
+
+func (ts *ExternalTestSuite) TestSignupExternalKeycloakDisableSignupErrorWhenNoEmail() {
+	ts.Config.DisableSignup = true
+	tokenCount, userCount := 0, 0
+	code := "authcode"
+	server := KeycloakTestSignupSetup(ts, &tokenCount, &userCount, code, keycloakUserNoEmail)
+	defer server.Close()
+
+	u := performAuthorization(ts, "keycloak", code, "")
+
+	assertAuthorizationFailure(ts, u, "Error getting user email from external provider", "server_error", "keycloak@example.com")
+
+}
+
+func (ts *ExternalTestSuite) TestSignupExternalKeycloakDisableSignupSuccessWithPrimaryEmail() {
+	ts.Config.DisableSignup = true
+
+	ts.createUser("keycloaktestid", "keycloak@example.com", "Keycloak Test", "http://example.com/avatar", "")
+
+	tokenCount, userCount := 0, 0
+	code := "authcode"
+	server := KeycloakTestSignupSetup(ts, &tokenCount, &userCount, code, keycloakUser)
+	defer server.Close()
+
+	u := performAuthorization(ts, "keycloak", code, "")
+
+	assertAuthorizationSuccess(ts, u, tokenCount, userCount, "keycloak@example.com", "Keycloak Test", "keycloaktestid", "http://example.com/avatar")
+}
+
+func (ts *ExternalTestSuite) TestInviteTokenExternalKeycloakSuccessWhenMatchingToken() {
+	// name and avatar should be populated from Keycloak API
+	ts.createUser("keycloaktestid", "keycloak@example.com", "", "http://example.com/avatar", "invite_token")
+
+	tokenCount, userCount := 0, 0
+	code := "authcode"
+	server := KeycloakTestSignupSetup(ts, &tokenCount, &userCount, code, keycloakUser)
+	defer server.Close()
+
+	u := performAuthorization(ts, "keycloak", code, "invite_token")
+
+	assertAuthorizationSuccess(ts, u, tokenCount, userCount, "keycloak@example.com", "Keycloak Test", "keycloaktestid", "http://example.com/avatar")
+}
+
+func (ts *ExternalTestSuite) TestInviteTokenExternalKeycloakErrorWhenNoMatchingToken() {
+	tokenCount, userCount := 0, 0
+	code := "authcode"
+	keycloakUser := `{"name":"Keycloak Test","avatar":{"href":"http://example.com/avatar"}}`
+	server := KeycloakTestSignupSetup(ts, &tokenCount, &userCount, code, keycloakUser)
+	defer server.Close()
+
+	w := performAuthorizationRequest(ts, "keycloak", "invite_token")
+	ts.Require().Equal(http.StatusNotFound, w.Code)
+}
+
+func (ts *ExternalTestSuite) TestInviteTokenExternalKeycloakErrorWhenWrongToken() {
+	ts.createUser("keycloaktestid", "keycloak@example.com", "", "", "invite_token")
+
+	tokenCount, userCount := 0, 0
+	code := "authcode"
+	keycloakUser := `{"name":"Keycloak Test","avatar":{"href":"http://example.com/avatar"}}`
+	server := KeycloakTestSignupSetup(ts, &tokenCount, &userCount, code, keycloakUser)
+	defer server.Close()
+
+	w := performAuthorizationRequest(ts, "keycloak", "wrong_token")
+	ts.Require().Equal(http.StatusNotFound, w.Code)
+}
+
+func (ts *ExternalTestSuite) TestInviteTokenExternalKeycloakErrorWhenEmailDoesntMatch() {
+	ts.createUser("keycloaktestid", "keycloak@example.com", "", "", "invite_token")
+
+	tokenCount, userCount := 0, 0
+	code := "authcode"
+	keycloakUser := `{"name":"Keycloak Test", "email":"other@example.com", "avatar":{"href":"http://example.com/avatar"}}`
+	server := KeycloakTestSignupSetup(ts, &tokenCount, &userCount, code, keycloakUser)
+	defer server.Close()
+
+	u := performAuthorization(ts, "keycloak", code, "invite_token")
+
+	assertAuthorizationFailure(ts, u, "Invited email does not match emails from external provider", "invalid_request", "")
+}

api/provider/keycloak.go

@@ -0,0 +1,98 @@
+package provider
+
+import (
+	"context"
+	"errors"
+	"strings"
+
+	"github.com/netlify/gotrue/conf"
+	"golang.org/x/oauth2"
+)
+
+// Keycloak
+type keycloakProvider struct {
+	*oauth2.Config
+	Host string
+}
+
+type keycloakUser struct {
+	Name          string `json:"name"`
+	Sub           string `json:"sub"`
+	Email         string `json:"email"`
+	EmailVerified bool   `json:"email_verified"`
+}
+
+// NewKeycloakProvider creates a Keycloak account provider.
+func NewKeycloakProvider(ext conf.OAuthProviderConfiguration, scopes string) (OAuthProvider, error) {
+	if err := ext.Validate(); err != nil {
+		return nil, err
+	}
+
+	oauthScopes := []string{
+		"profile",
+		"email",
+	}
+
+	if scopes != "" {
+		oauthScopes = append(oauthScopes, strings.Split(scopes, ",")...)
+	}
+
+	if ext.URL == "" {
+		return nil, errors.New("Unable to find URL for the Keycloak provider")
+	}
+
+	extURLlen := len(ext.URL)
+	if ext.URL[extURLlen-1] == '/' {
+		ext.URL = ext.URL[:extURLlen-1]
+	}
+
+	return &keycloakProvider{
+		Config: &oauth2.Config{
+			ClientID:     ext.ClientID,
+			ClientSecret: ext.Secret,
+			Endpoint: oauth2.Endpoint{
+				AuthURL:  ext.URL + "/protocol/openid-connect/auth",
+				TokenURL: ext.URL + "/protocol/openid-connect/token",
+			},
+			RedirectURL: ext.RedirectURI,
+			Scopes:      oauthScopes,
+		},
+		Host: ext.URL,
+	}, nil
+}
+
+func (g keycloakProvider) GetOAuthToken(code string) (*oauth2.Token, error) {
+	return g.Exchange(oauth2.NoContext, code)
+}
+
+func (g keycloakProvider) GetUserData(ctx context.Context, tok *oauth2.Token) (*UserProvidedData, error) {
+	var u keycloakUser
+
+	if err := makeRequest(ctx, tok, g.Config, g.Host+"/protocol/openid-connect/userinfo", &u); err != nil {
+		return nil, err
+	}
+
+	if u.Email == "" {
+		return nil, errors.New("Unable to find email with Keycloak provider")
+	}
+
+	return &UserProvidedData{
+		Metadata: &Claims{
+			Issuer:        g.Host,
+			Subject:       u.Sub,
+			Name:          u.Name,
+			Email:         u.Email,
+			EmailVerified: u.EmailVerified,
+
+			// To be deprecated
+			FullName:   u.Name,
+			ProviderId: u.Sub,
+		},
+		Emails: []Email{{
+			Email:    u.Email,
+			Verified: u.EmailVerified,
+			Primary:  true,
+		}},
+	}, nil
+
+}

api/settings.go

@@ -9,6 +9,7 @@ type ProviderSettings struct {
 	Discord   bool `json:"discord"`
 	GitHub    bool `json:"github"`
 	GitLab    bool `json:"gitlab"`
+	Keycloak  bool `json:"keycloak"`
 	Google    bool `json:"google"`
 	Linkedin  bool `json:"linkedin"`
 	Facebook  bool `json:"facebook"`
@@ -49,6 +50,7 @@ func (a *API) Settings(w http.ResponseWriter, r *http.Request) error {
 			GitHub:    config.External.Github.Enabled,
 			GitLab:    config.External.Gitlab.Enabled,
 			Google:    config.External.Google.Enabled,
+			Keycloak:  config.External.Keycloak.Enabled,
 			Linkedin:  config.External.Linkedin.Enabled,
 			Facebook:  config.External.Facebook.Enabled,
 			Notion:    config.External.Notion.Enabled,

api/settings_test.go

@@ -36,6 +36,7 @@ func TestSettings_DefaultProviders(t *testing.T) {
 	require.True(t, p.Spotify)
 	require.True(t, p.Slack)
 	require.True(t, p.Google)
+	require.True(t, p.Keycloak)
 	require.True(t, p.Linkedin)
 	require.True(t, p.GitHub)
 	require.True(t, p.GitLab)

api/token.go

@@ -90,6 +90,10 @@ func (p *IdTokenGrantParams) getVerifier(ctx context.Context) (*oidc.IDTokenVeri
 		oAuthProvider = config.External.Google
 		oAuthProviderClientId = oAuthProvider.ClientID
 		provider, err = oidc.NewProvider(ctx, "https://accounts.google.com")
+	case "keycloak":
+		oAuthProvider = config.External.Keycloak
+		oAuthProviderClientId = oAuthProvider.ClientID
+		provider, err = oidc.NewProvider(ctx, oAuthProvider.URL)
 	default:
 		return nil, fmt.Errorf("Provider %s doesn't support the id_token grant flow", p.Provider)
 	}

conf/configuration.go

@@ -95,6 +95,7 @@ type ProviderConfiguration struct {
 	Gitlab      OAuthProviderConfiguration `json:"gitlab"`
 	Google      OAuthProviderConfiguration `json:"google"`
 	Notion      OAuthProviderConfiguration `json:"notion"`
+	Keycloak    OAuthProviderConfiguration `json:"keycloak"`
 	Linkedin    OAuthProviderConfiguration `json:"linkedin"`
 	Spotify     OAuthProviderConfiguration `json:"spotify"`
 	Slack       OAuthProviderConfiguration `json:"slack"`

example.env

@@ -126,6 +126,13 @@ GOTRUE_EXTERNAL_SPOTIFY_CLIENT_ID=""
 GOTRUE_EXTERNAL_SPOTIFY_SECRET=""
 GOTRUE_EXTERNAL_SPOTIFY_REDIRECT_URI="http://localhost:9999/callback"
 
+# Keycloak OAuth config
+GOTRUE_EXTERNAL_KEYCLOAK_ENABLED="false"
+GOTRUE_EXTERNAL_KEYCLOAK_CLIENT_ID=""
+GOTRUE_EXTERNAL_KEYCLOAK_SECRET=""
+GOTRUE_EXTERNAL_KEYCLOAK_REDIRECT_URI="http://localhost:9999/callback"
+GOTRUE_EXTERNAL_KEYCLOAK_URL="https://keycloak.example.com/auth/realms/myrealm"
+
 # Linkedin OAuth config
 GOTRUE_EXTERNAL_LINKEDIN_ENABLED="true"
 GOTRUE_EXTERNAL_LINKEDIN_CLIENT_ID=""

hack/test.env

@@ -37,6 +37,11 @@ GOTRUE_EXTERNAL_GITHUB_ENABLED=true
 GOTRUE_EXTERNAL_GITHUB_CLIENT_ID=testclientid
 GOTRUE_EXTERNAL_GITHUB_SECRET=testsecret
 GOTRUE_EXTERNAL_GITHUB_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_KEYCLOAK_ENABLED=true
+GOTRUE_EXTERNAL_KEYCLOAK_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_KEYCLOAK_SECRET=testsecret
+GOTRUE_EXTERNAL_KEYCLOAK_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_KEYCLOAK_URL=https://keycloak.example.com/auth/realms/myrealm
 GOTRUE_EXTERNAL_LINKEDIN_ENABLED=true
 GOTRUE_EXTERNAL_LINKEDIN_CLIENT_ID=testclientid
 GOTRUE_EXTERNAL_LINKEDIN_SECRET=testsecret