Merge pull request #2 from keycloak/master

Latest pull from Upstream Merged by Vikram

.gitignore

@@ -1,3 +1,7 @@
+# OS stuff
+###################
+.DS_Store
+
 # Intellij
 ###################
 .idea
@@ -8,9 +12,9 @@
 .project
 .settings
 .classpath
-# reverting this as e.g. /distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/ 
+# reverting this as e.g. /distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/
 # should not be ignored
-#bin/ 
+#bin/
 .factorypath
 
 

ADOPTERS.md

@@ -25,6 +25,7 @@ List of organization names below is based on information collected using Keycloa
 * DukeCon
 * European Synchrotron Radiation Facility
 * Fluance AG
+* Genchi Genbutsu SRL
 * Hewlett-Packard Enterprise
 * Hitachi
 * INEAT

adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java

@@ -118,15 +118,14 @@ protected boolean corsRequest() {
  if (securityContext != null && origin != null && !origin.equals(requestOrigin)) {
  AccessToken token = securityContext.getToken();
  Set<String> allowedOrigins = token.getAllowedOrigins();
- if (log.isDebugEnabled()) {
-  for (String a : allowedOrigins) log.debug(" " + a);
- }
+
+ log.debugf("Allowed origins in token: %s", allowedOrigins);
+
  if (allowedOrigins == null || (!allowedOrigins.contains("*") && !allowedOrigins.contains(origin))) {
  if (allowedOrigins == null) {
  log.debugv("allowedOrigins was null in token");
  } else {
  log.debugv("allowedOrigins did not contain origin");
-
  }
  facade.getResponse().sendError(403);
  facade.getResponse().end();

adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PathCache.java

@@ -143,6 +143,10 @@ private boolean parkForReadAndCheckInterrupt() {
  return false;
  }
 
+ public int size() {
+ return cache.size();
+ }
+
  private static final class CacheEntry {
 
  final String key;

adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java

@@ -143,7 +143,7 @@ private void loadClaimInformationPointProviders(ServiceLoader<ClaimInformationPo
  }
 
  private Map<String, PathConfig> configurePaths(ProtectedResource protectedResource, PolicyEnforcerConfig enforcerConfig) {
- boolean loadPathsFromServer = true;
+ boolean loadPathsFromServer = !enforcerConfig.getLazyLoadPaths();
 
  for (PathConfig pathConfig : enforcerConfig.getPaths()) {
  if (!PolicyEnforcerConfig.EnforcementMode.DISABLED.equals(pathConfig.getEnforcementMode())) {
@@ -306,6 +306,10 @@ protected Collection<PathConfig> getPaths() {
  return paths.values();
  }
 
+ public PathCache getPathCache() {
+ return pathCache;
+ }
+
  @Override
  protected PathConfig resolvePathConfig(PathConfig originalConfig, String path) {
  if (originalConfig.hasPattern()) {

adapters/oidc/fuse7/pom.xml

@@ -32,7 +32,6 @@
 
  <properties>
  <fuse7.version>7.0.1-SNAPSHOT</fuse7.version>
- <tomcat.version>${tomcat8.version}</tomcat.version>
  <jetty9.version>9.4.2.v20170220</jetty9.version>
  </properties>
 

adapters/oidc/fuse7/tomcat8/pom.xml

@@ -63,7 +63,7 @@
  <dependency>
  <groupId>org.apache.tomcat</groupId>
  <artifactId>tomcat-catalina</artifactId>
- <version>${tomcat.version}</version>
+ <version>${tomcat8.version}</version>
  <scope>provided</scope>
  </dependency>
  </dependencies>

adapters/oidc/js/src/main/resources/keycloak.d.ts

@@ -26,15 +26,16 @@ export = Keycloak;
  * Creates a new Keycloak client instance.
  * @param config Path to a JSON config file or a plain config object.
  */
-declare function Keycloak(config?: string|{}): Keycloak.KeycloakInstance;
+declare function Keycloak<TPromise extends Keycloak.PromiseType = undefined>(config?: string|{}): Keycloak.KeycloakInstance<TPromise>;
 
 declare namespace Keycloak {
  type KeycloakAdapterName = 'cordova' | 'cordova-native' |'default' | any;
  type KeycloakOnLoad = 'login-required'|'check-sso';
  type KeycloakResponseMode = 'query'|'fragment';
  type KeycloakResponseType = 'code'|'id_token token'|'code id_token token';
  type KeycloakFlow = 'standard'|'implicit'|'hybrid';
- type KeycloakPromiseType = 'native'
+ type KeycloakPromiseType = 'native';
+ type KeycloakPkceMethod = 'S256';
 
  interface KeycloakInitOptions {
  /**
@@ -117,6 +118,13 @@ declare namespace Keycloak {
  * Keycloak specific promise objects.
  */
  promiseType?: KeycloakPromiseType;
+
+ /**
+ * Configures the Proof Key for Code Exchange (PKCE) method to use.
+ * The currently allowed method is 'S256'.
+ * If not configured, PKCE will not be used.
+ */
+ pkceMethod?: KeycloakPkceMethod;
  }
 
  interface KeycloakLoginOptions {
@@ -244,11 +252,19 @@ declare namespace Keycloak {
 
  // export interface KeycloakUserInfo {}
 
+ /**
+ * Conditional CompatPromise type in order to support
+ * both legacy promises and native promises as return types.
+ */
+ type PromiseType = KeycloakPromiseType | undefined;
+ type CompatPromise<TPromiseType extends PromiseType, TSuccess, TError> = 
+ TPromiseType extends KeycloakPromiseType ? Promise<TSuccess> : KeycloakPromise<TSuccess, TError>;
+
  /**
  * A client for the Keycloak authentication server.
  * @see {@link https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/javascript-adapter.html|Keycloak JS adapter documentation}
  */
- interface KeycloakInstance {
+ interface KeycloakInstance<TPromise extends PromiseType = undefined> {
  /**
  * Is true if the user is authenticated, false otherwise.
  */
@@ -413,32 +429,32 @@ declare namespace Keycloak {
  * @param initOptions Initialization options.
  * @returns A promise to set functions to be invoked on success or error.
  */
- init(initOptions: KeycloakInitOptions): KeycloakPromise<boolean, KeycloakError>;
+ init(initOptions: KeycloakInitOptions): CompatPromise<TPromise, boolean, KeycloakError>;
 
  /**
  * Redirects to login form.
  * @param options Login options.
  */
- login(options?: KeycloakLoginOptions): KeycloakPromise<void, void>;
+ login(options?: KeycloakLoginOptions): CompatPromise<TPromise, void, void>;
 
  /**
  * Redirects to logout.
  * @param options Logout options.
  * @param options.redirectUri Specifies the uri to redirect to after logout.
  */
- logout(options?: any): KeycloakPromise<void, void>;
+ logout(options?: any): CompatPromise<TPromise, void, void>;
 
  /**
  * Redirects to registration form.
  * @param options Supports same options as Keycloak#login but `action` is
  * set to `'register'`.
  */
- register(options?: any): KeycloakPromise<void, void>;
+ register(options?: any): CompatPromise<TPromise, void, void>;
 
  /**
  * Redirects to the Account Management Console.
  */
- accountManagement(): KeycloakPromise<void, void>;
+ accountManagement(): CompatPromise<TPromise, void, void>;
 
  /**
  * Returns the URL to login form.
@@ -490,7 +506,7 @@ declare namespace Keycloak {
  * alert('Failed to refresh the token, or the session has expired');
  * });
  */
- updateToken(minValidity: number): KeycloakPromise<boolean, boolean>;
+ updateToken(minValidity: number): CompatPromise<TPromise, boolean, boolean>;
 
  /**
  * Clears authentication state, including tokens. This can be useful if
@@ -517,11 +533,11 @@ declare namespace Keycloak {
  * Loads the user's profile.
  * @returns A promise to set functions to be invoked on success or error.
  */
- loadUserProfile(): KeycloakPromise<KeycloakProfile, void>;
+ loadUserProfile(): CompatPromise<TPromise, KeycloakProfile, void>;
 
  /**
  * @private Undocumented.
  */
- loadUserInfo(): KeycloakPromise<{}, void>;
+ loadUserInfo(): CompatPromise<TPromise, {}, void>;
  }
 }