add keykloak support(2)

zvonand · zvonand · commit 7be0c3c3102b · 2025-09-23T16:06:03.000+02:00
diff --git a/src/Access/AccessTokenProcessor.cpp b/src/Access/AccessTokenProcessor.cpp
@@ -1,5 +1,6 @@
 #include <Access/AccessTokenProcessor.h>
 #include <Common/logger_useful.h>
+#include <Poco/StreamCopier.h>
 #include <picojson/picojson.h>
 #include <jwt-cpp/jwt.h>
 
@@ -128,7 +129,7 @@ std::unique_ptr<IAccessTokenProcessor> IAccessTokenProcessor::parseTokenProcesso
 
             if (is_auto && !is_manual)
             {
-                return std::make_unique<OpenIDAccessTokenProcessor>(name, cache_lifetime, email_regex_str, config.getString(prefix + ".configuration_endpoint"));
+                return std::make_unique<OpenIDAccessTokenProcessor>(name, cache_lifetime, email_regex_str, config.getString(prefix + ".configuration_endpoint"), config.getString(prefix + ".groups_claim_name", ""));
             }
             else if (!is_auto && is_manual)
             {
@@ -335,57 +336,120 @@ String AzureAccessTokenProcessor::validateTokenAndGetUsername(const String & tok
     return getValueByKey(user_info_json, "sub");
 }
 
+
+OpenIDAccessTokenProcessor::OpenIDAccessTokenProcessor(const String & name_,
+                           const UInt64 cache_invalidation_interval_,
+                           const String & email_regex_str,
+                           const String & userinfo_endpoint_,
+                           const String & token_introspection_endpoint_,
+                           const String & jwks_uri_,
+                           const String & groups_claim_name_)
+    : IAccessTokenProcessor(name_, cache_invalidation_interval_, email_regex_str),
+    userinfo_endpoint(userinfo_endpoint_), token_introspection_endpoint(token_introspection_endpoint_), groups_claim_name(groups_claim_name_)
+{
+    if (!jwks_uri_.empty())
+    {
+        jwt_validator.emplace(name_ + "jwks_val", jwks_uri_, cache_invalidation_interval_);
+    }
+}
+
 OpenIDAccessTokenProcessor::OpenIDAccessTokenProcessor(const String & name_,
                            const UInt64 cache_invalidation_interval_,
                            const String & email_regex_str,
-                           const String & openid_config_endpoint_)
+                           const String & openid_config_endpoint_,
+                           const String & groups_claim_name_)
     : IAccessTokenProcessor(name_, cache_invalidation_interval_, email_regex_str)
 {
     const picojson::object openid_config = getObjectFromURI(Poco::URI(openid_config_endpoint_));
 
     if (!openid_config.contains("userinfo_endpoint") || !openid_config.contains("introspection_endpoint"))
         throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "{}: Cannot extract userinfo_endpoint or introspection_endpoint from OIDC configuration, consider manual configuration.", name);
+
+    OpenIDAccessTokenProcessor(name_,
+                               cache_invalidation_interval_,
+                               email_regex_str,
+                               getValueByKey(openid_config, "userinfo_endpoint"),
+                               getValueByKey(openid_config, "introspection_endpoint"),
+                               openid_config.contains("jwks_uri") ? getValueByKey(openid_config, "jwks_uri") : "",
+                               groups_claim_name_);
 }
 
 bool OpenIDAccessTokenProcessor::resolveAndValidate(const TokenCredentials & credentials)
 {
     const String & token = credentials.getToken();
+    String username;
+    picojson::object user_info_json;
 
-    try
+    if (jwt_validator.has_value() && jwt_validator.value().validate("", token, username))
     {
-        String username = validateTokenAndGetUsername(token);
-        if (!username.empty())
+
+        try
         {
-            /// Credentials are passed as const everywhere up the flow, so we have to comply,
-            /// in this case const_cast looks acceptable.
-            const_cast<TokenCredentials &>(credentials).setUserName(username);
+            auto decoded_token = jwt::decode(token);
+            user_info_json = decoded_token.get_payload_json();
+
+            /// TODO: Now we work only with Keycloak -- and it provides expires_at in token itself. Need to add actual token introspection logic for other OIDC providers.
+            if (decoded_token.has_expires_at())
+                const_cast<TokenCredentials &>(credentials).setExpiresAt(decoded_token.get_expires_at());
         }
-        else
-            LOG_TRACE(getLogger("AccessTokenProcessor"), "{}: Failed to get username with token", name);
+        catch (const std::exception & ex)
+        {
+            LOG_TRACE(getLogger("AccessTokenProcessor"), "{}: Failed to process token as JWT: {}", name, ex.what());
+        }
+    }
+
+    /// If username or user info is empty -- local validation failed, trying introspection via provider
+    if (username.empty() || user_info_json.empty())
+    {
+        try
+        {
+            user_info_json = getObjectFromURI(userinfo_endpoint, token);
+            username = getValueByKey(user_info_json, "sub");
+        }
+        catch (...)
+        {
+            return false;
+        }
+    }
 
+    if (user_info_json.empty())
+    {
+        LOG_TRACE(getLogger("AccessTokenProcessor"), "{}: Failed to obtain user info", name);
+        return false;
     }
-    catch (...)
+    else if (username.empty())
     {
+        LOG_TRACE(getLogger("AccessTokenProcessor"), "{}: Failed to get username", name);
         return false;
     }
 
-    return true;
+    /// Credentials are passed as const everywhere up the flow, so we have to comply,
+    /// in this case const_cast is acceptable.
+    const_cast<TokenCredentials &>(credentials).setUserName(username);
 
-    /// TODO: add proper groups functionality
-//    try
-//    {
-//        const_cast<TokenCredentials &>(credentials).setExpiresAt(jwt::decode(token).get_expires_at());
-//    }
-//    catch (...) {
-//        LOG_TRACE(getLogger("AccessTokenProcessor"),
-//                  "{}: No expiration data found in a valid token, will use default cache lifetime", name);
-//    }
-}
+    /// For now, list of groups is expected in a claim with specified name either in token itself or in userinfo response (Keycloak works this way)
+    /// TODO: add support for custom endpoints for retrieving groups. Keycloak lists groups in /userinfo and token itself, which is not always the case.
+    if (!groups_claim_name.empty() && user_info_json.contains(groups_claim_name))
+    {
+        if (!user_info_json[groups_claim_name].is<picojson::array>())
+        {
+            LOG_TRACE(getLogger("AccessTokenProcessor"),
+                      "{}: Failed to extract groups: invalid content in user data", name);
+            return true;
+        }
 
-String OpenIDAccessTokenProcessor::validateTokenAndGetUsername(const String & token) const
-{
-    picojson::object user_info_json = getObjectFromURI(userinfo_endpoint, token);
-    return getValueByKey(user_info_json, "sub");
+        std::set<String> external_groups_names;
+
+        picojson::array groups_array = user_info_json[groups_claim_name].get<picojson::array>();
+        for (const auto & group: groups_array)
+        {
+            if (group.is<std::string>())
+                external_groups_names.insert(group.get<std::string>());
+        }
+        const_cast<TokenCredentials &>(credentials).setGroups(external_groups_names);
+    }
+
+    return true;
 }
 
 }
diff --git a/src/Access/AccessTokenProcessor.h b/src/Access/AccessTokenProcessor.h
@@ -106,24 +106,28 @@ class OpenIDAccessTokenProcessor : public IAccessTokenProcessor
     OpenIDAccessTokenProcessor(const String & name_,
                               const UInt64 cache_invalidation_interval_,
                               const String & email_regex_str,
-                              const String & openid_config_endpoint_);
+                              const String & openid_config_endpoint_,
+                              const String & groups_claim_name_);
 
     /// Specify endpoints manually
     OpenIDAccessTokenProcessor(const String & name_,
                                const UInt64 cache_invalidation_interval_,
                                const String & email_regex_str,
                                const String & userinfo_endpoint_,
-                               const String & token_introspection_endpoint_)
-        : IAccessTokenProcessor(name_, cache_invalidation_interval_, email_regex_str),
-        userinfo_endpoint(userinfo_endpoint_), token_introspection_endpoint(token_introspection_endpoint_) {}
+                               const String & token_introspection_endpoint_,
+                               const String & jwks_uri_,
+                               const String & groups_claim_name_);
 
     bool resolveAndValidate(const TokenCredentials & credentials) override;
 private:
-    const Poco::URI userinfo_endpoint;
-    const Poco::URI token_introspection_endpoint;
+    Poco::URI userinfo_endpoint;
+    Poco::URI token_introspection_endpoint;
 
+    /// Access token is often a valid JWT, so we can validate it locally to avoid unnecesary network requests.
+    std::optional<JWKSValidator> jwt_validator = std::nullopt;
 
-    String validateTokenAndGetUsername(const String & token) const;
+    /// groups are expected under /userinfo endpoint under specified name
+    const String groups_claim_name;
 };
 
 }
diff --git a/src/Access/JWTValidator.h b/src/Access/JWTValidator.h
@@ -61,6 +61,9 @@ class JWKSValidator : public IJWTValidator
 public:
     explicit JWKSValidator(const String & name_, std::shared_ptr<IJWKSProvider> provider_)
         : IJWTValidator(name_), provider(provider_) {}
+
+    explicit JWKSValidator(const String & name_, const String & uri, const size_t refresh_ms_)
+        : JWKSValidator(name_, std::make_shared<JWKSClient>(uri, refresh_ms_)) {}
 private:
     void validateImpl(const jwt::decoded_jwt<jwt::traits::kazuho_picojson> & token) const override;
 
diff --git a/src/Access/TokenAccessStorage.cpp b/src/Access/TokenAccessStorage.cpp
@@ -341,8 +341,9 @@ void TokenAccessStorage::updateAssignedRolesNoLock(const UUID & id, const String
 std::optional<AuthResult> TokenAccessStorage::authenticateImpl(
         const Credentials & credentials,
         const Poco::Net::IPAddress & address,
-        [[maybe_unused]] const ExternalAuthenticators & external_authenticators,
-        [[maybe_unused]] bool throw_if_user_not_exists,
+        const ExternalAuthenticators & external_authenticators,
+        const ClientInfo & /* client_info */,
+        bool throw_if_user_not_exists,
         bool /* allow_no_password */,
         bool /* allow_plaintext_password */) const
 {
@@ -356,7 +357,7 @@ std::optional<AuthResult> TokenAccessStorage::authenticateImpl(
     {
         // Even though token itself may be valid (especially in case of a jwt token), authentication has just failed.
         if (throw_if_user_not_exists)
-            throwNotFound(AccessEntityType::USER, credentials.getUserName());
+            throwNotFound(AccessEntityType::USER, credentials.getUserName(), getStorageName());
         else
             return {};
     }
diff --git a/src/Access/TokenAccessStorage.h b/src/Access/TokenAccessStorage.h
@@ -62,18 +62,21 @@ class TokenAccessStorage : public IAccessStorage
 
     bool areTokenCredentialsValidNoLock(const User & user, const Credentials & credentials, const ExternalAuthenticators & external_authenticators) const;
 
+    void applyRoleChangeNoLock(bool grant, const UUID & role_id, const String & role_name);
+    void assignRolesNoLock(User & user, const std::set<String> & external_roles, std::size_t external_roles_hash) const;
+    void updateAssignedRolesNoLock(const UUID & id, const String & user_name, const std::set<String> & external_roles) const;
+
+protected:
     std::optional<UUID> findImpl(AccessEntityType type, const String & name) const override;
     std::vector<UUID> findAllImpl(AccessEntityType type) const override;
     AccessEntityPtr readImpl(const UUID & id, bool throw_if_not_exists) const override;
     std::optional<std::pair<String, AccessEntityType>> readNameWithTypeImpl(const UUID & id, bool throw_if_not_exists) const override;
-    std::optional<AuthResult> authenticateImpl(const Credentials & credentials, const Poco::Net::IPAddress & address,
-                                               [[maybe_unused]] const ExternalAuthenticators & external_authenticators,
-                                               [[maybe_unused]] bool throw_if_user_not_exists,
-                                               bool allow_no_password, bool allow_plaintext_password) const override;
-
-
-    void applyRoleChangeNoLock(bool grant, const UUID & role_id, const String & role_name);
-    void assignRolesNoLock(User & user, const std::set<String> & external_roles, std::size_t external_roles_hash) const;
-    void updateAssignedRolesNoLock(const UUID & id, const String & user_name, const std::set<String> & external_roles) const;
+    std::optional<AuthResult> authenticateImpl(const Credentials & credentials,
+                                               const Poco::Net::IPAddress & address,
+                                               const ExternalAuthenticators & external_authenticators,
+                                               const ClientInfo & client_info,
+                                               bool throw_if_user_not_exists,
+                                               bool allow_no_password,
+                                               bool allow_plaintext_password) const override;
 };
 }
