Fix Keycloak exception for Secret Key if using public access type

Farid Ahamat · FaridAhamat · martincostello · commit 9eea47550f83 · 2021-10-09T14:07:25.000+01:00
Co-authored-by: FaridAhamat &lt;farid.ahamat@gmail.com&gt;
diff --git a/src/AspNet.Security.OAuth.Keycloak/KeycloakAuthenticationAccessType.cs b/src/AspNet.Security.OAuth.Keycloak/KeycloakAuthenticationAccessType.cs
@@ -0,0 +1,13 @@
+﻿// Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+// See https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers
+// for more information concerning the license and the contributors participating to this project.
+
+namespace AspNet.Security.OAuth.Keycloak
+{
+    public enum KeycloakAuthenticationAccessType
+    {
+        Confidential,
+        Public,
+        BearerOnly,
+    }
+}
diff --git a/src/AspNet.Security.OAuth.Keycloak/KeycloakAuthenticationOptions.cs b/src/AspNet.Security.OAuth.Keycloak/KeycloakAuthenticationOptions.cs
@@ -37,6 +37,11 @@ public KeycloakAuthenticationOptions()
             ClaimActions.MapJsonKey(ClaimTypes.Role, "roles");
         }
 
+        /// <summary>
+        /// Gets or sets the value for Keycloak client's access type.
+        /// </summary>
+        public KeycloakAuthenticationAccessType AccessType { get; set; }
+
         /// <summary>
         /// Gets or sets the base address of the Keycloak server.
         /// </summary>
@@ -51,5 +56,42 @@ public KeycloakAuthenticationOptions()
         /// Gets or sets the Keycloak realm to use for authentication.
         /// </summary>
         public string? Realm { get; set; }
+
+        /// <inheritdoc />
+        public override void Validate()
+        {
+            try
+            {
+                // HACK
+                // We want all of the base validation except for ClientSecret,
+                // so rather than re-implement it all, catch the exception thrown
+                // for that being null and only throw if we aren't using public access type.
+                // This does mean that three checks have to be re-implemented
+                // because the won't be validated if the ClientSecret validation fails.
+                base.Validate();
+            }
+            catch (ArgumentException ex) when (ex.ParamName == nameof(ClientSecret))
+            {
+                if (AccessType != KeycloakAuthenticationAccessType.Public)
+                {
+                    throw;
+                }
+            }
+
+            if (string.IsNullOrEmpty(AuthorizationEndpoint))
+            {
+                throw new ArgumentException($"The '{nameof(AuthorizationEndpoint)}' option must be provided.", nameof(AuthorizationEndpoint));
+            }
+
+            if (string.IsNullOrEmpty(TokenEndpoint))
+            {
+                throw new ArgumentException($"The '{nameof(TokenEndpoint)}' option must be provided.", nameof(TokenEndpoint));
+            }
+
+            if (!CallbackPath.HasValue)
+            {
+                throw new ArgumentException($"The '{nameof(CallbackPath)}' option must be provided.", nameof(CallbackPath));
+            }
+        }
     }
 }
