✨ Add Keycloak PKCE Client (#458)

Author: MelaineGerard

README.md

@@ -87,6 +87,7 @@ via Composer:
 | [Instagram](https://github.com/thephpleague/oauth2-instagram)         | composer require league/oauth2-instagram           |
 | [Jira](https://github.com/mrjoops/oauth2-jira)                        | composer require mrjoops/oauth2-jira               |
 | [Keycloak](https://github.com/stevenmaguire/oauth2-keycloak)          | composer require stevenmaguire/oauth2-keycloak     |
+| [KeycloakPkce](https://github.com/stevenmaguire/oauth2-keycloak)      | composer require stevenmaguire/oauth2-keycloak     |
 | [LinkedIn](https://github.com/thephpleague/oauth2-linkedin)           | composer require league/oauth2-linkedin            |
 | [MailRu](https://github.com/rakeev/oauth2-mailru)                     | composer require aego/oauth2-mailru                |
 | [Microsoft](https://github.com/stevenmaguire/oauth2-microsoft)        | composer require stevenmaguire/oauth2-microsoft    |
@@ -1212,6 +1213,33 @@ knpu_oauth2_client:
             # whether to check OAuth2 "state": defaults to true
             # use_state: true
 
+        # will create service: "knpu.oauth2.client.keycloak_pkce"
+        # an instance of: KnpU\OAuth2ClientBundle\Client\Provider\Pkce\KeycloakPkceClient
+        # composer require stevenmaguire/oauth2-keycloak
+        keycloak_pkce:
+            # must be "keycloak_pkce" - it activates that type!
+            type: keycloak_pkce
+            # add and set these environment variables in your .env files
+            client_id: '%env(OAUTH_KEYCLOAK_PKCE_CLIENT_ID)%'
+            client_secret: '%env(OAUTH_KEYCLOAK_PKCE_CLIENT_SECRET)%'
+            # a route name you'll create
+            redirect_route: connect_keycloak_pkce_check
+            redirect_params: {}
+            # Keycloak server URL
+            auth_server_url: null
+            # Keycloak realm
+            realm: null
+            # Optional: Encryption algorithm, i.e. RS256
+            # encryption_algorithm: null
+            # Optional: Encryption key path, i.e. ../key.pem
+            # encryption_key_path: null
+            # Optional: Encryption key, i.e. contents of key or certificate
+            # encryption_key: null
+            # Optional: The keycloak version to run against
+            # version: '20.0.1'
+            # whether to check OAuth2 "state": defaults to true
+            # use_state: true
+
         # will create service: "knpu.oauth2.client.linkedin"
         # an instance of: KnpU\OAuth2ClientBundle\Client\Provider\LinkedInClient
         # composer require league/oauth2-linkedin

phpstan.neon.dist

@@ -7,6 +7,12 @@ parameters:
 		- */cache/*
 	ignoreErrors:
 		# False positive: clients are not dependencies of this project.
+		-
+			message: '#Method KnpU\\OAuth2ClientBundle\\Client\\Provider\\Pkce\\\w+::fetchUserFromToken\(\) has invalid return type .+#'
+			path: ./src/Client/Provider/Pkce/
+		-
+			message: '#Method KnpU\\OAuth2ClientBundle\\Client\\Provider\\Pkce\\\w+::fetchUser\(\) has invalid return type .+#'
+			path: ./src/Client/Provider/Pkce/
 		-
 			message: '#Method KnpU\\OAuth2ClientBundle\\Client\\Provider\\\w+::fetchUserFromToken\(\) has invalid return type .+#'
 			path: ./src/Client/Provider/

src/Client/Provider/Pkce/KeycloakPkceClient.php

@@ -0,0 +1,34 @@
+<?php
+
+/*
+ * OAuth2 Client Bundle
+ * Copyright (c) KnpUniversity <http://knpuniversity.com/>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace KnpU\OAuth2ClientBundle\Client\Provider\Pkce;
+
+use KnpU\OAuth2ClientBundle\Client\OAuth2PKCEClient;
+use League\OAuth2\Client\Token\AccessToken;
+use Stevenmaguire\OAuth2\Client\Provider\KeycloakResourceOwner;
+
+class KeycloakPkceClient extends OAuth2PKCEClient
+{
+    /**
+     * @return KeycloakResourceOwner|\League\OAuth2\Client\Provider\ResourceOwnerInterface
+     */
+    public function fetchUserFromToken(AccessToken $accessToken)
+    {
+        return parent::fetchUserFromToken($accessToken);
+    }
+
+    /**
+     * @return KeycloakResourceOwner|\League\OAuth2\Client\Provider\ResourceOwnerInterface
+     */
+    public function fetchUser()
+    {
+        return parent::fetchUser();
+    }
+}

src/DependencyInjection/KnpUOAuth2ClientExtension.php

@@ -44,6 +44,7 @@
 use KnpU\OAuth2ClientBundle\DependencyInjection\Providers\HerokuProviderConfigurator;
 use KnpU\OAuth2ClientBundle\DependencyInjection\Providers\InstagramProviderConfigurator;
 use KnpU\OAuth2ClientBundle\DependencyInjection\Providers\JiraProviderConfigurator;
+use KnpU\OAuth2ClientBundle\DependencyInjection\Providers\KeycloakPkceProviderConfigurator;
 use KnpU\OAuth2ClientBundle\DependencyInjection\Providers\KeycloakProviderConfigurator;
 use KnpU\OAuth2ClientBundle\DependencyInjection\Providers\LinkedInProviderConfigurator;
 use KnpU\OAuth2ClientBundle\DependencyInjection\Providers\MailRuProviderConfigurator;
@@ -128,6 +129,7 @@ class KnpUOAuth2ClientExtension extends Extension
         'instagram' => InstagramProviderConfigurator::class,
         'jira' => JiraProviderConfigurator::class,
         'keycloak' => KeycloakProviderConfigurator::class,
+        'keycloak_pkce' => KeycloakPkceProviderConfigurator::class,
         'linkedin' => LinkedInProviderConfigurator::class,
         'mail_ru' => MailRuProviderConfigurator::class,
         'microsoft' => MicrosoftProviderConfigurator::class,

src/DependencyInjection/Providers/KeycloakPkceProviderConfigurator.php

@@ -0,0 +1,87 @@
+<?php
+
+/*
+ * OAuth2 Client Bundle
+ * Copyright (c) KnpUniversity <http://knpuniversity.com/>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace KnpU\OAuth2ClientBundle\DependencyInjection\Providers;
+
+use KnpU\OAuth2ClientBundle\Client\Provider\Pkce\KeycloakPkceClient;
+use Symfony\Component\Config\Definition\Builder\NodeBuilder;
+
+class KeycloakPkceProviderConfigurator implements ProviderConfiguratorInterface
+{
+    public function buildConfiguration(NodeBuilder $node)
+    {
+        $node
+            ->scalarNode('auth_server_url')
+                ->isRequired()
+                ->info('Keycloak server URL')
+            ->end()
+            ->scalarNode('realm')
+                ->isRequired()
+                ->info('Keycloak realm')
+            ->end()
+            ->scalarNode('encryption_algorithm')
+                ->defaultNull()
+                ->info('Optional: Encryption algorithm, i.e. RS256')
+            ->end()
+            ->scalarNode('encryption_key_path')
+                ->defaultNull()
+                ->info('Optional: Encryption key path, i.e. ../key.pem')
+            ->end()
+            ->scalarNode('encryption_key')
+                ->defaultNull()
+                ->info('Optional: Encryption key, i.e. contents of key or certificate')
+            ->end()
+            ->scalarNode('version')
+                ->defaultNull()
+                ->info('Optional: The keycloak version to run against')
+                ->example("version: '20.0.1'")
+            ->end()
+        ;
+    }
+
+    public function getProviderClass(array $config)
+    {
+        return 'Stevenmaguire\OAuth2\Client\Provider\Keycloak';
+    }
+
+    public function getProviderOptions(array $config)
+    {
+        return [
+            'clientId' => $config['client_id'],
+            'clientSecret' => $config['client_secret'],
+            'authServerUrl' => $config['auth_server_url'],
+            'realm' => $config['realm'],
+            'version' => $config['version'],
+            'encryptionAlgorithm' => $config['encryption_algorithm'],
+            'encryptionKeyPath' => $config['encryption_key_path'],
+            'encryptionKey' => $config['encryption_key'],
+        ];
+    }
+
+    public function getPackagistName()
+    {
+        return 'stevenmaguire/oauth2-keycloak';
+    }
+
+    public function getLibraryHomepage()
+    {
+        return 'https://github.com/stevenmaguire/oauth2-keycloak';
+    }
+
+    public function getProviderDisplayName()
+    {
+        return 'KeycloakPkce';
+    }
+
+    public function getClientClass(array $config)
+    {
+        return KeycloakPkceClient::class;
+    }
+}

tests/Client/Provider/BatchPkceProviderTest.php

@@ -0,0 +1,74 @@
+<?php
+
+/*
+ * OAuth2 Client Bundle
+ * Copyright (c) KnpUniversity <http://knpuniversity.com/>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace KnpU\OAuth2ClientBundle\Tests\Client\Provider;
+
+use KnpU\OAuth2ClientBundle\Client\OAuth2PKCEClient;
+use League\OAuth2\Client\Provider\AbstractProvider;
+use League\OAuth2\Client\Provider\ResourceOwnerInterface;
+use League\OAuth2\Client\Token\AccessToken;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpFoundation\Session\SessionInterface;
+
+class BatchPkceProviderTest extends TestCase
+{
+    public function testProviders()
+    {
+        // This is basically just validating that the clients are sane/implementing OAuth2PkceClient
+
+        $mockAccessToken = $this->getMockBuilder(AccessToken::class)->disableOriginalConstructor()->getMock();
+        $mockProvider = $this->getMockProvider($mockAccessToken);
+        $mockRequestStack = $this->getMockRequestStack($this->getMockRequest());
+
+        $clients = scandir(__DIR__ . "/../../../src/Client/Provider/Pkce");
+        foreach($clients as $client) {
+            if(substr($client, -4, 4) !== ".php") { continue; }
+
+            $client = sprintf("KnpU\OAuth2ClientBundle\Client\Provider\Pkce\%s", explode(".", $client)[0]);
+            $testClient = new $client($mockProvider, $mockRequestStack);
+            $testClient->setAsStateless();
+            $this->assertTrue(is_subclass_of($testClient, OAuth2PKCEClient::class));
+
+            $this->assertInstanceOf(ResourceOwnerInterface::class, $testClient->fetchUserFromToken($mockAccessToken));
+            $this->assertInstanceOf(ResourceOwnerInterface::class, $testClient->fetchUser());
+        }
+    }
+
+    private function getMockProvider($mockAccessToken)
+    {
+        $mockProvider = $this->getMockBuilder(AbstractProvider::class)->getMock();
+        $mockProvider->method("getResourceOwner")->willReturn($this->getMockBuilder(ResourceOwnerInterface::class)->getMock());
+        $mockProvider->method("getAccessToken")->willReturn($mockAccessToken);
+        return $mockProvider;
+    }
+
+    private function getMockRequest()
+    {
+        $mockRequest = $this->getMockBuilder(Request::class)->getMock();
+
+        $session = $this->getMockBuilder(SessionInterface::class)->getMock();
+        $session->method("has")->with(OAuth2PKCEClient::VERIFIER_KEY)->willReturn(true);
+        $session->method("get")->with(OAuth2PKCEClient::VERIFIER_KEY)->willReturn('test_code_verifier');
+
+        $mockRequest->method("getSession")->willReturn($session);
+
+        $mockRequest->method("get")->willReturn(true);
+        return $mockRequest;
+    }
+
+    private function getMockRequestStack($mockRequest)
+    {
+        $mockRequestStack = $this->getMockBuilder(RequestStack::class)->getMock();
+        $mockRequestStack->method("getCurrentRequest")->willReturn($mockRequest);
+        return $mockRequestStack;
+    }
+}