Skip to content

Added Keycloak OAuth2 Provider #4660

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
Mabenan wants to merge 4 commits into from
Closed

Added Keycloak OAuth2 Provider #4660

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
961a562
Added Keycloak OAuth2 Provider
DanielAlbertSwan Nov 10, 2022
e53defb
Added Keycloak OAuth2 Provider
Mabenan Nov 10, 2022
5459a12
Added Keycloak OAuth2 Provider
DanielAlbertSwan Nov 15, 2022
e8aafbf
feat-4653-keycloak-oauth
DanielAlbertSwan Nov 24, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions CHANGES.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
# Version 1.1.0

## Features
- Added Keycloak OAuth2 provider [#4653](https://github.com/appwrite/appwrite/issues/4653)

## Bugs
- Fix license detection for Flutter and Dart SDKs [#4435](https://github.com/appwrite/appwrite/pull/4435)
- Fix missing realtime event for create function deployment [#4574](https://github.com/appwrite/appwrite/pull/4574)
Expand Down
10 changes: 10 additions & 0 deletions app/config/providers.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -171,6 +171,16 @@
'beta' => false,
'mock' => false,
],
'keycloak' => [
'name' => 'Keycloak',
'developers' => 'https://www.keycloak.org/documentation',
'icon' => 'icon-keycloak',
'enabled' => true,
'sandbox' => false,
'form' => 'keycloak.phtml',
'beta' => false,
'mock' => false,
],
'linkedin' => [
'name' => 'LinkedIn',
'developers' => 'https://developer.linkedin.com/',
Expand Down
237 changes: 237 additions & 0 deletions src/Appwrite/Auth/OAuth2/Keycloak.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,237 @@
<?php

namespace Appwrite\Auth\OAuth2;

use Appwrite\Auth\OAuth2;

// Reference Material
// https://www.keycloak.org/docs/latest/securing_apps/index.html#other-openid-connect-libraries

class Keycloak extends OAuth2
{
/**
* @var array
*/
protected array $scopes = [
'openid',
'profile',
'email',
'offline_access'
];

/**
* @var array
*/
protected array $user = [];

/**
* @var array
*/
protected array $tokens = [];

/**
* @return string
*/
public function getName(): string
{
return 'keycloak';
}

/**
* @return string
*/
public function getLoginURL(): string
{
return $this->getKeycloakEndpoint() . '/realms/' . $this->getKeycloakRealm() . '/protocol/openid-connect/auth?' . \http_build_query([
'client_id' => $this->appID,
'redirect_uri' => $this->callback,
'state' => \json_encode($this->state),
'scope' => \implode(' ', $this->getScopes()),
'response_type' => 'code'
]);
}

/**
* @param string $code
*
* @return array
*/
protected function getTokens(string $code): array
{
if (empty($this->tokens)) {
$headers = ['Content-Type: application/x-www-form-urlencoded'];
$this->tokens = \json_decode($this->request(
Copy link
Contributor

@stnguyen90 stnguyen90 Apr 25, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm trying to test this, but I'm just getting false back for the response from Keycloak. Any ideas what I configured incorrectly?

Copy link
Author

@Mabenan Mabenan Aug 15, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would withdraw this because of the new generell oicd provoder

'POST',
$this->getKeycloakEndpoint() . '/realms/' . $this->getKeycloakRealm() . '/protocol/openid-connect/token',
$headers,
\http_build_query([
'code' => $code,
'client_id' => $this->appID,
'client_secret' => $this->getClientSecret(),
'redirect_uri' => $this->callback,
'scope' => \implode(' ', $this->getScopes()),
'grant_type' => 'authorization_code'
])
), true);
}
return $this->tokens;
}


/**
* @param string $refreshToken
*
* @return array
*/
public function refreshTokens(string $refreshToken): array
{
$headers = ['Content-Type: application/x-www-form-urlencoded'];
$this->tokens = \json_decode($this->request(
'POST',
$this->getKeycloakEndpoint() . '/realms/' . $this->getKeycloakRealm() . '/protocol/openid-connect/token',
$headers,
\http_build_query([
'refresh_token' => $refreshToken,
'client_id' => $this->appID,
'client_secret' => $this->getClientSecret(),
'grant_type' => 'refresh_token'
])
), true);

if (empty($this->tokens['refresh_token'])) {
$this->tokens['refresh_token'] = $refreshToken;
}

return $this->tokens;
}

/**
* @param string $accessToken
*
* @return string
*/
public function getUserID(string $accessToken): string
{
$user = $this->getUser($accessToken);

if (isset($user['sub'])) {
return $user['sub'];
}

return '';
}

/**
* @param string $accessToken
*
* @return string
*/
public function getUserEmail(string $accessToken): string
{
$user = $this->getUser($accessToken);

if (isset($user['email'])) {
return $user['email'];
}

return '';
}

/**
* Check if the User email is verified
*
* @param string $accessToken
*
* @return bool
*/
public function isEmailVerified(string $accessToken): bool
{
$user = $this->getUser($accessToken);

if ($user['email_verified'] ?? false) {
return true;
}

return false;
}

/**
* @param string $accessToken
*
* @return string
*/
public function getUserName(string $accessToken): string
{
$user = $this->getUser($accessToken);

if (isset($user['name'])) {
return $user['name'];
}

return '';
}

/**
* @param string $accessToken
*
* @return array
*/
protected function getUser(string $accessToken): array
{
if (empty($this->user)) {
$headers = ['Authorization: Bearer ' . \urlencode($accessToken)];
$user = $this->request('GET', $this->getKeycloakEndpoint() . '/realms/' . $this->getKeycloakRealm() . '/protocol/openid-connect/userinfo', $headers);
$this->user = \json_decode($user, true);
}

return $this->user;
}

/**
* Extracts the Client Secret from the JSON stored in appSecret
*
* @return string
*/
protected function getClientSecret(): string
{
$secret = $this->getAppSecret();

return $secret['clientSecret'] ?? '';
}

/**
* Extracts the keycloak Domain from the JSON stored in appSecret
*
* @return string
*/
protected function getKeycloakEndpoint(): string
{
$secret = $this->getAppSecret();
return $secret['keycloakEndpoint'] ?? '';
}

/**
* Extracts the keycloak Realm from the JSON stored in appSecret
*
* @return string
*/
protected function getKeycloakRealm(): string
{
$secret = $this->getAppSecret();
return $secret['keycloakRealm'] ?? '';
}
/**
* Decode the JSON stored in appSecret
*
* @return array
*/
protected function getAppSecret(): array
{
try {
$secret = \json_decode($this->appSecret, true, 512, JSON_THROW_ON_ERROR);
} catch (\Throwable $th) {
throw new \Exception('Invalid secret');
}
return $secret;
}
}