Merge branch 'use-oauth2-keycloak'

Author: colq2

.env.example

@@ -1,10 +1,7 @@
-KEYCLOAK_USER_MODEL=colq2\Tests\Keycloak\Stubs\KeycloakUser
-KEYCLOAK_BASE_URL=https://dev.auth.fhac.hacking4.de/auth
-KEYCLOAK_REALM=test
-KEYCLOAK_CLIENT_ID=test
-KEYCLOAK_CLIENT_SECRET=5f98c5a4-cfe5-499c-82f0-77c1010c2767
+KEYCLOAK_USER_MODEL=colq2\Keycloak\KeycloakUser
+KEYCLOAK_BASE_URL=
+KEYCLOAK_REALM=
+KEYCLOAK_CLIENT_ID=
+KEYCLOAK_CLIENT_SECRET=
 KEYCLOAK_REDIRECT=/callback
-KEYCLOAK_USE_NONCE=false
-KEYCLOAK_NONCE_LIFETIME=600
-
-TEST_INTEGRATION=true
+KEYCLOAK_PUBLIC_KEY=

README.md

@@ -8,12 +8,9 @@ Feel free to contribute to this.
 # To do
 [ ] Allow different user storage's like Cache, Session, Eloquent, Database etc.
 
-[ ] Implement nonce
-
 [ ] Write Readme
 
-[ ] Middleware for roles and scopes
-
+[ ] Upload to packagist
 
 # Installation
 `composer require colq2/laravel-keycloak`
@@ -29,7 +26,8 @@ This project redefines the user model and migrations. There is no need for passw
 * name
 * email
 * picture
-
+* roles
+ 
 You can delete all migrations in your laravel project if you want to use keycloak as the only auth possibility.
 
 
@@ -42,9 +40,6 @@ KEYCLOAK_REALM=
 KEYCLOAK_CLIENT_ID=
 KEYCLOAK_CLIENT_SECRET=
 KEYCLOAK_REDIRECT=/callback
-KEYCLOAK_USE_NONCE=false
-KEYCLOAK_NONCE_LIFETIME=600
-KEYCLOAK_MAX_AGE=86400
 ```
 
 ## Usage
@@ -89,6 +84,33 @@ Route::get('callback', 'LoginController@handleCallback');
 ```
 
 
+## Middleware
+This package comes with `CheckRealmAccess` and `CheckResourceAccess` middleware. You can add them in the `app/Http/Kernel.php` file.
+
+```
+protected $routeMiddleware = [
+    // ...
+    'realm_access' => \colq2\Keycloak\Http\Middleware\CheckRealmAccess::class,
+    'resource_access' => \colq2\Keycloak\Http\Middleware\CheckResourceAccess::class,
+];
+```
+
+Then you can use the middleware:
+
+### Realm Access Middleware
+
+```
+Route::get('post/{post}', function(Post $post) {
+    // The current user has role1 and role2 in the realm
+})->middleware('realm_access:role1,role2');
+```
+
+### Resource Access Middleware
+```
+Route::get('post/{post}', function(Post $post) {
+    // The current user has role1 and role2 in client1 in the realm
+})->middleware('resource_access:client1,role1,role2');
+```
 
 ## Custom User
 
@@ -115,6 +137,7 @@ By default you can use all claims that are defined in the openid-connect specs.
             $table->string('email')->nullable();
             $table->string('name')->nullable();
             $table->string('picture')->nullable();
+            $table->json('roles')->nullable();
             $table->rememberToken();
             $table->timestamps();
         });
@@ -128,40 +151,31 @@ After you defined which properties you need. You have to define the same in the
 ```
 <?php
 
-namespace App;
+namespace colq2\Keycloak;
 
-use Illuminate\Notifications\Notifiable;
-use colq2\Keycloak\KeycloakUser as Authenticatable;
+use colq2\Keycloak\Contracts\Roles\HasRoles;
+use Illuminate\Auth\Authenticatable;
+use Illuminate\Contracts\Auth\Authenticatable as AuthenticatableContract;
+use Illuminate\Contracts\Auth\Access\Authorizable as AuthorizableContract;
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Foundation\Auth\Access\Authorizable;
 
-class User extends Authenticatable
+class KeycloakUser extends Model implements AuthenticatableContract, AuthorizableContract, HasRoles
 {
-    use Notifiable;
+    use Authenticatable, Authorizable;
 
- 	/**
-     * @var string 
-     */
     protected $table = 'users';
 
-    /**
-     *
-     * The attributes that are mass assignable.
-     *
-     * @var array
-     */
-    protected $fillable = [
-        // TODO: Update the fillable 
-        'sub, 'username', 'name', 'email', 'picture'
-    ];
+    protected $fillable = [ 'sub', 'username', 'name', 'email', 'picture', 'roles' ];
 
-    /**
-     * The attributes that should be hidden for arrays.
-     *
-     * @var array
-     */
-    protected $hidden = [
-        'remember_token',
-    ];
+    protected $casts = [ 'roles' => 'array' ];
 
+    protected $hidden = [ 'remember_token' ];
+
+    public function getAllRoles(): array
+    {
+        return $this->roles;
+    }
 }
 
 ```
@@ -174,22 +188,26 @@ Then update the app binding to your user service.
 In CustomUserService:
 
 ```
+<?php
+
+namespace colq2\Keycloak\Examples;
+
 use colq2\Keycloak\KeycloakUserService;
-use colq2\Keycloak\SocialiteOIDCUser;
 
 class CustomUserService extends KeycloakUserService
 {
 
-    public function mapSocialiteUserToKeycloakUser(SocialiteOIDCUser $user)
+    /**
+     * @param array $user
+     * @return array|\colq2\Keycloak\KeycloakUser
+     */
+    public function mapUser(array $user): array
     {
-        $keycloakUser = (array) $user;
-
-        // DO whatever you need
-
-        // For example
-        $keycloakUser['username'] = $keycloakUser['preferred_username'];
+        // Do whatever you need
+        $user['username'] = $user['preferred_username'];
 
-        return $keycloakUser;
+        // And return it
+        return $user;
     }
 }
 ```

composer.json

@@ -10,15 +10,22 @@
             "email": "development@o-wycisk.de"
         }
     ],
+  "repositories": [
+    {
+      "type": "vcs",
+      "url": "https://github.com/colq2/oauth2-keycloak"
+    }
+  ],
     "require": {
         "php": "^7.1",
-        "laravel/socialite": "^4.1",
-        "lcobucci/jwt": "^3.2",
         "illuminate/auth": "^5.7",
         "illuminate/cache": "^5.7",
         "illuminate/contracts": "5.7.*",
         "illuminate/session": "^5.7",
-        "illuminate/support": "^5.7"
+      "illuminate/support": "^5.7",
+      "stevenmaguire/oauth2-keycloak": "dev-master",
+      "lcobucci/jwt": "^3.2",
+      "ext-json": "*"
     },
     "require-dev": {
         "orchestra/testbench": "~3.7",
@@ -28,8 +35,7 @@
     "autoload": {
         "psr-4": {
             "colq2\\Keycloak\\": "src/"
-        },
-        "files": ["src/helpers.php"]
+        }
     },
     "autoload-dev": {
         "psr-4": {

config/keycloak.php

@@ -7,4 +7,5 @@
     'redirect' => env('KEYCLOAK_REDIRECT'),
     'realm' => env('KEYCLOAK_REALM'),
     'base_url' => env('KEYCLOAK_BASE_URL'),
+    'public_key' => env('KEYCLOAK_PUBLIC_KEY')
 ];

database/migrations/2019_02_28_000000_create_Keycloak_users_table.php

@@ -1,8 +1,8 @@
 <?php
 
-use Illuminate\Support\Facades\Schema;
-use Illuminate\Database\Schema\Blueprint;
 use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
 
 class CreateKeycloakUsersTable extends Migration
 {
@@ -20,6 +20,7 @@ public function up()
             $table->string('email')->nullable();
             $table->string('name')->nullable();
             $table->string('picture')->nullable();
+            $table->json('roles')->nullable();
             $table->rememberToken();
             $table->timestamps();
         });

examples/CustomUserService.php

@@ -3,20 +3,20 @@
 namespace colq2\Keycloak\Examples;
 
 use colq2\Keycloak\KeycloakUserService;
-use colq2\Keycloak\SocialiteOIDCUser;
 
 class CustomUserService extends KeycloakUserService
 {
 
-    public function mapSocialiteUserToKeycloakUser(SocialiteOIDCUser $user)
+    /**
+     * @param array $user
+     * @return array|\colq2\Keycloak\KeycloakUser
+     */
+    public function mapUser(array $user): array
     {
-        $keycloakUser = (array) $user;
+        // Do whatever you need
+        $user['username'] = $user['preferred_username'];
 
-        // DO whatever you need
-
-        // For example
-        $keycloakUser['username'] = $keycloakUser['preferred_username'];
-
-        return $keycloakUser;
+        // And return it
+        return $user;
     }
 }

src/ConfigKeyFetcher.php

@@ -0,0 +1,42 @@
+<?php
+
+namespace colq2\Keycloak;
+
+
+use colq2\Keycloak\Contracts\KeyFetcher;
+
+class ConfigKeyFetcher implements KeyFetcher
+{
+
+    /**
+     * Fetch and return key
+     *
+     * @return string
+     */
+    public function fetchKey(): string
+    {
+        $publicKey = config('keycloak.public_key', "");
+
+        if (empty($publicKey)) {
+            return $publicKey;
+        }
+
+        return $this->generatePublicKey($publicKey);
+    }
+
+
+    /**
+     * Add begin and end to public key
+     *
+     * @param string $publicKey
+     * @return string
+     */
+    protected function generatePublicKey(string $publicKey)
+    {
+        if (strpos($publicKey, "-----BEGIN") === false) {
+            return "-----BEGIN PUBLIC KEY-----" . PHP_EOL . $publicKey . PHP_EOL . '-----END PUBLIC KEY-----' . PHP_EOL;
+        }
+        return $publicKey;
+    }
+
+}

src/Contracts/KeyFetcher.php

@@ -0,0 +1,16 @@
+<?php
+
+namespace colq2\Keycloak\Contracts;
+
+
+interface KeyFetcher
+{
+
+    /**
+     * Fetch and return key
+     *
+     * @return string
+     */
+    public function fetchKey(): string;
+
+}

src/Contracts/Roles/HasRoles.php

@@ -0,0 +1,21 @@
+<?php
+
+namespace colq2\Keycloak\Contracts\Roles;
+
+
+interface HasRoles
+{
+    /**
+     * Returns all roles in an assoc array in form of
+     * [
+     *  realm_access => [roles => [ ... ] ]
+     *
+     *  resource_access => [
+     *      client => [ roles [ ... ] ]
+     *  ]
+     * ]
+     *
+     * @return array
+     */
+    public function getAllRoles(): array;
+}