
keycloak-franceconnect

English Version

This extension for Keycloak adds an identity provider that lets you use the services offered by France Connect.

For any question about using this extension, feel free to open a discussion.

Features

  • Signature verification (based on the client secret)
  • Handling of the authentication level (eIDAS) in the authorization request (see the FranceConnect announcement)
  • Login themes that display the France Connect buttons (fc-theme and iron-theme)
  • Better logout handling (works around https://issues.jboss.org/browse/KEYCLOAK-7209)
  • Provider for AgentConnect
  • Support for FranceConnect+ (eIDAS2 and eIDAS3 levels)

Compatibility

  • Version 6.2.0 is compatible with Keycloak 24.0.0 and later. The admin UI is functional.
  • Version 6.1.0 is compatible with Keycloak 22.0.0 and later (not configurable through the admin UI).
  • Version 5.0.0 is compatible with Keycloak 21.x.y (not configurable through the admin UI).
  • Version 4.0.0 is compatible with Keycloak 15.0.0 up to 20.0.0 (not configurable through the admin UI from Keycloak 19 onwards).
  • Versions 2.1 up to 3.0.0 are compatible with Keycloak 9.0.2 up to 15.0.0.
  • Version 2.0 is compatible with Keycloak 8.0.1 up to 9.0.0.

Migration

If you already use an older version of the extension, it is best to delete your configuration in order to avoid any possible conflict.

  • 2.x/3.x -> 4.x: delete your identity provider configuration so that the plugin can generate the mappers automatically when the configuration is saved, without any conflict.
  • 1.x -> 2.x: check that your identity provider exists and that the selected France Connect environment is the one you want.
  • 1.x -> 1.4: you must add the eIDAS level to the identity provider configuration.

Installation

Installing the extension is simple and can be done without restarting Keycloak.

  • Download the latest version of the extension from the release page
  • Copy the JAR file into the standalone/deployments folder of your Keycloak server
  • Restart Keycloak (optional; hot deployment should work)

You can also clone the GitHub repository and do a local install with the command:

$ mvn clean install wildfly:deploy

Usage

France Connect

Prerequisites

You must create a France Connect account in order to obtain the information needed to configure this extension (clientId, clientSecret, configuration of the authorized redirect URL, ...).

There are two environments, Integration and Production. An account giving access to the Integration environment is requested by email from the France Connect support service.

The France Connect partner account is configured at https://partenaires.franceconnect.gouv.fr

Configuration

Once the extension is installed, the France Connect Particulier identity provider appears. After selecting it, you reach the following configuration page:

(screenshot: keycloak-fc-conf-provider)

Select the desired environment, then enter your clientId, clientSecret, the scopes you want to request and the eIDAS authentication level. The default alias (france-connect-particulier) is used by the fc-theme and iron-theme themes, so you can change the alias name if you do not use one of those themes.

You will also find the redirect URL that must be registered on the France Connect Partner portal:

  • endpoint: https://<keycloak-url>/auth/realms/<realm>/broker/franceconnect-particulier/endpoint
  • logout: https://<keycloak-url>/auth/realms/<realm>/broker/franceconnect-particulier/endpoint/logout_response

Mappers

Once the configuration is saved, you can add mappers to retrieve attributes from the claims provided by France Connect. The main mappers are added automatically when the identity provider is created.

Example mappers:

  • Name: lastName, Mapper Type: Attribute Importer, Claim: family_name, User Attribute Name: lastName
  • Name: firstName, Mapper Type: Attribute Importer, Claim: given_name, User Attribute Name: firstName
  • Name: email, Mapper Type: Attribute Importer, Claim: email, User Attribute Name: email

FranceConnect+ specifics

FranceConnect+ is an evolution of the service that supports the eIDAS2 and eIDAS3 levels. It comes with a stronger confidentiality requirement, which translates into encryption of the exchanged tokens. To enable this encryption, a new key provider, rsa-generated-fc+, has been added; it generates an RSA key and publishes it with the right algorithm on Keycloak's JWKS URL.

⚠️ When creating this key, make sure to set the key use to enc.

The information to provide to France Connect+ is the following:

  • Login redirect URL: https://<KEYCLOAK_SERVER>/auth/realms/<KEYCLOAK_REALM>/broker/franceconnect-particulier/endpoint
  • Logout redirect URL: https://<KEYCLOAK_SERVER>/auth/realms/<KEYCLOAK_REALM>/broker/franceconnect-particulier/endpoint?logout_response
  • Client keys URL (jwks): https://<KEYCLOAK_SERVER>/auth/realms/<KEYCLOAK_REALM>/protocol/openid-connect/certs
  • userinfo encryption (A256GCM / -): A256GCM
  • userinfo encryption algorithm (ECDH-ES / RSA-OAEP): RSA-OAEP
  • userinfo signature algorithm (ES256 required): ES256
  • id_token signature algorithm (ES256 required): ES256
  • id_token encryption algorithm (ECDH-ES / RSA-OAEP): RSA-OAEP
  • id_token encryption (A256GCM / -): A256GCM
  • Encryption key address (to open the flows): https://<KEYCLOAK_SERVER>/auth/realms/<KEYCLOAK_REALM>/protocol/openid-connect/certs

The implementation that decrypts the exchanged tokens relies on the Keycloak team's work on FAPI, which means this extension only supports Keycloak versions above 15.
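The token protection described in this section, carried through as an added example in Go (written for this page; it is not code from the extension or from Keycloak): the RP publishes its RSA key as a JWK with use=enc and alg=RSA-OAEP, the OP wraps the signed token in a compact JWE with alg=RSA-OAEP and enc=A256GCM, and the RP refuses any token whose protected header does not declare exactly those algorithms and the advertised kid before it touches the private key. The key, the kid fc-plus-enc-demo and the inner payload are constructed for the demonstration; verification of the ES256 signature on the inner JWT is out of scope here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// JOSE encodes every segment as base64url without padding.
var b64 = base64.RawURLEncoding

// EncryptionJWK is the JWKS entry for a key that only receives encrypted tokens: "use" is "enc".
func EncryptionJWK(pub *rsa.PublicKey, kid string) map[string]string {
	return map[string]string{"kty": "RSA", "use": "enc", "alg": "RSA-OAEP", "kid": kid,
		"n": b64.EncodeToString(pub.N.Bytes()),
		"e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

// newGCM builds the A256GCM AEAD; a 16-byte CEK would silently give AES-128-GCM, so it is rejected.
func newGCM(cek []byte) (cipher.AEAD, error) {
	if len(cek) != 32 {
		return nil, fmt.Errorf("CEK is %d bytes, A256GCM needs 32", len(cek))
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptJWE plays the OP: compact JWE, alg=RSA-OAEP (OAEP with SHA-1/MGF1-SHA-1, RFC 7518), enc=A256GCM.
func EncryptJWE(pub *rsa.PublicKey, kid string, payload []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RSA-OAEP", "enc": "A256GCM", "kid": kid})
	protected := b64.EncodeToString(hdr)
	rnd := make([]byte, 32+12) // fresh 256-bit CEK followed by a 96-bit IV
	if _, err := rand.Read(rnd); err != nil {
		return "", err
	}
	cek, iv := rnd[:32], rnd[32:]
	wrapped, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return "", err
	}
	// AAD is the ASCII of the encoded header (RFC 7516 5.1); Seal returns ciphertext||tag.
	sealed := gcm.Seal(nil, iv, payload, []byte(protected))
	tagAt := len(sealed) - gcm.Overhead()
	return strings.Join([]string{protected, b64.EncodeToString(wrapped), b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:tagAt]), b64.EncodeToString(sealed[tagAt:])}, "."), nil
}

// DecryptJWE plays the RP (Keycloak broker): the header must declare the advertised alg/enc/kid first.
func DecryptJWE(priv *rsa.PrivateKey, kid, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return nil, fmt.Errorf("not a compact JWE: %d segments", len(parts))
	}
	raw := make([][]byte, 5)
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
	}
	var hdr struct{ Alg, Enc, Kid string } // encoding/json matches "alg"/"enc"/"kid" case-insensitively
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RSA-OAEP" || hdr.Enc != "A256GCM" || hdr.Kid != kid {
		return nil, fmt.Errorf("unexpected JWE header alg=%q enc=%q kid=%q", hdr.Alg, hdr.Enc, hdr.Kid)
	}
	cek, err := rsa.DecryptOAEP(sha1.New(), nil, priv, raw[1], nil)
	if err != nil {
		return nil, fmt.Errorf("CEK unwrap failed")
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	// Open checks the GCM tag over ciphertext and header (AAD) before releasing any plaintext.
	return gcm.Open(nil, raw[2], append(raw[3], raw[4]...), []byte(parts[0]))
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo key, not a deployed one
	token, _ := EncryptJWE(&priv.PublicKey, "fc-plus-enc-demo", []byte("constructed.inner.jwt"))
	plain, err := DecryptJWE(priv, "fc-plus-enc-demo", token)
	fmt.Println(EncryptionJWK(&priv.PublicKey, "fc-plus-enc-demo")["use"], string(plain), err)
}
```

The header check before unwrapping is the defensive point: the algorithms declared to the OP are the RP's policy, so a token advertising anything else is treated as a misconfiguration and rejected instead of being decrypted with whatever it asks for. Note that the RFC 7518 identifier "RSA-OAEP" means OAEP with SHA-1 and MGF1-SHA-1 ("RSA-OAEP-256" is the SHA-256 variant), which is why sha1.New is passed to the OAEP calls.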

Agent Connect

Version 3.0 of this extension adds support for AgentConnect, for authenticating agents of the French State civil service: https://github.com/france-connect/Documentation-AgentConnect.

Prerequisites

As for France Connect, you will need to request the creation of an account on Agent Connect.

There are two environments, Integration and Production. An account giving access to the Integration environment is requested by email from the Agent Connect support service.

Configuration

Once the extension is installed, the Agent Connect identity provider appears. After selecting it, you reach the following configuration page:

(screenshot: keycloak-fc-conf-provider)

Select the desired environment, then enter your clientId, clientSecret, the scopes you want to request and the eIDAS authentication level. The default alias (agentconnect) is used by the ac-theme theme, so you can change the alias name if you do not use that theme.

You will also find the redirect URL that must be registered on the France Connect Partner portal:

  • endpoint: https://<keycloak-url>/auth/realms/<realm>/broker/agentconnect/endpoint
  • logout: https://<keycloak-url>/auth/realms/<realm>/broker/agentconnect/endpoint/logout_response

Mappers

Once the configuration is saved, you can add mappers to retrieve attributes from the claims provided by France Connect. The main mappers are added automatically when the identity provider is created.

Example mappers:

  • Name: lastName, Mapper Type: Attribute Importer, Claim: family_name, User Attribute Name: lastName
  • Name: firstName, Mapper Type: Attribute Importer, Claim: given_name, User Attribute Name: firstName
  • Name: email, Mapper Type: Attribute Importer, Claim: email, User Attribute Name: email

Theme

This extension provides one theme:

  • fc-ac-theme

Use the theme of your choice (depending on the service you use) and go to the following address: https://<keycloak-url>/auth/realms/<realm>/account

(screenshot: keycloak-fc-login)

FAQ

See the FAQ

How to contribute

See here

People

Contributors

arnaultmichel, bntan, clement-dufaure, cpavrai, donatien26, jermarchand, lme-atolcd, mboisnard, micedre, olevitt

Issues

Log France Connect Response in case of error

When keycloak fails to get the access_token from France Connect, we don't know the reason, only something like:

ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-6) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server. 

[BUG] Admin fc-ac-theme pollutes logs

Describe the bug
When saving themes of a realm, the logs are polluted with warn and error messages due to the misconfiguration of fc-ac-theme. As this theme extends keycloak theme, it triggers the error because keycloak theme has no admin theme anymore. Maybe it would be better to remove the fc-ac-theme admin theme until there is a way to "extend" from the keycloak.v2 admin theme (I am not even sure this will happen)

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'Realm Settings' > 'Themes'
  2. Click on 'Save' button
  3. See logs:
[exec] 2023-09-29 17:59:04,880 WARN  [executor-thread] org.keycloak.theme.DefaultThemeManager             : Not found parent theme 'keycloak' of theme 'fc-ac-theme'. Unable to load ADMIN theme 'fc-ac-theme' due to this.
[exec] 2023-09-29 17:59:04,880 ERROR [executor-thread] org.keycloak.theme.DefaultThemeManager             : Failed to find ADMIN theme fc-ac-theme, using built-in themes

Expected behavior
No logs should appear

Additional context

  • Keycloak Version : 22.0.3

[BUG] Keycloak 21.0.1 can't build with Keycloak-FranceConnect provider

Describe the bug
Keycloak 21.0.1 can't build with Keycloak-FranceConnect provider.

To Reproduce
Steps to reproduce the behavior:

  1. Add keycloak-franceconnect-4.2.0.jar to providers folder
  2. Launch kc.sh build
  3. Build fails with error :
ERROR: Failed to run 'build' command.
ERROR: io.quarkus.builder.BuildException: Build failure: Build failed due to errors
	[error]: Build step org.keycloak.quarkus.deployment.KeycloakProcessor#configureKeycloakSessionFactory threw an exception: java.util.ServiceConfigurationError: org.keycloak.keys.KeyProviderFactory: Provider fr.insee.keycloak.keys.GeneratedRsaKeyFCProviderFactory could not be instantiated
	at java.base/java.util.ServiceLoader.fail(ServiceLoader.java:586)
	at java.base/java.util.ServiceLoader$ProviderImpl.newInstance(ServiceLoader.java:813)
	at java.base/java.util.ServiceLoader$ProviderImpl.get(ServiceLoader.java:729)
	at java.base/java.util.ServiceLoader$3.next(ServiceLoader.java:1403)
	at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:60)
	at org.keycloak.provider.ProviderManager.load(ProviderManager.java:94)
	at org.keycloak.quarkus.deployment.KeycloakProcessor.loadFactories(KeycloakProcessor.java:657)
	at org.keycloak.quarkus.deployment.KeycloakProcessor.configureKeycloakSessionFactory(KeycloakProcessor.java:362)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at io.quarkus.deployment.ExtensionLoader$3.execute(ExtensionLoader.java:909)
	at io.quarkus.builder.BuildContext.run(BuildContext.java:281)
	at org.jboss.threads.ContextHandler$1.runWith(ContextHandler.java:18)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
	at java.base/java.lang.Thread.run(Thread.java:833)
	at org.jboss.threads.JBossThread.run(JBossThread.java:501)
Caused by: java.lang.NoSuchFieldError: KEY_SIZE_PROPERTY
	at fr.insee.keycloak.keys.GeneratedRsaKeyFCProviderFactory.<clinit>(GeneratedRsaKeyFCProviderFactory.java:20)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
	at java.base/java.util.ServiceLoader$ProviderImpl.newInstance(ServiceLoader.java:789)
	... 17 more

Expected behavior
Successful build.

Additional context

  • Keycloak Version 21.0.1
  • Keycloak-FranceConnect 4.2.0

[HELP/FEAT] France connect V2 : nonce's length constraint ?

Hello,

As indicated in #52
we would like to use your KC extension with FranceConnect V2 but we are facing issues with target URL.

Meanwhile, we tried to configure and use a default KC OIDC provider.
But we are facing some HTTP error code from France Connect V2 because the acr is missing and also because the nonce does not have the expected length.

According to :
https://github.com/InseeFr/Keycloak-FranceConnect/blob/master/src/main/java/fr/insee/keycloak/provider/FranceConnectIdentityProvider.java
we see that indeed you added the acr
but what about the nonce ?
Have you also faced issues with the nonce's length and customized something into your extension ?

Regards

Remove unused dependencies

At least one dependency declared inside pom.xml is not used: org.jboss.resteasy.resteasy-jaxrs.
We should remove it to keep the pom.xml as clean as possible.

[BUG] Unable to select the FranceConnect environment with the new Keycloak admin console

Describe the bug
With the new default Keycloak admin console available since version 19 (Admin console theme keycloak.v2), it's not possible to select the FranceConnect environment when adding a new Identity provider of type "Franceconnect-particulier". It seems the extension is missing resources for the new theme.
It's possible to switch to the old theme (Admin console theme keycloak) then the FranceConnect environment field is available when adding a new Identity provider of type "Franceconnect-particulier"

To Reproduce
Steps to reproduce the behavior:

  1. install Keycloak 19 and the FranceConnect extension version 4.1.0
  2. go to Keycloak admin console
  3. create a new realm
  4. go to that realm
  5. go to "Configure > Identity providers"
  6. select "Social > France Connect Particulier"
  7. the FranceConnect environment field is not available

Expected behavior

The FranceConnect environment field is displayed in the identity provider settings page.

Screenshots
Screenshot 2022-10-20 at 09-35-15 Keycloak Administration Console

Additional context

  • Keycloak Version 19.0.3
  • Browser Firefox/Chrome
  • Version 4.1.0

Error when logging out

There was a change in how FranceConnect redirects the user on the logout endpoint. It stopped sending the state parameter, which contradicts the specs:

https://openid.net/specs/openid-connect-session-1_0.html#RPLogout

state :
OPTIONAL. Opaque value used by the RP to maintain state between the logout request and the callback to the endpoint specified by the post_logout_redirect_uri query parameter. If included in the logout request, the OP passes this value back to the RP using the state query parameter when redirecting the User Agent back to the RP.

This causes Keycloak to throw an unhandled exception (here: https://github.com/keycloak/keycloak/blob/01255da0f07640f63a346123179cf485aa9058e0/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java#L105).

An issue was open with France Connect Support.

[BUG] Provided theme doesn't work with keycloak > 12.0.0

Describe the bug

Accessing the login page on a realm configured with fc-theme displays an error with the following stack trace in server.log:

2021-01-29 15:31:57,411 ERROR [org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider] (default task-80) Failed to process template: org.keycloak.theme.FreeMarkerException: Failed to process template login.ftl
        at org.keycloak.theme.FreeMarkerUtil.processTemplate(FreeMarkerUtil.java:71)
        at org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.processTemplate(FreeMarkerLoginFormsProvider.java:469)
        at org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.createResponse(FreeMarkerLoginFormsProvider.java:238)
        at org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.createLoginUsernamePassword(FreeMarkerLoginFormsProvider.java:484)
        at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.challenge(UsernamePasswordForm.java:87)
        at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.authenticate(UsernamePasswordForm.java:73)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:446)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:253)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:389)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:276)
        at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:977)
        at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:839)
        at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:151)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:481)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:177)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:116)
        at sun.reflect.GeneratedMethodAccessor894.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
        at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:543)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:432)
        at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:393)
        at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:395)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:364)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:150)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:110)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:141)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:104)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:440)
        at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
        at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
        at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
        at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:245)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:61)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
        at org.keycloak.provider.wildfly.WildFlyRequestFilter.lambda$doFilter$0(WildFlyRequestFilter.java:41)
        at org.keycloak.services.filters.AbstractRequestFilter.filter(AbstractRequestFilter.java:43)
        at org.keycloak.provider.wildfly.WildFlyRequestFilter.doFilter(WildFlyRequestFilter.java:39)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
        at io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.server.handlers.MetricsHandler.handleRequest(MetricsHandler.java:64)
        at io.undertow.servlet.core.MetricsChainHandler.handleRequest(MetricsChainHandler.java:59)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
        at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
        at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:841)
        at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
        at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
        at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280)
        at java.lang.Thread.run(Thread.java:748)
Caused by: freemarker.core._MiscTemplateException: Macro "registrationLayout" has no parameter with name "displayWide".

----
FTL stack trace ("~" means nesting-related):
        - Failed at: #macro registrationLayout bodyClass="...  [in template "template.ftl" in macro "registrationLayout" at line 1, column 1]
        - Reached through: @layout.registrationLayout displayInf...  [in template "login.ftl" at line 3, column 1]
----
        at freemarker.core.Environment.setMacroContextLocalsFromArguments(Environment.java:921)
        at freemarker.core.Environment.invokeMacroOrFunctionCommonPart(Environment.java:854)
        at freemarker.core.Environment.invokeMacro(Environment.java:809)
        at freemarker.core.UnifiedCall.accept(UnifiedCall.java:83)
        at freemarker.core.Environment.visit(Environment.java:331)
        at freemarker.core.Environment.visit(Environment.java:337)
        at freemarker.core.Environment.process(Environment.java:310)
        at freemarker.template.Template.process(Template.java:383)
        at org.keycloak.theme.FreeMarkerUtil.processTemplate(FreeMarkerUtil.java:68)
        ... 92 more

Screenshots

(screenshot)

Additional context

  • Keycloak Version 12.0.2
  • Firefox
  • Keycloak-FranceConnect 2.2

[BUG] Plugin not compatible with Keycloak 22

Describe the bug
Plugin not compatible with Keycloak 22

To Reproduce

  1. Install plugin last version (5.0.0) (providers folder) within a Keycloak 22
  2. Try to use the plugin (you get a class-not-found error linked to javax -> jakarta)

Expected behavior
A release is needed for keycloak core breaking changes (jdk 17 , jakarta, etc.)

Screenshots
Not applicable

Additional context

  • Keycloak Version 22
  • All Browser
  • Version 22

Setup CI / CD

Hello,

At the moment, there is no CI / CD for this project, releases are done manually.
We may want to set up a CI system that would:

  • Run tests (no tests yet, see #5 )
  • Build package
  • Publish the package to github releases (maybe maven central one day - see #3 -) on tagged versions

I will submit a PR with a travis-ci configuration as it's the CI used in other InseeFr repos

[BUG] Incompatibility with keycloak version greater than 9.0.2

Describe the bug

When using Keycloak > 9.0.2, it is impossible to save the IdentityProviderConfiguration with the message:

 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-2) Uncaught server error: java.lang.AbstractMethodError: Receiver class fr.insee.keycloak.FranceConnectParticulierTestIdentityProviderFactory does not define or inherit an implementation of the resolved method 'abstract org.keycloak.models.IdentityProviderModel createConfig()' of interface org.keycloak.broker.provider.IdentityProviderFactory.

To Reproduce
Steps to reproduce the behavior:

  1. Go to the France Connect Identity Provider configuration page (or add a new FC IdP)
  2. Modify something
  3. Click on save
  4. You get the message:
    (screenshot)
    And in the logs:
ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-2) Uncaught server error: java.lang.AbstractMethodError: Receiver class fr.insee.keycloak.FranceConnectParticulierTestIdentityProviderFactory does not define or inherit an implementation of the resolved method 'abstract org.keycloak.models.IdentityProviderModel createConfig()' of interface org.keycloak.broker.provider.IdentityProviderFactory.

The config is not saved !

Expected behavior

Config is saved without errors.

Additional context

  • Keycloak Version >= 9.0.2

[FEAT] Add integration tests to detect breaking changes with new keycloak versions

Is your feature request related to a problem? Please describe.
We don't check if the plugin is compatible with new keycloak versions

Describe the solution you'd like

  • Add some integration tests (plugin is deployed, FC theme works, plugin configuration is ok, ...) using Keycloak TestContainers dependency (it starts a Keycloak container only for testing)

  • Retrieve Keycloak existing versions (using Docker Hub Api: https://hub.docker.com/v2/repositories/jboss/keycloak/tags/?page_size=100)

  • Execute tests for each Keycloak Docker image (from 9.0.2 to latest)

  • Trigger Github actions workflow every week

Plugin can't be installed on keycloak 20

Describe the bug

I try to install the plugin on keycloak 20 following the official documentation.

To Reproduce

Steps to reproduce the behavior:

  1. Create the following Dockerfile
    ARG KEYCLOAK_VERSION=20.0.3
    
    FROM quay.io/keycloak/keycloak:${KEYCLOAK_VERSION} as builder
    
    ARG FRANCE_CONNECT_VERSION=4.2.0
    RUN curl -o /opt/keycloak/providers/keycloak-franceconnect-${FRANCE_CONNECT_VERSION}.jar \
        https://github.com/InseeFr/Keycloak-FranceConnect/releases/download/${FRANCE_CONNECT_VERSION}/keycloak-franceconnect-${FRANCE_CONNECT_VERSION}.jar
    
    WORKDIR /opt/keycloak
    RUN /opt/keycloak/bin/kc.sh build
    
    FROM quay.io/keycloak/keycloak:${KEYCLOAK_VERSION}
    COPY --from=builder /opt/keycloak/ /opt/keycloak/
    
    # change these values to point to a running postgres instance
    ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
  2. execute docker build .
  3. See error

Expected behavior

The image is installed with the France Connect plugin.

Screenshots

docker build .
Sending build context to Docker daemon   2.56kB
Step 1/9 : ARG KEYCLOAK_VERSION=20.0
Step 2/9 : FROM quay.io/keycloak/keycloak:${KEYCLOAK_VERSION} as builder
 ---> 9c52dcedfde1
Step 3/9 : ARG FRANCE_CONNECT_VERSION=4.2.0
 ---> Running in 19a5ff63124e
Removing intermediate container 19a5ff63124e
 ---> 15fe00289bc7
Step 4/9 : RUN curl -o /opt/keycloak/providers/keycloak-franceconnect-${FRANCE_CONNECT_VERSION}.jar     https://github.com/InseeFr/Keycloak-FranceConnect/releases/download/${FRANCE_CONNECT_VERSION}/keycloak-franceconnect-${FRANCE_CONNECT_VERSION}.jar
 ---> Running in 27383e09c68b
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
Removing intermediate container 27383e09c68b
 ---> 7d7550dedf26
Step 5/9 : WORKDIR /opt/keycloak
 ---> Running in 764a75a70221
Removing intermediate container 764a75a70221
 ---> f0a75a240b7e
Step 6/9 : RUN /opt/keycloak/bin/kc.sh build
 ---> Running in f30434bfce62
Updating the configuration and installing your custom providers, if any. Please wait.
The DelayedHandler was closed before any children handlers were configured. Messages will be written to stderr.
ERROR: Failed to run 'build' command.
ERROR: java.io.IOException: Failed to create a new filesystem for /opt/keycloak/lib/../providers/keycloak-franceconnect-4.2.0.jar
ERROR: Failed to create a new filesystem for /opt/keycloak/lib/../providers/keycloak-franceconnect-4.2.0.jar
ERROR: zip END header not found
For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.
Removing intermediate container f30434bfce62
The command '/bin/sh -c /opt/keycloak/bin/kc.sh build' returned a non-zero code: 1

Additional context

  • Keycloak Version 20.0.0-1..20.0.3
  • Browser N/A
  • Version 4.2.0
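
In the build output above curl reports 0 bytes received: GitHub release asset URLs answer with a redirect, which curl only follows with -L, so the file left in /opt/keycloak/providers is empty and `kc.sh build` fails with "zip END header not found". The following pre-build check is an added example, not code from the issue or from the Keycloak-FranceConnect project; it rejects such a file before the build step and also pins the artifact to a SHA-256 digest (the digest constant is a placeholder to be replaced with the one published for the release you use).

```python
"""Pre-build check for a provider jar fetched from GitHub releases.

Added example; not code from the issue or from the Keycloak-FranceConnect
project. Run it against the downloaded file before `kc.sh build`.
"""
import hashlib
import io
import sys
import zipfile
from typing import List, Optional

# Placeholder digest: replace with the SHA-256 published for the release you pin.
EXPECTED_SHA256 = "<sha256 of keycloak-franceconnect-<version>.jar>"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_provider_jar(data: bytes, expected_sha256: Optional[str] = None) -> List[str]:
    """Return the problems found with the artifact; an empty list means it is usable.

    Checks, in order: not empty, not an HTML/JSON error or redirect page, has a
    zip local-file header, has a readable central directory (the part kc.sh
    reports as 'zip END header not found' when missing), contains a manifest,
    and matches the pinned digest when one is given.
    """
    problems: List[str] = []
    if len(data) == 0:
        problems.append("file is empty (redirect not followed?)")
        return problems
    if data.lstrip()[:1] in (b"<", b"{"):
        problems.append("file looks like HTML/JSON, not a jar (error or redirect page saved)")
        return problems
    if not data.startswith(b"PK\x03\x04"):
        problems.append("missing zip local-file header")
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        problems.append("zip END header not found")
        return problems
    with zipfile.ZipFile(buf) as zf:
        if zf.testzip() is not None:
            problems.append("corrupt entry in archive")
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            problems.append("no META-INF/MANIFEST.MF, not a jar")
    if expected_sha256 is not None and sha256_hex(data) != expected_sha256.lower():
        problems.append("sha256 mismatch: got " + sha256_hex(data))
    return problems


def build_demo_jar(entries: dict) -> bytes:
    """Constructed sample: a minimal jar built in memory so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def main(argv: List[str]) -> int:
    """Usage: check_jar.py <path-to-jar> [expected-sha256]; exits 1 on any problem.

    Without arguments it runs on a constructed jar and on an empty file, the
    failure mode from the report.
    """
    if len(argv) < 2:
        good = build_demo_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
        print("demo jar:", check_provider_jar(good, sha256_hex(good)))
        print("empty file:", check_provider_jar(b""))
        return 0
    with open(argv[1], "rb") as fh:
        data = fh.read()
    problems = check_provider_jar(data, argv[2] if len(argv) > 2 else None)
    for p in problems:
        print("REJECT:", p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the Dockerfile this would run as a RUN step between the download and `kc.sh build`, so a bad download fails the image build with a clear message instead of the zip error.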

[BUG] login.ftl Macro "registrationLayout" has no parameter with name "displayWide"

At keycloak startup:

at freemarker.core.Environment.newUndeclaredParamNameException(Environment.java:1155)
 ----
Reached through: @layout.registrationLayout displayInf... [in template "login.ftl" at line 3, column 1]
Failed at: #macro registrationLayout bodyClass="... [in template "template.ftl" in macro "registrationLayout" at line 1, column 1]
FTL stack trace ("~" means nesting-related):
----
Caused by: freemarker.core._MiscTemplateException: Macro "registrationLayout" has no parameter with name "displayWide". Valid parameter names are: bodyClass, displayInfo, displayMessage, displayRequiredFields

Keycloak 17.0.1 and 18.0.2
InseeFr/Keycloak-FranceConnect 4.1.0

[HELP/FEAT] Support France Connect + (was: France connect compatibility : API v1 vs v2, update URL ? )

Hello,

--- [HELP] ---
As you can see on the diagram below, the URL used by the KeyCloak extension seems to be DEPRECATED.
image

Do you plan to release a version with the right URL?

France Connect official doc : https://github.com/france-connect/Documentation-FranceConnect-Plus/blob/main/fs/docs-fs.md

--- [FEAT] ---
Would it be possible to let admins modify the root URL of the API and thus maybe make your provider compliant with the latest version of the France Connect API?

Regards

Target host is not specified

Hello @micedre,

I'm reporting a bug with 4.1.0 for production internet of Agent Connect.
Staging internet works fine but when I switch this is what I get with keycloak 18.0.2:

10:58:44,125 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-13) unexpectedErrorHandlingRequestMessage: java.lang.IllegalStateException: org.apache.http.client.ClientProtocolException
	at deployment.keycloak-franceconnect-4.1.0.jar//fr.insee.keycloak.providers.common.Utils.getJsonWebKeySetFrom(Utils.java:73)
	at deployment.keycloak-franceconnect-4.1.0.jar//fr.insee.keycloak.providers.agentconnect.AgentConnectIdentityProvider.<init>(AgentConnectIdentityProvider.java:14)
	at deployment.keycloak-franceconnect-4.1.0.jar//fr.insee.keycloak.providers.agentconnect.AgentConnectIdentityProviderFactory.create(AgentConnectIdentityProviderFactory.java:42)
	at deployment.keycloak-franceconnect-4.1.0.jar//fr.insee.keycloak.providers.agentconnect.AgentConnectIdentityProviderFactory.create(AgentConnectIdentityProviderFactory.java:14)
	at [email protected]//org.keycloak.services.resources.IdentityBrokerService.performLogin(IdentityBrokerService.java:390)
Caused by: org.apache.http.client.ClientProtocolException
	at org.apache.httpcomponents.core//org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:187)
	at org.apache.httpcomponents.core//org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
	at org.apache.httpcomponents.core//org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
	at [email protected]//org.keycloak.connections.httpclient.DefaultHttpClientFactory$1.get(DefaultHttpClientFactory.java:112)
	at [email protected]//org.keycloak.protocol.oidc.utils.JWKSHttpUtils.sendJwksRequest(JWKSHttpUtils.java:36)
	at deployment.keycloak-franceconnect-4.1.0.jar//fr.insee.keycloak.providers.common.Utils.getJsonWebKeySetFrom(Utils.java:70)
	... 79 more
Caused by: org.apache.http.ProtocolException: Target host is not specified
	at org.apache.httpcomponents.core//org.apache.http.impl.conn.DefaultRoutePlanner.determineRoute(DefaultRoutePlanner.java:71)
	at org.apache.httpcomponents.core//org.apache.http.impl.client.InternalHttpClient.determineRoute(InternalHttpClient.java:125)
	at org.apache.httpcomponents.core//org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
	... 84 more

10:58:44,148 WARN  [org.keycloak.events] (default task-13) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=etalab, clientId=sill, userId=null, ipAddress=80.215.156.156, error=unexpectedErrorHandlingRequestMessage, identity_provider=agentconnect, code_id=890a1d63-bd09-424f-b379-b337488e11d2, authSessionParentId=890a1d63-bd09-424f-b379-b337488e11d2, authSessionTabId=INMQWBTJohI

I can set up a reproduction environment for you if you want.
v3.0-alpha2 works.

Best regards,

[BUG] KCK 25.0.2 - new BrokeredIdentityContext

Hello,

I am testing dockerised Keycloak 25.0.2 with extension 6.2.0 (upgrade from an existing Keycloak 22.0.7 with extension version 6.0.0 working without issue).

After authenticating using France Connect "Démonstration faible" and using one of the accounts in https://github.com/france-connect/identity-provider-example/blob/master/database.csv, I have this error in the Keycloak logs when FC redirects me to Keycloak:

2024-08-01 14:35:57,145 INFO  [org.keycloak.broker.oidc.OIDCIdentityProvider] (executor-thread-3) Validating: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2ZjcC5pbnRlZzAxLmRldi1mcmFuY2Vjb25uZWN0LmZyIiwic3ViIjoiMTZiMTdiNjY1YTYwNGI4MDI4ZmQ0ZGNiODhjZTljM2NjNmNjY2M0NDQwNGIxNjBhOWRhODE0MTdmNjEyYTBkMXYxIiwiYXVkIjoiNjA4M2MwMjA2NTM2Yjk2ZTA4OGVmYTEwMjAwYzY0NDljZGI1NzhiMjVhYWFmMTMyYjA5ZGQ5M2ZiMzRhYTRjYSIsImV4cCI6MTcyMjUxNTgxNywiaWF0IjoxNzIyNTE1NzU3LCJub25jZSI6IjVBOUJGODcyNUIyMjRERUQxQUI2MDA1RTA5RkRGQ0FDMDc5OTE4RkNENEIxNDkxNDU3OTZERjk1N0FCMzEzODMiLCJpZHAiOiJGQyIsImFjciI6ImVpZGFzMSIsImFtciI6bnVsbH0.fLoNuhskbm4pEJU8cUq-TGfk_CaDDs0OGJSwInQIHb0
2024-08-01 14:35:57,159 DEBUG [org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext] (executor-thread-3) Restarting handler chain for exception exception: java.lang.NoSuchMethodError: 'void org.keycloak.broker.provider.BrokeredIdentityContext.<init>(java.lang.String)'
        at fr.insee.keycloak.providers.franceconnect.FranceConnectIdentityProvider.extractIdentity(FranceConnectIdentityProvider.java:90)
        at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:396)
        at fr.insee.keycloak.providers.common.AbstractBaseIdentityProvider.getFederatedIdentity(AbstractBaseIdentityProvider.java:161)
        at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:557)
        at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint$quarkusrestinvoker$authResponse_ab908fbdd086ee82e140d8a818c077362a2d04b4.invoke(Unknown Source)
        at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
        at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
        at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
        at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
        at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
        at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
        at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:1583)

The token seems valid, the "sub" field is present and is indeed a string.

{
  "iss": "https://fcp.integ01.dev-franceconnect.fr",
  "sub": "16b17b665a604b8028fd4dcb88ce9c3cc6cccc44404b160a9da81417f612a0d1v1",
...
}

I know nothing about Java, but I see the implementation of the class BrokeredIdentityContext has changed between 24.0.2 (the one used in v6.2.0 of the extension, if I understand the pom correctly) and 25.0.2:

https://www.keycloak.org/docs-api/24.0.2/javadocs/org/keycloak/broker/provider/BrokeredIdentityContext.html
https://www.keycloak.org/docs-api/25.0.2/javadocs/org/keycloak/broker/provider/BrokeredIdentityContext.html

Add the possibility to choose acr value

Adaptation to France Connect requiring an ACR value.

From 2020, FranceConnect will allow you to use identities with a substantial and / or high level of guarantee for your most sensitive services. Your requests to FranceConnect will therefore have to integrate the expected Eidas guarantee level.
The "acr" claim of the OpenID Connect standard (http://openid.net/specs/openid-connect-basic-1_0.html#RequestParameters) must be filled in during the authentication request (call to the endpoint /api/v1/authorize). You must specify a value corresponding to the eIDAS level used from among the following:

  • eidas1: standard level (example: authentication by username / password)
  • eidas2: substantial level (example: second factor, eIDAS approved)
  • eidas3: high level (example: use of certificates, card readers, ... eIDAS approved)
Any other value or lack of value will by default be interpreted by the high guarantee level.
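
The two sides of this requirement, as an added example that is not code from the issue or from the Keycloak-FranceConnect project: building the authorization request with acr_values (refusing any value outside eidas1..eidas3, since FranceConnect treats anything else as a request for the high level) and, after the callback, checking that the acr claim in the returned id_token is at least the requested level. The claim decoding does not verify the signature; it assumes Keycloak has already validated the id_token. Function names, the demo token and the example URLs are assumptions.

```python
"""eIDAS level in the FranceConnect authorization request and in the returned id_token.

Added example, not code from the issue or from the Keycloak-FranceConnect project.
Part 1 builds the authorization request with the acr_values parameter the text
describes. Part 2 is a post-login policy check: the acr claim FranceConnect put in
the id_token must be at least the level that was requested. The decoding here does
not verify the signature; it assumes Keycloak already validated the id_token.
Function names and the demo token are assumptions.
"""
import base64
import json
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Levels accepted in acr_values, lowest to highest, as listed by FranceConnect.
EIDAS_RANK = {"eidas1": 1, "eidas2": 2, "eidas3": 3}


def build_authorize_params(client_id: str, redirect_uri: str, acr_level: str,
                           scope: str = "openid profile") -> Dict[str, str]:
    """Parameters for the /api/v1/authorize call.

    Rejecting unknown levels up front matters: FranceConnect treats any other
    value (or a missing one) as a request for the high level, which would make
    most users fail to log in.
    """
    if acr_level not in EIDAS_RANK:
        raise ValueError("unknown eIDAS level: %r" % (acr_level,))
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "acr_values": acr_level,
        "state": secrets.token_urlsafe(32),  # CSRF binding, compared on callback
        "nonce": secrets.token_urlsafe(32),  # replay binding, echoed in the id_token
    }


def authorize_url(base_url: str, params: Dict[str, str]) -> str:
    return base_url + "?" + urlencode(params)


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims_unverified(id_token: str) -> dict:
    """Payload of a compact JWT. No signature check: only for use after verification."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_acr(id_token: str, requested_level: str,
              expected_nonce: Optional[str] = None) -> Tuple[bool, str]:
    """(True, acr) when the token's acr meets requested_level, else (False, reason)."""
    claims = jwt_claims_unverified(id_token)
    acr = claims.get("acr")
    if acr not in EIDAS_RANK:
        return False, "acr claim missing or unknown: %r" % (acr,)
    if EIDAS_RANK[acr] < EIDAS_RANK[requested_level]:
        return False, "acr %s is below requested %s" % (acr, requested_level)
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    return True, acr


def demo_id_token(claims: dict) -> str:
    """Constructed, unsigned sample token for local runs; the third segment is a
    placeholder, not a real signature."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims) + ".placeholder"


if __name__ == "__main__":
    # Placeholder client id and URLs; the issuer value is the integration one from the logs above.
    params = build_authorize_params("my-client-id", "https://rp.example/callback", "eidas2")
    print(authorize_url("https://fcp.example/api/v1/authorize", params))
    token = demo_id_token({"iss": "https://fcp.integ01.dev-franceconnect.fr",
                           "sub": "demo", "acr": "eidas1", "nonce": params["nonce"]})
    print(check_acr(token, "eidas2", params["nonce"]))  # (False, 'acr eidas1 is below requested eidas2')
```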

[FEAT] Improve admin labels

Improve labels in admin area of this identity provider and translations

Maybe with ResourceBundle.getBundle("admin-messages", Locale.FR)

Previous labels from old admin theme are unused but still in src/main/resources/admin-messages_.properties

[BUG] new endpoints for integration environment

Describe the bug
FranceConnect's integration environment seems to use new endpoints URL but only for newly created clients (old clients could still use the old endpoint).

See: https://docs.partenaires.franceconnect.gouv.fr/fd/technique/fd-technique-environnements/

To Reproduce
Steps to reproduce the behavior:

  1. ask FranceConnect to create a new client
  2. in Keycloak, create a new Identity provider "France Connect Particulier"
  3. try to connect with the "France Connect Particulier" idp
    • with INTEGRATION_V1: "Erreur E000019"
    • with INTEGRATION_V2: "Erreur Y030106" "invalid_client"

But, now if I delete the "France Connect Particulier" idp and create a new "OpenID Connect v1.0" idp with the new endpoints (with the following discovery endpoint https://fcp-low.integ01.dev-franceconnect.fr/api/v2/.well-known/openid-configuration and appending "?acr_values=eidas1" to the authorization URL), I can log in with FC.

With previously created FC clients, I can still use INTEGRATION_V1.

Additional context

  • Keycloak Version 24.0.4
  • Extension Version 6.2.0

Release 2.0 version

Is it possible to release 2.0 version to make all of our changes available?

[QUESTION] Support for absence of state parameter in logout response

Previous version of this plugin had a switch to allow for the absence of the state parameter in franceconnect logout response (for csrf protection)

Should we reintroduce this switch in the admin panel, or should we definitively remove support for accepting logout responses without a state parameter?

It's about code around https://github.com/InseeFr/Keycloak-FranceConnect/blob/master/src/main/java/fr/insee/keycloak/providers/common/AbstractBaseIdentityProvider.java#L202C1-L211C100
