Replace the exchange approach with the bootstrap grant type in the login flow

Author: fatemeh-i

auth-gateway/auth-gateway-app/src/main/kotlin/co/nilin/opex/auth/controller/AuthController.kt

@@ -27,7 +27,7 @@ class AuthController(private val loginService: LoginService) {
     }
 
     @PostMapping("/token/resend-otp")
-    suspend fun confirmGetToken(
+    suspend fun resendOtp(
         @RequestBody resendOtpRequest: ResendOtpRequest,
         @CurrentSecurityContext securityContext: SecurityContext,
     ): ResponseEntity<ResendOtpResponse> {

auth-gateway/auth-gateway-app/src/main/kotlin/co/nilin/opex/auth/proxy/KeycloakProxy.kt

@@ -439,4 +439,35 @@ class KeycloakProxy(
         return internalId
 
     }
+
+    suspend fun getClientBTokenWithBootstrap(
+        bootstrapToken: String,
+        clientId: String,
+        clientSecret: String?,
+        rememberMe: Boolean
+    ): Token {
+        // There is no way to define a custom grant type in keycloak, so we use a password grant with a custom Bootstrap token field, we defined a custom factory to pars this request
+        val tokenUrl = "${keycloakConfig.url}/realms/${keycloakConfig.realm}/protocol/openid-connect/token"
+
+        val token = keycloakClient.post()
+            .uri(tokenUrl)
+            .header("Content-Type", "application/x-www-form-urlencoded")
+            .bodyValue(
+                "grant_type=password" +
+                        "&client_id=$clientId" +
+                        "&client_secret=$clientSecret" +
+                        "&bootstrap_token=$bootstrapToken" +
+                        "&username=bootstrap_user" + // Required dummy field
+                        "&password=bootstrap_pass" + // Required dummy field
+                        "&scope=offline_access"
+            )
+            .retrieve()
+            .onStatus({ it == HttpStatus.valueOf(401) }) {
+                throw OpexError.InvalidUserCredentials.exception()
+            }
+            .awaitBody<Token>()
+
+        if (!rememberMe) token.refreshToken = null
+        return token
+    }
 }

auth-gateway/auth-gateway-app/src/main/kotlin/co/nilin/opex/auth/service/LoginService.kt

@@ -47,6 +47,7 @@ class LoginService(
                 request.clientId,
                 request.clientSecret
             ).apply { if (!request.rememberMe) refreshToken = null }
+            sendLoginEvent(user.id, token.sessionState, request, token.expiresIn)
             return TokenResponse(token, null, null)
         }
 
@@ -106,12 +107,18 @@ class LoginService(
             }
         }
 
-        val token = keycloakProxy.exchangeUserToken(
-            request.token,
-            PRE_AUTH_CLIENT_ID,
-            preAuthClientSecretKey,
-            request.clientId
-        ).apply { if (!request.rememberMe) refreshToken = null }
+//        val token = keycloakProxy.exchangeUserToken(
+//            request.token, request.clientId,
+//            request.clientSecret,
+//            request.clientId
+//        ).apply { if (!request.rememberMe) refreshToken = null }
+        val token = keycloakProxy.getClientBTokenWithBootstrap(
+            bootstrapToken = request.token,
+            clientId = request.clientId,
+            clientSecret = request.clientSecret,
+            rememberMe = request.rememberMe
+        )
+
         sendLoginEvent(extractUserUuidFromToken(token.accessToken), token.sessionState, request, token.expiresIn)
 
         return TokenResponse(token, null, null)

auth-gateway/keycloak-setup/spi/src/main/java/co/nilin/opex/keycloak/spi/BootstrapTokenGrantAuthenticator.java

@@ -0,0 +1,79 @@
+package co.nilin.opex.keycloak.spi;
+
+import org.keycloak.TokenVerifier;
+import org.keycloak.authentication.AuthenticationFlowContext;
+import org.keycloak.authentication.AuthenticationFlowError;
+import org.keycloak.authentication.Authenticator;
+import org.keycloak.models.*;
+import jakarta.ws.rs.core.MultivaluedMap;
+import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.core.MediaType;
+import org.keycloak.representations.AccessToken;
+
+import java.util.*;
+
+public class BootstrapTokenGrantAuthenticator implements Authenticator {
+
+    @Override
+    public void authenticate(AuthenticationFlowContext context) {
+        MultivaluedMap<String, String> params = context.getHttpRequest().getDecodedFormParameters();
+        String bootstrapTokenString = params.getFirst("bootstrap_token");
+
+        if (bootstrapTokenString == null || bootstrapTokenString.isEmpty()) {
+
+            System.out.println("No bootstrap token found, skipping to next authenticator.");
+
+            String username = context.getHttpRequest().getDecodedFormParameters().getFirst("username");
+            if (username != null) {
+                UserModel user = context.getSession().users().getUserByUsername(context.getRealm(), username);
+                if (user != null) {
+                    context.setUser(user); // Attach the user so the next step (Password) knows who to check
+                }
+            }
+            context.attempted();
+            return;
+        }
+        try {
+            // Parse the JWT to get the user ID (the 'sub' claim)
+            AccessToken token = TokenVerifier.create(bootstrapTokenString, AccessToken.class).getToken();
+            String userId = token.getSubject();
+
+            KeycloakSession session = context.getSession();
+            RealmModel realm = context.getRealm();
+
+            // Find the actual user from the database
+            UserModel user = session.users().getUserById(realm, userId);
+
+            if (user == null || !user.isEnabled()) {
+                sendError(context, "invalid_grant");
+                return;
+            }
+
+            // IMPORTANT: Identify the user and tell Keycloak this step is finished successfully
+            context.setUser(user);
+            context.success();
+
+        } catch (Exception e) {
+            // This happens if the JWT is malformed or expired
+            sendError(context, "invalid_grant");
+        }
+    }
+
+    private void sendError(AuthenticationFlowContext context, String errorCode) {
+        Map<String, String> errorEntity = new HashMap<>();
+        errorEntity.put("error", errorCode);
+
+        Response response = Response.status(Response.Status.BAD_REQUEST)
+                .entity(errorEntity)
+                .type(MediaType.APPLICATION_JSON_TYPE)
+                .build();
+
+        context.failure(AuthenticationFlowError.UNKNOWN_USER, response);
+    }
+
+    @Override public void action(AuthenticationFlowContext context) {}
+    @Override public boolean requiresUser() { return false; }
+    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
+    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {}
+    @Override public void close() {}
+}

auth-gateway/keycloak-setup/spi/src/main/java/co/nilin/opex/keycloak/spi/endpoints/BootstrapTokenGrantProviderFactory.java

@@ -0,0 +1,86 @@
+package co.nilin.opex.keycloak.spi.endpoints;
+
+import co.nilin.opex.keycloak.spi.BootstrapTokenGrantAuthenticator;
+import org.keycloak.Config;
+import org.keycloak.authentication.Authenticator;
+import org.keycloak.authentication.AuthenticatorFactory;
+import org.keycloak.models.AuthenticationExecutionModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.provider.ProviderConfigProperty;
+import java.util.Collections;
+import java.util.List;
+
+public class BootstrapTokenGrantProviderFactory implements AuthenticatorFactory {
+
+    // 1. Change PROVIDER_ID to a simple name.
+    // Do not use the URN here, as we are now intercepting the standard password grant.
+    public static final String PROVIDER_ID = "bootstrap-token-grant";
+
+    private static final BootstrapTokenGrantAuthenticator SINGLETON = new BootstrapTokenGrantAuthenticator();
+
+    @Override
+    public Authenticator create(KeycloakSession session) {
+        return SINGLETON;
+    }
+
+    @Override
+    public String getId() {
+        return PROVIDER_ID;
+    }
+
+    @Override
+    public String getDisplayType() {
+        // This is the name you will see in the Keycloak Admin Console 'Add Step' list
+        return "Opex Bootstrap Interceptor";
+    }
+
+    @Override
+    public String getReferenceCategory() {
+        // Keep this as "grant" so it appears in the Direct Grant flow options
+        return "grant";
+    }
+
+    @Override
+    public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
+        return new AuthenticationExecutionModel.Requirement[] {
+                AuthenticationExecutionModel.Requirement.REQUIRED,
+                AuthenticationExecutionModel.Requirement.ALTERNATIVE,
+                AuthenticationExecutionModel.Requirement.DISABLED
+        };
+    }
+
+    @Override
+    public boolean isConfigurable() {
+        return false;
+    }
+
+    @Override
+    public String getHelpText() {
+        return "Intercepts standard password grant to exchange a bootstrap_token for full tokens";
+    }
+
+    @Override
+    public void init(Config.Scope config) {}
+
+    @Override
+    public void postInit(KeycloakSessionFactory factory) {}
+
+    @Override
+    public void close() {}
+
+    @Override
+    public int order() {
+        return 0;
+    }
+
+    @Override
+    public List<ProviderConfigProperty> getConfigProperties() {
+        return Collections.emptyList();
+    }
+
+    @Override
+    public boolean isUserSetupAllowed() {
+        return false;
+    }
+}

auth-gateway/keycloak-setup/spi/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory

@@ -0,0 +1 @@
+co.nilin.opex.keycloak.spi.endpoints.BootstrapTokenGrantProviderFactory