new method for linking existing idps (#159)

Author: xgp

README.md

@@ -183,9 +183,11 @@ There are some non-standard flows where the required action does not do this det
 
 #### IdP Discovery
 
-Organizations may optionally be given permission to manage their own IdP. The custom resources that allow this write a configuration in the IdP entities that is compatible with a 3rd party extension that allows for IdP discovery based on email domain configured for the Organization. It works by writing the `home.idp.discovery.domains` value into the `config` map for the IdP. Information on further configuration is available at [sventorben/keycloak-home-idp-discovery](https://github.com/sventorben/keycloak-home-idp-discovery).
+Organizations may optionally be given permission to manage their own IdP. The custom resources that allow this write a configuration in the IdP entities that is compatible with a 3rd party extension that allows for IdP discovery based on email domain configured for the Organization. It works by writing the `home.idp.discovery.orgs` value into the `config` map for the IdP. Information on further configuration is available at [sventorben/keycloak-home-idp-discovery](https://github.com/sventorben/keycloak-home-idp-discovery). However, please note that the internal discovery portion has been *forked* from his version, and does not look up IdPs in the same way.
 
-tbd screenshot of installing in flow
+![mapper](./docs/assets/home-idp-discovery-config.png)
+
+These are the configuration options for the "Home IdP Discovery" Authenticator. It will need to be placed in your flow as a replacement for a "Username form", or after another Authenticator/Form that sets the `ATTEMPTED_USERNAME` note. 
 
 ## License
 
@@ -196,6 +198,6 @@ We’ve changed the license of our core extensions from the AGPL v3 to the [Elas
 
 -----
 
-Portions of the [Home IdP Discovery](https://github.com/p2-inc/keycloak-orgs/tree/main/src/main/java/io/phasetwo/service/auth/idp) code are Copyright (c) 2021-2023 Sven-Torben Janus, and are licensed under the [MIT License](https://github.com/p2-inc/keycloak-orgs/blob/main/src/main/java/io/phasetwo/service/auth/idp/LICENSE.md).
+Portions of the [Home IdP Discovery](https://github.com/p2-inc/keycloak-orgs/tree/main/src/main/java/io/phasetwo/service/auth/idp) code are Copyright (c) 2021-2024 Sven-Torben Janus, and are licensed under the [MIT License](https://github.com/p2-inc/keycloak-orgs/blob/main/src/main/java/io/phasetwo/service/auth/idp/LICENSE.md).
 
-All other ocumentation, source code and other files in this repository are Copyright 2023 Phase Two, Inc.
+All other documentation, source code and other files in this repository are Copyright 2024 Phase Two, Inc.

docs/assets/home-idp-discovery-config.png

@@ -5,4 +5,7 @@ public class Orgs {
   public static final String ORG_OWNER_CONFIG_KEY = "home.idp.discovery.org";
   public static final String FIELD_ORG_ID = "org_id";
   public static final String ORG_AUTH_FLOW_ALIAS = "post org broker login";
+  public static final String ORG_DEFAULT_POST_BROKER_FLOW_KEY =
+      "_providerConfig.orgs.defaults.postBrokerFlow";
+  public static final String ORG_DEFAULT_SYNC_MODE_KEY = "_providerConfig.orgs.defaults.syncMode";
 }

src/main/java/io/phasetwo/service/Orgs.java

@@ -0,0 +1,19 @@
+package io.phasetwo.service.representation;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.Data;
+
+@Data
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class LinkIdp {
+
+  @JsonProperty("alias")
+  private String alias;
+
+  @JsonProperty("post_broker_flow")
+  private String postBrokerFlow;
+
+  @JsonProperty("sync_mode")
+  private String syncMode;
+}

src/main/java/io/phasetwo/service/representation/LinkIdp.java

@@ -1,5 +1,6 @@
 package io.phasetwo.service.resource;
 
+import static io.phasetwo.service.Orgs.*;
 import static io.phasetwo.service.resource.Converters.*;
 import static io.phasetwo.service.resource.OrganizationResourceType.*;
 
@@ -48,7 +49,8 @@ public Response delete() {
   public Response update(IdentityProviderRepresentation providerRep) {
     requireManage();
     // don't allow override of ownership and other conf vars
-    IdentityProvidersResource.idpDefaults(organization, providerRep);
+    providerRep.getConfig().put("hideOnLoginPage", "true");
+    providerRep.getConfig().put(ORG_OWNER_CONFIG_KEY, organization.getId());
     // force alias
     providerRep.setAlias(alias);
 

src/main/java/io/phasetwo/service/resource/IdentityProviderResource.java

@@ -4,13 +4,16 @@
 import static io.phasetwo.service.resource.Converters.*;
 import static io.phasetwo.service.resource.OrganizationResourceType.*;
 
+import com.google.common.base.Strings;
 import io.phasetwo.service.model.OrganizationModel;
+import io.phasetwo.service.representation.LinkIdp;
 import jakarta.validation.constraints.*;
 import jakarta.ws.rs.*;
 import jakarta.ws.rs.core.MediaType;
 import jakarta.ws.rs.core.Response;
 import java.io.IOException;
 import java.util.Map;
+import java.util.Optional;
 import java.util.stream.Stream;
 import lombok.extern.jbosslog.JBossLog;
 import org.keycloak.models.IdentityProviderModel;
@@ -55,30 +58,32 @@ public Stream<IdentityProviderRepresentation> getIdentityProviders() {
                 StripSecretsUtils.strip(ModelToRepresentation.toRepresentation(realm, provider)));
   }
 
-  public static void idpDefaults(
-      OrganizationModel organization, IdentityProviderRepresentation representation) {
+  protected void idpDefaults(
+      IdentityProviderRepresentation representation, Optional<LinkIdp> linkIdp) {
     // defaults? overrides?
-    representation.getConfig().put("syncMode", "FORCE");
+    String syncMode =
+        linkIdp
+            .map(LinkIdp::getSyncMode)
+            .orElse(
+                Optional.ofNullable(realm.getAttribute(ORG_DEFAULT_SYNC_MODE_KEY)).orElse("FORCE"));
+    String postBrokerFlow =
+        linkIdp
+            .map(LinkIdp::getPostBrokerFlow)
+            .orElse(
+                Optional.ofNullable(realm.getAttribute(ORG_DEFAULT_POST_BROKER_FLOW_KEY))
+                    .orElse(ORG_AUTH_FLOW_ALIAS));
+    log.debugf(
+        "using syncMode %s, postBrokerFlow %s for idp %s",
+        syncMode, postBrokerFlow, representation.getAlias());
+
+    representation.getConfig().put("syncMode", syncMode);
     representation.getConfig().put("hideOnLoginPage", "true");
     representation.getConfig().put(ORG_OWNER_CONFIG_KEY, organization.getId());
-    representation.setPostBrokerLoginFlowAlias(ORG_AUTH_FLOW_ALIAS);
-    //  - firstBrokerLoginFlowAlias
+    representation.setPostBrokerLoginFlowAlias(postBrokerFlow);
+    // TODO firstBrokerLoginFlowAlias
   }
 
-  @POST
-  @Consumes(MediaType.APPLICATION_JSON)
-  public Response createIdentityProvider(IdentityProviderRepresentation representation) {
-    if (!auth.hasManageOrgs() && !auth.hasOrgManageIdentityProviders(organization)) {
-      throw new NotAuthorizedException(
-          String.format(
-              "Insufficient permission to create identity providers for %s", organization.getId()));
-    }
-
-    // Override alias to prevent collisions
-    // representation.setAlias(KeycloakModelUtils.generateId());
-
-    idpDefaults(organization, representation);
-
+  private void deactivateOtherIdps(IdentityProviderRepresentation representation) {
     // Organization can have only one active idp
     // Activating an idp deactivates all others
     if (representation.isEnabled()) {
@@ -91,17 +96,79 @@ public Response createIdentityProvider(IdentityProviderRepresentation representa
                 realm.updateIdentityProvider(provider); // weird that this is necessary
               });
     }
+  }
+
+  private Response createdResponse(IdentityProviderRepresentation representation) {
+    return Response.created(
+            session
+                .getContext()
+                .getUri()
+                .getAbsolutePathBuilder()
+                .path(representation.getAlias())
+                .build())
+        .build();
+  }
+
+  @POST
+  @Consumes(MediaType.APPLICATION_JSON)
+  public Response createIdentityProvider(IdentityProviderRepresentation representation) {
+    if (!auth.hasManageOrgs() && !auth.hasOrgManageIdentityProviders(organization)) {
+      throw new NotAuthorizedException(
+          String.format(
+              "Insufficient permission to create identity providers for %s", organization.getId()));
+    }
+
+    idpDefaults(representation, Optional.empty());
+    deactivateOtherIdps(representation);
 
     Response resp = getIdpResource().create(representation);
     if (resp.getStatus() == Response.Status.CREATED.getStatusCode()) {
-      return Response.created(
-              session
-                  .getContext()
-                  .getUri()
-                  .getAbsolutePathBuilder()
-                  .path(representation.getAlias())
-                  .build())
-          .build();
+      return createdResponse(representation);
+    } else {
+      return resp;
+    }
+  }
+
+  @POST
+  @Path("link")
+  @Consumes(MediaType.APPLICATION_JSON)
+  @Produces(MediaType.APPLICATION_JSON)
+  public Response linkIdp(LinkIdp linkIdp) {
+    // authz
+    if (!auth.hasManageOrgs() && !auth.hasOrgManageIdentityProviders(organization)) {
+      throw new NotAuthorizedException(
+          String.format(
+              "Insufficient permission to create identity providers for %s", organization.getId()));
+    }
+
+    // get an idp with the same alias
+    IdentityProviderModel idp = realm.getIdentityProviderByAlias(linkIdp.getAlias());
+    if (idp == null) {
+      throw new NotFoundException(String.format("No IdP found with alias %s", linkIdp.getAlias()));
+    }
+
+    // does it already contain an orgId for a different org?
+    String orgId = idp.getConfig().get(ORG_OWNER_CONFIG_KEY);
+    if (orgId != null && !organization.getId().equals(orgId)) {
+      throw new ClientErrorException(
+          String.format("IdP with alias %s unavailable for linking.", linkIdp.getAlias()),
+          Response.Status.CONFLICT);
+    }
+
+    IdentityProviderRepresentation representation =
+        ModelToRepresentation.toRepresentation(realm, idp);
+    idpDefaults(representation, Optional.of(linkIdp));
+    if (!Strings.isNullOrEmpty(linkIdp.getSyncMode())) {
+      representation.getConfig().put("syncMode", linkIdp.getSyncMode());
+    }
+    if (!Strings.isNullOrEmpty(linkIdp.getPostBrokerFlow())) {
+      representation.setPostBrokerLoginFlowAlias(linkIdp.getPostBrokerFlow());
+    }
+    deactivateOtherIdps(representation);
+
+    Response resp = getIdpResource().getIdentityProvider(linkIdp.getAlias()).update(representation);
+    if (resp.getStatus() == Response.Status.NO_CONTENT.getStatusCode()) {
+      return createdResponse(representation);
     } else {
       return resp;
     }

src/main/java/io/phasetwo/service/resource/IdentityProvidersResource.java

@@ -11,6 +11,7 @@
 import com.google.common.collect.ImmutableMap;
 import io.phasetwo.client.openapi.model.*;
 import io.phasetwo.service.AbstractOrganizationTest;
+import io.phasetwo.service.representation.LinkIdp;
 import io.restassured.http.Header;
 import io.restassured.response.Response;
 import jakarta.ws.rs.core.MediaType;
@@ -674,6 +675,66 @@ void testListOrgsByMember() throws IOException {
     }
   }
 
+  @Test
+  void testLinkIdp() throws IOException {
+    OrganizationRepresentation org = createDefaultOrg();
+    String id = org.getId();
+
+    String alias1 = "linking-provider-1";
+    org.keycloak.representations.idm.IdentityProviderRepresentation idp =
+        new org.keycloak.representations.idm.IdentityProviderRepresentation();
+    idp.setAlias(alias1);
+    idp.setProviderId("oidc");
+    idp.setEnabled(true);
+    idp.setFirstBrokerLoginFlowAlias("first broker login");
+    idp.setConfig(
+        new ImmutableMap.Builder<String, String>()
+            .put("useJwksUrl", "true")
+            .put("syncMode", "FORCE")
+            .put("authorizationUrl", "https://foo.com")
+            .put("hideOnLoginPage", "")
+            .put("loginHint", "")
+            .put("uiLocales", "")
+            .put("backchannelSupported", "")
+            .put("disableUserInfo", "")
+            .put("acceptsPromptNoneForwardFromClient", "")
+            .put("validateSignature", "")
+            .put("pkceEnabled", "")
+            .put("tokenUrl", "https://foo.com")
+            .put("clientAuthMethod", "client_secret_post")
+            .put("clientId", "aabbcc")
+            .put("clientSecret", "112233")
+            .build());
+    keycloak.realm(REALM).identityProviders().create(idp);
+
+    // link it
+    LinkIdp link = new LinkIdp();
+    link.setAlias(alias1);
+    link.setSyncMode("IMPORT");
+    Response response = postRequest(link, org.getId(), "idps", "link");
+    assertThat(response.getStatusCode(), is(Status.CREATED.getStatusCode()));
+
+    // get it
+    response = getRequest(id, "idps");
+    assertThat(response.getStatusCode(), is(Status.OK.getStatusCode()));
+    List<IdentityProviderRepresentation> idps =
+        new ObjectMapper().readValue(response.getBody().asString(), new TypeReference<>() {});
+    assertThat(idps, notNullValue());
+    assertThat(idps, hasSize(1));
+
+    IdentityProviderRepresentation representation = idps.get(0);
+    assertThat(representation.getEnabled(), is(true));
+    assertThat(representation.getAlias(), is(alias1));
+    assertThat(representation.getProviderId(), is("oidc"));
+    assertThat(representation.getConfig().get("syncMode"), is("IMPORT"));
+
+    // delete org
+    deleteOrganization(id);
+
+    // delete idp
+    keycloak.realm(REALM).identityProviders().get(alias1).remove();
+  }
+
   @Test
   void testAddGetDeleteIdps() throws IOException {
     OrganizationRepresentation org = createDefaultOrg();