FranceConnect+ : adapt to weird requirement on nonce

Fixed size 64 Bytes Signed-off-by: Cédric Couralet <[email protected]>
InseeFr · Oct 6, 2021 · 471b35f · 471b35f
1 parent 2278228
commit 471b35f
Showing 1 changed file with 13 additions and 5 deletions.
diff --git a/src/main/java/fr/insee/keycloak/provider/FranceConnectIdentityProvider.java b/src/main/java/fr/insee/keycloak/provider/FranceConnectIdentityProvider.java
@@ -19,6 +19,7 @@
 import org.keycloak.broker.provider.BrokeredIdentityContext;
 import org.keycloak.broker.provider.IdentityBrokerException;
 import org.keycloak.broker.social.SocialIdentityProvider;
+import org.keycloak.common.util.Base64Url;
 import org.keycloak.crypto.JavaAlgorithm;
 import org.keycloak.events.Errors;
 import org.keycloak.events.EventBuilder;
@@ -32,13 +33,16 @@
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserSessionModel;
+import org.keycloak.models.utils.KeycloakModelUtils;
+import org.keycloak.protocol.oidc.OIDCLoginProtocol;
 import org.keycloak.protocol.oidc.utils.JWKSHttpUtils;
 import org.keycloak.representations.JsonWebToken;
 import org.keycloak.services.ErrorPage;
 import org.keycloak.services.managers.AuthenticationManager;
 import org.keycloak.services.messages.Messages;
 import org.keycloak.services.resources.IdentityBrokerService;
 import org.keycloak.services.resources.RealmsResource;
+import org.keycloak.sessions.AuthenticationSessionModel;
 import org.keycloak.vault.VaultStringSecret;
 
 public class FranceConnectIdentityProvider extends OIDCIdentityProvider
@@ -48,6 +52,8 @@ public class FranceConnectIdentityProvider extends OIDCIdentityProvider
 
   private static JSONWebKeySet jwks;
 
+  private static final String BROKER_NONCE_PARAM = "BROKER_NONCE";
+
   public FranceConnectIdentityProvider(
       KeycloakSession session, FranceConnectIdentityProviderConfig config) {
     super(session, config);
@@ -67,16 +73,18 @@ private void initjwks(FranceConnectIdentityProviderConfig config) {
     }
   }
 
+  /** France connect requires nonce to be exactly 64 char long, so...yes */
   @Override
   protected UriBuilder createAuthorizationUrl(AuthenticationRequest request) {
-
     FranceConnectIdentityProviderConfig config = getFranceConnectConfig();
 
-    UriBuilder uriBuilder =
-        super.createAuthorizationUrl(request).queryParam("acr_values", config.getEidasLevel());
-
-    logger.debugv("FranceConnect Authorization Url: {0}", uriBuilder.build().toString());
+    UriBuilder uriBuilder = super.createAuthorizationUrl(request);
+    String nonce = Base64Url.encode(KeycloakModelUtils.generateSecret(48));
+    AuthenticationSessionModel authenticationSession = request.getAuthenticationSession();
 
+    authenticationSession.setClientNote(BROKER_NONCE_PARAM, nonce);
+    uriBuilder.queryParam(OIDCLoginProtocol.NONCE_PARAM, nonce);
+    uriBuilder.queryParam("acr_values", config.getEidasLevel());
     return uriBuilder;
   }