Use default fields for timeout + proxy

docs/Reference-Adapter.md

@@ -11,7 +11,7 @@ Configuration of adapter properties in the Share-tier `share-config-custom.xml`
 ```xml
     <config evaluator="string-compare" condition="Keycloak">
         <keycloak-adapter-config>
-            <directAuthHost></directAuthHost>
+            <proxy-url></proxy-url>
             <auth-server-url>http://localhost:8180/auth</auth-server-url>
             <realm>alfresco</realm>
             <resource>alfresco-share</resource>
@@ -30,7 +30,7 @@ Note: This listing does not include the common property key prefix `keycloak.ada
 | Property | Default Value | Description |
 | --- | ---: | --- |
 | `auth-server-url` | `http://localhost:8180/auth` | Publically resolvable base URL to the Keycloak server to be used in redirect URLs and remote calls |
-| `directAuthHost` |  | Alternative base URL for the Keycloak server (excluding path) to be used for calls from Alfresco to Keycloak - useful e.g. in scenarios where the regular `auth-server-url` can not be resolved or round-trips via a public gateway / proxy should be avoided |
+| `proxy-url` |  | Alternative base URL for the Keycloak server (excluding path) to be used for calls from Alfresco to Keycloak - useful e.g. in scenarios where the regular `auth-server-url` can not be resolved or round-trips via a public gateway / proxy should be avoided |
 | `realm` | `alfresco` | Technical name of the Keycloak realm |
 | `realm-public-key` |  | Fixed public key of the realm (PEM string) - if not set, the public key(s) will be dynamically loaded and automatically refreshed after a configurable amount of times between JSON Web Key Store requests |
 | `resource` | `alfresco` / `alfresco-share` | Technical name of the client set up in the realm |
@@ -66,15 +66,9 @@ Note: This listing does not include the common property key prefix `keycloak.ada
 | `public-key-cache-ttl` | `86400` | Time-to-live in seconds for public key cache entries |
 | `ignore-oauth-query-parameter` | `false` | Flag determining whether OAuth `access_token` in an URL query is to be ignored |
 | `verify-token-audience` | `true` / `false` | Flag enabling validation of the audience specified in an access token, enabled by default on the Repository-tier - must be disabled if Share or any other application which authenticates users via Keycloak is not delegating user authentication using RFC 8693 OAuth 2.0 Token Exchange |
-
-## Non-Standard Adapter Properties
-
-The following properties are not supported by the Keycloak adapter library, but have been added by the addon for customisation of the adapter's behaviour.
-
-| Property | Default Value | Description |
-| --- | ---: | --- |
-| `connectionTimeout` | `-1` | Connect timeout for the Apache HTTP client used in calls to Keycloak |
-| `socketTimeout` | `-1` | General socket timeout for the Apache HTTP client used in calls to Keycloak |
+| `socket-timeout-millis` | `5000` | General socket timeout for the Apache HTTP client used in calls to Keycloak |
+| `connection-timeout-millis` | `5000` | Connect timeout for the Apache HTTP client used in calls to Keycloak |
+| `connection-ttl-millis` | `-1` | The time-to-live of connections for the Apache HTTP client used in calls to Keycloak |
 
 ## Unsupported Adapter Properties
 
@@ -94,4 +88,4 @@ This listing details configuration properties from the Keycloak adapter library
 | `token-store` | `session` | Mode for how the Keycloak adapter stores user account information - related to clustering like previous two settings and not relevant for the integration as provided by the addon |
 | `turn-off-change-session-id-on-login` |  | Completely unused flag in the Keycloak adapter library |
 | `policy-enforcer` |  | Complex configuration object determining fine-grained access policies to the Repository / Share application. - This is currently not supported for configuration by the addon due to use of complex object structures |
-| `enable-pkce` | `false` | RFC 7636 - Flag enabling the use of the Proof Key for Code Exchange for OAuth public clients. - This has not yet implemented by the Keycloak adapter library. |
+| `enable-pkce` | `false` | RFC 7636 - Flag enabling the use of the Proof Key for Code Exchange for OAuth public clients. - This has not yet been implemented by the Keycloak adapter library. |

docs/Simple-Configuration.md

@@ -98,7 +98,7 @@ The following core configuration properties can be set (more extensive list in t
 | `...groupFilter.containedInGroup.property.groupPaths` |  | Comma-separated list of group paths (e.g. `/Group A/Group B,/Group A/Group C`) to use in filtering which groups are synchronised to Alfresco (by default - configured separately - any match qualifies, and transitive containment is considered) |
 | `...groupFilter.containedInGroup.property.groupIds` |  | Comma-separated list of group IDs to use in filtering which groups are synchronised to Alfresco (by default - configured separately - any match qualifies, and transitive containment is considered) |
 | `keycloak.adapter.auth-server-url` | `http://localhost:8180/auth` | Publically resolvable base URL to the Keycloak server to be used in redirect URLs and remote calls |
-| `...directAuthHost` |  | Alternative base URL for the Keycloak server (excluding path) to be used for calls from Alfresco to Keycloak - useful e.g. in scenarios where the regular `auth-server-url` can not be resolved by the Alfresco Repository host or round-trips via a public gateway / proxy should be avoided |
+| `...proxy-url` |  | Alternative base URL for the Keycloak server (excluding path) to be used for calls from Alfresco to Keycloak - useful e.g. in scenarios where the regular `auth-server-url` can not be resolved by the Alfresco Repository host or round-trips via a public gateway / proxy should be avoided |
 | `...realm` | `alfresco` | Technical name of the Keycloak realm |
 | `...resource` | `alfresco` | Technical name of the client set up for the Alfresco Repository in the realm |
 | `...credentials.secret` |  | Shared secret for validation of authorisation codes / access tokens |
@@ -118,7 +118,7 @@ The following showcases an example configuration block:
             <perform-token-exchange>true</perform-token-exchange>
         </keycloak-auth-config>
         <keycloak-adapter-config>
-            <directAuthHost></directAuthHost>
+            <proxy-url></proxy-url>
             <auth-server-url>http://localhost:8180/auth</auth-server-url>
             <realm>alfresco</realm>
             <resource>alfresco-share</resource>

repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication-context.xml

@@ -30,9 +30,6 @@
 
     <bean id="keycloakDeployment" class="${project.artifactId}.spring.KeycloakDeploymentBeanFactory">
         <property name="adapterConfig" ref="keycloakAdapterConfig" />
-        <property name="connectionTimeout" value="${keycloak.adapter.connectionTimeout}" />
-        <property name="socketTimeout" value="${keycloak.adapter.socketTimeout}" />
-        <property name="directAuthHost" value="${keycloak.adapter.directAuthHost}" />
     </bean>
 
     <bean id="sessionIdMapper" class="${project.artifactId}.authentication.SimpleCacheBackedSessionIdMapper">

repository/src/main/globalConfig/subsystems/Authentication/keycloak/keycloak-authentication.properties

@@ -15,14 +15,8 @@ keycloak.authentication.silentRemoteUserValidationFailure=true
 
 keycloak.authentication.bodyBufferLimit=10485760
 
-# override for a direct route to the auth server host
-# useful primarily for Docker-ized deployments where container running Alfresco cannot resolve the auth server via the public DNS name
-keycloak.adapter.directAuthHost=
-# other custom adapter properties not part of default Keycloak adapter library
-keycloak.adapter.connectionTimeout=5000
-keycloak.adapter.socketTimeout=5000
-
 keycloak.adapter.auth-server-url=http://localhost:8180/auth
+keycloak.adapter.proxy-url=
 keycloak.adapter.realm=alfresco
 keycloak.adapter.resource=alfresco
 keycloak.adapter.ssl-required=none
@@ -33,7 +27,47 @@ keycloak.adapter.credentials.secret=
 # for some reason, this is not a sane default in Keycloak Adapter config
 keycloak.adapter.verify-token-audience=true
 
-# TODO default settings (identical to AdapterConfig defaults) to better align with default Alfresco subsystem property handling
+keycloak.adapter.allow-any-hostname=false
+keycloak.adapter.disable-trust-manager=false
+# TODO Try and integrate ACS keystore handling
+keycloak.adapter.truststore=
+keycloak.adapter.truststore-password=
+keycloak.adapter.client-keystore=
+keycloak.adapter.client-keystore-password=
+keycloak.adapter.client-key-password=
+keycloak.adapter.connection-pool-size=20
+keycloak.adapter.always-refresh-token=false
+keycloak.adapter.register-node-at-startup=false
+keycloak.adapter.register-node-period=-1
+keycloak.adapter.token-store=
+keycloak.adapter.adapter-state-cookie-path=
+keycloak.adapter.principal-attribute=
+keycloak.adapter.turn-off-change-session-id-on-login=
+keycloak.adapter.token-minimum-time-to-live=0
+keycloak.adapter.min-time-between-jwks-requests=10
+keycloak.adapter.public-key-cache-ttl=86400
+keycloak.adapter.enable-pkce=false
+keycloak.adapter.ignore-oauth-query-parameter=false
+keycloak.adapter.min-time-between-jwks-requests=10
+keycloak.adapter.socket-timeout-millis=5000
+keycloak.adapter.connection-timeout-millis=5000
+keycloak.adapter.connection-ttl-millis=-1
+
+keycloak.adapter.use-resource-role-mappings=false
+# note: support for handling CORS is a tertiary side-effect of Keycloak integration
+keycloak.adapter.enable-cors=false
+keycloak.adapter.cors-max-age=-1
+keycloak.adapter.cors-allowed-headers=
+keycloak.adapter.cors-allowed-methods=
+keycloak.adapter.cors-exposed-headers=
+keycloak.adapter.expose-token=false
+keycloak.adapter.bearer-only=false
+keycloak.adapter.autodetect-bearer-only=false
+# recommended to never be set to true as that would disable basic auth for any local Alfresco users
+keycloak.adapter.enable-basic-auth=false
+# keycloak.adapter.redirect-rewrite-rules.x=y
+keycloak.adapter.realm-public-key= 
+
 
 keycloak.authentication.userAuthority.default.property.realmRoleNameFilter.ref=realmFilter.aggregate
 keycloak.authentication.userAuthority.default.property.realmRoleNameMapper.ref=realmMapper.aggregate

repository/src/main/java/de/acosix/alfresco/keycloak/repo/spring/KeycloakDeploymentBeanFactory.java

@@ -15,19 +15,9 @@
  */
 package de.acosix.alfresco.keycloak.repo.spring;
 
-import java.net.InetAddress;
-import java.util.concurrent.TimeUnit;
-
 import org.alfresco.httpclient.HttpClientFactory.NonBlockingHttpParamsFactory;
 import org.alfresco.util.PropertyCheck;
 import org.apache.commons.httpclient.params.DefaultHttpParams;
-import org.apache.http.HttpHost;
-import org.apache.http.client.HttpClient;
-import org.apache.http.conn.params.ConnRoutePNames;
-import org.apache.http.conn.params.ConnRouteParams;
-import org.apache.http.conn.routing.HttpRoute;
-import org.apache.http.params.HttpParams;
-import org.keycloak.adapters.HttpClientBuilder;
 import org.keycloak.adapters.KeycloakDeployment;
 import org.keycloak.adapters.KeycloakDeploymentBuilder;
 import org.keycloak.representations.adapters.config.AdapterConfig;
@@ -48,12 +38,6 @@ public class KeycloakDeploymentBeanFactory implements FactoryBean<KeycloakDeploy
 
     protected AdapterConfig adapterConfig;
 
-    protected String directAuthHost;
-
-    protected int connectionTimeout;
-
-    protected int socketTimeout;
-
     /**
      *
      * {@inheritDoc}
@@ -66,63 +50,20 @@ public class KeycloakDeploymentBeanFactory implements FactoryBean<KeycloakDeploy
 
     /**
      * @param adapterConfig
-     *            the adapterConfig to set
+     *     the adapterConfig to set
      */
     public void setAdapterConfig(final AdapterConfig adapterConfig)
     {
         this.adapterConfig = adapterConfig;
     }
 
-    /**
-     * @param directAuthHost
-     *            the directAuthHost to set
-     */
-    public void setDirectAuthHost(final String directAuthHost)
-    {
-        this.directAuthHost = directAuthHost;
-    }
-
-    /**
-     * @param connectionTimeout
-     *            the connectionTimeout to set
-     */
-    public void setConnectionTimeout(final int connectionTimeout)
-    {
-        this.connectionTimeout = connectionTimeout;
-    }
-
-    /**
-     * @param socketTimeout
-     *            the socketTimeout to set
-     */
-    public void setSocketTimeout(final int socketTimeout)
-    {
-        this.socketTimeout = socketTimeout;
-    }
-
     /**
      * {@inheritDoc}
      */
     @Override
     public KeycloakDeployment getObject() throws Exception
     {
-        final KeycloakDeployment keycloakDeployment = KeycloakDeploymentBuilder.build(this.adapterConfig);
-
-        HttpClientBuilder httpClientBuilder = new HttpClientBuilder();
-        if (this.connectionTimeout > 0)
-        {
-            httpClientBuilder = httpClientBuilder.establishConnectionTimeout(this.connectionTimeout, TimeUnit.MILLISECONDS);
-        }
-        if (this.socketTimeout > 0)
-        {
-            httpClientBuilder = httpClientBuilder.socketTimeout(this.socketTimeout, TimeUnit.MILLISECONDS);
-        }
-
-        final HttpClient client = httpClientBuilder.build(this.adapterConfig);
-        this.configureForcedRouteIfNecessary(client);
-        keycloakDeployment.setClient(client);
-
-        return keycloakDeployment;
+        return KeycloakDeploymentBuilder.build(this.adapterConfig);
     }
 
     /**
@@ -145,28 +86,4 @@ public class KeycloakDeploymentBeanFactory implements FactoryBean<KeycloakDeploy
     {
         return KeycloakDeployment.class;
     }
-
-    @SuppressWarnings("deprecation")
-    protected void configureForcedRouteIfNecessary(final HttpClient client)
-    {
-        if (this.directAuthHost != null && !this.directAuthHost.isEmpty())
-        {
-            final HttpHost directAuthHost = HttpHost.create(this.directAuthHost);
-            final HttpParams params = client.getParams();
-            final InetAddress local = ConnRouteParams.getLocalAddress(params);
-            final HttpHost proxy = ConnRouteParams.getDefaultProxy(params);
-            final boolean secure = directAuthHost.getSchemeName().equalsIgnoreCase("https");
-
-            HttpRoute route;
-            if (proxy == null)
-            {
-                route = new HttpRoute(directAuthHost, local, secure);
-            }
-            else
-            {
-                route = new HttpRoute(directAuthHost, local, proxy, secure);
-            }
-            params.setParameter(ConnRoutePNames.FORCED_ROUTE, route);
-        }
-    }
 }

repository/src/test/docker/alfresco/extension/alfresco-global.addition.properties

@@ -25,11 +25,11 @@ keycloak.adapter.credentials.provider=secret
 keycloak.adapter.credentials.secret=6f70a28f-98cd-41ca-8f2f-368a8797d708
 
 # localhost in auth-server-url won't work for direct access in a Docker deployment
-keycloak.adapter.directAuthHost=http://keycloak:8080
+keycloak.adapter.proxy-url=http://keycloak:8080
 
 keycloak.roles.requiredClientScopes=alfresco-role-service
 
 keycloak.synchronization.userFilter.containedInGroup.property.groupPaths=/Test A
 keycloak.synchronization.groupFilter.containedInGroup.property.groupPaths=/Test A
 
-keycloak.synchronization.requiredClientScopes=realm-management
+keycloak.synchronization.requiredClientScopes=alfresco-authority-sync

repository/src/test/docker/test-realm.json

@@ -676,15 +676,6 @@
                     }
                 ],
                 "policies": [
-                    {
-                        "name": "alfresco-token-exchange",
-                        "type": "client",
-                        "logic": "POSITIVE",
-                        "decisionStrategy": "UNANIMOUS",
-                        "config": {
-                            "clients": "[\"alfresco-share\"]"
-                        }
-                    },
                     {
                         "name": "token-exchange.permission.client.alfresco",
                         "type": "scope",
@@ -692,8 +683,7 @@
                         "decisionStrategy": "UNANIMOUS",
                         "config": {
                             "resources": "[\"client.resource.alfresco\"]",
-                            "scopes": "[\"token-exchange\"]",
-                            "applyPolicies": "[\"alfresco-token-exchange\"]"
+                            "scopes": "[\"token-exchange\"]"
                         }
                     },
                     {
@@ -871,33 +861,36 @@
             ]
         }
     ],
+    "defaultRole": {
+        "name": "default-roles-test",
+        "description": "${role_default-roles}",
+        "composite": true,
+        "composites": {
+            "realm": [
+                "offline_access",
+                "uma_authorization",
+                "user"
+            ],
+            "client": {
+                "account": [
+                    "view-profile",
+                    "manage-account"
+                ]
+            }
+        }
+    },
     "roles": {
         "realm": [
             {
                 "name": "uma_authorization",
                 "description": "${role_uma_authorization}"
             },
-            {
-                "name": "default-roles-test",
-                "description": "${role_default-roles}",
-                "composite": true,
-                "composites": {
-                    "realm": [
-                        "offline_access",
-                        "uma_authorization",
-                        "user"
-                    ],
-                    "client": {
-                        "account": [
-                            "view-profile",
-                            "manage-account"
-                        ]
-                    }
-                }
-            },
             {
                 "name": "offline_access",
                 "description": "${role_offline-access}"
+            },
+            {
+                "name": "user"
             }
         ],
         "client": {

share/src/main/config/default-config.xml

@@ -38,7 +38,6 @@
             <alfresco-resource-name>alfresco</alfresco-resource-name>
         </keycloak-auth-config>
         <keycloak-adapter-config>
-            <!-- by default use the same client as alfresco (not really "clean") -->
             <auth-server-url>http://localhost:8180/auth</auth-server-url>
             <realm>alfresco</realm>
             <resource>alfresco-share</resource>
@@ -51,8 +50,8 @@
             </credentials>
             <!-- for some reason, this is not a sane default in Keycloak Adapter config -->
             <verify-token-audience>true</verify-token-audience>
-            <connectionTimeout>5000</connectionTimeout>
-            <socketTimeout>5000</socketTimeout>
+            <socket-timeout-millis>5000</socket-timeout-millis>
+            <connection-timeout-millis>5000</connection-timeout-millis>
         </keycloak-adapter-config>
     </config>
     

share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAdapterConfigElement.java

@@ -134,12 +134,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
 
     protected final Set<String> markedAsUnset = new HashSet<>();
 
-    protected final ConfigValueHolder<Long> connectionTimeout = new ConfigValueHolder<>();
-
-    protected final ConfigValueHolder<Long> socketTimeout = new ConfigValueHolder<>();
-
-    protected final ConfigValueHolder<String> directAuthHost = new ConfigValueHolder<>();
-
     /**
      * Creates a new instance of this class.
      */
@@ -148,57 +142,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
         super(NAME);
     }
 
-    /**
-     * @return the connectionTimeout
-     */
-    public Long getConnectionTimeout()
-    {
-        return this.connectionTimeout.getValue();
-    }
-
-    /**
-     * @param connectionTimeout
-     *            the connectionTimeout to set
-     */
-    public void setConnectionTimeout(final Long connectionTimeout)
-    {
-        this.connectionTimeout.setValue(connectionTimeout);
-    }
-
-    /**
-     * @return the socketTimeout
-     */
-    public Long getSocketTimeout()
-    {
-        return this.socketTimeout.getValue();
-    }
-
-    /**
-     * @param socketTimeout
-     *            the socketTimeout to set
-     */
-    public void setSocketTimeout(final Long socketTimeout)
-    {
-        this.socketTimeout.setValue(socketTimeout);
-    }
-
-    /**
-     * @return the directAuthHost
-     */
-    public String getDirectAuthHost()
-    {
-        return this.directAuthHost.getValue();
-    }
-
-    /**
-     * @param directAuthHost
-     *            the directAuthHost to set
-     */
-    public void setDirectAuthHost(final String directAuthHost)
-    {
-        this.directAuthHost.setValue(directAuthHost);
-    }
-
     /**
      * Checks if a specific field is supported by this config element.
      *
@@ -390,36 +333,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
             }
         }
 
-        if (otherConfigElement.connectionTimeout.isUnset())
-        {
-            combined.connectionTimeout.unset();
-        }
-        else
-        {
-            combined.setConnectionTimeout(otherConfigElement.getConnectionTimeout() != null ? otherConfigElement.getConnectionTimeout()
-                    : this.getConnectionTimeout());
-        }
-
-        if (otherConfigElement.socketTimeout.isUnset())
-        {
-            combined.socketTimeout.unset();
-        }
-        else
-        {
-            combined.setSocketTimeout(
-                    otherConfigElement.getSocketTimeout() != null ? otherConfigElement.getSocketTimeout() : this.getSocketTimeout());
-        }
-
-        if (otherConfigElement.directAuthHost.isUnset())
-        {
-            combined.directAuthHost.unset();
-        }
-        else
-        {
-            combined.setDirectAuthHost(
-                    otherConfigElement.getDirectAuthHost() != null ? otherConfigElement.getDirectAuthHost() : this.getDirectAuthHost());
-        }
-
         return combined;
     }
 
@@ -435,12 +348,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
         builder.append(this.configValueByField);
         builder.append(",markedAsUnset=");
         builder.append(this.markedAsUnset);
-        builder.append(",connectionTimeout=");
-        builder.append(this.connectionTimeout);
-        builder.append(",socketTimeout=");
-        builder.append(this.socketTimeout);
-        builder.append(",directAuthHost=");
-        builder.append(this.directAuthHost);
         builder.append("]");
         return builder.toString();
     }
@@ -462,10 +369,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
             result = prime * result + valueHash;
         }
 
-        result = prime * result + this.connectionTimeout.hashCode();
-        result = prime * result + this.socketTimeout.hashCode();
-        result = prime * result + this.directAuthHost.hashCode();
-
         return result;
     }
 
@@ -496,14 +399,6 @@ public class KeycloakAdapterConfigElement extends BaseCustomConfigElement
         {
             return false;
         }
-        if (!EqualsHelper.nullSafeEquals(this.connectionTimeout, other.connectionTimeout))
-        {
-            return false;
-        }
-        if (!EqualsHelper.nullSafeEquals(this.socketTimeout, other.socketTimeout))
-        {
-            return false;
-        }
         return true;
     }
 

share/src/main/java/de/acosix/alfresco/keycloak/share/config/KeycloakAdapterConfigElementReader.java

@@ -116,26 +116,7 @@ public class KeycloakAdapterConfigElementReader implements ConfigElementReader
             }
             else
             {
-                switch (subElementName)
-                {
-                    // use -1 as dummy value for empty value to signify that empty value has explicitly been set (relevant for merge/combine
-                    // of config)
-                    case "connectionTimeout":
-                        final String prospectiveConnectionTimeout = subElement.getTextTrim();
-                        configElement.setConnectionTimeout(
-                                prospectiveConnectionTimeout.isEmpty() ? null : Long.valueOf(prospectiveConnectionTimeout));
-                        break;
-                    case "socketTimeout":
-                        final String prospectiveSocketTimeout = subElement.getTextTrim();
-                        configElement.setSocketTimeout(prospectiveSocketTimeout.isEmpty() ? null : Long.valueOf(prospectiveSocketTimeout));
-                        break;
-                    case "directAuthHost":
-                        final String prospectiveDirectAuthHost = subElement.getTextTrim();
-                        configElement.setDirectAuthHost(prospectiveDirectAuthHost.isEmpty() ? null : prospectiveDirectAuthHost);
-                        break;
-                    default:
-                        LOGGER.warn("Encountered unsupported Keycloak Adapter config element {}", subElementName);
-                }
+                LOGGER.warn("Encountered unsupported Keycloak Adapter config element {}", subElementName);
             }
         }
         LOGGER.debug("Read configuration element {} from XML section", configElement);

share/src/main/java/de/acosix/alfresco/keycloak/share/web/KeycloakAuthenticationFilter.java

@@ -22,13 +22,11 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationTargetException;
-import java.net.InetAddress;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Locale;
-import java.util.concurrent.TimeUnit;
 import java.util.function.BiFunction;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -50,17 +48,12 @@ import org.alfresco.util.EqualsHelper;
 import org.alfresco.util.PropertyCheck;
 import org.alfresco.web.site.servlet.SSOAuthenticationFilter;
 import org.apache.http.HttpEntity;
-import org.apache.http.HttpHost;
 import org.apache.http.HttpResponse;
 import org.apache.http.NameValuePair;
 import org.apache.http.client.HttpClient;
 import org.apache.http.client.entity.UrlEncodedFormEntity;
 import org.apache.http.client.methods.HttpPost;
-import org.apache.http.conn.params.ConnRoutePNames;
-import org.apache.http.conn.params.ConnRouteParams;
-import org.apache.http.conn.routing.HttpRoute;
 import org.apache.http.message.BasicNameValuePair;
-import org.apache.http.params.HttpParams;
 import org.apache.http.util.EntityUtils;
 import org.keycloak.KeycloakSecurityContext;
 import org.keycloak.OAuth2Constants;
@@ -68,7 +61,6 @@ import org.keycloak.TokenVerifier;
 import org.keycloak.adapters.AdapterDeploymentContext;
 import org.keycloak.adapters.AuthenticatedActionsHandler;
 import org.keycloak.adapters.BearerTokenRequestAuthenticator;
-import org.keycloak.adapters.HttpClientBuilder;
 import org.keycloak.adapters.KeycloakDeployment;
 import org.keycloak.adapters.KeycloakDeploymentBuilder;
 import org.keycloak.adapters.OAuthRequestAuthenticator;
@@ -512,35 +504,7 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
     protected void initFromAdapterConfig(final KeycloakAdapterConfigElement keycloakAdapterConfig)
     {
         final AdapterConfig adapterConfiguration = keycloakAdapterConfig.buildAdapterConfiguration();
-
-        // disable any CORS handling (if CORS is relevant, it should be handled by Share / Surf)
-        adapterConfiguration.setCors(false);
-        // BASIC authentication should never be used
-        adapterConfiguration.setEnableBasicAuth(false);
-
         this.keycloakDeployment = KeycloakDeploymentBuilder.build(adapterConfiguration);
-
-        // even in newer version than used by ACS 6.x does Keycloak lib not allow timeout configuration
-        if (this.keycloakDeployment.getClient() != null)
-        {
-            final Long connectionTimeout = keycloakAdapterConfig.getConnectionTimeout();
-            final Long socketTimeout = keycloakAdapterConfig.getSocketTimeout();
-
-            HttpClientBuilder httpClientBuilder = new HttpClientBuilder();
-            if (connectionTimeout != null && connectionTimeout.longValue() >= 0)
-            {
-                httpClientBuilder = httpClientBuilder.establishConnectionTimeout(connectionTimeout.longValue(), TimeUnit.MILLISECONDS);
-            }
-            if (socketTimeout != null && socketTimeout.longValue() >= 0)
-            {
-                httpClientBuilder = httpClientBuilder.socketTimeout(socketTimeout.longValue(), TimeUnit.MILLISECONDS);
-            }
-
-            final HttpClient client = httpClientBuilder.build(adapterConfiguration);
-            this.configureForcedRouteIfNecessary(keycloakAdapterConfig, client);
-            this.keycloakDeployment.setClient(client);
-        }
-
         this.deploymentContext = new AdapterDeploymentContext(this.keycloakDeployment);
     }
 
@@ -1863,39 +1827,4 @@ public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, I
         }
         return sslPort;
     }
-
-    /**
-     * Sets up a forced route for the Keycloak-library backing HTTP client if configured. This may be necessary to deal with situations
-     * where Share cannot use the public address of the authentication server (used in authentication redirects) to talk with the server
-     * directly, due to network isolation / addressing restrictions (e.g. in Docker-ized deployments).
-     *
-     * @param configElement
-     *     the adapter configuration
-     * @param client
-     *     the client to configure
-     */
-    @SuppressWarnings("deprecation")
-    protected void configureForcedRouteIfNecessary(final KeycloakAdapterConfigElement configElement, final HttpClient client)
-    {
-        final String directAuthHost = configElement.getDirectAuthHost();
-        if (directAuthHost != null && !directAuthHost.isEmpty())
-        {
-            final HttpHost host = HttpHost.create(directAuthHost);
-            final HttpParams params = client.getParams();
-            final InetAddress local = ConnRouteParams.getLocalAddress(params);
-            final HttpHost proxy = ConnRouteParams.getDefaultProxy(params);
-            final boolean secure = host.getSchemeName().equalsIgnoreCase("https");
-
-            HttpRoute route;
-            if (proxy == null)
-            {
-                route = new HttpRoute(host, local, secure);
-            }
-            else
-            {
-                route = new HttpRoute(host, local, proxy, secure);
-            }
-            params.setParameter(ConnRoutePNames.FORCED_ROUTE, route);
-        }
-    }
 }

share/src/test/docker/alfresco/extension/alfresco-global.addition.properties

@@ -25,7 +25,7 @@ keycloak.adapter.credentials.provider=secret
 keycloak.adapter.credentials.secret=6f70a28f-98cd-41ca-8f2f-368a8797d708
 
 # localhost in auth-server-url won't work for direct access in a Docker deployment
-keycloak.adapter.directAuthHost=http://keycloak:8080
+keycloak.adapter.proxy-url=http://keycloak:8080
 
 keycloak.roles.requiredClientScopes=alfresco-role-service
 

share/src/test/docker/alfresco/web-extension/share-config-custom.xml

@@ -75,7 +75,7 @@
             <perform-token-exchange>true</perform-token-exchange>
         </keycloak-auth-config>
         <keycloak-adapter-config>
-            <directAuthHost>http://keycloak:8080</directAuthHost>
+            <proxy-url>http://keycloak:8080</proxy-url>
             <auth-server-url>http://localhost:${docker.tests.keycloakPort}/auth</auth-server-url>
             <realm>test</realm>
             <resource>alfresco-share</resource>

share/src/test/docker/test-realm.json

@@ -683,6 +683,7 @@
             "secret": "a5b3e8bc-39cc-4ddd-8c8f-1c34e7a35975",
             "publicClient": false,
             "protocol": "openid-connect",
+            "alwaysDisplayInConsole": true,
             "fullScopeAllowed": false,
             "defaultClientScopes": [
                 "roles",
@@ -930,33 +931,36 @@
             ]
         }
     ],
+    "defaultRole": {
+        "name": "default-roles-test",
+        "description": "${role_default-roles}",
+        "composite": true,
+        "composites": {
+            "realm": [
+                "offline_access",
+                "uma_authorization",
+                "user"
+            ],
+            "client": {
+                "account": [
+                    "view-profile",
+                    "manage-account"
+                ]
+            }
+        }
+    },
     "roles": {
         "realm": [
             {
                 "name": "uma_authorization",
                 "description": "${role_uma_authorization}"
             },
-            {
-                "name": "default-roles-test",
-                "description": "${role_default-roles}",
-                "composite": true,
-                "composites": {
-                    "realm": [
-                        "offline_access",
-                        "uma_authorization",
-                        "user"
-                    ],
-                    "client": {
-                        "account": [
-                            "view-profile",
-                            "manage-account"
-                        ]
-                    }
-                }
-            },
             {
                 "name": "offline_access",
                 "description": "${role_offline-access}"
+            },
+            {
+                "name": "user"
             }
         ],
         "client": {

share/src/test/resources/default-config.xml

@@ -40,7 +40,7 @@
             <alfresco-resource-name>alfresco</alfresco-resource-name>
         </keycloak-auth-config>
         <keycloak-adapter-config>
-            <directAuthHost>http://keycloak:8080</directAuthHost>
+            <proxy-url>http://keycloak:8080</proxy-url>
             <!-- by default use the same client as alfresco (not really "clean") -->
             <auth-server-url>http://localhost:8180/auth</auth-server-url>
             <realm>alfresco</realm>