v1.0.1 pom

pom.xml

@@ -4,7 +4,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.inteligr8.activiti</groupId>
 	<artifactId>keycloak-activiti-app-ext</artifactId>
-	<version>1.0.0</version>
+	<version>1.0.1</version>
 	<name>Keycloak Authentication &amp; Authorization for APS</name>
 
 	<properties>

src/main/java/com/activiti/extension/conf/KeycloakExtSpringComponentScanner.java

@@ -4,7 +4,7 @@ import org.springframework.context.annotation.ComponentScan;
 import org.springframework.context.annotation.Configuration;
 
 @Configuration
-@ComponentScan(basePackages = {"com.inteligr8.activiti.oidc"})
-public class OidcExtSpringComponentScanner {
+@ComponentScan(basePackages = {"com.inteligr8.activiti.ais"})
+public class KeycloakExtSpringComponentScanner {
 
 }

src/main/java/com/inteligr8/activiti/Authenticator.java

@@ -1,4 +1,4 @@
-package com.inteligr8.activiti.ais;
+package com.inteligr8.activiti;
 
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;

src/main/java/com/inteligr8/activiti/ais/AbstractIdentityServiceActivitiAuthenticator.java

@@ -2,19 +2,21 @@ package com.inteligr8.activiti.ais;
 
 import java.util.Collection;
 import java.util.HashSet;
+import java.util.Map.Entry;
 import java.util.Set;
 
+import org.apache.commons.lang3.StringUtils;
 import org.keycloak.KeycloakPrincipal;
 import org.keycloak.KeycloakSecurityContext;
-import org.keycloak.adapters.OidcKeycloakAccount;
 import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
 import org.keycloak.representations.AccessToken;
+import org.keycloak.representations.AccessToken.Access;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 
-import com.activiti.security.identity.service.authentication.provider.IdentityServiceAuthenticationToken;
+import com.inteligr8.activiti.Authenticator;
 
 public abstract class AbstractIdentityServiceActivitiAuthenticator implements Authenticator {
 	
@@ -22,33 +24,76 @@ public abstract class AbstractIdentityServiceActivitiAuthenticator implements Au
     
 
     
-    protected AccessToken getOidcAccessToken(Authentication auth) {
+    protected Set<String> getRoles(Authentication auth) {
+    	Set<String> authorities = this.toSet(auth.getAuthorities());
+		this.logger.debug("Auto-parsed authorities: {}", authorities);
+		
+		if (authorities.isEmpty()) {
+			AccessToken atoken = this.getKeycloakAccessToken(auth);
+			if (atoken == null) {
+				this.logger.debug("Access token not available");
+				return null;
+			} else if (atoken.getRealmAccess() == null && atoken.getResourceAccess().isEmpty()) {
+				this.logger.debug("Access token has no role information");
+				return null;
+			} else {
+				if (atoken.getRealmAccess() != null) {
+					this.logger.debug("Access token realm roles: {}", atoken.getRealmAccess().getRoles());
+					authorities.addAll(atoken.getRealmAccess().getRoles());
+				}
+				
+				for (Entry<String, Access> resourceAccess : atoken.getResourceAccess().entrySet()) {
+					this.logger.debug("Access token resources '{}' roles: {}", resourceAccess.getKey(), resourceAccess.getValue().getRoles());
+					authorities.addAll(resourceAccess.getValue().getRoles());
+				}
+	
+				this.logger.debug("Access token authorities: {}", authorities);
+			}
+		}
+		
+		return authorities;
+    }
+    
+    protected AccessToken getKeycloakAccessToken(Authentication auth) {
     	KeycloakSecurityContext ksc = this.getKeycloakSecurityContext(auth);
-    	return ksc.getToken();
+    	return ksc == null ? null : ksc.getToken();
     }
     
     @SuppressWarnings("unchecked")
 	protected KeycloakSecurityContext getKeycloakSecurityContext(Authentication auth) {
-    	if (auth instanceof KeycloakAuthenticationToken) {
-    		this.logger.debug("Fetching KeycloakSecurityContext from KeycloakAuthenticationToken");
-    		if (auth.getPrincipal() instanceof KeycloakPrincipal) {
-    			return ((KeycloakPrincipal<? extends KeycloakSecurityContext>)auth.getPrincipal()).getKeycloakSecurityContext();
-    		} else {
-    			return null;
-    		}
-    	} else if (auth instanceof IdentityServiceAuthenticationToken) {
-    		this.logger.debug("Fetching KeycloakSecurityContext from IdentityServiceAuthenticationToken");
-    		OidcKeycloakAccount account = ((IdentityServiceAuthenticationToken)auth).getAccount();
-    		return account == null ? null : account.getKeycloakSecurityContext();
-    	} else {
+		if (auth.getCredentials() instanceof KeycloakSecurityContext) {
+			this.logger.debug("Found keycloak context in credentials");
+			return (KeycloakSecurityContext)auth.getCredentials();
+		} else if (auth.getPrincipal() instanceof KeycloakPrincipal) {
+			this.logger.debug("Found keycloak context in principal: {}", auth.getPrincipal());
+			return ((KeycloakPrincipal<? extends KeycloakSecurityContext>)auth.getPrincipal()).getKeycloakSecurityContext();
+		} else if (!(auth instanceof KeycloakAuthenticationToken)) {
+			this.logger.warn("Unexpected token: {}", auth.getClass());
     		return null;
     	}
+    	
+		KeycloakAuthenticationToken ktoken = (KeycloakAuthenticationToken)auth;
+		if (ktoken.getAccount() != null) {
+			this.logger.debug("Found keycloak context in account: {}", ktoken.getAccount().getPrincipal() == null ? null : ktoken.getAccount().getPrincipal().getName());
+			return ktoken.getAccount().getKeycloakSecurityContext();
+		} else {
+			this.logger.warn("Unable to find keycloak security context");
+			this.logger.debug("Principal: {}", auth.getPrincipal());
+			this.logger.debug("Account: {}", ktoken.getAccount());
+			if (auth.getPrincipal() != null)
+				this.logger.debug("Principal type: {}", auth.getPrincipal().getClass());
+			return null;
+		}
     }
     
     protected Set<String> toSet(Collection<? extends GrantedAuthority> grantedAuthorities) {
-    	Set<String> authorities = new HashSet<>(grantedAuthorities.size());
-    	for (GrantedAuthority grantedAuthority : grantedAuthorities)
-    		authorities.add(grantedAuthority.getAuthority());
+    	Set<String> authorities = new HashSet<>(Math.max(grantedAuthorities.size(), 16));
+    	for (GrantedAuthority grantedAuthority : grantedAuthorities) {
+    		String authority = StringUtils.trimToNull(grantedAuthority.getAuthority());
+    		if (authority == null)
+    			this.logger.warn("The granted authorities include an empty authority!?: '{}'", grantedAuthority.getAuthority());
+    		authorities.add(authority);
+    	}
     	return authorities;
     }
 }

src/main/java/com/inteligr8/activiti/ais/IdentityServiceActivitiAppAuthenticator.java

@@ -24,6 +24,7 @@ import com.activiti.service.api.GroupService;
 import com.activiti.service.api.UserService;
 import com.activiti.service.idm.TenantService;
 import com.activiti.service.license.LicenseService;
+import com.inteligr8.activiti.Authenticator;
 
 /**
  * This class/bean implements an Open ID Connect authenticator for Alfresco
@@ -147,9 +148,9 @@ public class IdentityServiceActivitiAppAuthenticator extends AbstractIdentitySer
     }
     
     private User createUser(Authentication auth, Long tenantId) {
-		AccessToken atoken = this.getOidcAccessToken(auth);
+		AccessToken atoken = this.getKeycloakAccessToken(auth);
 		if (atoken == null) {
-    		this.logger.debug("The OIDC access token could not be found; using email to determine names: {}", auth.getName());
+    		this.logger.debug("The keycloak access token could not be found; using email to determine names: {}", auth.getName());
     		Matcher emailNamesMatcher = this.emailNamesPattern.matcher(auth.getName());
     		if (!emailNamesMatcher.matches()) {
         		this.logger.warn("The email address could not be parsed for names: {}", auth.getName());
@@ -165,8 +166,11 @@ public class IdentityServiceActivitiAppAuthenticator extends AbstractIdentitySer
     }
 
     private void syncUserAuthorities(User user, Authentication auth, Long tenantId) {
-    	Set<String> authorities = this.toSet(auth.getAuthorities());
-		this.logger.debug("OIDC authorities: {}", authorities);
+    	Set<String> authorities = this.getRoles(auth);
+    	if (authorities == null) {
+    		this.logger.debug("The user authorities could not be determined; skipping sync: {}", user.getEmail());
+    		return;
+    	}
     	
 		// check Activiti groups
 		User userWithGroups = this.userService.findUserByEmailFetchGroups(user.getEmail());

src/main/java/com/inteligr8/activiti/ais/IdentityServiceActivitiEngineAuthenticator.java

@@ -15,6 +15,8 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.stereotype.Component;
 
+import com.inteligr8.activiti.Authenticator;
+
 /**
  * This is an unused implementation for non-APS installation.  It is not tested
  * and probably pointless.
@@ -104,8 +106,11 @@ public class IdentityServiceActivitiEngineAuthenticator extends AbstractIdentity
     }
 
     private void syncUserAuthorities(User user, Authentication auth) {
-    	Set<String> authorities = this.toSet(auth.getAuthorities());
-		this.logger.debug("OIDC authorities: {}", authorities);
+    	Set<String> authorities = this.getRoles(auth);
+    	if (authorities == null) {
+    		this.logger.debug("The user authorities could not be determined; skipping sync: {}", user.getEmail());
+    		return;
+    	}
     	
 		// check Activiti groups
     	List<Group> groups = this.identityService.createGroupQuery()

src/main/java/com/inteligr8/activiti/ais/IdentityServiceAuthenticationProviderAdapter.java

@@ -7,6 +7,7 @@ import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.security.authentication.AuthenticationProvider;
 
 import com.activiti.api.security.AlfrescoAuthenticationProviderOverride;
+import com.inteligr8.activiti.Authenticator;
 
 /**
  * FIXME This would be nice, but with AIS enabled, it is never called.  The use

src/main/java/com/inteligr8/activiti/ais/IdentityServiceSecurityConfigurationAdapter.java

@@ -13,6 +13,7 @@ import org.springframework.stereotype.Component;
 import com.activiti.api.msmt.MsmtTenantResolver;
 import com.activiti.api.security.AlfrescoSecurityConfigOverride;
 import com.activiti.conf.MsmtProperties;
+import com.inteligr8.activiti.Authenticator;
 
 /**
  * This class/bean overrides the AIS authentication provider, enabling a more

src/main/java/com/inteligr8/activiti/ais/InterceptingIdentityServiceAuthenticationProvider.java

@@ -6,6 +6,7 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 
 import com.activiti.security.identity.service.authentication.provider.IdentityServiceAuthenticationProvider;
+import com.inteligr8.activiti.Authenticator;
 
 /**
  * This class/bean extends the APS AIS OOTB authentication provider.  It uses