HTTP header authentication supports to pass user's email as the accou…

…nt identity
flytreeleft · Sep 30, 2019 · e9c2cc7 · e9c2cc7
1 parent c52eb7f
commit e9c2cc7
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 3 deletions.
diff --git a/...main/java/org/github/flytreeleft/nexus3/keycloak/plugin/internal/KeycloakAdminClient.java b/...main/java/org/github/flytreeleft/nexus3/keycloak/plugin/internal/KeycloakAdminClient.java
@@ -109,8 +109,7 @@ public UserRepresentation getUser(String userNameOrEmail) {
         HttpMethod<List<UserRepresentation>> httpMethod = getHttp().get("/admin/realms/%s/users",
                                                                         this.config.getRealm());
 
-        // https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L177
-        boolean isEmail = EMAIL_PATTERN.matcher(userNameOrEmail).matches();
+        boolean isEmail = isEmail(userNameOrEmail);
         if (isEmail) {
             httpMethod.param("email", userNameOrEmail);
         } else {
@@ -292,6 +291,11 @@ public List<GroupRepresentation> getAllGroupsRecursively(List<GroupRepresentatio
         return list;
     }
 
+    public boolean isEmail(String userNameOrEmail) {
+        // https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L177
+        return userNameOrEmail != null && EMAIL_PATTERN.matcher(userNameOrEmail).matches();
+    }
+
     public AdapterConfig getConfig() {
         return this.config;
     }

diff --git a/...main/java/org/github/flytreeleft/nexus3/keycloak/plugin/internal/NexusKeycloakClient.java b/...main/java/org/github/flytreeleft/nexus3/keycloak/plugin/internal/NexusKeycloakClient.java
@@ -66,9 +66,18 @@ public boolean authenticate(UsernamePasswordToken token) {
     public boolean authenticate(KeycloakHttpHeaderAuthToken token) {
         String principal = token.getPrincipal();
         String credentials = token.getCredentials().toString();
+
         UserInfo userInfo = this.keycloakAdminClient.obtainUserInfo(credentials);
+        if (userInfo == null) {
+            return false;
+        }
+
+        boolean isEmail = this.keycloakAdminClient.isEmail(principal);
+        if (isEmail) {
+            return userInfo.getEmailVerified() && principal.equals(userInfo.getEmail());
+        }
 
-        return userInfo != null && userInfo.getPreferredUsername().equals(principal);
+        return userInfo.getPreferredUsername().equals(principal);
     }
 
     public Set<String> findRoleIdsByUserId(String userId) {