Initial commit

Author: PauliusLe

.github/workflows/release.yml

@@ -0,0 +1,87 @@
+name: Build and Release JAR
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'src/**'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Tag name to release (e.g., v1.0.0)"
+        required: false
+      create_release:
+        description: "Create GitHub release"
+        type: boolean
+        default: false
+
+permissions:
+  contents: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up JDK 21
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: "21"
+          cache: maven
+
+      - name: Build with Maven
+        run: mvn -B -DskipTests package
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: jar
+          path: target/zgw-token-introspection.jar
+
+  release:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Determine tag
+        id: vars
+        shell: bash
+        run: |
+          if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
+            TAG="${GITHUB_REF#refs/tags/}"
+          else
+            TAG="${{ inputs.tag }}"
+          fi
+          echo "tag=$TAG" >> $GITHUB_OUTPUT
+          echo "release_name=zgw-token-introspection $TAG" >> $GITHUB_OUTPUT
+
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: jar
+          path: dist
+
+      - name: Create GitHub Release
+        if: ${{ steps.vars.outputs.tag != '' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          tag="${{ steps.vars.outputs.tag }}"
+          title="${{ steps.vars.outputs.release_name }}"
+
+          if gh release view "$tag" >/dev/null 2>&1; then
+            gh release upload "$tag" "dist/zgw-token-introspection.jar" --clobber
+          else
+            gh release create "$tag" "dist/zgw-token-introspection.jar" \
+              --title "$title" \
+              --notes "Automated release $tag" \
+              --target "$GITHUB_SHA"
+          fi
+
+

.gitignore

@@ -0,0 +1,32 @@
+### Java ###
+# Compiled class file
+*.class
+
+# Log file
+*.log
+
+# BlueJ files
+*.ctxt
+
+# Mobile Tools for Java (J2ME)
+.mtj.tmp/
+
+# Package Files #
+*.jar
+*.war
+*.nar
+*.ear
+*.zip
+*.tar.gz
+*.rar
+### Maven ###
+target/
+pom.xml.tag
+pom.xml.releaseBackup
+pom.xml.versionsBackup
+pom.xml.next
+release.properties
+dependency-reduced-pom.xml
+buildNumber.properties
+.mvn/timing.properties
+.mvn/wrapper/maven-wrapper.jar

LICENSE

@@ -0,0 +1,28 @@
+BSD 3-Clause License
+
+Copyright (c) 2025, Visma Roxit B.V. (https://roxit.nl)
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README.md

@@ -0,0 +1,71 @@
+# ZGW JWT tokens Introspection Provider for Keycloak
+
+This provider adds ZGW token verification and parsing to Keycloak. It exposes a realm endpoint that validates HS256-signed ZGW JWTs by looking up the token's `client_id` in Keycloak and verifying the signature with that client's secret, returning an OAuth2 token introspection response.
+
+## Overview
+
+Introspection endpoint:
+- Requires a `client_id` claim
+- Resolves the Keycloak client by `client_id` and verifies the HS256 signature using that client's secret stored in Keycloak (no external secret store)
+- Includes claims from any OIDC Hardcoded Claim protocol mappers configured in keycloak, on the client
+- Enforces token activity (validates `exp`/`nbf` when present)
+- Tokens without `exp` claim will be treated as active, but warning will be logged in keycloak. It's recommended to use short lived tokens.
+
+## Build
+
+1. Ensure you have Java 21 installed (download from https://learn.microsoft.com/en-us/java/openjdk/download)
+2. Download Maven `Binary zip archive` from https://maven.apache.org/download.cgi
+3. Add the bin directory of the created directory apache-maven-* to the PATH environment variable
+4. Run the following command to build the JAR:
+   ```bash
+   mvn clean package
+   ```
+5. The compiled JAR will be in the `target/` directory: `zgw-token-introspection.jar`
+
+## Deployment
+
+1. Copy the JAR file to your Keycloak deployment:
+   - For host install: `{KEYCLOAK_HOME}/providers/`
+   - For Docker: mount to `/opt/keycloak/providers/`
+
+2. Restart Keycloak. In dev:
+   - `{KEYCLOAK_HOME}/bin/kc.sh start-dev`
+   In prod:
+   - `{KEYCLOAK_HOME}/bin/kc.sh build && {KEYCLOAK_HOME}/bin/kc.sh start`
+
+## Endpoint
+
+- Path: `/realms/{realm}/zgw-token-introspection/introspect`
+- Method: `POST`
+- Content-Type: `application/x-www-form-urlencoded`
+- Parameter: `token=<JWT>`
+
+## Token requirements
+
+The provider expects JWT tokens generated with the following characteristics:
+
+- **Algorithm**: HS256
+- **Secret**: Client secret from Keycloak
+- **Required claim**: `client_id` (must match a client in the realm)
+- **Temporal**: Token must be active; `exp` is recommended
+
+
+## Usage
+
+Submit the token to the introspection endpoint:
+```bash
+curl -X POST \
+  "http://localhost:8080/realms/{realm}/zgw-token-introspection/introspect" \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  --data-urlencode "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
+```
+Returns an OAuth2 introspection-style payload with selected standard and custom claims.
+On success you will receive `{ "active": true, ... }` and claim from token; otherwise `{ "active": false }`.
+
+## Troubleshooting
+
+- Check Keycloak logs for detailed error messages
+- Ensure the client exists in Keycloak and has a secret configured
+- Verify the token is properly formatted and not expired
+- Confirm the signing algorithm is HS256
+- Make sure the client secret matches what was used to sign the token

docker-compose.yml

@@ -0,0 +1,12 @@
+services:
+  keycloak:
+    image: quay.io/keycloak/keycloak:24.0.5
+    command: start-dev --http-port=8080
+    environment:
+      - KEYCLOAK_ADMIN=admin
+      - KEYCLOAK_ADMIN_PASSWORD=admin
+    ports:
+      - "8080:8080"
+    volumes:
+      - ./target/zgw-token-introspection.jar:/opt/keycloak/providers/zgw-token-introspection.jar:ro
+    restart: unless-stopped

pom.xml

@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
+         http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.example</groupId>
+    <artifactId>zgw-token-introspection</artifactId>
+    <version>1.0.0</version>
+    <packaging>jar</packaging>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <maven.compiler.source>17</maven.compiler.source>
+        <maven.compiler.target>17</maven.compiler.target>
+        <keycloak.version>24.0.5</keycloak.version>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-server-spi</artifactId>
+            <version>${keycloak.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-server-spi-private</artifactId>
+            <version>${keycloak.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-services</artifactId>
+            <version>${keycloak.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>jakarta.ws.rs</groupId>
+            <artifactId>jakarta.ws.rs-api</artifactId>
+            <version>3.1.0</version>
+            <scope>provided</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <finalName>zgw-token-introspection</finalName>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.11.0</version>
+                <configuration>
+                    <source>17</source>
+                    <target>17</target>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+</project>