Package org.keycloak.broker.oidc
Class OIDCIdentityProvider

- java.lang.Object
  - org.keycloak.broker.provider.AbstractIdentityProvider<C>
    - org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
      - org.keycloak.broker.oidc.OIDCIdentityProvider

- All Implemented Interfaces:
  org.keycloak.broker.provider.ExchangeExternalToken, org.keycloak.broker.provider.ExchangeTokenToIdentityProviderToken, org.keycloak.broker.provider.IdentityProvider<OIDCIdentityProviderConfig>, org.keycloak.provider.Provider
- Direct Known Subclasses:
  GitLabIdentityProvider, GoogleIdentityProvider, KeycloakOIDCIdentityProvider

public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig> implements org.keycloak.broker.provider.ExchangeExternalToken

- Author:
  Pedro Igor
Nested Class Summary
Nested Classes:
- protected static class OIDCIdentityProvider.OIDCEndpoint

Nested classes/interfaces inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider:
AbstractOAuth2IdentityProvider.Endpoint

Field Summary
Fields:
- static String ACCESS_TOKEN_EXPIRATION
- static String EXCHANGE_PROVIDER
- static String FEDERATED_ACCESS_TOKEN_RESPONSE
- static String FEDERATED_ID_TOKEN
- protected static org.jboss.logging.Logger logger
- static String SCOPE_OPENID
- static String USER_INFO
- static String VALIDATED_ID_TOKEN

Fields inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider:
ACCESS_DENIED, FEDERATED_REFRESH_TOKEN, FEDERATED_TOKEN_EXPIRATION, mapper, OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE, OAUTH2_GRANT_TYPE_REFRESH_TOKEN, OAUTH2_PARAMETER_ACCESS_TOKEN, OAUTH2_PARAMETER_CLIENT_ID, OAUTH2_PARAMETER_CLIENT_SECRET, OAUTH2_PARAMETER_CODE, OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_PARAMETER_REDIRECT_URI, OAUTH2_PARAMETER_RESPONSE_TYPE, OAUTH2_PARAMETER_SCOPE, OAUTH2_PARAMETER_STATE

Constructor Summary
Constructors:
- OIDCIdentityProvider(org.keycloak.models.KeycloakSession session, OIDCIdentityProviderConfig config)

Method Summary
Methods (modifier and type, then signature and description):
- void authenticationFinished(org.keycloak.sessions.AuthenticationSessionModel authSession, org.keycloak.broker.provider.BrokeredIdentityContext context)
- void backchannelLogout(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, org.keycloak.models.RealmModel realm)
- protected void backchannelLogout(org.keycloak.models.UserSessionModel userSession, String idToken)
- Object callback(org.keycloak.models.RealmModel realm, org.keycloak.broker.provider.IdentityProvider.AuthenticationCallback callback, org.keycloak.events.EventBuilder event)
- protected javax.ws.rs.core.UriBuilder createAuthorizationUrl(org.keycloak.broker.provider.AuthenticationRequest request)
- protected org.keycloak.broker.provider.BrokeredIdentityContext exchangeExternalImpl(org.keycloak.events.EventBuilder event, javax.ws.rs.core.MultivaluedMap<String,String> params)
- protected javax.ws.rs.core.Response exchangeSessionToken(javax.ws.rs.core.UriInfo uriInfo, org.keycloak.events.EventBuilder event, org.keycloak.models.ClientModel authorizedClient, org.keycloak.models.UserSessionModel tokenUserSession, org.keycloak.models.UserModel tokenSubject)
- protected javax.ws.rs.core.Response exchangeStoredToken(javax.ws.rs.core.UriInfo uriInfo, org.keycloak.events.EventBuilder event, org.keycloak.models.ClientModel authorizedClient, org.keycloak.models.UserSessionModel tokenUserSession, org.keycloak.models.UserModel tokenSubject)
- protected org.keycloak.broker.provider.BrokeredIdentityContext extractIdentity(org.keycloak.representations.AccessTokenResponse tokenResponse, String accessToken, org.keycloak.representations.JsonWebToken idToken)
- protected org.keycloak.broker.provider.BrokeredIdentityContext extractIdentityFromProfile(org.keycloak.events.EventBuilder event, com.fasterxml.jackson.databind.JsonNode userInfo)
- protected String getDefaultScopes()
- org.keycloak.broker.provider.BrokeredIdentityContext getFederatedIdentity(String response)
- protected String getProfileEndpointForValidation(org.keycloak.events.EventBuilder event)
- protected org.keycloak.broker.provider.util.SimpleHttp getRefreshTokenRequest(org.keycloak.models.KeycloakSession session, String refreshToken, String clientId, String clientSecret)
- protected String getUserInfoUrl()
- protected String getusernameClaimNameForIdToken()
- protected String getUsernameFromUserInfo(com.fasterxml.jackson.databind.JsonNode userInfo)
- protected boolean isAuthTimeExpired(org.keycloak.representations.JsonWebToken idToken, org.keycloak.sessions.AuthenticationSessionModel authSession)
- boolean isIssuer(String issuer, javax.ws.rs.core.MultivaluedMap<String,String> params)
- javax.ws.rs.core.Response keycloakInitiatedBrowserLogout(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, org.keycloak.models.RealmModel realm)
- void preprocessFederatedIdentity(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.broker.provider.BrokeredIdentityContext context)
- protected void processAccessTokenResponse(org.keycloak.broker.provider.BrokeredIdentityContext context, org.keycloak.representations.AccessTokenResponse response)
- String refreshTokenForLogout(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession)
  Returns the access token response as a string from a refresh token invocation on the remote OIDC broker.
- protected boolean supportsExternalExchange()
- protected org.keycloak.broker.provider.BrokeredIdentityContext validateJwt(org.keycloak.events.EventBuilder event, String subjectToken, String subjectTokenType)
- org.keycloak.representations.JsonWebToken validateToken(String encodedToken)
- protected org.keycloak.representations.JsonWebToken validateToken(String encodedToken, boolean ignoreAudience)
- protected boolean verify(org.keycloak.jose.jws.JWSInput jws)

Methods inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider:
asJsonNode, authenticateTokenRequest, buildUserInfoRequest, doGetFederatedIdentity, exchangeExternal, exchangeExternalComplete, exchangeExternalUserInfoValidationOnly, exchangeFromToken, extractTokenFromResponse, generateToken, getAccessTokenResponseParameter, getConfig, getJsonProperty, getSignatureContext, hasExternalExchangeToken, performLogin, retrieveToken, validateExternalTokenThroughUserInfo

Methods inherited from class org.keycloak.broker.provider.AbstractIdentityProvider:
close, exchangeErrorResponse, exchangeNotLinked, exchangeNotLinkedNoStore, exchangeNotSupported, exchangeTokenExpired, exchangeUnsupportedRequiredType, export, getLinkingUrl, getMarshaller, importNewUser, updateBrokeredUser

Field Detail

logger
protected static final org.jboss.logging.Logger logger

SCOPE_OPENID
public static final String SCOPE_OPENID
- See Also: Constant Field Values

FEDERATED_ID_TOKEN
public static final String FEDERATED_ID_TOKEN
- See Also: Constant Field Values

USER_INFO
public static final String USER_INFO
- See Also: Constant Field Values

FEDERATED_ACCESS_TOKEN_RESPONSE
public static final String FEDERATED_ACCESS_TOKEN_RESPONSE
- See Also: Constant Field Values

VALIDATED_ID_TOKEN
public static final String VALIDATED_ID_TOKEN
- See Also: Constant Field Values

ACCESS_TOKEN_EXPIRATION
public static final String ACCESS_TOKEN_EXPIRATION
- See Also: Constant Field Values

EXCHANGE_PROVIDER
public static final String EXCHANGE_PROVIDER
- See Also: Constant Field Values

Constructor Detail

OIDCIdentityProvider
public OIDCIdentityProvider(org.keycloak.models.KeycloakSession session, OIDCIdentityProviderConfig config)

Method Detail

callback
public Object callback(org.keycloak.models.RealmModel realm, org.keycloak.broker.provider.IdentityProvider.AuthenticationCallback callback, org.keycloak.events.EventBuilder event)
- Specified by: callback in interface org.keycloak.broker.provider.IdentityProvider<OIDCIdentityProviderConfig>
- Overrides: callback in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

refreshTokenForLogout
public String refreshTokenForLogout(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession)
Returns the access token response as a string from a refresh token invocation on the remote OIDC broker.
- Parameters: session, userSession
- Returns: the access token response as a string

backchannelLogout
public void backchannelLogout(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, org.keycloak.models.RealmModel realm)
- Specified by: backchannelLogout in interface org.keycloak.broker.provider.IdentityProvider<OIDCIdentityProviderConfig>
- Overrides: backchannelLogout in class org.keycloak.broker.provider.AbstractIdentityProvider<OIDCIdentityProviderConfig>

backchannelLogout
protected void backchannelLogout(org.keycloak.models.UserSessionModel userSession, String idToken)

keycloakInitiatedBrowserLogout
public javax.ws.rs.core.Response keycloakInitiatedBrowserLogout(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, org.keycloak.models.RealmModel realm)
- Specified by: keycloakInitiatedBrowserLogout in interface org.keycloak.broker.provider.IdentityProvider<OIDCIdentityProviderConfig>
- Overrides: keycloakInitiatedBrowserLogout in class org.keycloak.broker.provider.AbstractIdentityProvider<OIDCIdentityProviderConfig>

exchangeStoredToken
protected javax.ws.rs.core.Response exchangeStoredToken(javax.ws.rs.core.UriInfo uriInfo, org.keycloak.events.EventBuilder event, org.keycloak.models.ClientModel authorizedClient, org.keycloak.models.UserSessionModel tokenUserSession, org.keycloak.models.UserModel tokenSubject)
- Overrides: exchangeStoredToken in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

processAccessTokenResponse
protected void processAccessTokenResponse(org.keycloak.broker.provider.BrokeredIdentityContext context, org.keycloak.representations.AccessTokenResponse response)

getRefreshTokenRequest
protected org.keycloak.broker.provider.util.SimpleHttp getRefreshTokenRequest(org.keycloak.models.KeycloakSession session, String refreshToken, String clientId, String clientSecret)

exchangeSessionToken
protected javax.ws.rs.core.Response exchangeSessionToken(javax.ws.rs.core.UriInfo uriInfo, org.keycloak.events.EventBuilder event, org.keycloak.models.ClientModel authorizedClient, org.keycloak.models.UserSessionModel tokenUserSession, org.keycloak.models.UserModel tokenSubject)
- Overrides: exchangeSessionToken in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

getFederatedIdentity
public org.keycloak.broker.provider.BrokeredIdentityContext getFederatedIdentity(String response)
- Overrides: getFederatedIdentity in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

isAuthTimeExpired
protected boolean isAuthTimeExpired(org.keycloak.representations.JsonWebToken idToken, org.keycloak.sessions.AuthenticationSessionModel authSession)

extractIdentity
protected org.keycloak.broker.provider.BrokeredIdentityContext extractIdentity(org.keycloak.representations.AccessTokenResponse tokenResponse, String accessToken, org.keycloak.representations.JsonWebToken idToken) throws IOException
- Throws: IOException

getusernameClaimNameForIdToken
protected String getusernameClaimNameForIdToken()

getUserInfoUrl
protected String getUserInfoUrl()

verify
protected boolean verify(org.keycloak.jose.jws.JWSInput jws)

validateToken
public org.keycloak.representations.JsonWebToken validateToken(String encodedToken)

validateToken
protected org.keycloak.representations.JsonWebToken validateToken(String encodedToken, boolean ignoreAudience)

authenticationFinished
public void authenticationFinished(org.keycloak.sessions.AuthenticationSessionModel authSession, org.keycloak.broker.provider.BrokeredIdentityContext context)
- Specified by: authenticationFinished in interface org.keycloak.broker.provider.IdentityProvider<OIDCIdentityProviderConfig>
- Overrides: authenticationFinished in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

getDefaultScopes
protected String getDefaultScopes()
- Specified by: getDefaultScopes in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

isIssuer
public boolean isIssuer(String issuer, javax.ws.rs.core.MultivaluedMap<String,String> params)
- Specified by: isIssuer in interface org.keycloak.broker.provider.ExchangeExternalToken
- Overrides: isIssuer in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

supportsExternalExchange
protected boolean supportsExternalExchange()
- Overrides: supportsExternalExchange in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

getProfileEndpointForValidation
protected String getProfileEndpointForValidation(org.keycloak.events.EventBuilder event)
- Overrides: getProfileEndpointForValidation in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

extractIdentityFromProfile
protected org.keycloak.broker.provider.BrokeredIdentityContext extractIdentityFromProfile(org.keycloak.events.EventBuilder event, com.fasterxml.jackson.databind.JsonNode userInfo)
- Overrides: extractIdentityFromProfile in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

getUsernameFromUserInfo
protected String getUsernameFromUserInfo(com.fasterxml.jackson.databind.JsonNode userInfo)

validateJwt
protected final org.keycloak.broker.provider.BrokeredIdentityContext validateJwt(org.keycloak.events.EventBuilder event, String subjectToken, String subjectTokenType)

exchangeExternalImpl
protected org.keycloak.broker.provider.BrokeredIdentityContext exchangeExternalImpl(org.keycloak.events.EventBuilder event, javax.ws.rs.core.MultivaluedMap<String,String> params)
- Overrides: exchangeExternalImpl in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

createAuthorizationUrl
protected javax.ws.rs.core.UriBuilder createAuthorizationUrl(org.keycloak.broker.provider.AuthenticationRequest request)
- Overrides: createAuthorizationUrl in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

preprocessFederatedIdentity
public void preprocessFederatedIdentity(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.broker.provider.BrokeredIdentityContext context)
- Specified by: preprocessFederatedIdentity in interface org.keycloak.broker.provider.IdentityProvider<OIDCIdentityProviderConfig>
- Overrides: preprocessFederatedIdentity in class org.keycloak.broker.provider.AbstractIdentityProvider<OIDCIdentityProviderConfig>