Package org.keycloak.broker.oidc

Class OIDCIdentityProvider

java.lang.Object

org.keycloak.broker.provider.AbstractIdentityProvider<C>

org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

org.keycloak.broker.oidc.OIDCIdentityProvider

All Implemented Interfaces:

org.keycloak.broker.provider.ExchangeExternalToken, org.keycloak.broker.provider.ExchangeTokenToIdentityProviderToken, org.keycloak.broker.provider.IdentityProvider<OIDCIdentityProviderConfig>, org.keycloak.provider.Provider

Direct Known Subclasses:

GitLabIdentityProvider, GoogleIdentityProvider, KeycloakOIDCIdentityProvider

public class OIDCIdentityProvider
extends AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
implements org.keycloak.broker.provider.ExchangeExternalToken

Author:

Pedro Igor

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
protected static class	OIDCIdentityProvider.OIDCEndpoint

Nested classes/interfaces inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider

AbstractOAuth2IdentityProvider.Endpoint

Nested classes/interfaces inherited from interface org.keycloak.broker.provider.IdentityProvider

org.keycloak.broker.provider.IdentityProvider.AuthenticationCallback

Field Summary

Fields

Modifier and Type	Field	Description
static String	ACCESS_TOKEN_EXPIRATION
static String	EXCHANGE_PROVIDER
static String	FEDERATED_ACCESS_TOKEN_RESPONSE
static String	FEDERATED_ID_TOKEN
protected static org.jboss.logging.Logger	logger
static String	SCOPE_OPENID
static String	USER_INFO
static String	VALIDATED_ID_TOKEN

Fields inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider

ACCESS_DENIED, FEDERATED_REFRESH_TOKEN, FEDERATED_TOKEN_EXPIRATION, mapper, OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE, OAUTH2_GRANT_TYPE_REFRESH_TOKEN, OAUTH2_PARAMETER_ACCESS_TOKEN, OAUTH2_PARAMETER_CLIENT_ID, OAUTH2_PARAMETER_CLIENT_SECRET, OAUTH2_PARAMETER_CODE, OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_PARAMETER_REDIRECT_URI, OAUTH2_PARAMETER_RESPONSE_TYPE, OAUTH2_PARAMETER_SCOPE, OAUTH2_PARAMETER_STATE

Fields inherited from class org.keycloak.broker.provider.AbstractIdentityProvider

ACCOUNT_LINK_URL, session

Fields inherited from interface org.keycloak.broker.provider.IdentityProvider

EXTERNAL_IDENTITY_PROVIDER, FEDERATED_ACCESS_TOKEN

Constructor Summary

Constructors

Constructor	Description
OIDCIdentityProvider(org.keycloak.models.KeycloakSession session, OIDCIdentityProviderConfig config)

Method Summary

Modifier and Type	Method	Description
void	authenticationFinished(org.keycloak.sessions.AuthenticationSessionModel authSession, org.keycloak.broker.provider.BrokeredIdentityContext context)
void	backchannelLogout(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, org.keycloak.models.RealmModel realm)
protected void	backchannelLogout(org.keycloak.models.UserSessionModel userSession, String idToken)
Object	callback(org.keycloak.models.RealmModel realm, org.keycloak.broker.provider.IdentityProvider.AuthenticationCallback callback, org.keycloak.events.EventBuilder event)
protected javax.ws.rs.core.UriBuilder	createAuthorizationUrl(org.keycloak.broker.provider.AuthenticationRequest request)
protected org.keycloak.broker.provider.BrokeredIdentityContext	exchangeExternalImpl(org.keycloak.events.EventBuilder event, javax.ws.rs.core.MultivaluedMap<String,String> params)
protected javax.ws.rs.core.Response	exchangeSessionToken(javax.ws.rs.core.UriInfo uriInfo, org.keycloak.events.EventBuilder event, org.keycloak.models.ClientModel authorizedClient, org.keycloak.models.UserSessionModel tokenUserSession, org.keycloak.models.UserModel tokenSubject)
protected javax.ws.rs.core.Response	exchangeStoredToken(javax.ws.rs.core.UriInfo uriInfo, org.keycloak.events.EventBuilder event, org.keycloak.models.ClientModel authorizedClient, org.keycloak.models.UserSessionModel tokenUserSession, org.keycloak.models.UserModel tokenSubject)
protected org.keycloak.broker.provider.BrokeredIdentityContext	extractIdentity(org.keycloak.representations.AccessTokenResponse tokenResponse, String accessToken, org.keycloak.representations.JsonWebToken idToken)
protected org.keycloak.broker.provider.BrokeredIdentityContext	extractIdentityFromProfile(org.keycloak.events.EventBuilder event, com.fasterxml.jackson.databind.JsonNode userInfo)
protected String	getDefaultScopes()
org.keycloak.broker.provider.BrokeredIdentityContext	getFederatedIdentity(String response)
protected String	getProfileEndpointForValidation(org.keycloak.events.EventBuilder event)
protected org.keycloak.broker.provider.util.SimpleHttp	getRefreshTokenRequest(org.keycloak.models.KeycloakSession session, String refreshToken, String clientId, String clientSecret)
protected String	getUserInfoUrl()
protected String	getusernameClaimNameForIdToken()
protected String	getUsernameFromUserInfo(com.fasterxml.jackson.databind.JsonNode userInfo)
protected boolean	isAuthTimeExpired(org.keycloak.representations.JsonWebToken idToken, org.keycloak.sessions.AuthenticationSessionModel authSession)
boolean	isIssuer(String issuer, javax.ws.rs.core.MultivaluedMap<String,String> params)
javax.ws.rs.core.Response	keycloakInitiatedBrowserLogout(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, org.keycloak.models.RealmModel realm)
void	preprocessFederatedIdentity(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.broker.provider.BrokeredIdentityContext context)
protected void	processAccessTokenResponse(org.keycloak.broker.provider.BrokeredIdentityContext context, org.keycloak.representations.AccessTokenResponse response)
String	refreshTokenForLogout(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession)	Returns access token response as a string from a refresh token invocation on the remote OIDC broker
protected boolean	supportsExternalExchange()
protected org.keycloak.broker.provider.BrokeredIdentityContext	validateJwt(org.keycloak.events.EventBuilder event, String subjectToken, String subjectTokenType)
org.keycloak.representations.JsonWebToken	validateToken(String encodedToken)
protected org.keycloak.representations.JsonWebToken	validateToken(String encodedToken, boolean ignoreAudience)
protected boolean	verify(org.keycloak.jose.jws.JWSInput jws)

Methods inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider

asJsonNode, authenticateTokenRequest, buildUserInfoRequest, doGetFederatedIdentity, exchangeExternal, exchangeExternalComplete, exchangeExternalUserInfoValidationOnly, exchangeFromToken, extractTokenFromResponse, generateToken, getAccessTokenResponseParameter, getConfig, getJsonProperty, getSignatureContext, hasExternalExchangeToken, performLogin, retrieveToken, validateExternalTokenThroughUserInfo

Methods inherited from class org.keycloak.broker.provider.AbstractIdentityProvider

close, exchangeErrorResponse, exchangeNotLinked, exchangeNotLinkedNoStore, exchangeNotSupported, exchangeTokenExpired, exchangeUnsupportedRequiredType, export, getLinkingUrl, getMarshaller, importNewUser, updateBrokeredUser

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.broker.provider.ExchangeExternalToken

exchangeExternal, exchangeExternalComplete

Field Detail

logger

protected static final org.jboss.logging.Logger logger

SCOPE_OPENID

public static final String SCOPE_OPENID

See Also:

Constant Field Values

FEDERATED_ID_TOKEN

public static final String FEDERATED_ID_TOKEN

See Also:

Constant Field Values

USER_INFO

public static final String USER_INFO

See Also:

Constant Field Values

FEDERATED_ACCESS_TOKEN_RESPONSE

public static final String FEDERATED_ACCESS_TOKEN_RESPONSE

See Also:

Constant Field Values

VALIDATED_ID_TOKEN

public static final String VALIDATED_ID_TOKEN

See Also:

Constant Field Values

ACCESS_TOKEN_EXPIRATION

public static final String ACCESS_TOKEN_EXPIRATION

See Also:

Constant Field Values

EXCHANGE_PROVIDER

public static final String EXCHANGE_PROVIDER

See Also:

Constant Field Values

Constructor Detail

OIDCIdentityProvider

public OIDCIdentityProvider(org.keycloak.models.KeycloakSession session,
                            OIDCIdentityProviderConfig config)

Method Detail

callback

public Object callback(org.keycloak.models.RealmModel realm,
                       org.keycloak.broker.provider.IdentityProvider.AuthenticationCallback callback,
                       org.keycloak.events.EventBuilder event)

Specified by:

callback in interface org.keycloak.broker.provider.IdentityProvider<OIDCIdentityProviderConfig>

Overrides:

callback in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

refreshTokenForLogout

public String refreshTokenForLogout(org.keycloak.models.KeycloakSession session,
                                    org.keycloak.models.UserSessionModel userSession)

Returns access token response as a string from a refresh token invocation on the remote OIDC broker

Parameters:

session -

userSession -

Returns:

backchannelLogout

public void backchannelLogout(org.keycloak.models.KeycloakSession session,
                              org.keycloak.models.UserSessionModel userSession,
                              javax.ws.rs.core.UriInfo uriInfo,
                              org.keycloak.models.RealmModel realm)

Specified by:

backchannelLogout in interface org.keycloak.broker.provider.IdentityProvider<OIDCIdentityProviderConfig>

Overrides:

backchannelLogout in class org.keycloak.broker.provider.AbstractIdentityProvider<OIDCIdentityProviderConfig>

backchannelLogout

protected void backchannelLogout(org.keycloak.models.UserSessionModel userSession,
                                 String idToken)

keycloakInitiatedBrowserLogout

public javax.ws.rs.core.Response keycloakInitiatedBrowserLogout(org.keycloak.models.KeycloakSession session,
                                                                org.keycloak.models.UserSessionModel userSession,
                                                                javax.ws.rs.core.UriInfo uriInfo,
                                                                org.keycloak.models.RealmModel realm)

Specified by:

keycloakInitiatedBrowserLogout in interface org.keycloak.broker.provider.IdentityProvider<OIDCIdentityProviderConfig>

Overrides:

keycloakInitiatedBrowserLogout in class org.keycloak.broker.provider.AbstractIdentityProvider<OIDCIdentityProviderConfig>

exchangeStoredToken

protected javax.ws.rs.core.Response exchangeStoredToken(javax.ws.rs.core.UriInfo uriInfo,
                                                        org.keycloak.events.EventBuilder event,
                                                        org.keycloak.models.ClientModel authorizedClient,
                                                        org.keycloak.models.UserSessionModel tokenUserSession,
                                                        org.keycloak.models.UserModel tokenSubject)

Overrides:

exchangeStoredToken in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

processAccessTokenResponse

protected void processAccessTokenResponse(org.keycloak.broker.provider.BrokeredIdentityContext context,
                                          org.keycloak.representations.AccessTokenResponse response)

getRefreshTokenRequest

protected org.keycloak.broker.provider.util.SimpleHttp getRefreshTokenRequest(org.keycloak.models.KeycloakSession session,
                                                                              String refreshToken,
                                                                              String clientId,
                                                                              String clientSecret)

exchangeSessionToken

protected javax.ws.rs.core.Response exchangeSessionToken(javax.ws.rs.core.UriInfo uriInfo,
                                                         org.keycloak.events.EventBuilder event,
                                                         org.keycloak.models.ClientModel authorizedClient,
                                                         org.keycloak.models.UserSessionModel tokenUserSession,
                                                         org.keycloak.models.UserModel tokenSubject)

Overrides:

exchangeSessionToken in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

getFederatedIdentity

public org.keycloak.broker.provider.BrokeredIdentityContext getFederatedIdentity(String response)

Overrides:

getFederatedIdentity in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

isAuthTimeExpired

protected boolean isAuthTimeExpired(org.keycloak.representations.JsonWebToken idToken,
                                    org.keycloak.sessions.AuthenticationSessionModel authSession)

extractIdentity

protected org.keycloak.broker.provider.BrokeredIdentityContext extractIdentity(org.keycloak.representations.AccessTokenResponse tokenResponse,
                                                                               String accessToken,
                                                                               org.keycloak.representations.JsonWebToken idToken)
                                                                        throws IOException

Throws:

IOException

getusernameClaimNameForIdToken

protected String getusernameClaimNameForIdToken()

getUserInfoUrl

protected String getUserInfoUrl()

verify

protected boolean verify(org.keycloak.jose.jws.JWSInput jws)

validateToken

public org.keycloak.representations.JsonWebToken validateToken(String encodedToken)

validateToken

protected org.keycloak.representations.JsonWebToken validateToken(String encodedToken,
                                                                  boolean ignoreAudience)

authenticationFinished

public void authenticationFinished(org.keycloak.sessions.AuthenticationSessionModel authSession,
                                   org.keycloak.broker.provider.BrokeredIdentityContext context)

Specified by:

authenticationFinished in interface org.keycloak.broker.provider.IdentityProvider<OIDCIdentityProviderConfig>

Overrides:

authenticationFinished in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

getDefaultScopes

protected String getDefaultScopes()

Specified by:

getDefaultScopes in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

isIssuer

public boolean isIssuer(String issuer,
                        javax.ws.rs.core.MultivaluedMap<String,String> params)

Specified by:

isIssuer in interface org.keycloak.broker.provider.ExchangeExternalToken

Overrides:

isIssuer in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

supportsExternalExchange

protected boolean supportsExternalExchange()

Overrides:

supportsExternalExchange in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

getProfileEndpointForValidation

protected String getProfileEndpointForValidation(org.keycloak.events.EventBuilder event)

Overrides:

getProfileEndpointForValidation in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

extractIdentityFromProfile

protected org.keycloak.broker.provider.BrokeredIdentityContext extractIdentityFromProfile(org.keycloak.events.EventBuilder event,
                                                                                          com.fasterxml.jackson.databind.JsonNode userInfo)

Overrides:

extractIdentityFromProfile in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

getUsernameFromUserInfo

protected String getUsernameFromUserInfo(com.fasterxml.jackson.databind.JsonNode userInfo)

validateJwt

protected final org.keycloak.broker.provider.BrokeredIdentityContext validateJwt(org.keycloak.events.EventBuilder event,
                                                                                 String subjectToken,
                                                                                 String subjectTokenType)

exchangeExternalImpl

protected org.keycloak.broker.provider.BrokeredIdentityContext exchangeExternalImpl(org.keycloak.events.EventBuilder event,
                                                                                    javax.ws.rs.core.MultivaluedMap<String,String> params)

Overrides:

exchangeExternalImpl in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

createAuthorizationUrl

protected javax.ws.rs.core.UriBuilder createAuthorizationUrl(org.keycloak.broker.provider.AuthenticationRequest request)

Overrides:

createAuthorizationUrl in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

preprocessFederatedIdentity

public void preprocessFederatedIdentity(org.keycloak.models.KeycloakSession session,
                                        org.keycloak.models.RealmModel realm,
                                        org.keycloak.broker.provider.BrokeredIdentityContext context)

Specified by:

preprocessFederatedIdentity in interface org.keycloak.broker.provider.IdentityProvider<OIDCIdentityProviderConfig>

Overrides:

preprocessFederatedIdentity in class org.keycloak.broker.provider.AbstractIdentityProvider<OIDCIdentityProviderConfig>