All Classes and Interfaces
Class
Description
Abstract class that handles the logic for importing and updating brokered users for all mappers that map a SAML attribute into a Keycloak group.
Abstract class that handles the logic for importing and updating brokered users for all mappers that map a SAML attribute into a Keycloak role.
Abstract class that handles the logic for importing and updating brokered users for all mappers that map an OIDC claim into a Keycloak role.
Abstract helper class that Authenticator implementations can leverage
Abstract class for Social Provider mappers which allow mapping of a JSON user profile field into a Keycloak user attribute.
Set the 'sub' claim to pairwise.
Base PartialImport for most resource types.
Helper class for securing local services.
Abstract base for Freemarker context bean providing information about the user profile to render dynamic or crafted forms.
A base class for UserProfileProvider implementations providing the main hooks for customizations.
Abstract class that is meant to be extended by implementations of VaultProvider that want to have support for key resolvers.
Abstract class that is meant to be extended by implementations of VaultProviderFactory that want to offer support for the configuration of key resolvers.
Enum containing the available VaultKeyResolvers.
Created by st on 29/03/17.
CRUD data in the authentication session, which are related to step-up authentication
Handler of the action token.
Created by st on 21/03/17.
Useful as a function pointer, i.e.
Useful as a function pointer, i.e.
A sub-resource instance for paths relative to the Realm's RESTful Admin API that could not be resolved by the server.
AdminRealmResourceProvider creates JAX-RS
A factory that creates AdminRealmResourceProvider instances.
A Spi to plug additional sub-resources into the Realms' RESTful Admin API.
Root resource for admin console and admin REST API
Authenticator will always successfully authenticate.
Populates token with requested scope.
Protocol mapper to add allowed web origins to the access token to the 'allowed-origins' claim
The provider allows extracting the X.509 client certificate forwarded to Keycloak when configured behind the Apache reverse proxy.
When using AsyncResponse.resume(Object) directly in the code, the response is returned before all changes done within this execution are committed.
Base resource class for the admin REST API of one realm
Pass-through authenticator that just sets the context to attempted.
Validator to check that User Profile attribute value is not blank (nor null) if the attribute is required based on AttributeMetadata predicate.
Protocol mapper, which adds all client_ids of "allowed" clients to the audience field of the token.
Provides the interface for requesting authentication (AuthN) and authorization (AuthZ) by an authentication device (AD) from the external entity via the Authentication Channel.
Stateless object that manages authentication
Non-HttpOnly cookie tracking the remaining authSessions in the current root authentication session
Common base class for Authorization REST endpoints implementation, which have to be implemented by each protocol.
Implements some checks typical for OIDC Authorization Endpoint.
Parse the parameters from PAR
Parse the parameters from request queryString
Parse the parameters from OIDC "request" object
Validator to check that User Profile attribute value is not blank (null value is OK!).
Validator to check that User Profile username is provided during Brokering/Federation.
The point of this is to improve the browser history experience (back/forward/refresh buttons), but ensure there are no more redirects than necessary.
Configure Certificate validation
Represents an authentication request sent by a consumption device (CD).
Provides the resolver that converts several types of received login hint to its corresponding UserModel.
Represents the context in the request to register/read/update/unregister client by Dynamic Client Registration or Admin REST API.
Provider plugin interface for importing clients from an arbitrary configuration format
Provider plugin interface for importing clients from an arbitrary configuration format
Validates client based on "client_id" and "client_secret" sent either in request parameters or in the "Authorization: Basic" header.
Utilities for treating client policies/profiles
Base resource class for managing one particular client of a realm.
Partial Import handler for Client Roles.
Base resource class for managing one particular client of a realm.
Base resource class for managing a realm's client scopes.
PartialImport handler for Clients.
Base resource class for managing a realm's clients.
An OTPFormAuthenticator that can conditionally require OTP authentication.
Created by st on 21/03/17.
Util class for localized date and time representation
UserProfileProvider loading configuration from the changeable JSON file stored in component config.
Part of action token that is intended to be used e.g.
A single thread will log failures.
The provider retrieves a client certificate and the certificate chain (if any) from the incoming TLS connection.
The factory and the corresponding providers extract a client certificate and the certificate chain (if any) from the incoming TLS connection.
Not thread safe.
The default HttpClientFactory for HttpClientProviders used by Keycloak for outbound HTTP calls.
Various common utils needed for migration from an older version to a newer one
ArtifactResolver for artifact-04 format.
Default token exchange implementation
Default token exchange provider factory
Default VaultCharSecret implementation based on CharBuffer.
Default raw secret implementation for byte[].
Default VaultCharSecret implementation based on String.
Default VaultTranscriber implementation that uses the configured VaultProvider to obtain raw secrets and convert them into other types.
Explicitly deny access to the resources.
Cookie encapsulating data to be displayed on the info/error page.
Representation of the docker-compose.yaml file
Implements a docker-client understandable format.
The “kid” field has to be in a libtrust fingerprint compatible format.
Validator to check User Profile email duplication conditions based on realm settings like isDuplicateEmailsAllowed.
Validator to check whether the User Profile username already exists in the database for another user in case of its change, and fail in this case.
Validator to check User Profile email duplication conditions if isDuplicateEmailsAllowed is false but isRegistrationEmailAsUsername is true.
An exception that can hold a Response object.
AttributeChangeListener to audit user profile attribute changes into Event.
Token verification exception that bears an error to be logged via event system and a message to show to the user e.g.
User attribute mapper.
A text-based vault provider, which stores each secret in a separate file.
Creates and configures FilesPlainTextVaultProvider.
Deprecated.
Deprecated.
To provide a typed exception for Forbidden (This doesn't exist in Resteasy 2.3.7)
Set the 'name' claim to be first + last name.
Check that switch "fullScopeAllowed" is not enabled for the clients
Check that switch "fullScopeAllowed" is not enabled for the clients
User attribute mapper.
User attribute mapper.
Maps user group membership
Partial import handler for Groups.
The provider allows extracting the X.509 client certificate forwarded to the Keycloak middleware configured behind the HAProxy reverse proxy.
Maps a UserModel property (the property name of a getter method) to an AttributeStatement.
Add a role to a token
Maps a UserModel property (the property name of a getter method) to an AttributeStatement.
Abstraction for creating HttpClients.
PartialImport handler for Identity Provider Mappers.
PartialImport handler for Identity Providers.
Same like classic username+password form, but for use in IdP linking.
Representation of a token that represents a time-limited verify e-mail action.
Action token handler for verification of e-mail address.
A validator that fails when the attribute is marked as read only and its value has changed.
User attribute mapper.
Get keycloak.js file for javascript clients
Client authentication based on JWT signed by client private key.
Client authentication based on JWT signed by client secret instead of private key.
Common validation for JWT client authentication with private_key_jwt or with client_secret
Override explicitly added ExceptionMapper for handling UnrecognizedPropertyException in RestEasy Jackson org.jboss.resteasy.plugins.providers.jackson.UnrecognizedPropertyExceptionHandler
Override explicitly added ExceptionMapper for handling MismatchedInputException in RestEasy Jackson
Class of constants relating to the OpenAPI annotations in Keycloak and the Keycloak Admin REST API
Allows sanitizing of html that uses Freemarker ?no_esc.
Based on the EbayPolicyExample in owasp java-html-sanitizer.
Enables legacy support when managing attributes without the declarative provider.
API for linking/unlinking social login accounts
Deprecated.
Deprecated.
Specific OIDC LinkedIn provider for Sign In with LinkedIn using OpenID Connect product app.
Specific OIDC LinkedIn provider for Sign In with LinkedIn using OpenID Connect product app.
Specific public key loader that assumes that use for the keys is the requested one.
User attribute mapper.
Method used to format the link expiration time period in emails.
This check verifies that the user ID (subject) from the token matches the one from the authentication session.
Verifies that if an authentication session exists and any action is required according to it, then it is the expected one.
Verifies whether the given redirect URL, when set, is valid for the given client.
Various util methods, so the logic is not hardcoded in freemarker beans
Utilities for OIDC logout
Bean used to hold form messages per field.
Identity provider for Microsoft account.
User attribute mapper.
The NGINX provider extracts the end-user X.509 certificate sent during TLS mutual authentication and forwarded in an HTTP header.
The factory and the corresponding providers extract a client certificate from an NGINX reverse proxy (TLS termination).
The NGINX trusted provider extracts the end-user X.509 certificate that was sent during TLS mutual authentication, verified against the provided CA, and forwarded in an HTTP header along with a new header ssl-client-verify: SUCCESS.
Data associated with the oauth2 code.
Any class with package org.jboss.resteasy.skeleton.key will use NON_DEFAULT inclusion
Resource class for the oauth/openid connect token service
Identity provider for Openshift V3.
Identity provider for Openshift V4.
OpenShift 4 Identity Provider configuration class.
OpenShift 4 Identity Provider factory class.
Pushed Authorization Request endpoint
Parse the parameters from a request object sent to PAR Endpoint
Main interface for PartialImport handlers.
This class manages the PartialImport handlers.
User attribute mapper.
This validator disallows a set of characters we really do not expect in names of persons (first, middle, last names).
Base resource for managing users
ProxyMappings describes an ordered mapping of hostname regex patterns to a HttpHost proxy.
ProxyMappings.ProxyMapping describes a Proxy Mapping with a Hostname Pattern that is mapped to a proxy HttpHost.
A DefaultRoutePlanner that determines the proxy to use for a given target hostname by consulting the given ProxyMappings.
Resource class for public realm information
Validator to check that User Profile attribute value is not changed if attribute is read-only.
Base resource class for the admin REST API of one realm
Per request object
Deprecated.
Deprecated.
PartialImport handler for Realm Roles.
Top level resource for Admin REST API
Validator to check User Profile email attribute value during Registration when "RegistrationEmailAsUsername()" is enabled.
Validator to check User Profile username attribute value during Registration when "RegistrationEmailAsUsername()" is enabled.
Validator to check User Profile username attribute uniqueness during registration (when "RegistrationEmailAsUsername()" is NOT enabled).
Deprecated.
Deprecated.
Representation of a token that represents a time-limited reset credentials action.
A KeycloakSessionTaskWithResult that is aimed to be used by endpoints that want to produce a Response in a retriable transaction.
This is an encoded token that is stored as a cookie so that if there is a client timeout, the authentication session can be restarted.
Provides a layer of indirection to abstract invocations to Resteasy internal APIs.
Sometimes it's easier to just interact with roles by their ID instead of container/role-name
Base resource for managing users
Map an assigned role to a different position and name in the token
Map an assigned role to a different position and name in the token
Helper class to ensure that all the user's permitted roles (including composite roles) are loaded just once per request.
This class handles both realm roles and client roles.
Introspects token accordingly with UMA Bearer Token Profile.
SAML mapper to add an audience restriction into the assertion, to another client (clientId) or to a custom URI.
SAML audience resolve mapper.
Provider interface for SAML authentication preprocessing.
Configuration of a SAML-enabled client.
This implementation locates the decryption keys within realm keys.
This enum provides mapping between Keycloak provided encryption algorithms and algorithms from xmlsec.
Resource class for the saml connect token service
Base class for managing the scope mappings of a specific client.
An Authenticator that can execute a configured script during the authentication flow.
This class provides a mapper that uses JavaScript to attach a value to an attribute for SAML tokens.
OIDC ProtocolMapper that uses a provided JavaScript fragment to compute the token claim value.
Main logger for the Keycloak Services module.
Warning this class consists of generated code.
Deprecated.
- DELETE once only used from within legacy datastore module
Using this class is ugly, but it is the only way to push our truststore to the default LDAP client implementation.
Stackoverflow social provider.
User attribute mapper.
Theme resource
A token introspection endpoint based on RFC-7662.
Stateless object that creates tokens and manages oauth access codes
Check if access token was revoked with OAuth revocation endpoint
Used for UpdateTotp required action
Used for TOTP login
Utility methods to work with User Profile Configurations
Abstraction which allows displaying the updateProfile page in various contexts (Required action of an already existing user, or first identity provider login when the user doesn't yet exist in the Keycloak DB)
Maps a UserModel attribute to an ID Token claim.
Maps a UserModel attribute (not the property name of a getter method) to an AttributeStatement.
Allows mapping of user client role mappings to an ID and Access Token claim.
Validator to check that User Profile username is provided.
Validator to check that User Profile username is provided.
Validator to check User Profile username change and prevent it if not allowed in realm.
This validator disallows a set of characters we really do not expect in a username.
Maps a UserModel property (the property name of a getter method) to an AttributeStatement.
Maps a UserModel property (the property name of a getter method) to an ID Token claim.
Allows mapping of user realm role mappings to an ID and Access Token claim.
Base resource for managing users
Maps a UserSessionModel note to an ID Token claim.
Maps a user session note to a SAML attribute
PartialImport handler for users.
Base resource for managing users
This exception is thrown when the factory fails to init due to a configuration error.
Thrown when a vault directory doesn't exist.
Representation of a token that represents a time-limited verify e-mail action.
Action token handler for verification of e-mail address.
Authenticator for WebAuthn authentication, which will be typically used when WebAuthn is used as second factor.
Credential provider for WebAuthn 2-factor credential of the user
Authenticator for WebAuthn authentication with passwordless credential.
Credential provider for WebAuthn passwordless credential of the user
Required action to register a WebAuthn passwordless credential for the user.
Required action to register a WebAuthn 2-factor credential for the user
Created by st on 22.09.15.