org.keycloak.federation.kerberos

Class KerberosFederationProvider

java.lang.Object

org.keycloak.federation.kerberos.KerberosFederationProvider

All Implemented Interfaces:

UserFederationProvider, Provider

public class KerberosFederationProvider
extends Object
implements UserFederationProvider

Author:

Marek Posolda

Nested Class Summary

Nested classes/interfaces inherited from interface org.keycloak.models.UserFederationProvider

UserFederationProvider.EditMode

Field Summary

Fields

Modifier and Type	Field and Description
protected KerberosFederationProviderFactory	factory
static String	KERBEROS_PRINCIPAL
protected KerberosConfig	kerberosConfig
protected UserFederationProviderModel	model
protected KeycloakSession	session

Fields inherited from interface org.keycloak.models.UserFederationProvider

EMAIL, FIRST_NAME, LAST_NAME, USERNAME

Constructor Summary

Constructors

Constructor and Description
KerberosFederationProvider(KeycloakSession session, UserFederationProviderModel model, KerberosFederationProviderFactory factory)

Method Summary

Methods

Modifier and Type	Method and Description
void	close()
protected UserModel	findOrCreateAuthenticatedUser(RealmModel realm, String username) Called after successful authentication
Set<String>	getSupportedCredentialTypes() What UserCredentialModel types should be handled by this provider? This is called in scenarios when we don't know user, who is going to authenticate (For example Kerberos authentication).
Set<String>	getSupportedCredentialTypes(UserModel local) What UserCredentialModel types should be handled by this provider for this user? Keycloak will only call validCredentials() with the credential types specified in this method.
UserModel	getUserByEmail(RealmModel realm, String email) Required to import into local storage any user found.
UserModel	getUserByUsername(RealmModel realm, String username) Required to import into local storage any user found.
protected UserModel	importUserToKeycloak(RealmModel realm, String username)
boolean	isValid(UserModel local) Is the Keycloak UserModel still valid and/or existing in federated storage?
void	preRemove(RealmModel realm) called whenever a Realm is removed
void	preRemove(RealmModel realm, RoleModel role) called before a role is removed.
UserModel	proxy(UserModel local) Gives the provider an option to proxy UserModels loaded from local storage.
UserModel	register(RealmModel realm, UserModel user) Called if this federation provider has priority and supports synchronized registrations.
boolean	removeUser(RealmModel realm, UserModel user)
List<UserModel>	searchByAttributes(Map<String,String> attributes, RealmModel realm, int maxResults) Required to import into local storage any user found.
boolean	synchronizeRegistrations() Should user registrations be synchronized with this provider? FYI, only one provider will be chosen (by priority) to have this synchronization
CredentialValidationOutput	validCredentials(RealmModel realm, UserCredentialModel credential) Validate credentials of unknown user.
boolean	validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input) Validate credentials for this user.
boolean	validCredentials(RealmModel realm, UserModel user, UserCredentialModel... input)
protected boolean	validPassword(String username, String password)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

KERBEROS_PRINCIPAL

public static final String KERBEROS_PRINCIPAL

See Also:

Constant Field Values

session

protected KeycloakSession session

model

protected UserFederationProviderModel model

kerberosConfig

protected KerberosConfig kerberosConfig

factory

protected KerberosFederationProviderFactory factory

Constructor Detail

KerberosFederationProvider

public KerberosFederationProvider(KeycloakSession session,
                          UserFederationProviderModel model,
                          KerberosFederationProviderFactory factory)

Method Detail

proxy

public UserModel proxy(UserModel local)

Description copied from interface: UserFederationProvider

Gives the provider an option to proxy UserModels loaded from local storage. This method is called whenever a UserModel is pulled from local storage. For example, the LDAP provider proxies the UserModel and does on-demand synchronization with LDAP whenever UserModel update methods are invoked. It also overrides UserModel.updateCredential for the credential types it supports

Specified by:

proxy in interface UserFederationProvider

Returns:

synchronizeRegistrations

public boolean synchronizeRegistrations()

Description copied from interface: UserFederationProvider

Should user registrations be synchronized with this provider? FYI, only one provider will be chosen (by priority) to have this synchronization

Specified by:

synchronizeRegistrations in interface UserFederationProvider

Returns:

register

public UserModel register(RealmModel realm,
                 UserModel user)

Description copied from interface: UserFederationProvider

Called if this federation provider has priority and supports synchronized registrations.

Specified by:

register in interface UserFederationProvider

Returns:

removeUser

public boolean removeUser(RealmModel realm,
                 UserModel user)

Specified by:

removeUser in interface UserFederationProvider

getUserByUsername

public UserModel getUserByUsername(RealmModel realm,
                          String username)

Description copied from interface: UserFederationProvider

Required to import into local storage any user found.

Specified by:

getUserByUsername in interface UserFederationProvider

Returns:

getUserByEmail

public UserModel getUserByEmail(RealmModel realm,
                       String email)

Description copied from interface: UserFederationProvider

Required to import into local storage any user found.

Specified by:

getUserByEmail in interface UserFederationProvider

Returns:

searchByAttributes

public List<UserModel> searchByAttributes(Map<String,String> attributes,
                                 RealmModel realm,
                                 int maxResults)

Description copied from interface: UserFederationProvider

Required to import into local storage any user found. Must not import if user already exists in KeycloakSession.userStorage()! Currently only attributes USERNAME, EMAIL, FIRST_NAME and LAST_NAME will be used.

Specified by:

searchByAttributes in interface UserFederationProvider

Returns:

preRemove

public void preRemove(RealmModel realm)

Description copied from interface: UserFederationProvider

called whenever a Realm is removed

Specified by:

preRemove in interface UserFederationProvider

preRemove

public void preRemove(RealmModel realm,
             RoleModel role)

Description copied from interface: UserFederationProvider

called before a role is removed.

Specified by:

preRemove in interface UserFederationProvider

isValid

public boolean isValid(UserModel local)

Description copied from interface: UserFederationProvider

Is the Keycloak UserModel still valid and/or existing in federated storage?

Specified by:

isValid in interface UserFederationProvider

Returns:

getSupportedCredentialTypes

public Set<String> getSupportedCredentialTypes(UserModel local)

Description copied from interface: UserFederationProvider

What UserCredentialModel types should be handled by this provider for this user? Keycloak will only call validCredentials() with the credential types specified in this method.

Specified by:

getSupportedCredentialTypes in interface UserFederationProvider

Returns:

getSupportedCredentialTypes

public Set<String> getSupportedCredentialTypes()

Description copied from interface: UserFederationProvider

What UserCredentialModel types should be handled by this provider? This is called in scenarios when we don't know user, who is going to authenticate (For example Kerberos authentication).

Specified by:

getSupportedCredentialTypes in interface UserFederationProvider

Returns:

validCredentials

public boolean validCredentials(RealmModel realm,
                       UserModel user,
                       List<UserCredentialModel> input)

Description copied from interface: UserFederationProvider

Validate credentials for this user. This method will only be called with credential parameters supported by this provider

Specified by:

validCredentials in interface UserFederationProvider

Returns:

validPassword

protected boolean validPassword(String username,
                    String password)

validCredentials

public boolean validCredentials(RealmModel realm,
                       UserModel user,
                       UserCredentialModel... input)

Specified by:

validCredentials in interface UserFederationProvider

validCredentials

public CredentialValidationOutput validCredentials(RealmModel realm,
                                          UserCredentialModel credential)

Description copied from interface: UserFederationProvider

Validate credentials of unknown user. The authenticated user is recognized based on provided credentials and returned back in CredentialValidationOutput

Specified by:

validCredentials in interface UserFederationProvider

Returns:

close

public void close()

Specified by:

close in interface UserFederationProvider

Specified by:

close in interface Provider

findOrCreateAuthenticatedUser

protected UserModel findOrCreateAuthenticatedUser(RealmModel realm,
                                      String username)

Called after successful authentication

Parameters:

realm - realm

username - username without realm prefix

Returns:

user if found or successfully created. Null if user with same username already exists, but is not linked to this provider

importUserToKeycloak

protected UserModel importUserToKeycloak(RealmModel realm,
                             String username)