Package org.keycloak.broker.oidc
Class OIDCIdentityProvider
- java.lang.Object
  - org.keycloak.broker.provider.AbstractIdentityProvider<C>
    - org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
      - org.keycloak.broker.oidc.OIDCIdentityProvider
- All Implemented Interfaces:
  - org.keycloak.broker.provider.ExchangeExternalToken, org.keycloak.broker.provider.ExchangeTokenToIdentityProviderToken, org.keycloak.broker.provider.IdentityProvider<OIDCIdentityProviderConfig>, org.keycloak.provider.Provider
- Direct Known Subclasses:
  - GitLabIdentityProvider, GoogleIdentityProvider, KeycloakOIDCIdentityProvider
public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig> implements org.keycloak.broker.provider.ExchangeExternalToken
- Author:
  - Pedro Igor
-
Nested Class Summary
Modifier and Type  Class
protected class  OIDCIdentityProvider.OIDCEndpoint
Nested classes/interfaces inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
AbstractOAuth2IdentityProvider.Endpoint
-
Field Summary
Modifier and Type  Field
static String  ACCESS_TOKEN_EXPIRATION
static String  EXCHANGE_PROVIDER
static String  FEDERATED_ACCESS_TOKEN_RESPONSE
static String  FEDERATED_ID_TOKEN
protected static org.jboss.logging.Logger  logger
static String  SCOPE_OPENID
static String  USER_INFO
static String  VALIDATED_ID_TOKEN
Fields inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
ACCESS_DENIED, FEDERATED_REFRESH_TOKEN, FEDERATED_TOKEN_EXPIRATION, mapper, OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE, OAUTH2_GRANT_TYPE_REFRESH_TOKEN, OAUTH2_PARAMETER_ACCESS_TOKEN, OAUTH2_PARAMETER_CLIENT_ID, OAUTH2_PARAMETER_CLIENT_SECRET, OAUTH2_PARAMETER_CODE, OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_PARAMETER_REDIRECT_URI, OAUTH2_PARAMETER_RESPONSE_TYPE, OAUTH2_PARAMETER_SCOPE, OAUTH2_PARAMETER_STATE
-
Constructor Summary
Constructor
OIDCIdentityProvider(org.keycloak.models.KeycloakSession session, OIDCIdentityProviderConfig config)
-
Method Summary
All Methods | Instance Methods | Concrete Methods
Modifier and Type  Method
void  authenticationFinished(org.keycloak.sessions.AuthenticationSessionModel authSession, org.keycloak.broker.provider.BrokeredIdentityContext context)
void  backchannelLogout(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, org.keycloak.models.RealmModel realm)
protected void  backchannelLogout(org.keycloak.models.UserSessionModel userSession, String idToken)
Object  callback(org.keycloak.models.RealmModel realm, org.keycloak.broker.provider.IdentityProvider.AuthenticationCallback callback, org.keycloak.events.EventBuilder event)
protected javax.ws.rs.core.UriBuilder  createAuthorizationUrl(org.keycloak.broker.provider.AuthenticationRequest request)
protected org.keycloak.broker.provider.BrokeredIdentityContext  exchangeExternalImpl(org.keycloak.events.EventBuilder event, javax.ws.rs.core.MultivaluedMap<String,String> params)
protected javax.ws.rs.core.Response  exchangeSessionToken(javax.ws.rs.core.UriInfo uriInfo, org.keycloak.events.EventBuilder event, org.keycloak.models.ClientModel authorizedClient, org.keycloak.models.UserSessionModel tokenUserSession, org.keycloak.models.UserModel tokenSubject)
protected javax.ws.rs.core.Response  exchangeStoredToken(javax.ws.rs.core.UriInfo uriInfo, org.keycloak.events.EventBuilder event, org.keycloak.models.ClientModel authorizedClient, org.keycloak.models.UserSessionModel tokenUserSession, org.keycloak.models.UserModel tokenSubject)
protected org.keycloak.broker.provider.BrokeredIdentityContext  extractIdentity(org.keycloak.representations.AccessTokenResponse tokenResponse, String accessToken, org.keycloak.representations.JsonWebToken idToken)
protected org.keycloak.broker.provider.BrokeredIdentityContext  extractIdentityFromProfile(org.keycloak.events.EventBuilder event, com.fasterxml.jackson.databind.JsonNode userInfo)
protected String  getDefaultScopes()
org.keycloak.broker.provider.BrokeredIdentityContext  getFederatedIdentity(String response)
protected String  getProfileEndpointForValidation(org.keycloak.events.EventBuilder event)
protected org.keycloak.broker.provider.util.SimpleHttp  getRefreshTokenRequest(org.keycloak.models.KeycloakSession session, String refreshToken, String clientId, String clientSecret)
protected String  getUserInfoUrl()
protected String  getusernameClaimNameForIdToken()
protected String  getUsernameFromUserInfo(com.fasterxml.jackson.databind.JsonNode userInfo)
protected boolean  isAuthTimeExpired(org.keycloak.representations.JsonWebToken idToken, org.keycloak.sessions.AuthenticationSessionModel authSession)
boolean  isIssuer(String issuer, javax.ws.rs.core.MultivaluedMap<String,String> params)
javax.ws.rs.core.Response  keycloakInitiatedBrowserLogout(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, org.keycloak.models.RealmModel realm)
void  preprocessFederatedIdentity(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.broker.provider.BrokeredIdentityContext context)
protected void  processAccessTokenResponse(org.keycloak.broker.provider.BrokeredIdentityContext context, org.keycloak.representations.AccessTokenResponse response)
String  refreshTokenForLogout(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession)  Returns the access token response as a string from a refresh token invocation on the remote OIDC broker.
protected boolean  supportsExternalExchange()
protected org.keycloak.broker.provider.BrokeredIdentityContext  validateJwt(org.keycloak.events.EventBuilder event, String subjectToken, String subjectTokenType)
org.keycloak.representations.JsonWebToken  validateToken(String encodedToken)
protected org.keycloak.representations.JsonWebToken  validateToken(String encodedToken, boolean ignoreAudience)
protected boolean  verify(org.keycloak.jose.jws.JWSInput jws)
-
Methods inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
asJsonNode, authenticateTokenRequest, buildUserInfoRequest, doGetFederatedIdentity, exchangeExternal, exchangeExternalComplete, exchangeExternalUserInfoValidationOnly, exchangeFromToken, extractTokenFromResponse, generateToken, getAccessTokenResponseParameter, getConfig, getJsonProperty, getSignatureContext, hasExternalExchangeToken, performLogin, retrieveToken, validateExternalTokenThroughUserInfo
-
Methods inherited from class org.keycloak.broker.provider.AbstractIdentityProvider
close, exchangeErrorResponse, exchangeNotLinked, exchangeNotLinkedNoStore, exchangeNotSupported, exchangeTokenExpired, exchangeUnsupportedRequiredType, export, getLinkingUrl, getMarshaller, importNewUser, updateBrokeredUser
-
Field Detail
-
logger
protected static final org.jboss.logging.Logger logger
-
SCOPE_OPENID
public static final String SCOPE_OPENID
- See Also:
- Constant Field Values
-
FEDERATED_ID_TOKEN
public static final String FEDERATED_ID_TOKEN
- See Also:
- Constant Field Values
-
USER_INFO
public static final String USER_INFO
- See Also:
- Constant Field Values
-
FEDERATED_ACCESS_TOKEN_RESPONSE
public static final String FEDERATED_ACCESS_TOKEN_RESPONSE
- See Also:
- Constant Field Values
-
VALIDATED_ID_TOKEN
public static final String VALIDATED_ID_TOKEN
- See Also:
- Constant Field Values
-
ACCESS_TOKEN_EXPIRATION
public static final String ACCESS_TOKEN_EXPIRATION
- See Also:
- Constant Field Values
-
EXCHANGE_PROVIDER
public static final String EXCHANGE_PROVIDER
- See Also:
- Constant Field Values
-
-
Constructor Detail
-
OIDCIdentityProvider
public OIDCIdentityProvider(org.keycloak.models.KeycloakSession session, OIDCIdentityProviderConfig config)
-
-
Method Detail
-
callback
public Object callback(org.keycloak.models.RealmModel realm, org.keycloak.broker.provider.IdentityProvider.AuthenticationCallback callback, org.keycloak.events.EventBuilder event)
- Specified by:
  - callback in interface org.keycloak.broker.provider.IdentityProvider<OIDCIdentityProviderConfig>
- Overrides:
  - callback in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
refreshTokenForLogout
public String refreshTokenForLogout(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession)
Returns the access token response, as a string, from a refresh token invocation on the remote OIDC broker.
- Parameters:
  - session
  - userSession
- Returns:
-
backchannelLogout
public void backchannelLogout(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, org.keycloak.models.RealmModel realm)
- Specified by:
  - backchannelLogout in interface org.keycloak.broker.provider.IdentityProvider<OIDCIdentityProviderConfig>
- Overrides:
  - backchannelLogout in class org.keycloak.broker.provider.AbstractIdentityProvider<OIDCIdentityProviderConfig>
-
backchannelLogout
protected void backchannelLogout(org.keycloak.models.UserSessionModel userSession, String idToken)
-
keycloakInitiatedBrowserLogout
public javax.ws.rs.core.Response keycloakInitiatedBrowserLogout(org.keycloak.models.KeycloakSession session, org.keycloak.models.UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, org.keycloak.models.RealmModel realm)
- Specified by:
  - keycloakInitiatedBrowserLogout in interface org.keycloak.broker.provider.IdentityProvider<OIDCIdentityProviderConfig>
- Overrides:
  - keycloakInitiatedBrowserLogout in class org.keycloak.broker.provider.AbstractIdentityProvider<OIDCIdentityProviderConfig>
-
exchangeStoredToken
protected javax.ws.rs.core.Response exchangeStoredToken(javax.ws.rs.core.UriInfo uriInfo, org.keycloak.events.EventBuilder event, org.keycloak.models.ClientModel authorizedClient, org.keycloak.models.UserSessionModel tokenUserSession, org.keycloak.models.UserModel tokenSubject)
- Overrides:
  - exchangeStoredToken in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
processAccessTokenResponse
protected void processAccessTokenResponse(org.keycloak.broker.provider.BrokeredIdentityContext context, org.keycloak.representations.AccessTokenResponse response)
-
getRefreshTokenRequest
protected org.keycloak.broker.provider.util.SimpleHttp getRefreshTokenRequest(org.keycloak.models.KeycloakSession session, String refreshToken, String clientId, String clientSecret)
-
exchangeSessionToken
protected javax.ws.rs.core.Response exchangeSessionToken(javax.ws.rs.core.UriInfo uriInfo, org.keycloak.events.EventBuilder event, org.keycloak.models.ClientModel authorizedClient, org.keycloak.models.UserSessionModel tokenUserSession, org.keycloak.models.UserModel tokenSubject)
- Overrides:
  - exchangeSessionToken in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
getFederatedIdentity
public org.keycloak.broker.provider.BrokeredIdentityContext getFederatedIdentity(String response)
- Overrides:
  - getFederatedIdentity in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
isAuthTimeExpired
protected boolean isAuthTimeExpired(org.keycloak.representations.JsonWebToken idToken, org.keycloak.sessions.AuthenticationSessionModel authSession)
-
extractIdentity
protected org.keycloak.broker.provider.BrokeredIdentityContext extractIdentity(org.keycloak.representations.AccessTokenResponse tokenResponse, String accessToken, org.keycloak.representations.JsonWebToken idToken) throws IOException
- Throws:
  - IOException
-
getusernameClaimNameForIdToken
protected String getusernameClaimNameForIdToken()
-
getUserInfoUrl
protected String getUserInfoUrl()
-
verify
protected boolean verify(org.keycloak.jose.jws.JWSInput jws)
-
validateToken
public org.keycloak.representations.JsonWebToken validateToken(String encodedToken)
-
validateToken
protected org.keycloak.representations.JsonWebToken validateToken(String encodedToken, boolean ignoreAudience)
-
authenticationFinished
public void authenticationFinished(org.keycloak.sessions.AuthenticationSessionModel authSession, org.keycloak.broker.provider.BrokeredIdentityContext context)
- Specified by:
  - authenticationFinished in interface org.keycloak.broker.provider.IdentityProvider<OIDCIdentityProviderConfig>
- Overrides:
  - authenticationFinished in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
getDefaultScopes
protected String getDefaultScopes()
- Specified by:
  - getDefaultScopes in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
isIssuer
public boolean isIssuer(String issuer, javax.ws.rs.core.MultivaluedMap<String,String> params)
- Specified by:
  - isIssuer in interface org.keycloak.broker.provider.ExchangeExternalToken
- Overrides:
  - isIssuer in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
supportsExternalExchange
protected boolean supportsExternalExchange()
- Overrides:
  - supportsExternalExchange in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
getProfileEndpointForValidation
protected String getProfileEndpointForValidation(org.keycloak.events.EventBuilder event)
- Overrides:
  - getProfileEndpointForValidation in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
extractIdentityFromProfile
protected org.keycloak.broker.provider.BrokeredIdentityContext extractIdentityFromProfile(org.keycloak.events.EventBuilder event, com.fasterxml.jackson.databind.JsonNode userInfo)
- Overrides:
  - extractIdentityFromProfile in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
getUsernameFromUserInfo
protected String getUsernameFromUserInfo(com.fasterxml.jackson.databind.JsonNode userInfo)
-
validateJwt
protected final org.keycloak.broker.provider.BrokeredIdentityContext validateJwt(org.keycloak.events.EventBuilder event, String subjectToken, String subjectTokenType)
-
exchangeExternalImpl
protected org.keycloak.broker.provider.BrokeredIdentityContext exchangeExternalImpl(org.keycloak.events.EventBuilder event, javax.ws.rs.core.MultivaluedMap<String,String> params)
- Overrides:
  - exchangeExternalImpl in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
createAuthorizationUrl
protected javax.ws.rs.core.UriBuilder createAuthorizationUrl(org.keycloak.broker.provider.AuthenticationRequest request)
- Overrides:
  - createAuthorizationUrl in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
preprocessFederatedIdentity
public void preprocessFederatedIdentity(org.keycloak.models.KeycloakSession session, org.keycloak.models.RealmModel realm, org.keycloak.broker.provider.BrokeredIdentityContext context)
- Specified by:
  - preprocessFederatedIdentity in interface org.keycloak.broker.provider.IdentityProvider<OIDCIdentityProviderConfig>
- Overrides:
  - preprocessFederatedIdentity in class org.keycloak.broker.provider.AbstractIdentityProvider<OIDCIdentityProviderConfig>
-
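The protected hooks listed above (getDefaultScopes, extractIdentityFromProfile, preprocessFederatedIdentity) are the points a deployment overrides to tighten what an upstream OIDC provider is trusted for. The class below is an added example written for this page; it is not Keycloak's code and does not appear in the Keycloak sources. It assumes: the config key allowedEmailDomain, which is hypothetical and would be set per identity provider; that BrokeredIdentityContext exposes getEmail() and that the provider's config object exposes its Map<String,String> via getConfig().getConfig() (neither is documented on this page); and that the subclass is registered through an IdentityProviderFactory plus a META-INF/services entry, which is not shown. The standard OIDC claims email and email_verified are used as defined in OpenID Connect Core.

```java
package com.example.keycloak.broker; // hypothetical package, not part of Keycloak

import com.fasterxml.jackson.databind.JsonNode;
import java.util.Locale;
import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;

/**
 * Added example, not Keycloak's own code. Overrides three hooks of
 * OIDCIdentityProvider so that an upstream account is only linked to a local
 * user when the upstream provider vouches for the email address and the
 * address belongs to an allow-listed domain. Linking on an unverified email
 * lets whoever controls the upstream account claim the local user that owns
 * the same address.
 */
public class StrictOIDCIdentityProvider extends OIDCIdentityProvider {

    // Hypothetical config key for this example; read from the identity
    // provider's config map, not a Keycloak-defined setting.
    private static final String ALLOWED_EMAIL_DOMAIN = "allowedEmailDomain";

    public StrictOIDCIdentityProvider(KeycloakSession session, OIDCIdentityProviderConfig config) {
        super(session, config);
    }

    /** Request the email scope next to openid so email and email_verified are issued. */
    @Override
    protected String getDefaultScopes() {
        return SCOPE_OPENID + " email";
    }

    /**
     * Userinfo path. The userinfo document is where email and email_verified
     * arrive together, so the pairing is enforced here, before the email is
     * copied into the BrokeredIdentityContext and becomes a linking key.
     * Note that the event argument may be null on this path.
     */
    @Override
    protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder event, JsonNode userInfo) {
        if (userInfo.hasNonNull("email")) {
            // Jackson yields false for a missing, null or non-boolean claim,
            // so anything other than an explicit true is treated as unverified.
            boolean verified = userInfo.path("email_verified").asBoolean(false);
            if (!verified) {
                throw new IdentityBrokerException("Upstream provider has not verified the email address");
            }
        }
        return super.extractIdentityFromProfile(event, userInfo);
    }

    /**
     * Runs on every brokered login, whether the identity came from the ID
     * token or from userinfo: require an email and pin its domain.
     */
    @Override
    public void preprocessFederatedIdentity(KeycloakSession session, RealmModel realm, BrokeredIdentityContext context) {
        super.preprocessFederatedIdentity(session, realm, context);

        String email = context.getEmail(); // assumed accessor on BrokeredIdentityContext
        if (email == null || email.indexOf('@') < 1) {
            throw new IdentityBrokerException("Upstream identity carries no usable email claim");
        }

        // Fail closed: an unset allow-list must not silently mean "any domain".
        String allowed = getConfig().getConfig().get(ALLOWED_EMAIL_DOMAIN);
        if (allowed == null || allowed.trim().isEmpty()) {
            throw new IdentityBrokerException("Identity provider is missing the " + ALLOWED_EMAIL_DOMAIN + " setting");
        }

        String domain = email.substring(email.lastIndexOf('@') + 1).toLowerCase(Locale.ROOT);
        if (!domain.equals(allowed.trim().toLowerCase(Locale.ROOT))) {
            throw new IdentityBrokerException("Email domain " + domain + " is not allowed for this identity provider");
        }
    }
}
```

If the provider is configured with the userinfo service disabled, the email arrives via the ID token instead and never passes through extractIdentityFromProfile; in that case the same email_verified check belongs in an override of extractIdentity(tokenResponse, accessToken, idToken), reading the claim from the validated JsonWebToken. The domain check in preprocessFederatedIdentity covers both paths because it runs after the identity has been assembled either way.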