All Classes and Interfaces
Class
Description
Abstract class that handles the logic for importing and updating brokered users for all mappers that map a SAML attribute into a Keycloak group.
Abstract class that handles the logic for importing and updating brokered users for all mappers that map a SAML attribute into a Keycloak role.
Abstract class that handles the logic for importing and updating brokered users for all mappers that map an OIDC claim into a Keycloak role.
Abstract helper class that Authenticator implementations can leverage
Abstract class for Social Provider mappers which allow mapping of a JSON user profile field into a Keycloak user attribute.
Set the 'sub' claim to a pairwise subject identifier.
Base PartialImport for most resource types.
Abstract saml request context for any SAML request received.
Helper class for securing local services.
Base token exchange implementation.
Abstract base for Freemarker context bean providing information about user profile to render dynamic or crafted forms.
Base class for mapping of user role mappings to an ID and Access Token claim.
Abstract class that is meant to be extended by implementations of VaultProvider that want to have support for key resolvers.
Abstract class that is meant to be extended by implementations of VaultProviderFactory that want to offer support for the configuration of key resolvers.
Enum containing the available VaultKeyResolvers.
Some context info about the token
Created by st on 29/03/17.
CRUD data in the authentication session, which are related to step-up authentication
Handler of the action token.
Created by st on 21/03/17.
Useful as a function pointer, i.e.
Useful as a function pointer, i.e.
A sub-resource instance for paths relative to a realm's RESTful Admin API that could not be resolved by the server.
AdminRealmResourceProvider creates JAX-RS
A factory that creates AdminRealmResourceProvider instances.
A Spi to plug additional sub-resources into the realms' RESTful Admin API.
Root resource for admin console and admin REST API
Authenticator will always successfully authenticate.
Populates token with requested scope.
Protocol mapper to add allowed web origins to the access token to the 'allowed-origins' claim
The provider extracts the X.509 client certificate forwarded to Keycloak when it is configured behind the Apache reverse proxy.
When using AsyncResponse.resume(Object) directly in the code, the response is returned before all changes done within this execution are committed.
Base resource class for the admin REST api of one realm
Pass-through authenticator that just sets the context to attempted.
Validator to check that User Profile attribute value is not blank (nor null) if the attribute is required based on
AttributeMetadata predicate.
Protocol mapper, which adds all client_ids of "allowed" clients to the audience field of the token.
Provides the interface for requesting authentication (AuthN) and authorization (AuthZ) by an authentication device (AD) from an external entity via an Authentication Channel.
Stateless object that manages authentication
OAuth 2.0 Authorization Code Grant
https://datatracker.ietf.org/doc/html/rfc6749#section-4.1
Factory for OAuth 2.0 Authorization Code Grant
Common base class for Authorization REST endpoints implementation, which have to be implemented by each protocol.
Implements some checks typical for OIDC Authorization Endpoint.
Parse the parameters from PAR
Parse the parameters from request queryString
Parse the parameters from OIDC "request" object
Validator to check that User Profile attribute value is not blank (null value is OK!).
Validator to check that User Profile username is provided during Brokering/Federation.
TODO: Remove this class once support for "client initiated account linking" is removed (Probably Keycloak 27)
The point of this is to improve the experience of browser history (back/forward/refresh buttons), but ensure there are no more redirects than necessary.
Configure Certificate validation
Represents a chunk from the Vite build manifest (see ViteManifest).
Represents an authentication request sent by a consumption device (CD).
OpenID Connect Client-Initiated Backchannel Authentication Flow
https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.10.1
Factory for OpenID Connect Client-Initiated Backchannel Authentication Flow
Provides the resolver that converts several types of received login hint to the corresponding UserModel.
Holding metadata on a claim of verifiable credential.
OAuth 2.0 Client Credentials Grant
https://datatracker.ietf.org/doc/html/rfc6749#section-4.4
Factory for OAuth 2.0 Client Credentials Grant
Represents the context in the request to register/read/update/unregister client by Dynamic Client Registration or Admin REST API.
Provider plugin interface for importing clients from an arbitrary configuration format
Provider plugin interface for importing clients from an arbitrary configuration format
Validates client based on "client_id" and "client_secret" sent either in request parameters or in the "Authorization: Basic" header.
Utilities for treating client policies/profiles
Base resource class for managing one particular client of a realm.
Partial Import handler for Client Roles.
Base resource class for managing one particular client of a realm.
Base resource class for managing a realm's client scopes.
PartialImport handler for Clients.
Base resource class for managing a realm's clients.
Conditional authenticator to check if specified client-scope is present in the authentication request
An OTPFormAuthenticator that can conditionally require OTP authentication.
Conditional authenticator to know if a sub-flow was executed successfully in the authentication flow.
Conditional factory to know if a sub-flow was executed successfully in the authentication flow.
Created by st on 21/03/17.
Incomplete representations of format-specific credentials.
Define credential-specific configurations for its builder.
Exception to be thrown if credential building fails
Provider Factory to create CredentialBuilder's
Spi implementation of the creation of CredentialBuilder
Pojo to represent a CredentialDefinition for internal handling
Represents a credentials issuer according to the OID4VCI Credentials Issuer Metadata
Holds all information required to build a uri to a credentials offer.
Represents a CredentialRequest according to OID4VCI
Represents a CredentialResponse according to the OID4VCI Spec
Interface to be used for signing verifiable credentials.
Exception to be thrown if credential signing fails
Spi implementation of the creation of CredentialSigner
Represents a CredentialsOffer according to the OID4VCI Spec
Pojo to represent a CredentialSubject for internal handling
Util class for localized date and time representation
UserProfileProvider loading configuration from the changeable JSON file stored in component config.
Part of action token that is intended to be used e.g.
A single thread will log failures.
The provider retrieves a client certificate and the certificate chain
(if any) from the incoming TLS connection.
The factory and the corresponding providers extract a client certificate
and the certificate chain (if any) from the incoming TLS connection.
Not thread safe.
The default HttpClientFactory for HttpClientProvider's used by Keycloak for outbound HTTP calls.
Various common utils needed for migration from older version to newer
ArtifactResolver for artifact-04 format.
The default implementation for the security profile.
Default VaultCharSecret implementation based on CharBuffer.
Default raw secret implementation for byte[].
Default VaultCharSecret implementation based on String.
Default VaultTranscriber implementation that uses the configured VaultProvider to obtain raw secrets and convert them into other types.
Explicitly deny access to the resources.
Cookie encapsulating data to be displayed on the info/error page.
OAuth 2.0 Device Authorization Grant
https://datatracker.ietf.org/doc/html/rfc8628#section-3.4
Factory for OAuth 2.0 Device Authorization Grant
Represents a DisplayObject, as used in the OID4VCI Credentials Issuer Metadata
Representation of the docker-compose.yaml file
Implements a docker-client understandable format.
The “kid” field has to be in a libtrust fingerprint compatible format.
Validator to check User Profile email duplication conditions based on realm settings like isDuplicateEmailsAllowed.
Validator to check, when the User Profile username is changed, whether the new username already exists in the database for another user, and fail in that case.
Implementation of an LD-Crypto Suite for Ed25519Signature2018
Validator to check User Profile email duplication conditions if isDuplicateEmailsAllowed is false but
isRegistrationEmailAsUsername is true.
Represents an error response, containing the error type as defined by OID4VCI
Enum to handle potential errors in issuing credentials with the error types defined in OID4VCI
AttributeChangeListener to audit user profile attribute changes into Event.
Token verification exception that bears an error to be logged via event system and a message to show to the user e.g.
Provider for external-internal token exchange
TODO Should not extend from V1TokenExchangeProvider, but rather AbstractTokenExchangeProvider or from StandardTokenExchangeProvider (as issuing internal tokens might be done in a same/similar way like for standard V2 provider)
Provider factory for external-internal token exchange
User attribute mapper.
A text-based vault provider, which stores each secret in a separate file.
Creates and configures FilesPlainTextVaultProvider.
Enum of supported credential formats
Set the 'name' claim to be first + last name.
Check that switch "fullScopeAllowed" is not enabled for the clients
Check that switch "fullScopeAllowed" is not enabled for the clients
User attribute mapper.
User attribute mapper.
Maps user group membership
Partial import handler for Groups.
The provider extracts the X.509 client certificate forwarded to the Keycloak middleware when it is configured behind the HAProxy reverse proxy.
Maps a UserModel property (the property name of a getter method) to an AttributeStatement.
Add a role to a token
Maps a UserModel property (the property name of a getter method) to an AttributeStatement.
Abstraction for creating HttpClients.
PartialImport handler for Identity Provider Mappers.
PartialImport handler for Identity Providers.
Same like classic username+password form, but for use in IdP linking.
Representation of a token that represents a time-limited verify e-mail action.
Action token handler for verification of e-mail address.
A validator that fails when the attribute is marked as read only and its value has changed.
User attribute mapper.
Representation of a token that represents a time-limited verify e-mail action.
Action token handler for handling invitation of an existing user to an organization.
Client authentication based on JWT signed by the client's private key.
Client authentication based on JWT signed by the client secret instead of a private key.
Common validation for JWT client authentication with private_key_jwt or with client_secret
CredentialSigner implementing the JWT_VC format.
JWT Proof for Credential Request in OID4VCI (Section 8.2.1.1).
Validates the conformance and authenticity of presented JWT proofs.
JWT VC Issuer metadata for endpoint /.well-known/jwt-vc-issuer
WellKnownProvider implementation for JWT VC Issuer metadata at endpoint /.well-known/jwt-vc-issuer
WellKnownProviderFactory implementation for JWT VC Issuer metadata at endpoint /.well-known/jwt-vc-issuer
Override explicitly added ExceptionMapper for handling UnrecognizedPropertyException in RestEasy Jackson org.jboss.resteasy.plugins.providers.jackson.UnrecognizedPropertyExceptionHandler
A CompatibilityMetadataProvider implementation to provide the Keycloak version.
Override explicitly added ExceptionMapper for handling MismatchedInputException in RestEasy Jackson
Class of constants relating to the OpenAPI annotations in Keycloak and the Keycloak Admin REST API
Allows sanitizing of html that uses Freemarker ?no_esc.
Based on the EbayPolicyExample in owasp java-html-sanitizer.
Builds verifiable credentials for the LDP_VC format.
CredentialSigner implementing the JWT_VC format.
Pojo to represent a linked-data proof
LDP-VP Proof for Credential Request in OID4VCI (Section 8.2.1.1).
Enum containing the w3c-registered Signature Suites
API for linking/unlinking social login accounts
Interface for all implementations of LD-Signature Suites
Specific OIDC LinkedIn provider for the Sign In with LinkedIn using OpenID Connect product app.
Specific OIDC LinkedIn provider for the Sign In with LinkedIn using OpenID Connect product app.
Specific public key loader that assumes the keys' "use" is the requested one.
User attribute mapper.
Method used to format the link expiration time period in emails.
Prepare information for the load balancer (possibly in a multi-site setup) whether this Keycloak cluster should receive traffic.
This check verifies that user ID (subject) from the token matches
the one from the authentication session.
Verifies that if authentication session exists and any action is required according to it, then it is
the expected one.
Verifies whether the given redirect URL, when set, is valid for the given client.
Utilities for OIDC logout
Bean used to hold form messages per field.
Identity provider for Microsoft account.
User attribute mapper.
The NGINX provider extracts the end-user X.509 certificate sent during TLS mutual authentication and forwarded by NGINX in an HTTP header.
The factory and the corresponding providers extract a client certificate from a NGINX reverse proxy (TLS termination).
The NGINX Trusted provider extracts the end-user X.509 certificate sent during TLS mutual authentication, which NGINX has verified against the configured CA and forwarded in an HTTP header together with an additional header ssl-client-verify: SUCCESS.
Simple mapper that adds the nonce claim into the access token as before.
NonceResponse as defined in
https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-nonce-response
Data associated with the oauth2 code.
Base class for OAuth 2.0 grant types
OAuth2WellKnownProviderFactory implementation for the OAuth2 auto discovery
Any class with package org.jboss.resteasy.skeleton.key will use NON_DEFAULT inclusion
Type of credential offer uri to be returned.
Implementation of the TimeProvider that delegates calls to the common Time class.
Pojo, containing all information required to create a VCClient.
Provides the client-registration functionality for OID4VC-clients.
Implementation of the ClientRegistrationProviderFactory to integrate the OID4VC protocols with Keycloak's client-registration.
Allows adding the context to the credential subject
Interface for all OID4VC related provider factories, to ensure usage of the same feature flag.
Adds a generated ID to the credential (as a configurable property).
Map issuance date to the credential, under the default claim name "iat"
Provides the (REST-)endpoints required for the OID4VCI protocol.
WellKnownProvider implementation to provide the .well-known/openid-credential-issuer endpoint, offering
the Credential Issuer Metadata as defined by the OID4VCI protocol
WellKnownProviderFactory implementation for the OID4VCI metadata
Factory for creating all OID4VC related endpoints and the default mappers.
Base class for OID4VC Mappers, to provide common configuration and functionality for all of them
Allows adding statically configured claims to the credential subject
Sets an ID for the credential, either randomly generated or statically configured
Adds the user's roles to the credential subject
Allows adding types to the credential subject
Allows adding user attributes to the credential subject
Resource class for the oauth/openid connect token service
Identity provider for Openshift V4.
OpenShift 4 Identity Provider configuration class.
OpenShift 4 Identity Provider factory class.
An enum with utility methods to process the OIDCLoginProtocolFactory.ORGANIZATION scope.
Pushed Authorization Request endpoint
Parse the parameters from a request object sent to PAR Endpoint
Main interface for PartialImport handlers.
This class manages the PartialImport handlers.
Deprecated, for removal: This API element is subject to removal in a future version.
Deprecated, for removal: This API element is subject to removal in a future version.
Factory is deprecated as passkeys are now integrated with the
default username authenticators.
User attribute mapper.
User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization
https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html#uma-grant-type
Factory for User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization
This validator disallows a set of characters we really do not expect in names of persons (first, middle, last names).
Represents a pre-authorized grant, as used by the Credential Offer in OID4VCI
Factory for Pre-Authorized Code Grant
Container for the pre-authorized code to be used in a Credential Offer
Interface for proof types in OID4VCI Credential Request (Section 8.2.1.1).
Enum to provide potential proof types for holder-binding
See: https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-jwt-proof-type
See: https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-ldp_vp-proof-type
See: https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types
Spi implementation of the creation of ProofValidator
Base resource for managing users
ProxyMappings describes an ordered mapping for hostname regex patterns to a HttpHost proxy.
ProxyMappings.ProxyMapping describes a Proxy Mapping with a Hostname Pattern that is mapped to a proxy HttpHost.
A DefaultRoutePlanner that determines the proxy to use for a given target hostname by consulting the given ProxyMappings.
Resource class for public realm information
Validator to check that User Profile attribute value is not changed if attribute is read-only.
Base resource class for the admin REST api of one realm
Per request object
Deprecated.
Deprecated.
PartialImport handler for Realm Roles.
Top level resource for Admin REST API
OAuth 2.0 Refresh Token Grant
https://datatracker.ietf.org/doc/html/rfc6749#section-6
Factory for OAuth 2.0 Refresh Token Grant
Validator to check User Profile email attribute value during Registration when "RegistrationEmailAsUsername()" is
enabled.
Validator to check User Profile username attribute value during Registration when "RegistrationEmailAsUsername()" is
enabled.
Validator to check User Profile username attribute uniqueness during registration (when
"RegistrationEmailAsUsername()" is NOT enabled).
Representation of a token that represents a time-limited reset credentials action.
OAuth 2.0 Resource Owner Password Credentials Grant
https://datatracker.ietf.org/doc/html/rfc6749#section-4.3
Factory for OAuth 2.0 Resource Owner Password Credentials Grant
This is an encoded token that is stored as a cookie so that if there is a client timeout, then the authentication session can be restarted.
Pojo representation of a role to be added by the OID4VCTargetRoleMapper
Sometimes it's easier to just interact with roles by their ID instead of container/role-name
Base resource for managing users
Map an assigned role to a different position and name in the token
Map an assigned role to a different position and name in the token
Helper class to ensure that all the user's permitted roles (including composite roles) are loaded just once per request.
This class handles both realm roles and client roles.
Introspects token according to the UMA Bearer Token Profile.
PublicKeyLoader to retrieve keys from a SAML metadata entity endpoint.
SAML mapper to add an audience restriction into the assertion, to another client (clientId) or to a custom URI.
SAML audience resolve mapper.
Provider interface for SAML authentication preprocessing.
Context for the saml authn request.
Executor factory for SAML client that ensures REDIRECT is not used for responses
and forces POST binding configuration option in the client creation/update.
Configuration of a SAML-enabled client.
This implementation locates the decryption keys within realm keys.
This enum provides mapping between Keycloak provided encryption algorithms and algorithms from xmlsec.
Context for the saml logout request.
KeyLocator that caches the keys into a PublicKeyStorageProvider.
PublicKeyLoader to retrieve keys from a SAML metadata entity endpoint.
Executor factory that enforces that all URLs configured in a SAML client
are secure (https).
Resource class for the saml connect token service
Policy executor that enforces client and server (full document or
assertion) signature is ON.
Base class for managing the scope mappings of a specific client.
An Authenticator that can execute a configured script during authentication flow.
This class provides a mapper that uses javascript to attach a value to an attribute for SAML tokens.
OIDC ProtocolMapper that uses a provided JavaScript fragment to compute the token claim value.
CredentialSigner implementing the SD_JWT_VC format.
A specific Attributes implementation to handle service accounts.
Main logger for the Keycloak Services module.
Warning this class consists of generated code.
Deprecated.
- DELETE once only used from within legacy datastore module
SMTP utility methods.
Using this class is ugly, but it is the only way to push our truststore to the default LDAP client implementation.
Stack Overflow social provider.
User attribute mapper.
Provider for internal-internal token exchange, which is compliant with the token exchange specification https://datatracker.ietf.org/doc/html/rfc8693
Provider factory for internal-internal token exchange, which is compliant with the token exchange specification https://datatracker.ietf.org/doc/html/rfc8693
A supported credential, as used in the Credentials Issuer Metadata in OID4VCI
Theme resource
Interface to provide the current time
Provides ability to encode some context into access token ID, so this information can be later retrieved from the token without the need to use some proprietary/non-standard claims.
OAuth 2.0 Token Exchange Grant
https://datatracker.ietf.org/doc/html/rfc8693#section-2.1
Factory for OAuth 2.0 Token Exchange Grant
A token introspection endpoint based on RFC-7662.
Stateless object that creates tokens and manages oauth access codes
Check if access token was revoked with OAuth revocation endpoint
Used for UpdateTotp required action
Used for TOTP login
Builds a system-wide truststore from the given config options.
Represents a transaction code as used in the pre-authorized grant in the Credential Offer in OID4VCI
Delegates to client-type and underlying delegate
Utility methods to work with User Profile Configurations
Abstraction, which allows displaying the updateProfile page in various contexts (required action of an already existing user, or first identity provider login when the user doesn't yet exist in the Keycloak DB)
Maps a UserModel attribute to an ID Token claim.
Maps a UserModel attribute (not the property name of a getter method) to an AttributeStatement.
Allows mapping of user client role mappings to an ID and Access Token claim.
Validator to check that User Profile username is provided.
Validator to check that User Profile username is provided.
Validator to check User Profile username change and prevent it if not allowed in realm.
This validator disallows a set of characters we really do not expect in a username.
Maps a UserModel property (the property name of a getter method) to an AttributeStatement.
Maps a UserModel property (the property name of a getter method) to an ID Token claim.
Allows mapping of user realm role mappings to an ID and Access Token claim.
Base resource for managing users
Deprecated, for removal: This API element is subject to removal in a future version.
To be removed without replacement.
Maps a UserSessionModel note to an ID Token claim.
Maps a user session note to a SAML attribute
PartialImport handler for users.
Base resource for managing users
V1 token exchange provider.
V1 token exchange provider factory.
This exception is thrown when the factory fails to init due to a configuration error.
Thrown when a vault directory doesn't exist.
Holds the verifiable credential to sign and additional context information.
Exception to be thrown in case credentials issuance fails.
Pojo to represent a VerifiableCredential for internal handling
Representation of a token that represents a time-limited verify e-mail action.
Action token handler for verification of e-mail address.
This class is used to parse the Vite manifest file which is generated by the build, this file contains
a mapping of non-hashed asset filenames to their hashed versions, which can then be used to render the
correct asset links for scripts, styles, etc.
Authenticator for WebAuthn authentication, which will be typically used when WebAuthn is used as second factor.
Credential provider for WebAuthn 2-factor credential of the user
Authenticator for WebAuthn authentication with passwordless credential.
Credential provider for WebAuthn passwordless credential of the user
Required action for registering a WebAuthn passwordless credential for the user.
Required action for registering a WebAuthn 2-factor credential for the user
Created by st on 22.09.15.
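The entry above for the client authenticator that validates "client_id" and "client_secret" from either request parameters or the "Authorization: Basic" header describes two credential sources but not the details that matter in practice. The following is an added example, written for this page and not Keycloak's own code: it parses both sources the way RFC 6749 section 2.3.1 requires (each of client_id and client_secret is form-urlencoded before the Basic header is built), refuses a request that uses both mechanisms at once, and compares secrets in constant time. The client store `CLIENTS` and the sample secret are constructed for the demonstration.

```python
import base64
import hmac
import urllib.parse

# Constructed stand-in for the realm's client store: client_id -> client_secret.
CLIENTS = {"my-app": "s3cr3t:with/special&chars"}


def credentials_from_basic(header):
    """Parse an 'Authorization: Basic' header as RFC 6749 section 2.3.1 specifies:
    client_id and client_secret are each form-urlencoded, joined with ':' and
    base64-encoded. Returns (client_id, client_secret) or None."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    enc_id, sep, enc_secret = decoded.partition(":")
    if not sep:
        return None
    # Undo the form-urlencoding; a server that skips this step rejects valid
    # secrets containing ':', '/', '&', '+' or spaces.
    return urllib.parse.unquote_plus(enc_id), urllib.parse.unquote_plus(enc_secret)


def credentials_from_form(params):
    """Credentials sent as request body parameters (client_secret_post)."""
    if params.get("client_id") and params.get("client_secret") is not None:
        return params["client_id"], params["client_secret"]
    return None


def authenticate_client(headers, params):
    """Return the authenticated client_id, or None.

    Rejects requests that present credentials through both mechanisms at once
    (RFC 6749 section 2.3: clients MUST NOT use more than one authentication
    method per request) and compares the secret in constant time."""
    from_basic = credentials_from_basic(headers.get("Authorization"))
    from_form = credentials_from_form(params)
    if from_basic and from_form:
        return None
    creds = from_basic or from_form
    if creds is None:
        return None
    client_id, presented = creds
    # Unknown client: still run a comparison against a dummy value so the timing
    # does not reveal whether the client_id exists, then fail.
    expected = CLIENTS.get(client_id, "\x00" * 32)
    matches = hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))
    if client_id not in CLIENTS or not matches:
        return None
    return client_id


def basic_header(client_id, client_secret):
    """Build the header the way a conforming client does."""
    raw = urllib.parse.quote_plus(client_id) + ":" + urllib.parse.quote_plus(client_secret)
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")
```

`hmac.compare_digest` is constant-time only for inputs of equal length, so the length of a wrong guess still leaks; that is acceptable for a secret of fixed, known length but is worth knowing.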
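The entries above for JWT client authentication signed by the client secret and for the common validation shared with private_key_jwt list the two flavours but not the checks. The following added example (written for this page, not Keycloak's implementation) builds a client_secret_jwt assertion and verifies it server-side: algorithm pinned by the server rather than taken from the token, iss and sub equal to a known client_id, HMAC checked in constant time, aud restricted to the token endpoint, a bounded lifetime, and jti replay detection. The client store, token endpoint URL and timestamps are constructed; the reason strings are this example's own.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_assertion(client_id, client_secret, token_endpoint, jti, now):
    """What a client_secret_jwt client sends as client_assertion: HS256 over its secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": jti, "iat": now, "exp": now + 60}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class ClientAssertionVerifier:
    """Server-side checks common to private_key_jwt and client_secret_jwt, with the
    key lookup specialised to a per-client shared secret."""

    def __init__(self, client_secrets, token_endpoint, max_lifetime=300):
        self.client_secrets = client_secrets      # constructed client store
        self.token_endpoint = token_endpoint
        self.max_lifetime = max_lifetime          # refuse assertions that live too long
        self.seen_jti = {}                        # jti -> exp, for replay detection

    def verify(self, assertion, now):
        """Return (client_id, "ok") or (None, reason)."""
        try:
            h, c, s = assertion.split(".")
            header = json.loads(_b64url_decode(h))
            claims = json.loads(_b64url_decode(c))
            signature = _b64url_decode(s)
        except (ValueError, UnicodeDecodeError):
            return None, "malformed"
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return None, "malformed"
        # The server decides the algorithm; 'none' and alg confusion are refused outright.
        if header.get("alg") != "HS256":
            return None, "alg"
        client_id = claims.get("iss")
        secret = self.client_secrets.get(client_id)
        if secret is None or claims.get("sub") != client_id:
            return None, "iss/sub"
        expected = hmac.new(secret.encode(), f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None, "signature"
        aud = claims.get("aud")
        if self.token_endpoint not in (aud if isinstance(aud, list) else [aud]):
            return None, "aud"
        exp = claims.get("exp")
        if not isinstance(exp, int) or exp <= now:
            return None, "expired"
        if exp - now > self.max_lifetime:
            return None, "lifetime"
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            return None, "replay"
        # Forget jtis whose assertions have expired: they can no longer be replayed.
        self.seen_jti = {j: e for j, e in self.seen_jti.items() if e > now}
        self.seen_jti[jti] = exp
        return client_id, "ok"
```

The signature is checked before any claim other than iss/sub is trusted; iss is read first only because it selects the key. In a clustered deployment the jti cache has to be shared (or the token endpoint pinned) for the replay check to hold.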
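The NGINX entries above (the plain provider that takes the forwarded certificate and the "Trusted" variant that additionally expects ssl-client-verify: SUCCESS) rely on HTTP headers that any direct caller could set. The following added example, written for this page rather than taken from Keycloak, shows the decoding of the percent-encoded PEM that nginx's $ssl_client_escaped_cert produces and the two checks a practitioner needs: the headers are only believed when the TCP peer is a known proxy, and in trusted mode the proxy's verification result must be SUCCESS. The proxy ranges, header names and the sample PEM body are constructed; the PEM is not a real certificate.

```python
import ipaddress
import urllib.parse

# Constructed: the reverse proxies allowed to assert client certificates on our behalf.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.1/32")]
CERT_HEADER = "ssl-client-cert"       # nginx: proxy_set_header ssl-client-cert $ssl_client_escaped_cert;
VERIFY_HEADER = "ssl-client-verify"   # nginx: proxy_set_header ssl-client-verify $ssl_client_verify;

# Constructed sample with PEM framing only; the body is not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              "MIIBsampleBodyNotARealCertificate==\n"
              "-----END CERTIFICATE-----\n")


def nginx_escape(pem):
    """Simulate $ssl_client_escaped_cert: the PEM with newlines and other reserved
    bytes percent-encoded so it survives as a single header value."""
    return urllib.parse.quote(pem, safe="")


def pem_from_header(value):
    """Undo the percent-encoding and insist on PEM framing; anything else is rejected."""
    pem = urllib.parse.unquote(value).strip()
    if not (pem.startswith("-----BEGIN CERTIFICATE-----")
            and pem.endswith("-----END CERTIFICATE-----")):
        return None
    return pem + "\n"


def forwarded_client_cert(remote_addr, headers, require_proxy_verification):
    """Return the forwarded client certificate PEM, or None.

    The headers are only believed when the TCP peer is one of TRUSTED_PROXIES:
    a client that can reach this service directly could otherwise set
    ssl-client-cert (and ssl-client-verify: SUCCESS) itself. With
    require_proxy_verification the proxy must also report that it validated
    the chain against its configured CA ($ssl_client_verify is SUCCESS,
    FAILED:<reason> or NONE)."""
    if not any(ipaddress.ip_address(remote_addr) in net for net in TRUSTED_PROXIES):
        return None
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    raw = lowered.get(CERT_HEADER)
    if not raw:
        return None
    if require_proxy_verification and lowered.get(VERIFY_HEADER) != "SUCCESS":
        return None
    return pem_from_header(raw)
```

The peer-address check is the part most often missing: the proxy must also be configured to drop any ssl-client-cert or ssl-client-verify header that arrives from the outside before setting its own, otherwise a client behind a trusted proxy can still smuggle one through.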
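The docker entry above states only that the "kid" field has to be in a libtrust fingerprint compatible format. The following added example (written for this page, not Keycloak's or libtrust's code) computes that format: SHA-256 over the DER-encoded SubjectPublicKeyInfo, truncated to 240 bits, base32-encoded without padding and written as twelve colon-separated groups of four characters, giving a 59-character identifier. It also shows the safe way to use such a kid on the verifying side, as a lookup hint into keys that are already trusted and nothing more. The sample PEM is a constructed placeholder body, not a real key.

```python
import base64
import hashlib
import re

# Exactly twelve groups of four base32 characters (RFC 4648 alphabet, upper case).
KID_PATTERN = re.compile(r"^[A-Z2-7]{4}(:[A-Z2-7]{4}){11}$")

# Constructed placeholder: PEM framing around 40 arbitrary bytes, standing in for a
# real DER SubjectPublicKeyInfo (which is what a registry would hand you).
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              "MDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWVw==\n"
              "-----END PUBLIC KEY-----\n")


def pem_to_der(pem):
    """Strip PEM armor and base64-decode the body to get the DER bytes."""
    body = "".join(line.strip() for line in pem.strip().splitlines()
                   if not line.startswith("-----"))
    return base64.b64decode(body)


def libtrust_key_id(spki_der):
    """libtrust fingerprint of a public key: SHA-256 over the DER SubjectPublicKeyInfo,
    truncated to 240 bits (30 bytes), base32 without padding, split into 12 groups of 4."""
    digest = hashlib.sha256(spki_der).digest()[:30]
    encoded = base64.b32encode(digest).decode("ascii")   # 30 bytes -> exactly 48 chars, no '='
    return ":".join(encoded[i:i + 4] for i in range(0, len(encoded), 4))


def select_trusted_key(presented_kid, trusted_spki_ders):
    """Resolve a token header 'kid' to one of the keys the verifier already trusts.

    The kid is only a hint for choosing among trusted keys; it must never cause a
    key to be fetched from a location the token itself names. An unknown or
    malformed kid yields None and the token is rejected."""
    if not presented_kid or not KID_PATTERN.match(presented_kid):
        return None
    for der in trusted_spki_ders:
        if libtrust_key_id(der) == presented_kid:
            return der
    return None


SAMPLE_SPKI_DER = pem_to_der(SAMPLE_PEM)
```

Because the fingerprint is computed from the trusted key material, recomputing it on the verifier side and comparing makes the kid self-checking: a token cannot point at a key with a kid that does not match that key's own bytes.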