Package org.keycloak.broker.spiffe
Class SpiffeIdentityProvider
java.lang.Object
org.keycloak.broker.spiffe.SpiffeIdentityProvider
All Implemented Interfaces:
ClientAssertionIdentityProvider, IdentityProvider<SpiffeIdentityProviderConfig>, Provider
public class SpiffeIdentityProvider
extends Object
implements IdentityProvider<SpiffeIdentityProviderConfig>, ClientAssertionIdentityProvider
Implementation of the OAuth SPIFFE client authentication draft: https://datatracker.ietf.org/doc/draft-schwenkschuster-oauth-spiffe-client-auth/
Main differences between SPIFFE JWT-SVIDs and regular client assertions:
- The client assertion type is jwt-spiffe.
- The iss claim is optional; the SPIFFE ID, which already includes the trust domain, is used instead.
- The jti claim is optional, and SPIFFE vendors re-use/cache tokens, so a verifier cannot rely on jti for replay detection.
- sub is a SPIFFE ID with the syntax spiffe://trust-domain/workload-identity.
- Keys are fetched from a SPIFFE bundle endpoint, where the JWKS has additional SPIFFE-specific fields (spiffe_sequence and spiffe_refresh_hint) and the JWKs do not set alg.
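The differences above change what a verifier must and must not check. The Go program below is an added example written for this page; it is not Keycloak code and not the SpiffeIdentityProvider implementation. It mints a jwt-spiffe assertion with a freshly generated P-256 key, publishes that key as a bundle (a JWKS without alg, plus spiffe_sequence and spiffe_refresh_hint), and verifies the assertion the way the list implies: sub is parsed as a SPIFFE ID and its trust domain selects the bundle, no iss or jti is required, the signature algorithm is fixed by the bundle key rather than by the token header, and exp and aud are enforced because there is no jti to detect replays with. The trust domain example.org, the kid k1, the token endpoint URL used as audience and the timestamps are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Bundle is what a trust domain's bundle endpoint serves: a JWKS (indexed by kid here,
// after fetching) plus the two SPIFFE-specific fields. The JWKs carry no "alg" member.
type Bundle struct {
	Keys        map[string]JWK
	Sequence    int64 `json:"spiffe_sequence"`
	RefreshHint int64 `json:"spiffe_refresh_hint"`
}

type JWK struct{ Kty, Crv, X, Y string }

// Claims of a jwt-spiffe assertion: sub is a SPIFFE ID; iss and jti are optional and not
// read here. (RFC 7519 also allows aud as a bare string; only the array form is accepted.)
type Claims struct {
	Sub string   `json:"sub"`
	Aud []string `json:"aud"`
	Exp int64    `json:"exp"`
}

var b64 = base64.RawURLEncoding

func encJSON(v any) string { b, _ := json.Marshal(v); return b64.EncodeToString(b) }
func decJSON(s string, v any) error {
	return json.NewDecoder(base64.NewDecoder(b64, strings.NewReader(s))).Decode(v)
}

// TrustDomainOf checks the spiffe://<trust-domain>/<path> form of a workload ID and returns
// the trust domain (empty, "." and ".." path segments rejected; character rules not enforced).
func TrustDomainOf(id string) (string, error) {
	td, path, hasPath := strings.Cut(strings.TrimPrefix(id, "spiffe://"), "/")
	if s := "/" + path + "/"; !strings.HasPrefix(id, "spiffe://") || td == "" || !hasPath ||
		strings.Contains(s, "//") || strings.Contains(s, "/./") || strings.Contains(s, "/../") {
		return "", fmt.Errorf("sub %q is not a SPIFFE ID of the form spiffe://trust-domain/path", id)
	}
	return td, nil
}

// BundleFor builds the bundle the trust domain's endpoint would serve for this key (constructed).
func BundleFor(pub *ecdsa.PublicKey, kid string) Bundle {
	coord := func(n *big.Int) string { return b64.EncodeToString(n.FillBytes(make([]byte, 32))) }
	key := JWK{Kty: "EC", Crv: "P-256", X: coord(pub.X), Y: coord(pub.Y)}
	return Bundle{Keys: map[string]JWK{kid: key}, Sequence: 1, RefreshHint: 300}
}

// SignSVID mints an ES256 JWT-SVID; it stands in for the workload's SPIFFE agent.
func SignSVID(priv *ecdsa.PrivateKey, kid string, c Claims) (string, error) {
	input := encJSON(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid}) + "." + encJSON(c)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS: raw r||s
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifySVID validates a jwt-spiffe assertion against the bundle of the trust domain named in
// sub. now is a Unix timestamp; tokenEndpoint is the audience the assertion must carry.
func VerifySVID(token string, bundles map[string]Bundle, tokenEndpoint string, now int64) (c Claims, err error) {
	var hdr struct{ Alg, Kid string }
	p := strings.Split(token, ".")
	if len(p) != 3 || decJSON(p[0], &hdr) != nil || decJSON(p[1], &c) != nil {
		return c, fmt.Errorf("not a well-formed compact JWS")
	}
	td, err := TrustDomainOf(c.Sub)
	if err != nil {
		return c, err
	}
	key, ok := bundles[td].Keys[hdr.Kid]
	if !ok {
		return c, fmt.Errorf("kid %q not in the bundle for %s", hdr.Kid, td)
	}
	// The permitted algorithm follows from the bundle key; the header only has to agree with
	// it. Letting the header choose is the "alg":"none" / key-confusion bug class.
	if key.Kty != "EC" || key.Crv != "P-256" || hdr.Alg != "ES256" {
		return c, fmt.Errorf("alg %q does not match bundle key %s/%s", hdr.Alg, key.Kty, key.Crv)
	}
	coord := func(s string) *big.Int { b, _ := b64.DecodeString(s); return new(big.Int).SetBytes(b) }
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: coord(key.X), Y: coord(key.Y)}
	sig, err := b64.DecodeString(p[2])
	if err != nil || len(sig) != 64 || !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return c, fmt.Errorf("malformed signature or bundle key")
	}
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return c, fmt.Errorf("signature does not verify")
	}
	// jti is optional and agents re-use cached SVIDs, so exp (with aud) is the only replay bound.
	if c.Exp == 0 || now >= c.Exp {
		return c, fmt.Errorf("assertion has no exp or is expired")
	}
	for _, a := range c.Aud {
		if a == tokenEndpoint {
			return c, nil
		}
	}
	return c, fmt.Errorf("aud %v does not name this token endpoint", c.Aud)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	bundles := map[string]Bundle{"example.org": BundleFor(&priv.PublicKey, "k1")}
	aud := "https://kc.example/realms/demo/protocol/openid-connect/token" // constructed token endpoint
	tok, _ := SignSVID(priv, "k1", Claims{Sub: "spiffe://example.org/ns/prod/sa/payments", Aud: []string{aud}, Exp: 1700000300})
	_, err := VerifySVID(tok, bundles, aud, 1700000000)
	fmt.Println("genuine SVID accepted:", err == nil)
	forged := encJSON(map[string]string{"alg": "none", "kid": "k1"}) + tok[strings.Index(tok, "."):]
	_, err = VerifySVID(forged, bundles, aud, 1700000000)
	fmt.Println("alg=none header:", err)
}
```

The second call in main rewrites the header to alg none and keeps the original signature; it is rejected by the key-type check before any signature code runs, which is the property you lose when a JWKS without alg is combined with a verifier that trusts the token's alg header. A real bundle document carries the keys as a JWKS array that has to be indexed by kid after fetching; spiffe_refresh_hint is the bundle's hint, in seconds, for how often to refetch it, and spiffe_sequence lets the verifier ignore an older bundle version.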
Nested Class Summary
Nested classes/interfaces inherited from interface org.keycloak.broker.provider.IdentityProvider
IdentityProvider.AuthenticationCallback
Field Summary
Fields inherited from interface org.keycloak.broker.provider.IdentityProvider
EXTERNAL_IDENTITY_PROVIDER, FEDERATED_ACCESS_TOKEN
Constructor Summary
SpiffeIdentityProvider(KeycloakSession session, SpiffeIdentityProviderConfig config)
Method Summary
Modifier and Type, Method, Description:
void authenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context)
void backchannelLogout(KeycloakSession session, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm)
Object callback(RealmModel realm, IdentityProvider.AuthenticationCallback callback, EventBuilder event)
void close()
jakarta.ws.rs.core.Response export(jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm, String format)
void importNewUser(KeycloakSession session, RealmModel realm, UserModel user, BrokeredIdentityContext context)
jakarta.ws.rs.core.Response keycloakInitiatedBrowserLogout(KeycloakSession session, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm)
jakarta.ws.rs.core.Response performLogin(AuthenticationRequest request)
void preprocessFederatedIdentity(KeycloakSession session, RealmModel realm, BrokeredIdentityContext context)
jakarta.ws.rs.core.Response retrieveToken(KeycloakSession session, FederatedIdentityModel identity)
void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user, BrokeredIdentityContext context)
boolean
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.keycloak.broker.provider.IdentityProvider
isMapperSupported, reloadKeys, supportsLongStateParameter
Constructor Details
SpiffeIdentityProvider
public SpiffeIdentityProvider(KeycloakSession session, SpiffeIdentityProviderConfig config)
Method Details
getConfig
Specified by: getConfig in interface IdentityProvider<SpiffeIdentityProviderConfig>
verifyClientAssertion
Specified by: verifyClientAssertion in interface ClientAssertionIdentityProvider
Throws: Exception
close
public void close()
preprocessFederatedIdentity
public void preprocessFederatedIdentity(KeycloakSession session, RealmModel realm, BrokeredIdentityContext context)
Specified by: preprocessFederatedIdentity in interface IdentityProvider<SpiffeIdentityProviderConfig>
authenticationFinished
public void authenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context)
Specified by: authenticationFinished in interface IdentityProvider<SpiffeIdentityProviderConfig>
importNewUser
public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user, BrokeredIdentityContext context)
Specified by: importNewUser in interface IdentityProvider<SpiffeIdentityProviderConfig>
updateBrokeredUser
public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user, BrokeredIdentityContext context)
Specified by: updateBrokeredUser in interface IdentityProvider<SpiffeIdentityProviderConfig>
callback
public Object callback(RealmModel realm, IdentityProvider.AuthenticationCallback callback, EventBuilder event)
Specified by: callback in interface IdentityProvider<SpiffeIdentityProviderConfig>
performLogin
public jakarta.ws.rs.core.Response performLogin(AuthenticationRequest request)
Specified by: performLogin in interface IdentityProvider<SpiffeIdentityProviderConfig>
retrieveToken
public jakarta.ws.rs.core.Response retrieveToken(KeycloakSession session, FederatedIdentityModel identity)
Specified by: retrieveToken in interface IdentityProvider<SpiffeIdentityProviderConfig>
backchannelLogout
public void backchannelLogout(KeycloakSession session, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm)
Specified by: backchannelLogout in interface IdentityProvider<SpiffeIdentityProviderConfig>
keycloakInitiatedBrowserLogout
public jakarta.ws.rs.core.Response keycloakInitiatedBrowserLogout(KeycloakSession session, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm)
Specified by: keycloakInitiatedBrowserLogout in interface IdentityProvider<SpiffeIdentityProviderConfig>
export
public jakarta.ws.rs.core.Response export(jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm, String format)
Specified by: export in interface IdentityProvider<SpiffeIdentityProviderConfig>
getMarshaller
Specified by: getMarshaller in interface IdentityProvider<SpiffeIdentityProviderConfig>