org.keycloak.vault

Class ElytronCSKeyStoreProviderFactory

java.lang.Object

org.keycloak.vault.AbstractVaultProviderFactory

org.keycloak.vault.ElytronCSKeyStoreProviderFactory

All Implemented Interfaces:

ProviderFactory<VaultProvider>, VaultProviderFactory

public class ElytronCSKeyStoreProviderFactory
extends AbstractVaultProviderFactory

A VaultProviderFactory implementation that creates and configures ElytronCSKeyStoreProviders. The following configuration attributes are available for the ElytronCSKeyStoreProviderFactory:

• location (required): the path to he keystore file that contains the secrets. This file is created and managed by Elytron using either the elytron subsystem in WildFly/EAP or the elytron-tool.sh script.
• secret (required): the keystore master secret. Can be specified in clear text form or in masked form. The masked form can be generated using the elytron-tool.sh script. For further details, check the Elytron tool documentation.
• keyStoreType (optional): the keystore type. Defaults to JCEKS.
• keyResolvers (optional): a comma-separated list of vault key resolvers. Defaults to REALM_UNDERSCORE_KEY.

If any of the required configuration attributes is missing, the factory logs a debug message indicating that it has not been properly configured and will return null when create(KeycloakSession) is called.

If the factory has been properly configured but the location attribute points to a keystore that does not exist, a VaultNotFoundException is raised on init. Similarly, if the key resolvers are configured and none of the specified resolvers is valid, a VaultConfigurationException is raised on init.

Author:

Stefan Guilhen

Nested Class Summary

Nested classes/interfaces inherited from class org.keycloak.vault.AbstractVaultProviderFactory

AbstractVaultProviderFactory.AvailableResolvers

Field Summary

Fields inherited from class org.keycloak.vault.AbstractVaultProviderFactory

KEY_RESOLVERS, keyResolvers

Constructor Summary

Constructors

Constructor and Description
ElytronCSKeyStoreProviderFactory()

Method Summary

Modifier and Type	Method and Description
void	close()
VaultProvider	create(KeycloakSession session)
protected org.wildfly.security.credential.source.CredentialSource	getCredentialSource(String secret) Obtains the CredentialSource to be used as a protection parameter when initializing the Elytron credential store.
String	getId()
void	init(Config.Scope config)
void	postInit(KeycloakSessionFactory factory)

Methods inherited from class org.keycloak.vault.AbstractVaultProviderFactory

getFactoryResolver, getRealmName

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.provider.ProviderFactory

order

Constructor Detail

ElytronCSKeyStoreProviderFactory

public ElytronCSKeyStoreProviderFactory()

Method Detail

create

public VaultProvider create(KeycloakSession session)

init

public void init(Config.Scope config)

Specified by:

init in interface ProviderFactory<VaultProvider>

Overrides:

init in class AbstractVaultProviderFactory

postInit

public void postInit(KeycloakSessionFactory factory)

close

public void close()

getId

public String getId()

getCredentialSource

protected org.wildfly.security.credential.source.CredentialSource getCredentialSource(String secret)

Obtains the CredentialSource to be used as a protection parameter when initializing the Elytron credential store. The source is essentially a wrapper for the credential store secret. The credential store secret can be specified in clear text form or in masked form. Check the Elytron tool documentation for instruction on how to mask the credential store secret.

Note: This logic should ideally be provided directly by Elytron but is currently missing.

Parameters:

secret - the secret obtained from the ElytronCSKeyStoreProviderFactory configuration.

Returns:

the constructed CredentialSource.