java.lang.Object
- org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator

All Implemented Interfaces:

Authenticator, Provider

Direct Known Subclasses:

AbstractX509ClientCertificateDirectGrantAuthenticator, X509ClientCertificateAuthenticator
```
public abstract class AbstractX509ClientCertificateAuthenticator
extends Object
implements Authenticator
```
Version:

$Revision: 1 $

Author:

Peter Nalyvayko

Nested Class Summary

Nested Classes
Modifier and Type	Class	Description
`protected static class`	`AbstractX509ClientCertificateAuthenticator.CertificateValidatorConfigBuilder`
`protected static class`	`AbstractX509ClientCertificateAuthenticator.UserIdentityExtractorBuilder`
`protected static class`	`AbstractX509ClientCertificateAuthenticator.UserIdentityToModelMapperBuilder`

Field Summary

Fields
Modifier and Type	Field	Description
`static String`	`CANONICAL_DN`
`static String`	`CERTIFICATE_EXTENDED_KEY_USAGE`
`static String`	`CERTIFICATE_KEY_USAGE`
`static String`	`CERTIFICATE_POLICY`
`static String`	`CERTIFICATE_POLICY_MODE`
`static String`	`CERTIFICATE_POLICY_MODE_ALL`
`static String`	`CERTIFICATE_POLICY_MODE_ANY`
`static String`	`CONFIRMATION_PAGE_DISALLOWED`
`static String`	`CRL_RELATIVE_PATH`
`static String`	`CUSTOM_ATTRIBUTE_NAME`
`static String`	`DEFAULT_ATTRIBUTE_NAME`
`static String`	`ENABLE_CRL`
`static String`	`ENABLE_CRLDP`
`static String`	`ENABLE_OCSP`
`protected static ServicesLogger`	`logger`
`static String`	`MAPPING_SOURCE_CERT_CERTIFICATE_PEM`
`static String`	`MAPPING_SOURCE_CERT_ISSUERDN`
`static String`	`MAPPING_SOURCE_CERT_SERIALNUMBER`
`static String`	`MAPPING_SOURCE_CERT_SERIALNUMBER_ISSUERDN`
`static String`	`MAPPING_SOURCE_CERT_SHA256_THUMBPRINT`
`static String`	`MAPPING_SOURCE_CERT_SUBJECTALTNAME_EMAIL`
`static String`	`MAPPING_SOURCE_CERT_SUBJECTALTNAME_OTHERNAME`
`static String`	`MAPPING_SOURCE_CERT_SUBJECTDN`
`static String`	`MAPPING_SOURCE_CERT_SUBJECTDN_CN`
`static String`	`MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL`
`static String`	`MAPPING_SOURCE_SELECTION`
`static String`	`OCSP_FAIL_OPEN`
`static String`	`OCSPRESPONDER_CERTIFICATE`
`static String`	`OCSPRESPONDER_URI`
`static String`	`REGULAR_EXPRESSION`
`static String`	`REVALIDATE_CERTIFICATE`
`static String`	`SERIALNUMBER_HEX`
`static String`	`TIMESTAMP_VALIDATION`
`static String`	`USER_ATTRIBUTE_MAPPER`
`static String`	`USER_MAPPER_SELECTION`
`static String`	`USERNAME_EMAIL_MAPPER`

Constructor Summary

Constructors
Constructor Description

AbstractX509ClientCertificateAuthenticator()

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method	Description
`CertificateValidator.CertificateValidatorBuilder`	`certificateValidationParameters(KeycloakSession session, X509AuthenticatorConfigModel config)`
`void`	`close()`
`boolean`	`configuredFor(KeycloakSession session, RealmModel realm, UserModel user)`	Is this authenticator configured for this user.
`protected javax.ws.rs.core.Response`	`createInfoResponse(AuthenticationFlowContext context, String infoMessage, Object... parameters)`
`protected X509Certificate[]`	`getCertificateChain(AuthenticationFlowContext context)`
`UserIdentityExtractor`	`getUserIdentityExtractor(X509AuthenticatorConfigModel config)`
`UserIdentityToModelMapper`	`getUserIdentityToModelMapper(X509AuthenticatorConfigModel config)`
`protected void`	`recordX509CertificateAuditDataViaContextEvent(AuthenticationFlowContext context)`
`boolean`	`requiresUser()`	Does this authenticator require that the user has already been identified? That AuthenticatorContext.getUser() is not null?
`protected void`	`saveX509CertificateAuditDataToAuthSession(AuthenticationFlowContext context, X509Certificate cert)`
`void`	`setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user)`	Set actions to configure authenticator

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.authentication.Authenticator
action, areRequiredActionsEnabled, authenticate, getRequiredActions

Field Detail

DEFAULT_ATTRIBUTE_NAME

public static final String DEFAULT_ATTRIBUTE_NAME

See Also:: Constant Field Values

logger
```
protected static ServicesLogger logger
```

REGULAR_EXPRESSION

public static final String REGULAR_EXPRESSION

See Also:: Constant Field Values

ENABLE_CRL
```
public static final String ENABLE_CRL
```
See Also:

Constant Field Values

ENABLE_OCSP
```
public static final String ENABLE_OCSP
```
See Also:

Constant Field Values

OCSP_FAIL_OPEN

public static final String OCSP_FAIL_OPEN

See Also:: Constant Field Values

ENABLE_CRLDP

public static final String ENABLE_CRLDP

See Also:: Constant Field Values

CANONICAL_DN

public static final String CANONICAL_DN

See Also:: Constant Field Values

TIMESTAMP_VALIDATION

public static final String TIMESTAMP_VALIDATION

See Also:: Constant Field Values

SERIALNUMBER_HEX

public static final String SERIALNUMBER_HEX

See Also:: Constant Field Values

CRL_RELATIVE_PATH

public static final String CRL_RELATIVE_PATH

See Also:: Constant Field Values

OCSPRESPONDER_URI

public static final String OCSPRESPONDER_URI

See Also:: Constant Field Values

OCSPRESPONDER_CERTIFICATE

public static final String OCSPRESPONDER_CERTIFICATE

See Also:: Constant Field Values

MAPPING_SOURCE_SELECTION

public static final String MAPPING_SOURCE_SELECTION

See Also:: Constant Field Values

MAPPING_SOURCE_CERT_SUBJECTDN

public static final String MAPPING_SOURCE_CERT_SUBJECTDN

See Also:: Constant Field Values

MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL

public static final String MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL

See Also:: Constant Field Values

MAPPING_SOURCE_CERT_SUBJECTALTNAME_EMAIL

public static final String MAPPING_SOURCE_CERT_SUBJECTALTNAME_EMAIL

See Also:: Constant Field Values

MAPPING_SOURCE_CERT_SUBJECTALTNAME_OTHERNAME

public static final String MAPPING_SOURCE_CERT_SUBJECTALTNAME_OTHERNAME

See Also:: Constant Field Values

MAPPING_SOURCE_CERT_SUBJECTDN_CN

public static final String MAPPING_SOURCE_CERT_SUBJECTDN_CN

See Also:: Constant Field Values

MAPPING_SOURCE_CERT_ISSUERDN

public static final String MAPPING_SOURCE_CERT_ISSUERDN

See Also:: Constant Field Values

MAPPING_SOURCE_CERT_SERIALNUMBER

public static final String MAPPING_SOURCE_CERT_SERIALNUMBER

See Also:: Constant Field Values

MAPPING_SOURCE_CERT_SHA256_THUMBPRINT

public static final String MAPPING_SOURCE_CERT_SHA256_THUMBPRINT

See Also:: Constant Field Values

MAPPING_SOURCE_CERT_SERIALNUMBER_ISSUERDN

public static final String MAPPING_SOURCE_CERT_SERIALNUMBER_ISSUERDN

See Also:: Constant Field Values

MAPPING_SOURCE_CERT_CERTIFICATE_PEM

public static final String MAPPING_SOURCE_CERT_CERTIFICATE_PEM

See Also:: Constant Field Values

USER_MAPPER_SELECTION

public static final String USER_MAPPER_SELECTION

See Also:: Constant Field Values

USER_ATTRIBUTE_MAPPER

public static final String USER_ATTRIBUTE_MAPPER

See Also:: Constant Field Values

USERNAME_EMAIL_MAPPER

public static final String USERNAME_EMAIL_MAPPER

See Also:: Constant Field Values

CUSTOM_ATTRIBUTE_NAME

public static final String CUSTOM_ATTRIBUTE_NAME

See Also:: Constant Field Values

CERTIFICATE_KEY_USAGE

public static final String CERTIFICATE_KEY_USAGE

See Also:: Constant Field Values

CERTIFICATE_EXTENDED_KEY_USAGE

public static final String CERTIFICATE_EXTENDED_KEY_USAGE

See Also:: Constant Field Values

CERTIFICATE_POLICY

public static final String CERTIFICATE_POLICY

See Also:: Constant Field Values

CERTIFICATE_POLICY_MODE

public static final String CERTIFICATE_POLICY_MODE

See Also:: Constant Field Values

CERTIFICATE_POLICY_MODE_ALL

public static final String CERTIFICATE_POLICY_MODE_ALL

See Also:: Constant Field Values

CERTIFICATE_POLICY_MODE_ANY

public static final String CERTIFICATE_POLICY_MODE_ANY

See Also:: Constant Field Values

CONFIRMATION_PAGE_DISALLOWED

public static final String CONFIRMATION_PAGE_DISALLOWED

See Also:: Constant Field Values

REVALIDATE_CERTIFICATE

public static final String REVALIDATE_CERTIFICATE

See Also:: Constant Field Values

Constructor Detail
- AbstractX509ClientCertificateAuthenticator
```
public AbstractX509ClientCertificateAuthenticator()
```

Method Detail

createInfoResponse

protected javax.ws.rs.core.Response createInfoResponse(AuthenticationFlowContext context,
                                                       String infoMessage,
                                                       Object... parameters)

certificateValidationParameters

public CertificateValidator.CertificateValidatorBuilder certificateValidationParameters(KeycloakSession session,
                                                                                        X509AuthenticatorConfigModel config)
                                                                                 throws Exception

Throws:: Exception

close
```
public void close()
```
Specified by:

close in interface Provider

getCertificateChain

protected X509Certificate[] getCertificateChain(AuthenticationFlowContext context)

saveX509CertificateAuditDataToAuthSession

protected void saveX509CertificateAuditDataToAuthSession(AuthenticationFlowContext context,
                                                         X509Certificate cert)

recordX509CertificateAuditDataViaContextEvent

protected void recordX509CertificateAuditDataViaContextEvent(AuthenticationFlowContext context)

getUserIdentityExtractor

public UserIdentityExtractor getUserIdentityExtractor(X509AuthenticatorConfigModel config)

getUserIdentityToModelMapper

public UserIdentityToModelMapper getUserIdentityToModelMapper(X509AuthenticatorConfigModel config)

requiresUser
```
public boolean requiresUser()
```
Description copied from interface: Authenticator

Does this authenticator require that the user has already been identified? That AuthenticatorContext.getUser() is not null?

Specified by:

requiresUser in interface Authenticator

Returns:

configuredFor

public boolean configuredFor(KeycloakSession session,
                             RealmModel realm,
                             UserModel user)

Description copied from interface: Authenticator

Is this authenticator configured for this user.

Specified by:: configuredFor in interface Authenticator
Returns:

setRequiredActions

public void setRequiredActions(KeycloakSession session,
                               RealmModel realm,
                               UserModel user)

Description copied from interface: Authenticator

Set actions to configure authenticator

Specified by:: setRequiredActions in interface Authenticator

Class AbstractX509ClientCertificateAuthenticator

Nested Class Summary

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Methods inherited from interface org.keycloak.authentication.Authenticator

Field Detail

DEFAULT_ATTRIBUTE_NAME

logger

REGULAR_EXPRESSION

ENABLE_CRL

ENABLE_OCSP

OCSP_FAIL_OPEN

ENABLE_CRLDP

CANONICAL_DN

TIMESTAMP_VALIDATION

SERIALNUMBER_HEX

CRL_RELATIVE_PATH

OCSPRESPONDER_URI

OCSPRESPONDER_CERTIFICATE

MAPPING_SOURCE_SELECTION

MAPPING_SOURCE_CERT_SUBJECTDN

MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL

MAPPING_SOURCE_CERT_SUBJECTALTNAME_EMAIL

MAPPING_SOURCE_CERT_SUBJECTALTNAME_OTHERNAME

MAPPING_SOURCE_CERT_SUBJECTDN_CN

MAPPING_SOURCE_CERT_ISSUERDN

MAPPING_SOURCE_CERT_SERIALNUMBER

MAPPING_SOURCE_CERT_SHA256_THUMBPRINT

MAPPING_SOURCE_CERT_SERIALNUMBER_ISSUERDN

MAPPING_SOURCE_CERT_CERTIFICATE_PEM

USER_MAPPER_SELECTION

USER_ATTRIBUTE_MAPPER

USERNAME_EMAIL_MAPPER

CUSTOM_ATTRIBUTE_NAME

CERTIFICATE_KEY_USAGE

CERTIFICATE_EXTENDED_KEY_USAGE

CERTIFICATE_POLICY

CERTIFICATE_POLICY_MODE

CERTIFICATE_POLICY_MODE_ALL

CERTIFICATE_POLICY_MODE_ANY

CONFIRMATION_PAGE_DISALLOWED

REVALIDATE_CERTIFICATE

Constructor Detail

AbstractX509ClientCertificateAuthenticator

Method Detail

createInfoResponse

certificateValidationParameters

close

getCertificateChain

saveX509CertificateAuditDataToAuthSession

recordX509CertificateAuditDataViaContextEvent

getUserIdentityExtractor

getUserIdentityToModelMapper

requiresUser

configuredFor

setRequiredActions