Package org.keycloak.broker.oidc
Class OIDCIdentityProvider
- java.lang.Object
  - org.keycloak.broker.provider.AbstractIdentityProvider<C>
    - org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
      - org.keycloak.broker.oidc.OIDCIdentityProvider
- All Implemented Interfaces:
ExchangeExternalToken, ExchangeTokenToIdentityProviderToken, IdentityProvider<OIDCIdentityProviderConfig>, Provider
- Direct Known Subclasses:
GitLabIdentityProvider, GoogleIdentityProvider, KeycloakOIDCIdentityProvider
public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig> implements ExchangeExternalToken
- Author:
Pedro Igor
-
Nested Class Summary
Nested Classes
protected static class OIDCIdentityProvider.OIDCEndpoint
Nested classes/interfaces inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
AbstractOAuth2IdentityProvider.Endpoint
-
Nested classes/interfaces inherited from interface org.keycloak.broker.provider.IdentityProvider
IdentityProvider.AuthenticationCallback
-
Field Summary
Fields
static String ACCESS_TOKEN_EXPIRATION
static String EXCHANGE_PROVIDER
static String FEDERATED_ACCESS_TOKEN_RESPONSE
static String FEDERATED_ID_TOKEN
protected static org.jboss.logging.Logger logger
static String SCOPE_OPENID
static String USER_INFO
static String VALIDATED_ID_TOKEN
Fields inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
ACCESS_DENIED, FEDERATED_REFRESH_TOKEN, FEDERATED_TOKEN_EXPIRATION, mapper, OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE, OAUTH2_GRANT_TYPE_REFRESH_TOKEN, OAUTH2_PARAMETER_ACCESS_TOKEN, OAUTH2_PARAMETER_CLIENT_ID, OAUTH2_PARAMETER_CLIENT_SECRET, OAUTH2_PARAMETER_CODE, OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_PARAMETER_REDIRECT_URI, OAUTH2_PARAMETER_RESPONSE_TYPE, OAUTH2_PARAMETER_SCOPE, OAUTH2_PARAMETER_STATE
-
Fields inherited from class org.keycloak.broker.provider.AbstractIdentityProvider
ACCOUNT_LINK_URL, session
-
Fields inherited from interface org.keycloak.broker.provider.IdentityProvider
EXTERNAL_IDENTITY_PROVIDER, FEDERATED_ACCESS_TOKEN
-
Constructor Summary
Constructors
OIDCIdentityProvider(KeycloakSession session, OIDCIdentityProviderConfig config)
-
Method Summary
Methods
void authenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context)
void backchannelLogout(KeycloakSession session, UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, RealmModel realm)
protected void backchannelLogout(UserSessionModel userSession, String idToken)
Object callback(RealmModel realm, IdentityProvider.AuthenticationCallback callback, EventBuilder event)
    JAXRS callback endpoint for when the remote IDP wants to callback to keycloak.
protected javax.ws.rs.core.UriBuilder createAuthorizationUrl(AuthenticationRequest request)
protected BrokeredIdentityContext exchangeExternalImpl(EventBuilder event, javax.ws.rs.core.MultivaluedMap<String,String> params)
protected javax.ws.rs.core.Response exchangeSessionToken(javax.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)
protected javax.ws.rs.core.Response exchangeStoredToken(javax.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)
protected BrokeredIdentityContext extractIdentity(AccessTokenResponse tokenResponse, String accessToken, JsonWebToken idToken)
protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder event, com.fasterxml.jackson.databind.JsonNode userInfo)
protected String getDefaultScopes()
BrokeredIdentityContext getFederatedIdentity(String response)
protected String getProfileEndpointForValidation(EventBuilder event)
protected SimpleHttp getRefreshTokenRequest(KeycloakSession session, String refreshToken, String clientId, String clientSecret)
protected String getUserInfoUrl()
protected String getusernameClaimNameForIdToken()
protected String getUsernameFromUserInfo(com.fasterxml.jackson.databind.JsonNode userInfo)
protected boolean isAuthTimeExpired(JsonWebToken idToken, AuthenticationSessionModel authSession)
boolean isIssuer(String issuer, javax.ws.rs.core.MultivaluedMap<String,String> params)
javax.ws.rs.core.Response keycloakInitiatedBrowserLogout(KeycloakSession session, UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, RealmModel realm)
    Called when a Keycloak application initiates a logout through the browser.
void preprocessFederatedIdentity(KeycloakSession session, RealmModel realm, BrokeredIdentityContext context)
protected void processAccessTokenResponse(BrokeredIdentityContext context, AccessTokenResponse response)
String refreshTokenForLogout(KeycloakSession session, UserSessionModel userSession)
    Returns access token response as a string from a refresh token invocation on the remote OIDC broker
protected boolean supportsExternalExchange()
protected BrokeredIdentityContext validateJwt(EventBuilder event, String subjectToken, String subjectTokenType)
JsonWebToken validateToken(String encodedToken)
protected JsonWebToken validateToken(String encodedToken, boolean ignoreAudience)
protected boolean verify(JWSInput jws)
-
Methods inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
asJsonNode, authenticateTokenRequest, buildUserInfoRequest, doGetFederatedIdentity, exchangeExternal, exchangeExternalComplete, exchangeExternalUserInfoValidationOnly, exchangeFromToken, extractTokenFromResponse, generateToken, getAccessTokenResponseParameter, getConfig, getJsonProperty, getSignatureContext, hasExternalExchangeToken, performLogin, retrieveToken, validateExternalTokenThroughUserInfo
-
Methods inherited from class org.keycloak.broker.provider.AbstractIdentityProvider
close, exchangeErrorResponse, exchangeNotLinked, exchangeNotLinkedNoStore, exchangeNotSupported, exchangeTokenExpired, exchangeUnsupportedRequiredType, export, getLinkingUrl, getMarshaller, importNewUser, updateBrokeredUser
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface org.keycloak.broker.provider.ExchangeExternalToken
exchangeExternal, exchangeExternalComplete
-
Field Detail
-
logger
protected static final org.jboss.logging.Logger logger
-
SCOPE_OPENID
public static final String SCOPE_OPENID
- See Also:
- Constant Field Values
-
FEDERATED_ID_TOKEN
public static final String FEDERATED_ID_TOKEN
- See Also:
- Constant Field Values
-
USER_INFO
public static final String USER_INFO
- See Also:
- Constant Field Values
-
FEDERATED_ACCESS_TOKEN_RESPONSE
public static final String FEDERATED_ACCESS_TOKEN_RESPONSE
- See Also:
- Constant Field Values
-
VALIDATED_ID_TOKEN
public static final String VALIDATED_ID_TOKEN
- See Also:
- Constant Field Values
-
ACCESS_TOKEN_EXPIRATION
public static final String ACCESS_TOKEN_EXPIRATION
- See Also:
- Constant Field Values
-
EXCHANGE_PROVIDER
public static final String EXCHANGE_PROVIDER
- See Also:
- Constant Field Values
-
Constructor Detail
-
OIDCIdentityProvider
public OIDCIdentityProvider(KeycloakSession session, OIDCIdentityProviderConfig config)
-
Method Detail
-
callback
public Object callback(RealmModel realm, IdentityProvider.AuthenticationCallback callback, EventBuilder event)
Description copied from interface: IdentityProvider
JAXRS callback endpoint for when the remote IDP wants to callback to keycloak.
- Specified by:
callback in interface IdentityProvider<OIDCIdentityProviderConfig>
- Overrides:
callback in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
- Returns:
-
refreshTokenForLogout
public String refreshTokenForLogout(KeycloakSession session, UserSessionModel userSession)
Returns access token response as a string from a refresh token invocation on the remote OIDC broker
- Parameters:
session -
userSession -
- Returns:
-
backchannelLogout
public void backchannelLogout(KeycloakSession session, UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, RealmModel realm)
- Specified by:
backchannelLogout in interface IdentityProvider<OIDCIdentityProviderConfig>
- Overrides:
backchannelLogout in class AbstractIdentityProvider<OIDCIdentityProviderConfig>
-
backchannelLogout
protected void backchannelLogout(UserSessionModel userSession, String idToken)
-
keycloakInitiatedBrowserLogout
public javax.ws.rs.core.Response keycloakInitiatedBrowserLogout(KeycloakSession session, UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, RealmModel realm)
Description copied from interface: IdentityProvider
Called when a Keycloak application initiates a logout through the browser. This is expected to do a logout with the IDP.
- Specified by:
keycloakInitiatedBrowserLogout in interface IdentityProvider<OIDCIdentityProviderConfig>
- Overrides:
keycloakInitiatedBrowserLogout in class AbstractIdentityProvider<OIDCIdentityProviderConfig>
- Returns:
null if this is not supported by this provider
-
exchangeStoredToken
protected javax.ws.rs.core.Response exchangeStoredToken(javax.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)
- Overrides:
exchangeStoredToken in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
processAccessTokenResponse
protected void processAccessTokenResponse(BrokeredIdentityContext context, AccessTokenResponse response)
-
getRefreshTokenRequest
protected SimpleHttp getRefreshTokenRequest(KeycloakSession session, String refreshToken, String clientId, String clientSecret)
-
exchangeSessionToken
protected javax.ws.rs.core.Response exchangeSessionToken(javax.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)
- Overrides:
exchangeSessionToken in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
getFederatedIdentity
public BrokeredIdentityContext getFederatedIdentity(String response)
- Overrides:
getFederatedIdentity in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
isAuthTimeExpired
protected boolean isAuthTimeExpired(JsonWebToken idToken, AuthenticationSessionModel authSession)
-
extractIdentity
protected BrokeredIdentityContext extractIdentity(AccessTokenResponse tokenResponse, String accessToken, JsonWebToken idToken) throws IOException
- Throws:
IOException
-
getusernameClaimNameForIdToken
protected String getusernameClaimNameForIdToken()
-
getUserInfoUrl
protected String getUserInfoUrl()
-
verify
protected boolean verify(JWSInput jws)
-
validateToken
public JsonWebToken validateToken(String encodedToken)
-
validateToken
protected JsonWebToken validateToken(String encodedToken, boolean ignoreAudience)
-
authenticationFinished
public void authenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context)
- Specified by:
authenticationFinished in interface IdentityProvider<OIDCIdentityProviderConfig>
- Overrides:
authenticationFinished in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
getDefaultScopes
protected String getDefaultScopes()
- Specified by:
getDefaultScopes in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
isIssuer
public boolean isIssuer(String issuer, javax.ws.rs.core.MultivaluedMap<String,String> params)
- Specified by:
isIssuer in interface ExchangeExternalToken
- Overrides:
isIssuer in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
supportsExternalExchange
protected boolean supportsExternalExchange()
- Overrides:
supportsExternalExchange in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
getProfileEndpointForValidation
protected String getProfileEndpointForValidation(EventBuilder event)
- Overrides:
getProfileEndpointForValidation in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
extractIdentityFromProfile
protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder event, com.fasterxml.jackson.databind.JsonNode userInfo)
- Overrides:
extractIdentityFromProfile in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
getUsernameFromUserInfo
protected String getUsernameFromUserInfo(com.fasterxml.jackson.databind.JsonNode userInfo)
-
validateJwt
protected final BrokeredIdentityContext validateJwt(EventBuilder event, String subjectToken, String subjectTokenType)
-
exchangeExternalImpl
protected BrokeredIdentityContext exchangeExternalImpl(EventBuilder event, javax.ws.rs.core.MultivaluedMap<String,String> params)
- Overrides:
exchangeExternalImpl in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
createAuthorizationUrl
protected javax.ws.rs.core.UriBuilder createAuthorizationUrl(AuthenticationRequest request)
- Overrides:
createAuthorizationUrl in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
preprocessFederatedIdentity
public void preprocessFederatedIdentity(KeycloakSession session, RealmModel realm, BrokeredIdentityContext context)
- Specified by:
preprocessFederatedIdentity in interface IdentityProvider<OIDCIdentityProviderConfig>
- Overrides:
preprocessFederatedIdentity in class AbstractIdentityProvider<OIDCIdentityProviderConfig>
-