Package org.keycloak.broker.oidc
Class OIDCIdentityProvider
- java.lang.Object
  - org.keycloak.broker.provider.AbstractIdentityProvider<C>
    - org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
      - org.keycloak.broker.oidc.OIDCIdentityProvider
- All Implemented Interfaces:
  ExchangeExternalToken, ExchangeTokenToIdentityProviderToken, IdentityProvider<OIDCIdentityProviderConfig>, Provider
- Direct Known Subclasses:
  GitLabIdentityProvider, GoogleIdentityProvider, KeycloakOIDCIdentityProvider
public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig> implements ExchangeExternalToken
- Author:
  Pedro Igor
Nested Class Summary

Nested Classes:
- protected static class OIDCIdentityProvider.OIDCEndpoint

Nested classes/interfaces inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider:
- AbstractOAuth2IdentityProvider.Endpoint

Nested classes/interfaces inherited from interface org.keycloak.broker.provider.IdentityProvider:
- IdentityProvider.AuthenticationCallback
Field Summary

Fields (Modifier and Type, Field):
- static String ACCESS_TOKEN_EXPIRATION
- static String EXCHANGE_PROVIDER
- static String FEDERATED_ACCESS_TOKEN_RESPONSE
- static String FEDERATED_ID_TOKEN
- protected static org.jboss.logging.Logger logger
- static String SCOPE_OPENID
- static String USER_INFO
- static String VALIDATED_ID_TOKEN

Fields inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider:
ACCESS_DENIED, FEDERATED_REFRESH_TOKEN, FEDERATED_TOKEN_EXPIRATION, mapper, OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE, OAUTH2_GRANT_TYPE_REFRESH_TOKEN, OAUTH2_PARAMETER_ACCESS_TOKEN, OAUTH2_PARAMETER_CLIENT_ID, OAUTH2_PARAMETER_CLIENT_SECRET, OAUTH2_PARAMETER_CODE, OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_PARAMETER_REDIRECT_URI, OAUTH2_PARAMETER_RESPONSE_TYPE, OAUTH2_PARAMETER_SCOPE, OAUTH2_PARAMETER_STATE

Fields inherited from class org.keycloak.broker.provider.AbstractIdentityProvider:
ACCOUNT_LINK_URL, session

Fields inherited from interface org.keycloak.broker.provider.IdentityProvider:
EXTERNAL_IDENTITY_PROVIDER, FEDERATED_ACCESS_TOKEN
Constructor Summary

Constructors:
- OIDCIdentityProvider(KeycloakSession session, OIDCIdentityProviderConfig config)
Method Summary

Methods (Modifier and Type, Method, Description):
- void authenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context)
- void backchannelLogout(KeycloakSession session, UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, RealmModel realm)
- protected void backchannelLogout(UserSessionModel userSession, String idToken)
- Object callback(RealmModel realm, IdentityProvider.AuthenticationCallback callback, EventBuilder event)
  JAX-RS callback endpoint for when the remote IDP wants to call back to Keycloak.
- protected javax.ws.rs.core.UriBuilder createAuthorizationUrl(AuthenticationRequest request)
- protected BrokeredIdentityContext exchangeExternalImpl(EventBuilder event, javax.ws.rs.core.MultivaluedMap<String,String> params)
- protected javax.ws.rs.core.Response exchangeSessionToken(javax.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)
- protected javax.ws.rs.core.Response exchangeStoredToken(javax.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)
- protected BrokeredIdentityContext extractIdentity(AccessTokenResponse tokenResponse, String accessToken, JsonWebToken idToken)
- protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder event, com.fasterxml.jackson.databind.JsonNode userInfo)
- protected String getDefaultScopes()
- BrokeredIdentityContext getFederatedIdentity(String response)
- protected String getProfileEndpointForValidation(EventBuilder event)
- protected SimpleHttp getRefreshTokenRequest(KeycloakSession session, String refreshToken, String clientId, String clientSecret)
- protected String getUserInfoUrl()
- protected String getusernameClaimNameForIdToken()
- protected String getUsernameFromUserInfo(com.fasterxml.jackson.databind.JsonNode userInfo)
- protected boolean isAuthTimeExpired(JsonWebToken idToken, AuthenticationSessionModel authSession)
- boolean isIssuer(String issuer, javax.ws.rs.core.MultivaluedMap<String,String> params)
- javax.ws.rs.core.Response keycloakInitiatedBrowserLogout(KeycloakSession session, UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, RealmModel realm)
  Called when a Keycloak application initiates a logout through the browser.
- void preprocessFederatedIdentity(KeycloakSession session, RealmModel realm, BrokeredIdentityContext context)
- protected void processAccessTokenResponse(BrokeredIdentityContext context, AccessTokenResponse response)
- String refreshTokenForLogout(KeycloakSession session, UserSessionModel userSession)
  Returns the access token response as a string from a refresh token invocation on the remote OIDC broker.
- protected boolean supportsExternalExchange()
- protected BrokeredIdentityContext validateJwt(EventBuilder event, String subjectToken, String subjectTokenType)
- JsonWebToken validateToken(String encodedToken)
- protected JsonWebToken validateToken(String encodedToken, boolean ignoreAudience)
- protected boolean verify(JWSInput jws)

Methods inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider:
asJsonNode, authenticateTokenRequest, buildUserInfoRequest, doGetFederatedIdentity, exchangeExternal, exchangeExternalComplete, exchangeExternalUserInfoValidationOnly, exchangeFromToken, extractTokenFromResponse, generateToken, getAccessTokenResponseParameter, getConfig, getJsonProperty, getSignatureContext, hasExternalExchangeToken, performLogin, retrieveToken, validateExternalTokenThroughUserInfo

Methods inherited from class org.keycloak.broker.provider.AbstractIdentityProvider:
close, exchangeErrorResponse, exchangeNotLinked, exchangeNotLinkedNoStore, exchangeNotSupported, exchangeTokenExpired, exchangeUnsupportedRequiredType, export, getLinkingUrl, getMarshaller, importNewUser, updateBrokeredUser

Methods inherited from class java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.broker.provider.ExchangeExternalToken:
exchangeExternal, exchangeExternalComplete

Field Detail

logger
protected static final org.jboss.logging.Logger logger

SCOPE_OPENID
public static final String SCOPE_OPENID
- See Also: Constant Field Values

FEDERATED_ID_TOKEN
public static final String FEDERATED_ID_TOKEN
- See Also: Constant Field Values

USER_INFO
public static final String USER_INFO
- See Also: Constant Field Values

FEDERATED_ACCESS_TOKEN_RESPONSE
public static final String FEDERATED_ACCESS_TOKEN_RESPONSE
- See Also: Constant Field Values

VALIDATED_ID_TOKEN
public static final String VALIDATED_ID_TOKEN
- See Also: Constant Field Values

ACCESS_TOKEN_EXPIRATION
public static final String ACCESS_TOKEN_EXPIRATION
- See Also: Constant Field Values

EXCHANGE_PROVIDER
public static final String EXCHANGE_PROVIDER
- See Also: Constant Field Values

Constructor Detail

OIDCIdentityProvider
public OIDCIdentityProvider(KeycloakSession session, OIDCIdentityProviderConfig config)

Method Detail

callback
public Object callback(RealmModel realm, IdentityProvider.AuthenticationCallback callback, EventBuilder event)
Description copied from interface: IdentityProvider
JAX-RS callback endpoint for when the remote IDP wants to call back to Keycloak.
- Specified by: callback in interface IdentityProvider<OIDCIdentityProviderConfig>
- Overrides: callback in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
- Returns:

refreshTokenForLogout
public String refreshTokenForLogout(KeycloakSession session, UserSessionModel userSession)
Returns the access token response as a string from a refresh token invocation on the remote OIDC broker.
- Parameters: session, userSession
- Returns:

backchannelLogout
public void backchannelLogout(KeycloakSession session, UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, RealmModel realm)
- Specified by: backchannelLogout in interface IdentityProvider<OIDCIdentityProviderConfig>
- Overrides: backchannelLogout in class AbstractIdentityProvider<OIDCIdentityProviderConfig>

backchannelLogout
protected void backchannelLogout(UserSessionModel userSession, String idToken)

keycloakInitiatedBrowserLogout
public javax.ws.rs.core.Response keycloakInitiatedBrowserLogout(KeycloakSession session, UserSessionModel userSession, javax.ws.rs.core.UriInfo uriInfo, RealmModel realm)
Description copied from interface: IdentityProvider
Called when a Keycloak application initiates a logout through the browser. This is expected to do a logout with the IDP.
- Specified by: keycloakInitiatedBrowserLogout in interface IdentityProvider<OIDCIdentityProviderConfig>
- Overrides: keycloakInitiatedBrowserLogout in class AbstractIdentityProvider<OIDCIdentityProviderConfig>
- Returns: null if this is not supported by this provider

exchangeStoredToken
protected javax.ws.rs.core.Response exchangeStoredToken(javax.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)
- Overrides: exchangeStoredToken in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

processAccessTokenResponse
protected void processAccessTokenResponse(BrokeredIdentityContext context, AccessTokenResponse response)

getRefreshTokenRequest
protected SimpleHttp getRefreshTokenRequest(KeycloakSession session, String refreshToken, String clientId, String clientSecret)

exchangeSessionToken
protected javax.ws.rs.core.Response exchangeSessionToken(javax.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)
- Overrides: exchangeSessionToken in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

getFederatedIdentity
public BrokeredIdentityContext getFederatedIdentity(String response)
- Overrides: getFederatedIdentity in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

isAuthTimeExpired
protected boolean isAuthTimeExpired(JsonWebToken idToken, AuthenticationSessionModel authSession)

extractIdentity
protected BrokeredIdentityContext extractIdentity(AccessTokenResponse tokenResponse, String accessToken, JsonWebToken idToken) throws IOException
- Throws: IOException

getusernameClaimNameForIdToken
protected String getusernameClaimNameForIdToken()

getUserInfoUrl
protected String getUserInfoUrl()

verify
protected boolean verify(JWSInput jws)

validateToken
public JsonWebToken validateToken(String encodedToken)

validateToken
protected JsonWebToken validateToken(String encodedToken, boolean ignoreAudience)

authenticationFinished
public void authenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context)
- Specified by: authenticationFinished in interface IdentityProvider<OIDCIdentityProviderConfig>
- Overrides: authenticationFinished in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

getDefaultScopes
protected String getDefaultScopes()
- Specified by: getDefaultScopes in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

isIssuer
public boolean isIssuer(String issuer, javax.ws.rs.core.MultivaluedMap<String,String> params)
- Specified by: isIssuer in interface ExchangeExternalToken
- Overrides: isIssuer in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

supportsExternalExchange
protected boolean supportsExternalExchange()
- Overrides: supportsExternalExchange in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

getProfileEndpointForValidation
protected String getProfileEndpointForValidation(EventBuilder event)
- Overrides: getProfileEndpointForValidation in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

extractIdentityFromProfile
protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder event, com.fasterxml.jackson.databind.JsonNode userInfo)
- Overrides: extractIdentityFromProfile in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

getUsernameFromUserInfo
protected String getUsernameFromUserInfo(com.fasterxml.jackson.databind.JsonNode userInfo)

validateJwt
protected final BrokeredIdentityContext validateJwt(EventBuilder event, String subjectToken, String subjectTokenType)

exchangeExternalImpl
protected BrokeredIdentityContext exchangeExternalImpl(EventBuilder event, javax.ws.rs.core.MultivaluedMap<String,String> params)
- Overrides: exchangeExternalImpl in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

createAuthorizationUrl
protected javax.ws.rs.core.UriBuilder createAuthorizationUrl(AuthenticationRequest request)
- Overrides: createAuthorizationUrl in class AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>

preprocessFederatedIdentity
public void preprocessFederatedIdentity(KeycloakSession session, RealmModel realm, BrokeredIdentityContext context)
- Specified by: preprocessFederatedIdentity in interface IdentityProvider<OIDCIdentityProviderConfig>
- Overrides: preprocessFederatedIdentity in class AbstractIdentityProvider<OIDCIdentityProviderConfig>