Package org.keycloak.authentication.authenticators.client

Class JWTClientAuthenticator

java.lang.Object

org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator

org.keycloak.authentication.authenticators.client.JWTClientAuthenticator

All Implemented Interfaces:

ClientAuthenticator, ClientAuthenticatorFactory, ConfigurableAuthenticatorFactory, ConfiguredProvider, Provider, ProviderFactory<ClientAuthenticator>

public class JWTClientAuthenticator
extends AbstractClientAuthenticator

Client authentication based on JWT signed by client private key . See specs for more details. This is server side, which verifies JWT from client_assertion parameter, where the assertion was created on adapter side by org.keycloak.adapters.authentication.JWTClientCredentialsProvider

Author:

Marek Posolda

Field Summary

Fields

Modifier and Type	Field	Description
static String	ATTR_PREFIX
static String	CERTIFICATE_ATTR
static String	PROVIDER_ID

Fields inherited from interface org.keycloak.authentication.ConfigurableAuthenticatorFactory

REQUIREMENT_CHOICES

Constructor Summary

Constructors

Constructor	Description
JWTClientAuthenticator()

Method Summary

Modifier and Type	Method	Description
void	authenticateClient(ClientAuthenticationFlowContext context)	Initial call for the authenticator.
Map<String,Object>	getAdapterConfiguration(ClientModel client)	Get configuration, which needs to be used for adapter ( keycloak.json ) of particular client.
List<ProviderConfigProperty>	getConfigProperties()
List<ProviderConfigProperty>	getConfigPropertiesPerClient()	List of config properties for this client implementation.
String	getDisplayType()	Friendly name for the authenticator
String	getHelpText()
String	getId()
Set<String>	getProtocolAuthenticatorMethods(String loginProtocol)	Get authentication methods for the specified protocol
AuthenticationExecutionModel.Requirement[]	getRequirementChoices()	What requirement settings are allowed.
protected PublicKey	getSignatureValidationKey(ClientModel client, ClientAuthenticationFlowContext context, JWSInput jws)
boolean	isConfigurable()	Is this authenticator configurable globally?

Methods inherited from class org.keycloak.authentication.authenticators.client.AbstractClientAuthenticator

close, create, create, getReferenceCategory, init, isFormDataRequest, isUserSetupAllowed, postInit

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.authentication.ClientAuthenticatorFactory

supportsSecret

Methods inherited from interface org.keycloak.provider.ConfiguredProvider

getConfig

Methods inherited from interface org.keycloak.provider.ProviderFactory

getConfigMetadata, order

Field Detail

PROVIDER_ID

public static final String PROVIDER_ID

See Also:

Constant Field Values

ATTR_PREFIX

public static final String ATTR_PREFIX

See Also:

Constant Field Values

CERTIFICATE_ATTR

public static final String CERTIFICATE_ATTR

See Also:

Constant Field Values

Constructor Detail

JWTClientAuthenticator

public JWTClientAuthenticator()

Method Detail

authenticateClient

public void authenticateClient(ClientAuthenticationFlowContext context)

Description copied from interface: ClientAuthenticator

Initial call for the authenticator. This method should check the current HTTP request to determine if the request satisfies the ClientAuthenticator's requirements. If it doesn't, it should send back a challenge response by calling the ClientAuthenticationFlowContext.challenge(Response).

getSignatureValidationKey

protected PublicKey getSignatureValidationKey(ClientModel client,
                                              ClientAuthenticationFlowContext context,
                                              JWSInput jws)

getDisplayType

public String getDisplayType()

Description copied from interface: ConfigurableAuthenticatorFactory

Friendly name for the authenticator

Returns:

isConfigurable

public boolean isConfigurable()

Description copied from interface: ClientAuthenticatorFactory

Is this authenticator configurable globally?

Returns:

getRequirementChoices

public AuthenticationExecutionModel.Requirement[] getRequirementChoices()

Description copied from interface: ConfigurableAuthenticatorFactory

What requirement settings are allowed.

Returns:

getHelpText

public String getHelpText()

getConfigProperties

public List<ProviderConfigProperty> getConfigProperties()

getConfigPropertiesPerClient

public List<ProviderConfigProperty> getConfigPropertiesPerClient()

Description copied from interface: ClientAuthenticatorFactory

List of config properties for this client implementation. Those will be shown in admin console in clients credentials tab and can be configured per client. Applicable only if "isConfigurablePerClient" is true

Returns:

getAdapterConfiguration

public Map<String,Object> getAdapterConfiguration(ClientModel client)

Description copied from interface: ClientAuthenticatorFactory

Get configuration, which needs to be used for adapter ( keycloak.json ) of particular client. Some implementations may return just template and user needs to edit the values according to his environment (For example fill the location of keystore file)

Returns:

getId

public String getId()

getProtocolAuthenticatorMethods

public Set<String> getProtocolAuthenticatorMethods(String loginProtocol)

Description copied from interface: ClientAuthenticatorFactory

Get authentication methods for the specified protocol

Parameters:

loginProtocol - corresponds to ProviderFactory.getId()

Returns:

name of supported client authenticator methods in the protocol specific "language"