Package org.keycloak.federation.kerberos
Class KerberosFederationProvider
java.lang.Object
org.keycloak.federation.kerberos.KerberosFederationProvider
- All Implemented Interfaces:
CredentialAuthentication
,CredentialInputUpdater
,CredentialInputValidator
,Provider
,ImportedUserValidation
,UserLookupProvider
,UserStorageProvider
,UserProfileDecorator
public class KerberosFederationProvider
extends Object
implements UserStorageProvider, UserLookupProvider, CredentialInputValidator, CredentialInputUpdater, CredentialAuthentication, ImportedUserValidation, UserProfileDecorator
- Author:
- Marek Posolda
-
Nested Class Summary
Nested classes/interfaces inherited from interface org.keycloak.storage.UserStorageProvider
UserStorageProvider.EditMode
-
Field Summary
Modifier and TypeFieldDescriptionprotected KerberosFederationProviderFactory
static final String
protected KerberosConfig
protected UserStorageProviderModel
protected KeycloakSession
-
Constructor Summary
ConstructorDescriptionKerberosFederationProvider
(KeycloakSession session, UserStorageProviderModel model, KerberosFederationProviderFactory factory) -
Method Summary
Modifier and TypeMethodDescriptionauthenticate
(RealmModel realm, CredentialInput input) void
close()
decorateUserProfile
(String providerId, UserProfileMetadata metadata) Decorates user profile with additional metadata.void
disableCredentialType
(RealmModel realm, UserModel user, String credentialType) protected UserModel
findOrCreateAuthenticatedUser
(RealmModel realm, KerberosPrincipal kerberosPrincipal) Called after successful authenticationgetDisableableCredentialTypesStream
(RealmModel realm, UserModel user) Obtains the set of credential types that can be disabled viadisableCredentialType
.getUserByEmail
(RealmModel realm, String email) Returns a user with the given email belonging to the realmgetUserById
(RealmModel realm, String id) Returns a user with the given id belonging to the realmgetUserByUsername
(RealmModel realm, String username) Exact search for a user by its username.protected UserModel
importUserToKeycloak
(RealmModel realm, KerberosPrincipal kerberosPrincipal) boolean
isConfiguredFor
(RealmModel realm, UserModel user, String credentialType) boolean
isValid
(RealmModel realm, UserModel user, CredentialInput input) Tests whether a credential is validvoid
preRemove
(RealmModel realm) Callback when a realm is removed.void
preRemove
(RealmModel realm, GroupModel group) Callback when a group is removed.void
preRemove
(RealmModel realm, RoleModel role) Callback when a role is removed.boolean
boolean
supportsCredentialType
(String credentialType) toString()
boolean
updateCredential
(RealmModel realm, UserModel user, CredentialInput input) validate
(RealmModel realm, UserModel user) If this method returns null, then the user in local storage will be removedprotected boolean
validPassword
(String kerberosPrincipal, String password) Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
Methods inherited from interface org.keycloak.storage.user.UserLookupProvider
getUserByCredential
-
Field Details
-
KERBEROS_PRINCIPAL
- See Also:
-
session
-
model
-
kerberosConfig
-
factory
-
-
Constructor Details
-
KerberosFederationProvider
public KerberosFederationProvider(KeycloakSession session, UserStorageProviderModel model, KerberosFederationProviderFactory factory)
-
-
Method Details
-
validate
Description copied from interface:ImportedUserValidation
If this method returns null, then the user in local storage will be removed- Specified by:
validate
in interfaceImportedUserValidation
- Returns:
- null if user no longer valid
-
getUserByUsername
Description copied from interface:UserLookupProvider
Exact search for a user by its username. Returns a user with the given username belonging to the realm- Specified by:
getUserByUsername
in interfaceUserLookupProvider
- Parameters:
realm
- the realm modelusername
- (case-sensitivity is controlled by storage)- Returns:
- found user model, or
null
if no such user exists
-
getUserByEmail
Description copied from interface:UserLookupProvider
Returns a user with the given email belonging to the realm- Specified by:
getUserByEmail
in interfaceUserLookupProvider
- Parameters:
realm
- the realm modelemail
- email address- Returns:
- found user model, or
null
if no such user exists
-
getUserById
Description copied from interface:UserLookupProvider
Returns a user with the given id belonging to the realm- Specified by:
getUserById
in interfaceUserLookupProvider
- Parameters:
realm
- the realm modelid
- id of the user- Returns:
- found user model, or
null
if no such user exists
-
preRemove
Description copied from interface:UserStorageProvider
Callback when a realm is removed. Implement this if, for example, you want to do some cleanup in your user storage when a realm is removed- Specified by:
preRemove
in interfaceUserStorageProvider
-
preRemove
Description copied from interface:UserStorageProvider
Callback when a role is removed. Allows you to do things like remove a user role mapping in your external store if appropriate- Specified by:
preRemove
in interfaceUserStorageProvider
-
preRemove
Description copied from interface:UserStorageProvider
Callback when a group is removed. Allows you to do things like remove a user group mapping in your external store if appropriate- Specified by:
preRemove
in interfaceUserStorageProvider
-
updateCredential
- Specified by:
updateCredential
in interfaceCredentialInputUpdater
-
disableCredentialType
- Specified by:
disableCredentialType
in interfaceCredentialInputUpdater
-
getDisableableCredentialTypesStream
Description copied from interface:CredentialInputUpdater
Obtains the set of credential types that can be disabled viadisableCredentialType
.- Specified by:
getDisableableCredentialTypesStream
in interfaceCredentialInputUpdater
- Parameters:
realm
- a reference to the realm.user
- the user whose credentials are being searched.- Returns:
- a non-null
Stream
of credential types.
-
supportsCredentialType
- Specified by:
supportsCredentialType
in interfaceCredentialInputUpdater
- Specified by:
supportsCredentialType
in interfaceCredentialInputValidator
-
supportsCredentialAuthenticationFor
- Specified by:
supportsCredentialAuthenticationFor
in interfaceCredentialAuthentication
-
isConfiguredFor
- Specified by:
isConfiguredFor
in interfaceCredentialInputValidator
-
isValid
Description copied from interface:CredentialInputValidator
Tests whether a credential is valid- Specified by:
isValid
in interfaceCredentialInputValidator
- Parameters:
realm
- The realm in which to which the credential belongs touser
- The user for which to test the credentialinput
- the credential details to verify- Returns:
- true if the passed secret is correct
-
validPassword
-
authenticate
- Specified by:
authenticate
in interfaceCredentialAuthentication
-
close
public void close() -
findOrCreateAuthenticatedUser
protected UserModel findOrCreateAuthenticatedUser(RealmModel realm, KerberosPrincipal kerberosPrincipal) Called after successful authentication- Parameters:
realm
- realmkerberosPrincipal
-- Returns:
- user if found or successfully created. Null if user with same username already exists, but is not linked to this provider
-
importUserToKeycloak
-
toString
-
decorateUserProfile
Description copied from interface:UserProfileDecorator
Decorates user profile with additional metadata. For instance, metadata attributes, which are available just for your user-storage provider can be added there, so they are available just for the users coming from your provider.
This method is invoked every time a user is being managed through a user profile provider.
- Specified by:
decorateUserProfile
in interfaceUserProfileDecorator
- Parameters:
providerId
- the id of the user storage provider to which the user is associated withmetadata
- the currentUserProfileMetadata
for the current realm- Returns:
- a list of attribute metadata.The
AttributeMetadata
returned from this method overrides any other metadata already set inmetadata
for a given attribute.
-