All Classes and Interfaces

Class
Description
 
 
Abstract class that handles the logic for importing and updating brokered users for all mappers that map a SAML attribute into a Keycloak group.
Abstract class that handles the logic for importing and updating brokered users for all mappers that map a SAML attribute into a Keycloak role.
 
 
 
 
 
 
 
Abstract class that handles the logic for importing and updating brokered users for all mappers that map an OIDC claim into a Keycloak role.
 
 
 
 
 
 
 
 
 
Helper base class for ClientModel implementations for ClientStorageProvider implementations.
 
 
 
 
 
 
 
 
 
Abstract helper class that Authenticator implementations can leverage
 
 
 
 
 
 
 
 
 
 
Abstract class for Social Provider mappers which allow mapping of JSON user profile field into Keycloak user attribute.
 
 
Handles some common transaction logic related to start, rollback-only etc.
 
Abstract "store" for bulk sending of the updates related to lastSessionRefresh
 
 
Stateful per-request object
 
 
Abstract class for number validator.
 
 
 
 
Set the 'sub' claim to pairwise .
 
Base class for parsers
Base PartialImport for most resource types.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Abstract saml request context for any SAML request received.
 
Helper class for securing local services.
 
Base class for arbitrary value type validators.
Simple support for STaX type of parsing.
 
 
 
 
 
Base class for String value format validators.
This abstract class provides implementations for everything but getUsername().
The AbstractUserAdapter.Streams interface makes all collection-based methods in AbstractUserAdapter default by providing implementations that delegate to the Stream-based variants instead of the other way around.
Assumes everything is managed by federated storage except for username.
Deprecated.
This interface is no longer necessary; collection-based methods were removed from the parent interface and therefore the parent interface can be used directly
 
 
Abstract base for Freemarker context bean providing information about user profile to render dynamic or crafted forms.
 
 
Abstract class that is meant to be extended by implementations of VaultProvider that want to have support for key resolvers.
Abstract class that is meant to be extended by implementations of VaultProviderFactory that want to offer support for the configuration of key resolvers.
Enum containing the available VaultKeyResolvers.
 
 
 
 
 
 
 
 
 
 
 
 
OAuth 2.0 Access Token Response json
Created by st on 29/03/17.
 
 
 
 
 
A AccountResourceProvider creates JAX-RS resource instances for the Account endpoints, allowing an implementor to override the behavior of the entire Account console.
A factory that creates AccountResourceProvider instances.
A Spi to replace Account resources.
 
 
 
 
CRUD data in the authentication session, which are related to step-up authentication
 
Enum for actions taken by PartialImport.
 
 
 
Handler of the action token.
 
 
Java class for ActionType complex type.
Java class for ActivationLimitDurationType complex type.
Java class for ActivationLimitDurationType complex type.
Java class for ActivationLimitSessionType complex type.
Java class for ActivationLimitSessionType complex type.
Java class for ActivationLimitType complex type.
Java class for ActivationLimitType complex type.
Java class for ActivationLimitUsagesType complex type.
Java class for ActivationLimitUsagesType complex type.
Java class for ActivationPinType complex type.
Java class for ActivationPinType complex type.
Configuration for Java based adapters
 
Configuration options relevant for configuring http client that can be used by adapter.
 
 
Java class for AdditionalMetadataLocationType complex type.
 
 
 
Posted to managed client from admin server.
 
 
 
 
 
 
 
 
 
 
Created by st on 21/03/17.
 
 
 
 
 
 
 
Useful as a function pointer, i.e.
Useful as a function pointer, i.e.
 
 
A AdminRealmResourceProvider creates JAX-RS sub-resource instances for paths relative to Realm's RESTful Admin API that could not be resolved by the server.
A factory that creates AdminRealmResourceProvider instances.
A Spi to plug additional sub-resources to Realms' RESTful Admin API.
 
Root resource for admin console and admin REST API
 
 
 
 
Java class for AdviceType complex type.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Java class for AffiliationDescriptorType complex type.
 
 
 
 
 
 
 
Java class for AgreementMethodType complex type.
 
 
Deprecated.
 
Authenticator will always successfully authenticate.
 
Populates token with requested scope.
Protocol mapper to add allowed web origins to the access token to the 'allowed-origins' claim
Java class for AlphabetType complex type.
Java class for AlphabetType complex type.
Ancestor for a provider factory for both a standalone ProviderFactory and a ComponentFactory.
 
 
And condition for filters.
A criteria that matches a property based on its annotations
 
 
Parses any DOM tree to a list of DOM representations.
 
The provider allows to extract X.509 client certificate forwarded to keycloak configured behind the Apache reverse proxy.
 
 
 
 
Deprecated.
Handles selective disclosure of elements within a top-level array claim, supporting both visible and undisclosed elements.
 
 
Provides a way to create and resolve artifacts for SAML Artifact binding
Exception to indicate a configuration error in ArtifactResolver.
A factory that creates ArtifactResolver instances.
Exception to indicate a processing error in ArtifactResolver.
 
Java class for ArtifactResolveType complex type.
Java class for ArtifactResponseType complex type.
Security Exception indicating expiration of SAML2 assertion
Java class for AssertionIDRequestType complex type.
Utility to deal with assertions
 
 
 
 
When using AsyncResponse.resume(Object) directly in the code, the response is returned before all changes done withing this execution are committed.
 
Base resource class for the admin REST api of one realm
Pass-thru atheneticator that just sets the context to attempted.
 
 
Java class for AttributeAuthorityDescriptorType complex type.
Interface of the user profile attribute change listener.
Constants for attributes
Java class for AttributeConsumingServiceType complex type.
 
Configuration of the attribute group.
 
Java class for AttributeQueryType complex type.
Validator to check that User Profile attribute value is not blank (nor null) if the attribute is required based on AttributeMetadata predicate.
Holds attributes, their values and provides utility methods to manage them.
 
This interface wraps the attributes associated with a user profile.
Holds an attribute and its values, providing useful methods for obtaining and formatting values.
 
Java class for AttributeStatementType complex type.
 
 
Java class for AttributeType complex type.
 
 
Protocol mapper, which adds all client_ids of "allowed" clients to the audience field of the token.
Java class for AudienceRestrictionType complex type.
 
A Function to be used by CacheStream to extract the client's ID from the client sessions associated to a UserSessionEntity.
WARNING: Generated code! Do not edit!
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
An Updater implementation that keeps track of AuthenticatedClientSessionModel changes.
Provides the interface for requesting the authentication(AuthN) and authorization(AuthZ) by an authentication device (AD) to the external entity via Authentication Channel.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Defines constants for authentication flow bindings.
Callback to be triggered during various lifecycle events of authentication flow.
Factory to create AuthenticationFlowCallback instances.
This interface encapsulates information about an execution in an AuthenticationFlow.
 
Set of error codes that can be thrown by an Authenticator, FormAuthenticator, or FormAction
Throw this exception from an Authenticator, FormAuthenticator, or FormAction if you want to completely abort the flow.
 
 
 
 
 
 
 
Stateless object that manages authentication
 
 
 
 
 
NOTE: Calling setter doesn't automatically enlist for update
 
WARNING: Generated code! Do not edit!
 
Allow to encode compound string to fully lookup authenticationSessionModel
 
WARNING: Generated code! Do not edit!
 
Represents the state of the authentication.
 
 
 
Syntactic sugar for {@code RemoteInfinispanKeycloakTransaction<String, RootAuthenticationSessionEntity, ByRealmIdQueryConditionalRemover<String, RootAuthenticationSessionEntity>>
This interface is for users that want to add custom authenticators to an authentication flow.
Java class for AuthenticatorBaseType complex type.
Java class for AuthenticatorBaseType complex type.
 
 
 
 
 
 
Factory for creating Authenticator instances.
 
Java class for AuthenticatorTransportProtocolType complex type.
Java class for AuthenticatorTransportProtocolType complex type.
 
 
Java class for AuthnAuthorityDescriptorType complex type.
Type that represents an AuthnContextClassRef
Java class for AuthnContextComparisonType.
Java class for AuthnContextDeclarationBaseType complex type.
Java class for AuthnContextDeclarationBaseType complex type.
Type that represents an AuthnContextDeclRef
Type that represents an AuthnContextDecl
Java class for AuthnContextType complex type.
Java class for AuthnMethodBaseType complex type.
Java class for AuthnMethodBaseType complex type.
Java class for AuthnQueryType complex type.
Java class for AuthnRequestType complex type.
Java class for AuthnStatementType complex type.
 
OAuth 2.0 Authorization Code Grant https://datatracker.ietf.org/doc/html/rfc6749#section-4.1
Factory for OAuth 2.0 Authorization Code Grant
 
 
 
The internal Keycloak representation of a Rich Authorization Request authorization_details object, together with some extra metadata to make it easier to work with this data in other parts of the codebase.
The JSON representation of a Rich Authorization Request's "authorization_details" object.
 
Common base class for Authorization REST endpoints implementation, which have to be implemented by each protocol.
Implements some checks typical for OIDC Authorization Endpoint.
 
 
 
The main contract here is the creation of PermissionEvaluator instances.
 
 
 
This context object will contain all parsed Rich Authorization Request objects, together with the internal representation that Keycloak is going to use for Scopes.
 
 
 
 
 
 
An entry point for obtaining permissions from the server.
 
 
 
 
 
 
 
 
 
 
 
This is class serves as an entry point for clients looking for access to Keycloak Authorization Services.
Simple crypto provider to be used with the authz-client.
Java class for AuthzDecisionQueryType complex type.
Java class for AuthzDecisionStatementType complex type.
Parse the parameters from PAR
Parse the parameters from request queryString
Parse the parameters from OIDC "request" object
 
 
Class to detect if SSSD is available in the system.
 
 
 
 
 
 
 
 
 
 
Base32 - encodes and decodes RFC3548 Base32 (see http://www.faqs.org/rfcs/rfc3548.html )
Encodes and decodes to and from Base64 notation.
A Base64.InputStream will read data from another java.io.InputStream, given in the constructor, and encode/decode to/from Base64 notation on the fly.
A Base64.OutputStream will write data to another java.io.OutputStream, given in the constructor, and encode/decode to/from Base64 notation on the fly.
 
Common Adapter configuration
 
Abstract Type that represents an ID
Common Realm Configuration
 
 
 
 
Base functionality of an Updater implementation.
 
Base Class for the Stax writers for SAML
 
The default implementation is compliant with RFC 2617
compliant with RFC 6749
 
 
 
 
 
Checks a password against a configured password blacklist.
A BlacklistPasswordPolicyProviderFactory.PasswordBlacklist describes a list of too easy to guess or potentially leaked passwords that users should not be able to use.
Validator to check that User Profile attribute value is not blank (null value is OK!).
Java class for booleanType.
 
 
Represents all identity information obtained from an IdentityProvider after a successful authentication.
Validator to check that User Profile username is provided during Brokerin/Federation.
 
 
The point of this is to improve experience of browser history (back/forward/refresh buttons), but ensure there is no more redirects then necessary.
 
 
 
 
 
A ConditionalRemover implementation to delete SessionEntity based on the realmId value.
 
 
 
 
 
 
 
 
The cache entry, which contains list of all identityProvider links for particular user.
 
 
 
 
Cached authorization model classes will implement this interface.
 
 
 
 
 
 
Cached realms will implement this interface
 
 
 
 
 
 
 
 
 
 
 
 
Cached users will implement this interface
 
 
WARNING: Generated code! Do not edit!
Some notes on how this works: This implementation manages optimistic locking and version checks itself.
 
 
 
 
 
 
 
 
 
 
Java class for CanonicalizationMethodType complex type.
 
 
 
 
 
 
PEM values of key and certificate
The Class CertificateUtils provides utility functions for generation of V1 and V3 X509Certificate
The Class CertificateUtils provides utility functions for generation of V1 and V3 X509Certificate
 
 
Configure Certificate validation
 
 
 
 
 
 
Represents a chunk from the Vite build manifest (see ViteManifest).
Represents an authentication request sent by a consumption device (CD).
 
 
OpenID Connect Client-Initiated Backchannel Authentication Flow https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.10.1
Factory for OpenID Connect Client-Initiated Backchannel Authentication Flow
Provides the resolver that converts several types of receives login hint to its corresponding UserModel.
 
 
 
Java class for CipherDataType complex type.
Java class for CipherReferenceType complex type.
Holding metadata on a claim of verifiable credential.
 
 
 
 
 
 
Claims parameter as described in the OIDC specification https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
 
 
 
 
 
 
 
 
 
 
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
 
Clear all expired revoked tokens.
 
 
 
 
Clear user cache.
 
Clear user cache.
 
 
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
 
 
 
 
 
 
 
 
Encapsulates information about the execution in ClientAuthenticationFlow
This interface is for users that want to add custom client authenticators to an authentication flow.
Factory for creating ClientAuthenticator instances.
 
 
 
 
 
 
TODO: remove this class entirely?
Information about the client connection
OAuth 2.0 Client Credentials Grant https://datatracker.ietf.org/doc/html/rfc6749#section-4.4
Factory for OAuth 2.0 Client Credentials Grant
The simple SPI for authenticating clients/applications .
 
Represents the context in the request to register/read/update/unregister client by Dynamic Client Registration or Admin REST API.
Encapsulates necessary data about client login request (OIDC or SAML request).
Provider plugin interface for importing clients from an arbitrary configuration format
Provider plugin interface for importing clients from an arbitrary configuration format
 
 
 
 
 
 
Validates client based on "client_id" and "client_secret" sent either in request parameters or in "Authorization: Basic" header .
Traditional OAuth2 authentication of clients based on client_id and client_secret
 
 
 
 
 
 
Provides a template/sample client config adapter file.
 
 
 
 
Abstraction interface for lookoup of clients by id and clientId.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Client Policies' (the set of all Client Policy) external representation class
 
 
Utilities for treating client policies/profiles
Just adds some type-safety to the ClientPolicyConditionConfiguration
This condition determines to which client a client policy is adopted.
 
 
 
Provides Client Policy Context.
Events on which client policies mechanism detects and do its operation
 
Just adds some type-safety to the ClientPolicyExecutorConfiguration
This executor specifies what action is executed on the client to which a client policy is adopted.
 
 
 
Provides a method for handling an event defined in ClientPolicyEvent.
 
 
 
 
 
Client Policy's external representation class
 
 
Client Profile's external representation class
Client Profiles' (the set of all Client Profile) external representation class
 
 
 
 
Provider of the client records.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
WARNING: Generated code! Do not edit!
Created by st on 29/03/17.
 
 
Base resource class for managing one particular client of a realm.
 
 
 
 
Partial Import handler for Client Roles.
 
 
 
WARNING: Generated code! Do not edit!
 
 
 
 
Binding between client and clientScope
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Provider of the client scopes records.
 
 
 
WARNING: Generated code! Do not edit!
 
 
Base resource class for managing one particular client of a realm.
 
 
 
 
 
 
 
 
 
Base resource class for managing a realm's client scopes.
 
 
 
Stored configuration of a Client scope Storage provider instance.
 
 
 
 
 
 
Syntactic sugar for RemoteChangeLogTransaction<SessionKey, AuthenticatedClientSessionEntity, AuthenticatedClientSessionUpdater, UserAndClientSessionConditionalRemover<AuthenticatedClientSessionEntity>>
 
 
 
Request-scoped context object
The key stored in the RemoteCache for RemoteAuthenticatedClientSessionEntity.
WARNING: Generated code! Do not edit!
 
 
Util class with Infinispan Ickle Queries for RemoteAuthenticatedClientSessionEntity.
A ConditionalRemover implementation to remove RemoteAuthenticatedClientSessionEntity based on some filters over its state.
 
 
 
 
 
PartialImport handler for Clients.
 
 
Base resource class for managing a realm's clients.
 
Base interface for components that want to provide an alternative storage mechanism for clients This is currently a private incomplete SPI.
 
Stored configuration of a Client Storage provider instance.
 
Deprecated.
TODO:client-types javadocs
 
 
TODO:client-types javadoc
 
 
 
 
 
 
 
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Ensures that there are not concurrent executions of same task (either on this host or any other cluster host)
 
Task to be executed on all cluster nodes once it's notified.
Various utils related to clustering and concurrent tasks on cluster nodes
 
 
 
 
A Function that converts the Collection to a Stream.
WARNING: Generated code! Do not edit!
 
 
SAML Action Type
SAML Advice Type
SAML AssertionType
Predecessor of AuthenticationSessionModel, ClientLoginSessionModel and ClientSessionModel (then action tickets).
 
 
 
Common configuration useful for all providers
Mapper related to mapping of LDAP groups to keycloak model objects (either keycloak roles or keycloak groups)
 
SAML Request Abstract Type
 
Java class for StatusDetailType complex type.
Java class for ComplexAuthenticatorType complex type.
Java class for ComplexAuthenticatorType complex type.
 
 
 
 
 
 
 
Stored configuration of a User Storage provider instance.
 
 
 
 
 
 
 
 
 
KeyLocator that represents a list of multiple KeyLocators.
 
A Condition is used to specify how a specific query parameter is defined in order to filter query results.
Java class for ConditionAbstractType complex type.
 
 
 
 
An OTPFormAuthenticator that can conditionally require OTP authentication.
It handles conditional remove operations.
 
 
 
 
 
 
Java class for ConditionsType complex type.
Conditions validation as per Section 2.5 of https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Event listener which synchronizes mapper configs, when references change.
Interface for updating references in mapper configs, when references (like group path) change.
 
 
Exception indicating an issue with the configuration
 
 
 
 
 
 
 
 
 
 
 
 
Java class for ContactType complex type.
Java class for ContactTypeType.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Created by st on 21/03/17.
 
A Utility class that parses the Response object into the underlying ID attribute
Marking any required action implementation, that is supposed to work with user credentials
Single purpose method that knows how to authenticate a user based on a credential type.
 
Pojo to represent a CredentialDefinition for internal handling
 
 
used to set an execution a state based on type.
 
 
Implentations of this interface can validate CredentialInput, i.e.
Represents a credentials issuer according to the OID4VCI Credentials Issuer Metadata
 
 
 
Used just in cases when we want to "directly" update or retrieve the hash or salt of user credential (For example during export/import)
Holds all information required to build a uri to a credentials offer.
 
 
 
Marking implementation of the action, which is able to register credential of the particular type
 
Represents a CredentialRequest according to OID4VCI
Represents a CredentialResponse according to the OID4VCI Spec
Represents a CredentialsOffer according to the OID4VCI Spec
 
Pojo to represent a CredentialSubject for internal handling
 
 
 
 
 
 
Output of credential validation
 
 
 
 
 
Cross-DC based CrossDCLastSessionRefreshStore Tracks the queue of lastSessionRefreshes, which were updated on this host.
 
 
 
 
Abstraction to handle differences between the APIs for non-fips and fips mode
 
 
This class overrides original ForeignKeySnapshotGenerator from liquibase 3.5.5.
 
We need to remove DELETE SQL command, which liquibase adds by default when inserting record to table lock.
 
We use "SELECT FOR UPDATE" pessimistic locking (Same algorithm like Hibernate LockMode.PESSIMISTIC_WRITE )
 
Liquibase lock service, which has some bugfixes and assumes timeouts to be configured in milliseconds
 
 
 
 
 
 
Util class for localized date and time representation
 
Global database lock to ensure that some actions in DB can be done just be one cluster node at a time.
Lock namespace to have different lock types or contexts.
 
 
Java class for DCEValueType complex type.
 
 
 
 
 
The decision strategy dictates how the policies associated with a given policy are evaluated and how a final decision is obtained.
Java class for DecisionType.
 
UserProfileProvider loading configuration from the changeable JSON file stored in component config.
 
 
 
 
 
Handles hash production for a decoy entry from the given salt.
Part of action token that is intended to be used e.g.
 
The default implementation for Attributes.
 
 
 
 
A single thread will log failures.
 
 
 
The provider retrieves a client certificate and the certificate chain (if any) from the incoming TLS connection.
The factory and the corresponding providers extract a client certificate and the certificate chain (if any) from the incoming TLS connection.
 
 
 
 
 
 
Binding between realm and default clientScope
 
 
Not thread safe.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
This wraps the functionality about export/import for the storage.
 
 
The default HttpClientFactory for HttpClientProvider's used by Keycloak for outbound HTTP calls.
 
 
 
 
 
 
 
 
 
 
Default implementation of DefaultLazyLoader that only fetches data once.
 
 
 
 
 
This wraps the functionality for migrations of the storage.
Various common utils needed for migration from older version to newer
 
The default implementation for generating/formatting user code of OAuth 2.0 Device Authorization Grant.
 
 
 
 
 
 
 
 
 
ArtifactResolver for artifact-04 format.
 
A ScriptingProvider that uses a ScriptEngineManager to evaluate scripts with a ScriptEngine.
 
 
 
 
 
The default implementation for the security profile.
 
 
 
 
 
Default token exchange implementation
Default token exchange provider factory
 
The default implementation for UserProfile.
 
Default VaultCharSecret implementation based on CharBuffer.
Default raw secret implementation for byte[].
Default VaultCharSecret implementation based on String.
Default VaultTranscriber implementation that uses the configured VaultProvider to obtain raw secrets and convert them into other types.
Encoder of saml messages based on DEFLATE compression
 
 
 
 
Explicitly deny access to the resources.
 
Allows to CRUD for configurations (like Authenticator configs).
Allows to register "deployed configurations", which are retrieved in runtime from deployed providers and hence are not saved in the DB
 
 
 
 
 
 
 
 
 
 
Extract PrivateKey, PublicKey, and X509Certificate from a DER encoded byte array or file.
 
Holder containing the information about a destination
Check that Destination field in SAML request/response is either unset or matches the expected one.
 
Cookie encapsulating data to be displayed on the info/error page.
 
 
 
 
 
OAuth 2.0 Device Authorization Grant https://datatracker.ietf.org/doc/html/rfc8628#section-3.4
Factory for OAuth 2.0 Device Authorization Grant
 
 
 
 
 
 
 
 
Java class for DeviceTypeType.
Java class for DeviceTypeType.
Java class for DigestMethodType complex type.
 
 
 
 
Construct a DirExportProviderFactory to be used to export one or more realms.
 
 
Persistence of userSessions is disabled .
Handles undisclosed claims and array elements, providing functionality to generate disclosure digests from Base64Url encoded strings.
 
Manages the specification of undisclosed claims and array elements.
 
 
Represents a DisplayObject, as used in the OID4VCI Credentials Issuer Metadata
Per the docker auth v2 spec, access is defined like this: { "type": "repository", "name": "samalba/my-app", "actions": [ "push", "pull" ] }
 
 
 
 
 
 
 
 
Representation of the docker-compose.yaml file
 
 
Implements a docker-client understandable format.
JSON Representation of a Docker Error in the following format: { "code": "UNAUTHORIZED", "message": "access to the requested resource is not authorized", "detail": [ { "Type": "repository", "Name": "samalba/my-app", "Action": "pull" }, { "Type": "repository", "Name": "samalba/my-app", "Action": "push" } ] }
 
The “kid” field has to be in a libtrust fingerprint compatible format.
 
 
Creates a response understandable by the docker client in the form: { "token" : "eyJh...nSQ", "expires_in" : 300, "issued_at" : "2016-09-02T10:56:33Z" }
* { "iss": "auth.docker.com", "sub": "jlhawn", "aud": "registry.docker.com", "exp": 1415387315, "nbf": 1415387015, "iat": 1415387015, "jti": "tYJCO1c6cnyy7kAn0c7rKPgbV1H1bFws", "access": [ { "type": "repository", "name": "samalba/my-app", "actions": [ "push" ] } ] }
 
 
Utility dealing with DOM
PLINK-158: Maintain backward compatibility
Validate input being any kind of Number.
 
 
 
 
 
 
 
 
 
Java class for DSAKeyValueType complex type.
Dummy lock service injected to Liquibase.
Validator to check User Profile email duplication conditions based on realm settings like isDuplicateEmailsAllowed.
Validator to check that User Profile username already exists in database for another user in case of it's change, and fail in this case.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Implementation of an LD-Crypto Suite for Ed25519Signature2018
 
 
 
 
 
 
 
 
Validator to check User Profile email duplication conditions if isDuplicateEmailsAllowed is false but isRegistrationEmailAsUsername is true.
 
 
 
 
 
 
Email Validator Utility to check email inputs based on hibernate-validator implementation.
Email format validation - accepts plain string and collection of strings, for basic behavior like null/blank values handling and collections support see AbstractStringValidator.
 
A ConditionalRemover that does not remove anything.
 
Assertion that is encrypted
Java class for EncryptedDataType complex type.
Represents an element that is encrypted
Java class for EncryptedKeyType complex type.
Java class for EncryptedType complex type.
Java class for EncryptionMethodType complex type.
 
Java class for EncryptionPropertiesType complex type.
Java class for EncryptionPropertyType complex type.
Java class for EndpointType complex type.
Java class for EntitiesDescriptorType complex type.
*
 
 
 
 
Java class for EntityDescriptorType complex type.
 
 
Classes implementing this interface guarantee that for each instance of this class, there exists an mutually unique integer which is stable in time, and identifies always the same instance of this class.
 
Providers that are only supported in some environments can implement this interface to be able to determine if they should be available or not.
Replaces any ${} strings with their corresponding system property.
 
 
Error Codes for PicketLink https://docs.jboss.org/author/display/PLINK/PicketLink+Error+Codes
 
 
 
 
Represents an error response, containing the error type as defined by OID4VCI
 
 
 
Enum to handle potential errors in issuing credentials with the error types defined in OID4VCI
 
 
 
 
 
 
 
Wraps a ScriptModel so it can be evaluated with custom bindings.
An Evaluation is mainly used by PolicyProvider in order to evaluate a single and specific ResourcePermission against the configured policies.
This interface serves as a bridge between the policy evaluation runtime and the environment in which it is running.
A factory for the different PermissionEvaluator implementations.
 
AttributeChangeListener to audit user profile attribute changes into Event.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Java class for EvidenceType complex type.
 
Use to unwrap exceptions specifically if there is an exception at JTA commit
 
Exchange a token crafted by this provider for a local realm token.
 
 
 
 
 
 
 
 
 
Expiration data for Infinispan storage, in milliseconds.
Token verification exception that bears an error to be logged via event system and a message to show to the user e.g.
 
This adapter allows the exporter to act independent of APIs used to serve the exported data to the caller.
Custom consumer that is allowed to throw an IOException as writing to an output stream might do this.
 
 
Manage importing and updating of realms for the store.
Just to wrap IOException
 
 
 
 
 
 
A type that contains a list of ExtensionType
Java class for ExtensionOnlyType complex type.
Java class for ExtensionOnlyType complex type.
Java class for ExtensionsType complex type.
Java class for ExtensionsType complex type.
Java class for ExtensionType complex type.
Java class for ExtensionType complex type.
 
 
 
 
 
User attribute mapper.
 
 
 
 
 
 
 
 
 
 
 
 
The MySQL database is the only database where columns longer than 255 characters are changed to a TEXT column, allowing for up to 64k characters.
 
 
 
 
 
 
 
 
 
 
 
 
A text-based vault provider, which stores each secret in a separate file.
Creates and configures FilesPlainTextVaultProvider.
 
 
 
 
 
Constants copied from XMLConstants to work around issues with IntelliJ See https://issues.redhat.com/browse/KEYCLOAK-19403
Status of an execution/authenticator in a Authentication Flow
 
 
 
 
Thrown internally when authenticator wants to fork the current flow.
Fine grain processing of a form.
Factory for instantiating FormAction objects.
 
Enum of supported credential formats
 
This class is responsible for rendering a form.
Factory for instantiating FormAuthenticators.
 
Interface that encapsulates the current state of the current form being executed
Message (eg.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Mapper useful for the LDAP deployments when some attribute (usually CN) is mapped to full name of user
 
Set the 'name' claim to be first + last name.
Check that switch "fullScopeAllowed" is not enabled for the clients
 
Check that switch "fullScopeAllowed" is not enabled for the clients
Not thread-safe.
Constants
 
 
 
 
 
 
 
 
 
 
 
 
Java class for anonymous complex type.
Java class for anonymous complex type.
 
 
 
User attribute mapper.
 
 
Result of the "global" request (like push notBefore or logoutAll), which is send to all cluster nodes
 
 
 
 
User attribute mapper.
Java class for GoverningAgreementRefType complex type.
Java class for GoverningAgreementRefType complex type.
Java class for GoverningAgreementsType complex type.
Java class for GoverningAgreementsType complex type.
 
 
 
WARNING: Generated code! Do not edit!
A Supplier that returns a Collector to group and count elements.
WARNING: Generated code! Do not edit!
 
Updates a group reference in a mapper config, when the path of a group changes.
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
 
Maps user group membership
 
 
 
 
 
 
 
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
 
 
 
 
 
 
 
Provider of group records
 
 
 
WARNING: Generated code! Do not edit!
 
 
 
 
 
Partial import handler for Groups.
 
 
 
 
 
 
Stored configuration of a Group Storage provider instance.
 
 
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
 
The provider allows to extract X.509 client certificate forwarded to the keycloak middleware configured behind the haproxy reverse proxy.
 
 
Mappings UserModel property (the property name of a getter method) to an AttributeStatement.
 
 
 
 
Key locator for a bunch of keys.
 
 
 
 
 
 
 
Add a role to a token
Mappings UserModel property (the property name of a getter method) to an AttributeStatement.
 
 
 
 
 
 
 
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
 
 
 
 
 
 
 
The Hostname provider is used by Keycloak to decide URLs for frontend and backend requests.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Abstraction for creating HttpClients.
 
 
 
 
 
 
 
 
Deprecated.
Class is deprecated and may be removed in the future.
Represents an incoming HTTP request.
Represents an out coming HTTP response.
 
 
Java class for IdentificationType complex type.
Java class for IdentificationType complex type.
Represents a security identity, which can be a person or non-person entity that was previously authenticated.
 
Encapsulates parsing logic related to state passed to identity provider in "state" (or RelayState) parameter
 
 
 
 
 
 
 
 
 
 
 
 
 
Specifies a mapping from broker login to user data.
 
PartialImport handler for Identity Provider Mappers.
 
 
 
 
A model type representing the configuration for identity providers.
 
 
 
 
PartialImport handler for Identity Providers.
 
 
 
The IdentityProviderStorageProvider is concerned with the storage/retrieval of the configured identity providers in Keycloak.
Enum to control how login identity providers should be fetched.
Enum that contains all fields that are considered when deciding if a provider should be available for login or not.
 
 
 
IdentityStore representation providing minimal SPI TODO: Rather remove this abstraction
An LSResource Resolver for schema validation
 
Utility class that generates unique IDs
 
 
 
 
 
 
 
 
 
 
 
 
 
Java class for IDPEntryType complex type.
Holds essential information about an IDP for creating saml messages.
Java class for IDPListType complex type.
 
 
 
 
 
Java class for IDPSSODescriptorType complex type.
Same like classic username+password form, but for use in IdP linking.
 
Representation of a token that represents a time-limited verify e-mail action.
Action token handler for verification of e-mail address.
 
 
A validator that fails when the attribute is marked as read only and its value has changed.
 
Session note metadata for impersonation details stored in user session notes.
 
 
 
 
This is an optional capability interface that is intended to be implemented by any UserStorageProvider that supports validating users.
 
 
 
Deprecated.
 
This is an optional capability interface that is intended to be implemented by any UserStorageProvider that supports syncing users to keycloak local storage.
 
 
 
WARNING: Generated code! Do not edit!
Java class for IndexedEndpointType complex type.
 
 
Startup initialization for reading persistent userSessions to be filled into infinispan/memory.
 
 
 
 
 
 
This impl is aware of Cross-Data-Center scenario too
 
 
 
 
 
 
 
 
 
 
 
Impl for sending infinispan messages across cluster and listening to them
 
 
 
 
TODO: Check if Boolean can be used as single-use cache argument instead of SingleUseObjectValueEntity.
 
 
 
 
 
 
 
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
Note that this state is NOT thread safe.
WARNING: Generated code! Do not edit!
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
 
 
User attribute mapper.
Validate input being integer number Integer or Long.
 
 
 
 
 
 
 
Handles invalidation requests.
Tagging interface for the kinds of invalidatable object
 
Representation of a token that represents a time-limited verify e-mail action.
Action token handler for handling invitation of an existing user to an organization.
Wraps a ScriptModel and makes it Invocable.
 
A date validator that only takes into account the format associated with the current locale.
Exception indicating that the IssueInstant is missing
Holds info about the issuer for saml messages creation
Exception indicating that the issuer is not trusted
Handle verifiable credentials (SD-JWT VC), enabling the parsing of existing VCs as well as the creation and signing of new ones.
 
Options for Issuer-signed JWT verification.
 
 
 
 
 
 
 
Utility to obtain JAXB2 marshaller/unmarshaller etc
Utility class associated with JAXP Validation
 
 
 
 
 
 
Factory for the SAML v2 Authn Response
SAML Constants
Define the constants based on URI
 
An interface to represent signed (JWS) and encrypted (JWE) JWTs.
This interface represents a JOSE header.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Create hashes for long values stored in the database.
A JPA based implementation of IdentityProviderStorageProvider.
A JPA based implementation of IdentityProviderStorageProviderFactory.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Migration class to remove old rh-sso themes.
Migration class to update themes for those who had upgraded to 22.0.0 already.
Custom liquibase change to migrate legacy terms and conditions required action for federated users (table FED_USER_REQUIRED_ACTION, in line with what JpaUpdate21_0_2_TermsAndConditionsRequiredAction did to migrate the same action for regular users.
 
 
Custom SQL change to migrate the organization ID and the hide on login page config from the IDP config table to the IDP table.
 
 
Update CREATED_ON and LAST_SESSION_REFRESH columns to current startup time
 
 
Status of database up-to-dateness
 
 
 
 
 
 
 
 
 
 
 
Component model backed by JSON configuration.
 
 
Utility class to handle simple JSON serializable for Keycloak.
Utility methods for manipulating JSON objects.
 
 
 
 
 
 
 
 
JTA TransactionManager lookup
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Client authentication based on JWT signed by client private key .
Client authentication based on JWT signed by client private key .
Client authentication based on JWT signed by client secret instead of private key .
Client authentication based on JWT signed by client secret instead of private key .
Common validation for JWT client authentication with private_key_jwt or with client_secret
Common signing service logic to handle proofs.
VerifiableCredentialsSigningService implementing the JWT_VC format.
Provider Factory to create JwtSigningServices
JWT VC Issuer metadata for endpoint /.well-known/jwt-vc-issuer
WellKnownProvider implementation for JWT VC Issuer metadata at endpoint /.well-known/jwt-vc-issuer
WellKnownProviderFactory implementation for JWT VC Issuer metadata at endpoint /.well-known/jwt-vc-issuer
Override explicitly added ExceptionMapper for handling UnrecognizedPropertyException in RestEasy Jackson org.jboss.resteasy.plugins.providers.jackson.UnrecognizedPropertyExceptionHandler
Configuration specific to KerberosFederationProvider
 
 
Factory for standalone Kerberos federation provider.
Provides abstraction to handle differences between various JDK vendors (Sun, IBM)
 
 
 
Provides serialization/deserialization of kerberos GSSCredential, so it can be transmitted from auth-server to the application and used for further calls to kerberos-secured services
 
 
 
Java class for KeyActivationType complex type.
Java class for KeyActivationType complex type.
 
Options for Key Binding JWT verification.
 
Provides a Keycloak client.
 
Provides a Keycloak client builder with the ability to customize the underlying RESTEasy client used to communicate with the Keycloak server.
 
 
 
 
 
 
 
Custom subclass to expose protected liquibase API.
A Logger implementation that delegates to a JBoss Logger.
A LogService implementation that creates instances of KeycloakLogger.
Override explicitly added ExceptionMapper for handling MismatchedInputException in RestEasy Jackson
 
WARNING: Generated code! Do not edit!
Set of helper methods, which are useful in various model implementations.
 
 
 
 
 
 
Class of constants relating to the OpenAPI annotations in Keycloak and the Keycloak Admin REST API
 
 
 
 
 
 
 
Allows sanitizing of html that uses Freemarker ?no_esc.
Based on the EbayPolicyExample in owasp java-html-sanitizer.
Available in secured requests under HttpServletRequest.getAttribute() Also available in HttpSession.getAttribute under the classname of this class
 
 
 
Task to be executed inside transaction
Interface for tasks that compute a result and need access to the KeycloakSession.
 
 
 
 
 
 
Java class for KeyDescriptorType complex type.
Java class for KeyInfoConfirmationDataType complex type.
 
Tools for KeyInfo object manipulation.
Java class for KeyInfoType complex type.
This interface defines a method for obtaining a security key by ID.
Helper class that facilitates the hash of a Key to be located easier.
 
 
 
 
 
 
 
 
 
 
Java class for KeySharingType complex type.
Java class for KeySharingType complex type.
 
 
 
 
Java class for KeyStorageType complex type.
Java class for KeyStorageType complex type.
Configuration of KeyStore.
 
 
 
Java class for KeyTypes.
 
 
 
Java class for KeyValueType complex type.
Java class for localizedURIType complex type.
 
 
WARNING: Generated code! Do not edit!
A functional interface that can be used to return data D from a source S where implementations are free to define how and when data is fetched from source as well how it is internally cached.
Value object to represent an OID (object identifier) as used to describe LDAP schema, extension and features.
 
 
 
 
 
 
Single RDN inside the DN.
 
An IdentityStore implementation backed by an LDAP directory
 
TODO: Possibly add "priority" instead of hardcoding behaviour
 
 
This class provides a set of operations to manage LDAP trees.
 
Configuration specific to LDAPStorageProvider
Default IdentityQuery implementation.
 
 
 
 
 
 
 
 
 
TODO: LDAPStorageMapper should be divided into more interfaces and let the LDAPStorageMapperManager to check which operation (feature) is supported by which mapper implementation
 
 
 
 
Track which LDAP users were already enlisted during this transaction
 
Utility class for working with LDAP.
Allow to directly call some operations against LDAPIdentityStore.
User model delegate, which tracks what attributes were written to LDAP in this transaction.
Pojo to represent a linked-data proof
Enum containing the w3c-registered Signature Suites
VerifiableCredentialsSigningService implementing the LDP_VC format.
Provider Factory to create LDSigningServices
 
 
Java class for LengthType complex type.
Java class for LengthType complex type.
String value length validation - accepts plain string and collection of strings, for basic behavior like null/blank values handling and collections support see AbstractStringValidator.
 
 
API for linking/unlinking social login accounts
Interface for all implementations of LD-Signature Suites
Specific OIDC LinkedIn provider for Sign In with LinkedIn using OpenID Connect product app.
Specific OIDC LinkedIn provider for Sign In with LinkedIn using OpenID Connect product app.
Specific public key loader that assumes that use for the keys is the requested one.
User attribute mapper.
Method used to format the link expiration time period in emails.
 
 
 
 
 
 
 
 
This interface is used for controlling load balancer.
 
 
Prepare information for the load balancer (possibly in a multi-site setup) whether this Keycloak cluster should receive traffic.
 
A date validator that only takes into account the format associated with the current locale.
 
 
 
 
 
 
 
 
 
Java class for localizedNameType complex type.
Java class for localizedURIType complex type.
 
WARNING: Generated code! Do not edit!
 
WARNING: Generated code! Do not edit!
Indicates that retrieve lock wasn't successful, but it worth to retry it in different transaction (For example if we were trying to create LOCK table, but other transaction created the table in the meantime etc)
 
 
 
 
The decision strategy dictates how the policies associated with a given policy are evaluated and how a final decision is obtained.
 
 
This check verifies that user ID (subject) from the token matches the one from the authentication session.
Verifies that if authentication session exists and any action is required according to it, then it is the expected one.
Verifies whether the given redirect URL, when set, is valid for the given client.
 
 
Syntactic sugar for RemoteChangeLogTransaction<LoginFailureKey, LoginFailureEntity, LoginFailuresUpdater, ByRealmIdConditionalRemover<LoginFailureKey, LoginFailureEntity>>
 
WARNING: Generated code! Do not edit!
 
WARNING: Generated code! Do not edit!
Implementation of Updater and UserLoginFailureModel.
 
 
 
 
 
 
 
 
 
 
Java class for localizedURIType complex type.
 
 
 
 
Java class for LogoutRequestType complex type.
 
 
 
 
Utilities for OIDC logout
 
 
 
 
 
 
A Service Provider Interface (SPI) that allows to plug-in an embedded or remote cache manager instance.
Options for the management interface that handles management endpoints (f.e.
 
 
Java class for ManageNameIDRequestType complex type.
Java class for ManifestType complex type.
A Function to extract the key from a Map.Entry.
WARNING: Generated code! Do not edit!
 
Serializer and deserializer for ProviderConfigProperty.MAP_TYPE
 
 
An Map implementation that keeps track of any modification performed in the Map.
Ids of the protostream type.
Specifies the maximum age of an authentication with which a password may be changed without re-authentication.
 
 
 
 
 
 
Java class for mediumType.
Java class for mediumType.
 
 
 
 
 
 
 
 
 
Bean used to hold form messages per field.
Enum with types of messages.
 
 
 
Identity provider for Microsoft account.
 
 
User attribute mapper.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Implements the migration necessary for version 6.0.0.
 
 
 
 
 
 
Handle the migration of the datastore and an imported realm representation.
 
 
 
 
Various common utils needed for migration from older version to newer
 
 
 
 
 
 
 
Thrown when data can't be retrieved for the model.
 
Thrown to indicate that an error is expected as a result of the validations run against a model.
 
Mapper specific to MSAD LDS.
 
Mapper specific to MSAD.
 
 
 
WARNING: Generated code! Do not edit!
 
 
 
 
 
 
 
Changes VARCHAR type with size greater than 255 to text type for MySQL 8 and newer.
 
A criteria that matches a property based on name
 
 
Java class for NameIDMappingRequestType complex type.
Java class for NameIDMappingResponseType complex type.
Java class for NameIDPolicyType complex type.
Represents a NameIDType
Helper class in process of parsing signature out of SAML token.
Utility methods related to networking.
The NGINX Provider extract end user X.509 certificate send during TLS mutual authentication, and forwarded in an http header.
The factory and the corresponding providers extract a client certificate from a NGINX reverse proxy (TLS termination).
The NGINX Trusted Provider verify extract end user X.509 certificate sent during TLS mutual authentication, verifies it against provided CA the and forwarded in an HTTP header along with a new header ssl-client-verify: SUCCESS.
Simple mapper that adds the nonce claim into the access token as before.
 
Validate that value exists and is not empty nor blank.
 
 
A PasswordPolicyProvider which does not allow to use the current email as password.
 
Check that input value is not empty.
An exception that indicates that something is not ready for use.
 
 
Java class for nymType.
Java class for nymType.
Data associated with the oauth2 code.
 
 
 
Representation for Device Authorization Response.
 
 
 
 
 
 
 
 
Provider interface for OAuth 2.0 grant types
 
Base class for OAuth 2.0 grant types
Provider interface for OAuth 2.0 grant types
A Spi to support pluggable OAuth 2.0 grant types in Token Endpoint.
 
OAuth2WellKnownProviderFactory implementation for the OAuth2 auto discovery
Deprecated.
 
 
 
A type that contains a list of objects
Any class with package org.jboss.resteasy.skeleton.key will use NON_DEFAULT inclusion
Java class for ObjectType complex type.
 
 
 
 
Type of credential offer uri to be returned.
 
Hacked extension to UserSessionModel so that user id can be obtain directly so
Implementation of the TimeProvider that delegates calls to the common Time class.
Pojo, containing all information required to create a VCClient.
Provides the client-registration functionality for OID4VC-clients.
Implementation of the ClientRegistrationProviderFactory to integrate the OID4VC protocols with Keycloak's client-registration.
Allows to add the context to the credential subject
Interface for all OID4VC related provider factories, to ensure usage of the same feature flag.
Map issuance date to the credential, under the default claim name "iat"
Provides the (REST-)endpoints required for the OID4VCI protocol.
WellKnownProvider implementation to provide the .well-known/openid-credential-issuer endpoint, offering the Credential Issuer Metadata as defined by the OID4VCI protocol
WellKnownProviderFactory implementation for the OID4VCI metadata
Factory for creating all OID4VC related endpoints and the default mappers.
Base class for OID4VC Mappers, to provide common configuration and functionality for all of them
Allows to add statically configured claims to the credential subject
Sets an ID for the credential, either randomly generated or statically configured
Adds the users roles to the credential subject
Allows to add types to the credential subject
Allows to add user attributes to the credential subject
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Resource class for the oauth/openid connect token service
 
 
 
 
 
 
Callback for component creation.
Java class for OneTimeUseType complex type.
Callback for component update.
 
Identity provider for Openshift V3.
 
 
 
Identity provider for Openshift V4.
OpenShift 4 Identity Provider configuration class.
OpenShift 4 Identity Provider factory class.
Java class for OperationalProtectionType complex type.
Java class for OperationalProtectionType complex type.
 
 
 
 
Validation against list of allowed values - accepts plain string and collection of strings (every value is validated against allowed values), for basic behavior like null/blank values handling and collections support see AbstractStringValidator.
 
 
 
 
 
 
 
 
 
 
JPA entity representing an internet domain that can be associated with an organization.
Model implementation of an organization internet domain.
Representation implementation of an organization internet domain.
 
 
 
 
 
 
 
 
 
 
 
 
 
A Provider that manages organization and its data within the scope of a realm.
 
 
 
 
 
 
An enum with utility methods to process the OIDCLoginProtocolFactory.ORGANIZATION scope.
 
 
 
 
 
 
 
Java class for OrganizationType complex type.
Java class for AuthenticatorBaseType complex type.
Java class for AuthenticatorTransportProtocolType complex type.
Java class for AuthnContextDeclarationBaseType complex type.
Java class for AuthnMethodBaseType complex type.
 
 
 
 
 
The supported encodings when reading the raw secret from the storage
 
 
 
 
 
 
 
 
 
 
 
 
PAMAuthenticator for Unix users
 
Pushed Authorization Request endpoint
Parse the parameters from a request object sent to PAR Endpoint
 
 
 
General Exception indicating parsing exception
Main interface for PartialImport handlers.
This class manages the PartialImport handlers.
Deprecated.
Used for partial import of users, groups, clients, roles, and identity providers.
 
This class represents a single result for a resource imported.
Aggregates all the PartialImportResult objects.
 
 
 
 
 
 
 
 
 
 
 
An implementation of the LDAP Password Modify Extended Operation client request.
 
 
 
Created by st on 23/05/17.
 
 
 
 
 
 
 
 
 
Java class for PasswordType complex type.
Java class for PasswordType complex type.
 
Deprecated.
Recommended to use UserCredentialModel as it contains all the functionality required by this class
 
A utility class for handling URI template parameters.
 
Validate String against configured RegEx pattern - accepts plain string and collection of strings, for basic behavior like null/blank values handling and collections support see AbstractStringValidator.
 
 
 
User attribute mapper.
Implementation PBKDF2 password hash algorithm.
Deprecated.
The PBKDF2 provider with SHA1 and the recommended number of 1.300.000 iterations is known to be very slow.
PBKDF2 Password Hash provider with HMAC using SHA256
Provider factory for SHA512 variant of the PBKDF2 password hash algorithm.
Java class for PDPDescriptorType complex type.
 
Utility classes to extract PublicKey, PrivateKey, and X509Certificate from openssl generated PEM files
Utility classes to extract PublicKey, PrivateKey, and X509Certificate from openssl generated PEM files
 
 
An PermissionEvaluator represents a source of ResourcePermission, responsible for emitting these permissions to a consumer in order to evaluate the authorization policies based on a EvaluationContext.
User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html#uma-grant-type
Factory for User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization
 
An entry point for managing permission tickets using the Protection API.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
A PermissionTicketStore is responsible to manage the persistence of PermissionTicket instances.
 
 
 
 
 
 
 
 
 
Run one thread per session type and drain the queues once there is an entry.
Marker interface for tasks that update persistent sessions
Capture information for a deferred update of the session stores.
 
 
 
 
 
 
The store is supposed to do periodic bulk update of lastSessionRefresh times of all userSessions, which were refreshed during some period of time.
 
This validator disallowing bunch of characters we really not to expect in names of persons (fist, middle, last names).
Java class for PGPDataType complex type.
Java class for anonymous complex type.
Java class for anonymous complex type.
Any exception that is raised by the security module extends from this runtime exception class, making it easy for other modules and extensions to catch all security-related exceptions in a single catch block, if need be.
Constants useful to the JBoss Identity Federation project
This interface acts as a Log Facade for PicketLink, from which exceptions and messages should be created or logged.
Factory class to create PicketLinkLogger instances.
 
 
 
 
 
 
 
Represents an authorization policy and all the configuration associated with it.
 
 
 
The policy enforcement mode dictates how authorization requests are handled by the server.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
A PolicyEvaluator evaluates authorization policies based on a given ResourcePermission, sending the results to a Decision point through the methods defined in that interface.
 
 
 
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
An entry point for managing user-managed permissions for a particular resource
 
 
 
 
 
A PolicyStore is responsible to manage the persistence of Policy instances.
 
 
 
WARNING: Generated code! Do not edit!
Exception that is thrown when validation errors are found when creating/updating policies.
 
Utility for the HTTP/Post binding
 
 
Executed at startup after model migration is finished
 
Represents a pre-authorized grant, as used by the Credential Offer in OID4VCI
 
Factory for Pre-Authorized Code Grant
Container for the pre-authorized code to be used in a Credential Offer
Present LDAP condition attrname=* for filters
Java class for PrincipalAuthenticationMechanismType complex type.
Java class for PrincipalAuthenticationMechanismType complex type.
 
Java class for PrivateKeyProtectionType complex type.
Java class for PrivateKeyProtectionType complex type.
Exception to indicate a server processing error
 
 
 
 
 
 
 
 
 
 
 
Proof to be used in the Credential Request(to allow holder binding) according to OID4VCI
Enum to provide potential proof types for holder-binding
See: https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-cwt-proof-type
See: https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-jwt-proof-type
See: https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-ldp_vp-proof-type
See: https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types
Utility class for working with JavaBean style properties
 
 
A representation of a JavaBean style property
A property criteria can be used to filter the properties found by a PropertyQuery
Utilities for working with property queries
Queries a target class for properties that match certain criteria.
An entry point for managing resources using the Protection API.
An entry point to access the Protection API endpoints.
 
 
 
 
 
Specifies a mapping from user data to a protocol claim assertion.
 
 
 
 
 
Base resource for managing users
 
 
 
Configuration property metadata.
Builds a list of ProviderConfigProperty instances.
 
 
 
At boot time, keycloak discovers all factories.
 
 
 
 
 
 
ProxyMappings describes an ordered mapping for hostname regex patterns to a HttpHost proxy.
ProxyMappings.ProxyMapping describes a Proxy Mapping with a Hostname Pattern that is mapped to a proxy HttpHost.
A DefaultRoutePlanner that determines the proxy to use for a given target hostname by consulting the given ProxyMappings.
 
 
Java class for ProxyRestrictionType complex type.
 
 
 
 
 
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
 
 
 
 
Java class for PublicKeyType complex type.
Java class for PublicKeyType complex type.
Resource class for public realm information
 
 
 
 
 
 
Validator to check that User Profile attribute value is not changed if attribute is read-only.
Thrown when UserStorageProvider UserModel adapter is read-only
 
Will be good to get rid of this class and use ReadOnlyUserModelDelegate, but it can't be done now due the backwards compatibility.
Readonly proxy for a SSSD UserModel that prevents attributes from being updated.
 
This interface provides methods to query information from a realm.
 
 
Base resource class for the admin REST api of one realm
 
 
 
 
 
 
- the high level architecture of this cache is an invalidation cache.
 
 
 
 
 
 
 
Per request object
Deprecated.
Deprecated.
 
 
 
 
 
 
 
 
 
 
 
 
WARNING: Generated code! Do not edit!
 
WARNING: Generated code! Do not edit!
 
 
 
A RealmResourceProvider creates JAX-RS sub-resource instances for paths relative to Realm's RESTful API that could not be resolved by the server.
A factory that creates RealmResourceProvider instances.
A Spi to plug additional sub-resources to Realms' RESTful API.
PartialImport handler for Realm Roles.
 
Top level resource for Admin REST API
 
 
 
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Utility class for SAML HTTP/Redirect binding
A Destination holder that holds the destination host url and the destination query string
 
Java class for anonymous complex type.
 
Java class for ReferenceType complex type.
Java class for ReferenceType complex type.
Utility class for working with JDK Reflection and also CDI's {link Annotated} metadata.
 
OAuth 2.0 Refresh Token Grant https://datatracker.ietf.org/doc/html/rfc6749#section-6
Factory for OAuth 2.0 Refresh Token Grant
 
 
 
 
 
 
 
 
 
 
 
 
 
Validator to check User Profile email attribute value during Registration when "RegistrationEmailAsUsername()" is enabled.
Validator to check User Profile username attribute value during Registration when "RegistrationEmailAsUsername()" is enabled.
 
 
 
 
 
 
Validator to check User Profile username attribute uniqueness during registration (when "RegistrationEmailAsUsername()" is NOT enabled).
 
 
 
 
 
 
 
 
 
Java class for RelayStateType complex type.
 
WARNING: Generated code! Do not edit!
 
Get either just remoteCache associated with remoteStore associated with infinispan cache of given name.
 
 
 
 
A KeycloakTransaction implementation that keeps track of changes made to entities stored in a Infinispan cache.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
WARNING: Generated code! Do not edit!
An UserSessionProvider implementation that uses only RemoteCache as storage.
 
 
WARNING: Generated code! Do not edit!
 
 
WARNING: Generated code! Do not edit!
Performs an entity replacement in Infinispan, using its versions instead of equality.
WARNING: Generated code! Do not edit!
 
Java class for RequestAbstractType complex type.
Provides some info about current HTTP request.
Java class for RequestedAttributeType complex type.
Java class for RequestedAuthnContextType complex type.
Java class for RequestType complex type.
 
Represents the configurable properties of a RequiredAction.
Holds the configuration for a required action.
Represents the configuration of a RequiredAction.
Interface that encapsulates information about the current required action
 
 
 
Factory interface for RequiredActionProvider's.
Helpers for managing RequiredActions.
RequiredAction provider.
 
 
 
 
Some endpoints (like register new required action) doesn't support all the fields (like setEnabled etc).
 
 
 
 
 
 
 
 
 
 
Representation of a token that represents a time-limited reset credentials action.
 
 
 
 
Useful when there is a need for callback when time offset is restarted.
 
Represents a resource, which is usually protected by a set of policies within a resource server.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
OAuth 2.0 Resource Owner Password Credentials Grant https://datatracker.ietf.org/doc/html/rfc6749#section-4.3
Factory for OAuth 2.0 Resource Owner Password Credentials Grant
 
 
Represents a permission for a given resource.
 
 
 
 
 
 
 
WARNING: Generated code! Do not edit!
One or more resources that the resource server manages as a set of protected resources.
 
 
 
 
Represents a resource server, whose resources are managed and protected.
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
A ResourceServerStore is responsible to manage the persistence of ResourceServer instances.
 
WARNING: Generated code! Do not edit!
 
 
 
 
 
A ResourceStore is responsible to manage the persistence of Resource instances.
Represents Keycloak resource types for which AdminEvent's can be triggered.
Enum for each resource type that can be partially imported.
 
WARNING: Generated code! Do not edit!
Java class for ResponseType complex type.
Java class for ResponseType complex type.
 
This is an an encoded token that is stored as a cookie so that if there is a client timeout, then the authentication session can be restarted.
Deprecated.
use org.keycloak.util.KeycloakSessionUtil instead
An implementation of ResteasyClientProvider based on RESTEasy classic.
An SPI for using the JAX-RS Client API regardless of the underlying stack.
Java class for RestrictedLengthType complex type.
Java class for RestrictedLengthType complex type.
Java class for RestrictedPasswordType complex type.
Java class for RestrictedPasswordType complex type.
 
 
Java class for RetrievalMethodType complex type.
 
Runnable, which provides some additional info (iteration for now)
Needed here because: - java.util.function.Supplier defined from Java 8 - Adds some additional info (current iteration)
Needed here because: - java.util.function.BiConsumer defined from Java 8 - Adds some additional info (current iteration and called throwable
 
 
Stores a list of revoked tokens in the database, so it is available after restarts.
Use this to revoke a token, so they will be available even after the restart of Keycloak.
 
 
 
Pojo representation of a role to be added by the OID4VCTargetRoleMapper
 
 
 
WARNING: Generated code! Do not edit!
 
Sometimes its easier to just interact with roles by their ID instead of container/role-name
Sometimes its easier to just interact with roles by their ID instead of container/role-name
Updates a role reference in a mapper config, when a client ID changes.
Updates a role reference a in mapper config, when a role name changes.
 
 
 
Java class for RoleDescriptorType complex type.
 
Map realm roles or roles of particular client to LDAP groups
 
 
 
Abstraction interface for lookup of both realm roles and client roles by id, name and description.
 
 
Base resource for managing users
 
 
 
Map an assigned role to a different position and name in the token
Map an assigned role to a different position and name in the token
 
 
 
 
 
 
 
 
Provider of the role records.
 
 
 
WARNING: Generated code! Do not edit!
 
 
Helper class to ensure that all the user's permitted roles (including composite roles) are loaded just once per request.
 
 
 
This class handles both realm roles and client roles.
 
 
 
 
Base interface for components that want to provide an alternative storage mechanism for roles
 
Stored configuration of a Role Storage provider instance.
 
 
WARNING: Generated code! Do not edit!
 
 
 
WARNING: Generated code! Do not edit!
Represents usually one browser session with potentially many browser tabs.
Introspects token accordingly with UMA Bearer Token Profile.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Java class for RSAKeyValueType complex type.
 
 
Deprecated.
Limit the amount of data read to prevent a OutOfMemoryError.
 
SAML11 Action Type
Parse the saml assertion
Write the SAML 11 Assertion to stream
 
 
 
Constants for the SAML v1.1 Specifications
 
Utility for parsing SAML 1.1 payload
 
Parse the SAML2 AuthnRequest
Write the SAML11RequestType to stream
Parse the SAML 11 Response
Write the SAML11ResponseType to stream
 
 
Parse the saml subject
 
 
 
 
Handles for dealing with SAML2 Authentication
 
 
 
 
Marker Interface
API for SAML2 Request
 
API for dealing with SAML2 Response objects
Class that deals with SAML2 Signature
PublicKeyLoader to retrieve keys from a SAML metadata entity endpoint.
 
Parse the SAML Response
 
 
Deal with AssertionType
Parse the saml assertion
Elements and attribute names from saml-schema-assertion-2.0.xsd
Write the SAML Assertion to stream
 
 
Parse the in the saml assertion
Parse the in the saml assertion
 
 
Parse the in the saml assertion
 
SAML mapper to add a audience restriction into the assertion, to another client (clientId) or to a custom URI.
SAML audience resolve mapper.
Parse the in the saml assertion
Provider interface for SAML authentication preprocessing.
 
 
Parse the in the saml assertion
 
Context for the saml authn request.
Parse the SAML2 AuthnRequest
Parse the in the saml assertion
 
 
Executor factory for SAML client that ensures REDIRECT is not used for responses and forces POST binding configuration option in the client creation/update.
Configuration of a SAML-enabled client.
Parse the in the saml assertion
 
 
 
This implementation locates the decryption keys within realm keys.
A Holder class that can store the SAML object as well as the corresponding DOM object.
 
 
This enum provides mapping between Keycloak provided encryption algorithms and algorithms from xmlsec.
 
 
 
Parse the SAML Entities Descriptor
 
Parse the SAML Metadata element "EntityDescriptor"
Parses <samlp:Extensions> SAML2 element into series of DOM nodes.
Parses <samlp:Extensions> SAML2 element into series of DOM nodes.
 
 
 
 
 
 
 
 
Context for the saml logout request.
 
 
KeyLocator that caches the keys into a PublicKeyStorageProvider.
PublicKeyLoader to retrieve keys from a SAML metadata entity endpoint.
 
Deals with SAML2 Metadata
Write the SAML metadata elements
 
 
 
Parse SAML payload
Utility methods for SAML Parser
 
 
 
 
 
Implementations of this interface are builders that can register <samlp:Extensions> content providers.
 
 
Elements from saml-schema-protocol-2.0.xsd
 
Parse the <ProxyRestriction Count=\"\"> tag
 
Base Class for SAML Request Parsing
Parse the in the saml assertion
Parse the SAML2 RequestedAuthnContext
 
Writes a SAML2 Request Type to Stream
Parse the SAML Response
Write a SAML Response to stream
 
 
 
 
 
Executor factory that enforces that all URLs configured in a SAML client are secure (https).
Resource class for the saml connect token service
 
 
Policy executor that enforces client and server (full document or assertion) signature is ON.
 
 
Parse the Single Log Out requests
Parse the SLO Response
 
 
 
Base Class for all Response Type parsing for SAML2
Base Class for all Response Type parsing for SAML2
Base Class for all Response Type parsing for SAML2
 
 
Parse the saml subject
 
 
 
Manages the schemas for PicketLink
Represents a scope, which is usually associated with one or more resources in order to define the actions that can be performed or a specific access context.
 
 
 
 
 
 
 
 
 
Base class for managing the scope mappings of a specific client.
 
 
 
 
 
 
 
 
WARNING: Generated code! Do not edit!
A bounded extent of access that is possible to perform on a resource set.
 
A ScopeStore is responsible to manage the persistence of Scope instances.
 
WARNING: Generated code! Do not edit!
Java class for ScopingType complex type.
A ScriptModel which holds some meta-data.
An Authenticator that can execute a configured script during authentication flow.
This class provides a mapper that uses javascript to attach a value to an attribute for SAML tokens.
OIDC ProtocolMapper that uses a provided JavaScript fragment to compute the token claim value.
Callback interface for customization of Bindings for a ScriptEngine.
 
Indicates compilation problems reported by a ScriptException and adds additional metadata.
Augments a ScriptException and adds additional metadata.
A Provider than provides Scripting capabilities.
 
 
A representation of a Script with some additional meta-data.
 
 
Handle jws, either the issuer jwt or the holder key binding jwt.
Main entry class for selective disclosure jwt (SD-JWT).
 
 
Represents a top level claim in the payload of a JWT.
Strong typing claim name to avoid parameter mismatch.
Strong typing salt to avoid parameter mismatch.
VerifiableCredentialsSigningService implementing the SD_JWT_VC format.
Provider Factory to create SdJwtSigningServices
 
Runs SD-JWT verification in isolation with only essential properties.
 
 
 
 
Java class for SecretKeyProtectionType complex type.
Java class for SecretKeyProtectionType complex type.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Privileged Blocks
Java class for SecurityAuditType complex type.
Java class for SecurityAuditType complex type.
 
 
 
 
 
Default configuration for security profile.
The security profile provider is a default security configuration that enforces a minimum level of security in the keycloak environment.
 
 
 
 
Adding an in-JVM lock to prevent a best-effort concurrent executions for the same ID.
 
 
 
 
 
 
 
 
Marker interface for ProviderFactory of Provider which wants to show some info on "Server Info" page in Admin console.
 
 
 
 
Non-recoverable error thrown during server startup
A specific Attributes implementation to handle service accounts.
 
 
 
Main logger for the Keycloak Services module.
Warning this class consists of generated code.
Deprecated.
- DELETE once only used from within legacy datastore module
 
 
 
 
 
WARNING: Generated code! Do not edit!
Represents an entity containing data about a session, i.e.
An updated interface for Infinispan cache.
 
WARNING: Generated code! Do not edit!
Postpone sending notifications of session events to the commit of Keycloak transaction
 
Shared methods to calculate the session expiration and idle.
Function definition used for the lifespan and idle calculations for the infinispan session entities.
 
 
Object, which contains some context data to be used by SessionLoader implementation.
Object, which is computed before each worker iteration and contains some data to be used by the corresponding worker iteration.
Result of single worker iteration
 
WARNING: Generated code! Do not edit!
 
Created by st on 29/03/17.
 
 
 
 
 
A Function to unwrap the SessionEntity from the SessionEntityWrapper.
WARNING: Generated code! Do not edit!
tracks all changes to the underlying session in this transaction
 
 
 
 
WARNING: Generated code! Do not edit!
Deprecated.
for removal in Keycloak 27
Event to trigger that will add defaults for a realm after it has been imported.
 
 
 
 
 
Password that uses SHA to encode passwords.
This element indicates that the Principal has been authenticated by a challenge-response protocol utilizing shared secret keys and symmetric cryptography.
This element indicates that the Principal has been authenticated by a challenge-response protocol utilizing shared secret keys and symmetric cryptography.
 
 
Holds information about signature
Java class for SignatureMethodType complex type.
Java class for SignaturePropertiesType complex type.
Java class for SignaturePropertyType complex type.
 
 
 
 
 
Java class for SignatureType complex type.
Signature utility for signing content
A Transfer Object used by XMLSignatureUtil
Indicates the failure of signature validation
Java class for SignatureValueType complex type.
 
Java class for SignedInfoType complex type.
Properties for configuring the VerifiableCredentialsSigningService's
Abstract base class to provide the Signing Services common functionality
Exception to be thrown if credentials signing does fail
 
 
Convenience interface to ease implementation of small Validator implementations.
 
Construct a SingleFileExportProvider to be used to export one or more realms.
 
 
 
Provides a cache to store data for single-use use case or the details about used action tokens.
 
 
Syntactic sugar for RemoteInfinispanKeycloakTransaction<String, SingleUseObjectValueEntity, ConditionalRemover<String, SingleUseObjectValueEntity>>
 
WARNING: Generated code! Do not edit!
This model represents contents of an action token shareable among Keycloak instances in the cluster.
 
 
 
 
 
 
 
 
 
 
 
 
 
Holds the information about a Service Provider
Java class for SPKIDataType complex type.
 
 
 
 
Java class for SPSSODescriptorType complex type.
 
Using this class is ugly, but it is the only way to push our truststore to the default LDAP client implementation.
Java class for SSODescriptorType complex type.
 
 
SPI provider implementation to retrieve data from SSSD and authenticate against PAM
 
Stackoverflow social provider.
 
 
User attribute mapper.
 
 
Java class for StatementAbstractType complex type.
Deals with SAML2 Statements
Java class for StatusCodeType complex type.
Java class for StatusDetailType complex type.
Java class for StatusResponseType complex type.
Java class for StatusType complex type.
Interface to indicate the parser.
Utility for the stax based parser
Utility class that deals with StAX
Utility methods for stax writing
 
 
 
 
 
A factory for the different types of storages that manage the persistence of the domain model types.
 
 
 
 
Event for notifying the store, so it can do migrations on the representation as needed.
Event for notifying the store about the need to reconfigure user providers synchronization.
 
 
 
 
 
 
A utility class for replacing properties in strings.
 
Utilities to serialize objects to string.
 
Utility dealing with Strings
 
 
interface to encapsulate the getComponentProperties() function in order to make the code unit-testable
Useful when you want to describe config properties that are effected by the parent ComponentModel
Java class for SubjectConfirmationDataType complex type.
Java class for SubjectConfirmationType complex type.
Validates and manages the credentials of a known entity (for example, a user).
 
Java class for SubjectLocalityType complex type.
Java class for SubjectQueryAbstractType complex type.
Java class for SubjectType complex type.
 
 
 
Substring condition for ldap filters, attrname=*some*thing* for example.
A supported credential, as used in the Credentials Issuer Metadata in OID4VCI
 
 
 
 
 
 
 
 
Provides replacing of system properties for parsed values
 
Utility dealing with the system properties at the JVM level for PicketLink
 
Wrapper around ScheduledTask.
 
Java class for TechnicalProtectionBaseType complex type.
Java class for TechnicalProtectionBaseType complex type.
 
 
Java class for TerminateType complex type.
 
 
 
 
 
 
 
 
 
 
 
Theme resource
A theme resource provider can be used to load additional templates and resources.
 
 
 
 
 
 
 
 
 
 
TOTP: Time-based One-time Password Algorithm Based on http://tools.ietf.org/html/draft-mraihi-totp-timebased-06
 
 
 
 
 
Interface to provide the current time
 
 
 
 
 
Java class for TimeSyncTokenType complex type.
Java class for TimeSyncTokenType complex type.
 
 
 
 
 
Token exchange context
OAuth 2.0 Authorization Code Grant https://datatracker.ietf.org/doc/html/rfc8693#section-2.1
Factory for OAuth 2.0 Authorization Code Grant
Provides token exchange mechanism for supported tokens
A factory that creates TokenExchangeProvider instances.
A Spi to support pluggable token exchange handlers in the OAuth2 Token Endpoint.
 
 
A token introspection endpoint based on RFC-7662.
Provides introspection for a determined OAuth2 token type.
A factory that creates TokenIntrospectionProvider instances.
 
A Spi to support additional tokens types to the OAuth2 Token Introspection Endpoint.
 
 
 
Stateless object that creates tokens and manages oauth access codes
 
Check if access token was revoked with OAuth revocation endpoint
 
 
Exception thrown for cases when token is invalid due to time constraints (expired, or not yet valid).
 
 
 
 
 
 
 
 
 
Thrown when token signature is invalid.
 
Java class for TokenType complex type.
Java class for TokenType complex type.
 
 
Exception thrown on failed verification of a token.
 
 
 
Functional interface of checks that verify some part of a JWT.
 
 
 
Used for UpdateTotp required action
Used for TOTP login
 
 
 
 
 
 
Utility to deal with JAXP Transformer
Java class for TransformsType complex type.
Java class for TransformsType complex type.
Java class for TransformType complex type.
 
 
 
ConfigurationException in the TrustKeyManager
Processing Exception in the trust key manager
Builds a system-wide truststore from the given config options.
 
 
 
 
 
 
 
 
Represents a transaction code as used in the pre-authorized grant in the Credential Offer in OID4VCI
Delegates to client-type and underlying delegate
A criteria that matches a property based on its type
Different options can be used to match a specific property based on its type.
Utility class for Types
Abstract base class for types that can have extra attributes
*
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Deprecated.
for removal in Keycloak 27
Base helper class.
Configuration of the Attribute.
Configuration of permissions for the attribute
Config of the rules when attribute is required.
Config of the rules when attribute is selected.
Configuration of the User Profile for one realm.
 
Utility methods to work with User Profile Configurations
Used to track cache revisions
 
 
 
 
 
This will perform update operation for particular attribute/property just if the existing value is not already same.
 
 
Abstraction, which allows to display updateProfile page in various contexts (Required action of already existing user, or first identity provider login when user doesn't yet exists in Keycloak DB)
An interface used by RemoteChangeLogTransaction.
A factory interface that creates, wraps or deletes entities.
 
 
Configuration of the attribute group.
 
 
A type that holds URI
 
URI validation - accepts URI, URL and single String.
 
 
 
 
 
See https://support.microsoft.com/en-us/kb/305144
 
 
 
 
Deprecated.
This interface is no longer necessary; collection-based methods were removed from the parent interface and therefore the parent interface can be used directly
 
 
 
 
Mappings UserModel.attribute to an ID Token claim.
 
Mappings UserModel attribute (not property name of a getter method) to an AttributeStatement.
 
Deprecated.
This interface is no longer necessary; collection-based methods were removed from the parent interface and therefore the parent interface can be used directly
This is an optional capability interface that is intended to be implemented by any UserStorageProvider that supports bulk operations.
All these methods effect an entire cluster of Keycloak instances.
 
 
 
 
WARNING: Generated code! Do not edit!
 
Allows mapping of user client role mappings to an ID and Access Token claim.
 
 
 
 
Deprecated.
This interface is no longer necessary, collection-based methods were removed from the parent interface and therefore the parent interface can be used directly
 
 
 
 
WARNING: Generated code! Do not edit!
This is an optional capability interface that is intended to be implemented by UserStorageProvider that supports count queries.
Handling credentials for a given user for the store.
 
 
 
 
Deprecated.
This interface is no longer necessary; collection-based methods were removed from the parent interface and therefore the parent interface can be used directly
 
 
 
Deprecated.
This interface is no longer necessary; collection-based methods were removed from the parent interface and therefore the parent interface can be used directly
 
WARNING: Generated code! Do not edit!
 
WARNING: Generated code! Do not edit!
 
 
 
 
 
 
 
Used when user added/removed
WARNING: Generated code! Do not edit!
 
 
 
Deprecated.
This interface is no longer necessary; collection-based methods were removed from the parent interface and therefore the parent interface can be used directly
 
 
 
 
 
 
 
 
 
 
 
 
 
 
This is an optional capability interface that is intended to be implemented by any UserStorageProvider that supports basic user querying.
 
 
 
 
 
 
 
 
Delegation pattern.
 
 
 
Validator to check that User Profile username is provided.
Validator to check that User Profile username is provided.
Validator to check User Profile username change and prevent it if not allowed in realm.
 
 
This validator disallowing bunch of characters we really not to expect in username.
 
 
 
 
 
 
 
 
 
 
 
An interface that serves an entry point for managing users and their attributes.
 
 
Extension of the ValidationContext used when validators are called for UserProfile attribute validation.
Constants related to user profile
This interface represents the different contexts from where user profiles are managed.
This interface allows user storage providers to customize the user profile configuration and its attributes for realm on a per-user storage provider basis.
 
 
The provider responsible for creating UserProfile instances.
 
 
 
 
 
Mappings UserModel property (the property name of a getter method) to an AttributeStatement.
Mappings UserModel property (the property name of a getter method) to an ID Token claim.
 
 
 
This is an optional capability interface that is intended to be implemented by any UserStorageProvider that supports complex user querying.
This is an optional capability interface that is intended to be implemented by any UserStorageProvider that supports complex user querying.
Allows mapping of user realm role mappings to an ID and Access Token claim.
This is an optional capability interface that is intended to be implemented by any UserStorageProvider that supports addition of new users.
 
 
 
 
 
Deprecated.
This interface is no longer necessary; collection-based methods were removed from the parent interface and therefore the parent interface can be used directly
 
Base resource for managing users
 
 
 
Deprecated.
This interface is no longer necessary; collection-based methods were removed from the parent interface and therefore the parent interface can be used directly
Strategy for how to retrieve LDAP roles of user
Roles of user will be retrieved from "memberOf" attribute of our user
Roles of user will be retrieved by sending LDAP query to retrieve all roles where "member" is our user
Extension specific to Active Directory.
 
Syntactic sugar for RemoteChangeLogTransaction<SessionKey, UserSessionEntity, UserSessionUpdater, UserAndClientSessionConditionalRemover<UserSessionEntity>>
Deprecated, for removal: This API element is subject to removal in a future version.
To be removed without replacement.
 
WARNING: Generated code! Do not edit!
 
 
 
 
Flag used when creating user session
 
 
Describes a user session note for simple and generic ProtocolMapperModel creation.
Mappings UserSessionModel.note to an ID Token claim.
Maps a user session note to a SAML attribute
 
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
Util class with Infinispan Ickle Queries for RemoteUserSessionEntity.
A ConditionalRemover implementation to remove RemoteUserSessionEntity based on some filters over its state.
 
 
A KeycloakTransaction implementation that wraps all the user and client session transactions.
The Updater implementation to keep track of modifications for UserSessionModel.
 
 
 
PartialImport handler for users.
 
 
Base resource for managing users
 
 
A class implementing this interface represents a user storage provider to Keycloak.
Optional type that can be used by implementations to describe edit mode of user storage
WARNING: Generated code! Do not edit!
 
Stored configuration of a User Storage provider instance.
WARNING: Generated code! Do not edit!
 
 
 
 
 
 
 
 
 
 
 
 
WARNING: Generated code! Do not edit!
 
 
 
 
 
 
 
Interface that encapsulates the current validation that is being performed.
Holds information about the validation state.
 
 
Denotes an error found during validation.
 
 
 
Denotes the result of a validation.
 
 
 
Validates given input in a ValidationContext.
 
A typed wrapper around a Map based Validator configuration.
 
Validate that input value is ValidatorConfig and it is correct for validator (inputHint must be ID of the validator config is for) by Validators.validateConfig(org.keycloak.models.KeycloakSession, String, ValidatorConfig).
A factory for custom Validator implementations plugged-in through this SPI.
Facade for Validation functions with support for Validator implementation lookup by id.
An Spi for custom Validator implementations.
A CharBuffer based representation of the secret obtained from the vault that supports automated cleanup of memory.
This exception is thrown when the factory fails to init due to a configuration error.
VaultKeyResolver is a BiFunction whose implementation of the BiFunction.apply(Object, Object) method takes two Strings representing the realm name and the key name (as used in ${vault.key} expressions) and returns another String representing the final constructed key that is to be used when obtaining secrets from the vault.
Thrown when a vault directory doesn't exist.
 
 
Provider interface for a vault.
 
Raw representation of the secret obtained from vault that supports automated cleanup of memory.
SPI for a low-level vault access.
A String based representation of the secret obtained from the vault that supports automated cleanup of memory.
A facade to the configured vault provider that exposes utility methods for obtaining the vault secrets in different formats (such as VaultRawSecret, VaultCharSecret or VaultStringSecret).
Holds the verifiable credential to sign and additional context information.
Exception to be thrown in case credentials issuance fails.
Provider Factory to create VerifiableCredentialsSigningServices
Spi implementation of the creation of VerifiableCredentialsSigningService
Pojo to represent a VerifiableCredential for internal handling
 
Interface to be used for signing verifiable credentials.
 
 
 
Representation of a token that represents a time-limited verify e-mail action.
Action token handler for verification of e-mail address.
 
 
 
 
 
 
 
This class is used to parse the Vite manifest file which is generated by the build, this file contains a mapping of non-hashed asset filenames to their hashed versions, which can then be used to render the correct asset links for scripts, styles, etc.
Authenticator for WebAuthn authentication, which will be typically used when WebAuthn is used as second factor.
 
 
 
 
 
 
 
 
 
 
Credential provider for WebAuthn 2-factor credential of the user
 
Authenticator for WebAuthn authentication with passwordless credential.
 
Credential provider for WebAuthn passwordless credential of the user
 
Required action for register WebAuthn passwordless credential for the user.
 
 
Required action for register WebAuthn 2-factor credential for the user
 
 
Created by st on 22.09.15.
 
 
 
 
 
 
WARNING: Generated code! Do not edit!
This class defines the constants used throughout the WS-Trust implementation code.
 
 
 
Exception used to convey that an error has happened when handling a WS-Trust request message.
X500 SAML Profile Constants Adapted from http://code.google.com/p/simplesamlphp/source/browse/trunk/attributemap/name2oid.php?r=2654
 
 
 
 
 
 
 
 
 
 
 
 
Base Class for all Response Type parsing for SAML2
Java class for X509DataType complex type.
Java class for X509IssuerSerialType complex type.
Elements from saml-schema-protocol-2.0.xsd
Utility for XML Encryption Note: This utility is currently using Apache XML Security library API.
 
 
Utility for XML Signature Note: You can change the canonicalization method type by using the system property "picketlink.xmlsig.canonicalization"
Util class dealing with xml based time