Package org.keycloak.broker.oidc
Class OIDCIdentityProvider
java.lang.Object
org.keycloak.broker.provider.AbstractIdentityProvider<C>
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
org.keycloak.broker.oidc.OIDCIdentityProvider
- All Implemented Interfaces:
ExchangeExternalToken,ExchangeTokenToIdentityProviderToken,IdentityProvider<OIDCIdentityProviderConfig>,Provider
- Direct Known Subclasses:
GitLabIdentityProvider,GoogleIdentityProvider,KeycloakOIDCIdentityProvider,LinkedInOIDCIdentityProvider
public class OIDCIdentityProvider
extends AbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
implements ExchangeExternalToken
- Author:
- Pedro Igor
-
Nested Class Summary
Nested ClassesNested classes/interfaces inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
AbstractOAuth2IdentityProvider.EndpointNested classes/interfaces inherited from interface org.keycloak.broker.provider.IdentityProvider
IdentityProvider.AuthenticationCallback -
Field Summary
FieldsModifier and TypeFieldDescriptionstatic final Stringstatic final Stringstatic final Stringstatic final Stringprotected static final org.jboss.logging.Loggerstatic final Stringstatic final Stringstatic final Stringstatic final StringFields inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
ACCESS_DENIED, FEDERATED_REFRESH_TOKEN, FEDERATED_TOKEN_EXPIRATION, mapper, OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE, OAUTH2_GRANT_TYPE_REFRESH_TOKEN, OAUTH2_PARAMETER_ACCESS_TOKEN, OAUTH2_PARAMETER_CLIENT_ID, OAUTH2_PARAMETER_CLIENT_SECRET, OAUTH2_PARAMETER_CODE, OAUTH2_PARAMETER_GRANT_TYPE, OAUTH2_PARAMETER_REDIRECT_URI, OAUTH2_PARAMETER_RESPONSE_TYPE, OAUTH2_PARAMETER_SCOPE, OAUTH2_PARAMETER_STATEFields inherited from class org.keycloak.broker.provider.AbstractIdentityProvider
ACCOUNT_LINK_URL, sessionFields inherited from interface org.keycloak.broker.provider.IdentityProvider
EXTERNAL_IDENTITY_PROVIDER, FEDERATED_ACCESS_TOKEN -
Constructor Summary
ConstructorsConstructorDescriptionOIDCIdentityProvider(KeycloakSession session, OIDCIdentityProviderConfig config) -
Method Summary
Modifier and TypeMethodDescriptionvoidauthenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context) voidbackchannelLogout(KeycloakSession session, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm) protected voidbackchannelLogout(UserSessionModel userSession, String idToken) callback(RealmModel realm, IdentityProvider.AuthenticationCallback callback, EventBuilder event) JAXRS callback endpoint for when the remote IDP wants to callback to keycloak.protected jakarta.ws.rs.core.UriBuilderprotected BrokeredIdentityContextexchangeExternalImpl(EventBuilder event, jakarta.ws.rs.core.MultivaluedMap<String, String> params) protected jakarta.ws.rs.core.ResponseexchangeSessionToken(jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject) protected jakarta.ws.rs.core.ResponseexchangeStoredToken(jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject) protected BrokeredIdentityContextextractIdentity(AccessTokenResponse tokenResponse, String accessToken, JsonWebToken idToken) protected BrokeredIdentityContextextractIdentityFromProfile(EventBuilder event, com.fasterxml.jackson.databind.JsonNode userInfo) protected StringgetFederatedIdentity(String response) protected KeyWrapperprotected Stringprotected SimpleHttpgetRefreshTokenRequest(KeycloakSession session, String refreshToken, String clientId, String clientSecret) protected Stringprotected Stringprotected StringgetUsernameFromUserInfo(com.fasterxml.jackson.databind.JsonNode userInfo) protected booleanisAuthTimeExpired(JsonWebToken idToken, AuthenticationSessionModel authSession) booleanprotected static booleanisTokenTypeSupported(JsonWebToken parsedToken) jakarta.ws.rs.core.ResponsekeycloakInitiatedBrowserLogout(KeycloakSession session, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm) Called when a Keycloak application initiates a logout through the browser.protected StringparseTokenInput(String encodedToken, boolean shouldBeSigned) Parses a JWT token that can be a JWE, JWS or JWE/JWS.voidpreprocessFederatedIdentity(KeycloakSession session, RealmModel realm, BrokeredIdentityContext context) protected voidprocessAccessTokenResponse(BrokeredIdentityContext context, AccessTokenResponse response) refreshTokenForLogout(KeycloakSession session, UserSessionModel userSession) Returns access token response as a string from a refresh token invocation on the remote OIDC brokerbooleanReload keys for the identity provider if permitted in it.For example OIDC or SAML providers will reload the keys from the jwks or metadata endpoint.protected booleanprotected final BrokeredIdentityContextvalidateJwt(EventBuilder event, String subjectToken, String subjectTokenType) validateToken(String encodedToken) protected JsonWebTokenvalidateToken(String encodedToken, boolean ignoreAudience) protected booleanMethods inherited from class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
asJsonNode, authenticateTokenRequest, buildUserInfoRequest, doGetFederatedIdentity, exchangeExternal, exchangeExternalComplete, exchangeExternalUserInfoValidationOnly, exchangeFromToken, extractTokenFromResponse, generateToken, getAccessTokenResponseParameter, getConfig, getJsonProperty, getSignatureContext, hasExternalExchangeToken, performLogin, retrieveToken, validateExternalTokenThroughUserInfoMethods inherited from class org.keycloak.broker.provider.AbstractIdentityProvider
close, exchangeErrorResponse, exchangeNotLinked, exchangeNotLinkedNoStore, exchangeNotSupported, exchangeTokenExpired, exchangeUnsupportedRequiredType, export, getLinkingUrl, getMarshaller, importNewUser, updateBrokeredUserMethods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, waitMethods inherited from interface org.keycloak.broker.provider.ExchangeExternalToken
exchangeExternal, exchangeExternalCompleteMethods inherited from interface org.keycloak.broker.provider.IdentityProvider
isMapperSupported, supportsLongStateParameter
-
Field Details
-
logger
protected static final org.jboss.logging.Logger logger -
SCOPE_OPENID
- See Also:
-
FEDERATED_ID_TOKEN
- See Also:
-
USER_INFO
- See Also:
-
FEDERATED_ACCESS_TOKEN_RESPONSE
- See Also:
-
VALIDATED_ID_TOKEN
- See Also:
-
ACCESS_TOKEN_EXPIRATION
- See Also:
-
EXCHANGE_PROVIDER
- See Also:
-
VALIDATED_ACCESS_TOKEN
- See Also:
-
-
Constructor Details
-
OIDCIdentityProvider
-
-
Method Details
-
callback
public Object callback(RealmModel realm, IdentityProvider.AuthenticationCallback callback, EventBuilder event) Description copied from interface:IdentityProviderJAXRS callback endpoint for when the remote IDP wants to callback to keycloak.- Specified by:
callbackin interfaceIdentityProvider<OIDCIdentityProviderConfig>- Overrides:
callbackin classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>- Returns:
-
refreshTokenForLogout
Returns access token response as a string from a refresh token invocation on the remote OIDC broker- Parameters:
session-userSession-- Returns:
-
backchannelLogout
public void backchannelLogout(KeycloakSession session, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm) - Specified by:
backchannelLogoutin interfaceIdentityProvider<OIDCIdentityProviderConfig>- Overrides:
backchannelLogoutin classAbstractIdentityProvider<OIDCIdentityProviderConfig>
-
backchannelLogout
-
keycloakInitiatedBrowserLogout
public jakarta.ws.rs.core.Response keycloakInitiatedBrowserLogout(KeycloakSession session, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm) Description copied from interface:IdentityProviderCalled when a Keycloak application initiates a logout through the browser. This is expected to do a logout with the IDP- Specified by:
keycloakInitiatedBrowserLogoutin interfaceIdentityProvider<OIDCIdentityProviderConfig>- Overrides:
keycloakInitiatedBrowserLogoutin classAbstractIdentityProvider<OIDCIdentityProviderConfig>- Returns:
- null if this is not supported by this provider
-
exchangeStoredToken
protected jakarta.ws.rs.core.Response exchangeStoredToken(jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject) - Overrides:
exchangeStoredTokenin classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
processAccessTokenResponse
protected void processAccessTokenResponse(BrokeredIdentityContext context, AccessTokenResponse response) -
getRefreshTokenRequest
protected SimpleHttp getRefreshTokenRequest(KeycloakSession session, String refreshToken, String clientId, String clientSecret) -
exchangeSessionToken
protected jakarta.ws.rs.core.Response exchangeSessionToken(jakarta.ws.rs.core.UriInfo uriInfo, EventBuilder event, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject) - Overrides:
exchangeSessionTokenin classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
getFederatedIdentity
- Overrides:
getFederatedIdentityin classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
isAuthTimeExpired
-
extractIdentity
protected BrokeredIdentityContext extractIdentity(AccessTokenResponse tokenResponse, String accessToken, JsonWebToken idToken) throws IOException - Throws:
IOException
-
getusernameClaimNameForIdToken
-
getUserInfoUrl
-
getIdentityProviderKeyWrapper
-
verify
-
parseTokenInput
Parses a JWT token that can be a JWE, JWS or JWE/JWS. It returns the content as a string. If JWS is involved the signature is also validated. A IdentityBrokerException is thrown on any error.- Parameters:
encodedToken- The token in the encoded string format.shouldBeSigned- true if the token should be signed (id token), false if the token can be only encrypted and not signed (user info).- Returns:
- The content in string format.
-
validateToken
-
validateToken
-
authenticationFinished
public void authenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context) - Specified by:
authenticationFinishedin interfaceIdentityProvider<OIDCIdentityProviderConfig>- Overrides:
authenticationFinishedin classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
getDefaultScopes
- Specified by:
getDefaultScopesin classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
isIssuer
- Specified by:
isIssuerin interfaceExchangeExternalToken- Overrides:
isIssuerin classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
supportsExternalExchange
protected boolean supportsExternalExchange()- Overrides:
supportsExternalExchangein classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
getProfileEndpointForValidation
- Overrides:
getProfileEndpointForValidationin classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
extractIdentityFromProfile
protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder event, com.fasterxml.jackson.databind.JsonNode userInfo) - Overrides:
extractIdentityFromProfilein classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
getUsernameFromUserInfo
-
validateJwt
protected final BrokeredIdentityContext validateJwt(EventBuilder event, String subjectToken, String subjectTokenType) -
isTokenTypeSupported
-
exchangeExternalImpl
protected BrokeredIdentityContext exchangeExternalImpl(EventBuilder event, jakarta.ws.rs.core.MultivaluedMap<String, String> params) - Overrides:
exchangeExternalImplin classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
createAuthorizationUrl
- Overrides:
createAuthorizationUrlin classAbstractOAuth2IdentityProvider<OIDCIdentityProviderConfig>
-
preprocessFederatedIdentity
public void preprocessFederatedIdentity(KeycloakSession session, RealmModel realm, BrokeredIdentityContext context) - Specified by:
preprocessFederatedIdentityin interfaceIdentityProvider<OIDCIdentityProviderConfig>- Overrides:
preprocessFederatedIdentityin classAbstractIdentityProvider<OIDCIdentityProviderConfig>
-
reloadKeys
public boolean reloadKeys()Description copied from interface:IdentityProviderReload keys for the identity provider if permitted in it.For example OIDC or SAML providers will reload the keys from the jwks or metadata endpoint.- Specified by:
reloadKeysin interfaceIdentityProvider<OIDCIdentityProviderConfig>- Returns:
- true if reloaded, false if not
-