Interface ClientCredentialsProvider

All Known Implementing Classes:
ClientIdAndSecretCredentialsProvider, JWTClientCredentialsProvider, JWTClientSecretCredentialsProvider

public interface ClientCredentialsProvider
A simple SPI for authenticating clients/applications. The adapter uses it during all OIDC backchannel requests to the Keycloak server (codeToToken exchange, refresh token or backchannel logout). You can also use it in your application during direct access grants or service account requests (see the service-account example from the Keycloak demo for more info).

When you implement this SPI on the adapter (application) side, you also need to implement org.keycloak.authentication.ClientAuthenticator on the server side, so that your server is able to authenticate the client.

You must provide the file META-INF/services/org.keycloak.protocol.oidc.client.authentication.ClientCredentialsProvider in the WAR that contains this class (or in a JAR attached to WEB-INF/lib, or as a JBoss module if you want to share the implementation among several WARs).

NOTE: The SPI is not finished and method signatures are still subject to change in future versions (for example, to support authentication with a client certificate).
Author:
Marek Posolda
  • Method Details

    • getId

      String getId()
      Return the ID of the provider. Use this ID in the keycloak.json configuration as the subelement of the "credentials" element. For example, if your provider has the ID "kerberos-keytab", use a configuration like this in keycloak.json:

          "credentials": {
              "kerberos-keytab": {
                  "keytab": "/tmp/foo"
              }
          }
      Returns:
    • init

      void init(AdapterConfig adapterConfig, Object config)
      Called by the adapter during deployment of your application. Here you can, for example, read the configuration and initialize your authenticator.
      Parameters:
      adapterConfig - the adapter configuration
      config - the configuration of your provider, read from keycloak.json. For the kerberos-keytab example above, it will be a map with the single key "keytab" and the value "/tmp/foo"
    • setClientCredentials

      void setClientCredentials(AdapterConfig adapterConfig, Map<String,String> requestHeaders, Map<String,String> formParams)
      Called every time the adapter needs to perform a backchannel request.
      Parameters:
      adapterConfig - Fully resolved deployment
      requestHeaders - Put here any HTTP request headers you want to use to authenticate the client. These headers will be attached to the HTTP request sent to the Keycloak server
      formParams - Put here any request parameters you want to use to authenticate the client. These parameters will be attached to the HTTP request sent to the Keycloak server
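
The three methods above, implemented together in an added example (not code from the Keycloak project): a provider that reads the client secret from a file named in keycloak.json, so the secret itself is not packaged in the WAR, and that fails deployment if the secret cannot be loaded. The package, class name, provider ID "secret-file" and config key "path" are hypothetical, and the example assumes the server-side ClientAuthenticator for this client accepts client_id and client_secret as form parameters.

```java
package com.example.auth; // hypothetical package

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Map;
import org.keycloak.protocol.oidc.client.authentication.ClientCredentialsProvider;
import org.keycloak.representations.adapters.config.AdapterConfig;

// Register by listing this class name in the META-INF/services file named in the text above.
public class SecretFileCredentialsProvider implements ClientCredentialsProvider {
    private static final String PROVIDER_ID = "secret-file"; // hypothetical provider ID
    private String clientSecret;

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public void init(AdapterConfig adapterConfig, Object config) {
        // For "credentials": { "secret-file": { "path": "..." } } the config object
        // is a map with the single key "path" (a hypothetical key name).
        Object path = (config instanceof Map) ? ((Map<?, ?>) config).get("path") : null;
        if (!(path instanceof String)) {
            throw new IllegalStateException("secret-file: 'path' is missing in keycloak.json");
        }
        try {
            byte[] raw = Files.readAllBytes(Paths.get((String) path));
            clientSecret = new String(raw, StandardCharsets.UTF_8).trim();
        } catch (IOException e) {
            // Fail the deployment instead of sending requests without credentials.
            throw new IllegalStateException("secret-file: cannot read " + path, e);
        }
        if (clientSecret.isEmpty()) {
            throw new IllegalStateException("secret-file: secret file is empty");
        }
    }

    @Override
    public void setClientCredentials(AdapterConfig adapterConfig,
            Map<String, String> requestHeaders, Map<String, String> formParams) {
        // These parameters are attached to the backchannel request sent to the server.
        formParams.put("client_id", adapterConfig.getResource());
        formParams.put("client_secret", clientSecret);
    }
}
```

Restrict read access on the secret file to the account that runs the application server, since anyone who can read it can authenticate as the client.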