Interface ClientCredentialsProvider
All Known Implementing Classes: ClientIdAndSecretCredentialsProvider, JWTClientCredentialsProvider, JWTClientSecretCredentialsProvider
public interface ClientCredentialsProvider
A simple SPI for authenticating clients (applications). The adapter uses it during all OIDC backchannel requests to the Keycloak server (code-to-token exchange, token refresh, or backchannel logout). You can also use it in your application for direct access grants or service account requests (see the service-account example from the Keycloak demo for more info).
When you implement this SPI on the adapter (application) side, you also need to implement org.keycloak.authentication.ClientAuthenticator on the server side, so that your server is able to authenticate the client.
You must provide the file META-INF/services/org.keycloak.protocol.oidc.client.authentication.ClientCredentialsProvider in the WAR that contains this class (or in the JAR that is attached to WEB-INF/lib, or as a JBoss module if you want to share the implementation among more WARs).
NOTE: The SPI is not finished, and method signatures are still subject to change in future versions (for example, to support authentication with a client certificate).
Author: Marek Posolda
Method Summary
Modifier and Type | Method | Description
String | getId() | Return the ID of the provider.
void | init(AdapterConfig adapterConfig, Object config) | Called by adapter during deployment of your application.
void | setClientCredentials(AdapterConfig adapterConfig, Map<String, String> requestHeaders, Map<String, String> formParams) | Called every time adapter needs to perform backchannel request
Method Details
getId
String getId()
Return the ID of the provider. Use this ID in the keycloak.json configuration as the sub-element of the "credentials" element. For example, if your provider has the ID "kerberos-keytab", use a configuration like this in keycloak.json:
    "credentials": {
        "kerberos-keytab": {
            "keytab": "/tmp/foo"
        }
    }
Returns:
init
void init(AdapterConfig adapterConfig, Object config)
Called by the adapter during deployment of your application. You can, for example, read configuration and initialize your authenticator here.
Parameters:
adapterConfig - the adapter configuration
config - the configuration of your provider read from keycloak.json. For the kerberos-keytab example above, it will be a map with the single key "keytab" and the value "/tmp/foo"
setClientCredentials
void setClientCredentials(AdapterConfig adapterConfig, Map<String, String> requestHeaders, Map<String, String> formParams)
Called every time the adapter needs to perform a backchannel request.
Parameters:
adapterConfig - Fully resolved deployment
requestHeaders - Put here any HTTP request headers you want to use for authentication of the client. These headers will be attached to the HTTP request sent to the Keycloak server
formParams - Put here any request parameters you want to use for authentication of the client. These parameters will be attached to the HTTP request sent to the Keycloak server
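An added example, not part of the Keycloak Javadoc or the project's own code: a provider that implements the three methods above and keeps the client secret out of keycloak.json by reading it from a file. The class name, the ID "secret-file", the "path" key and the file location are hypothetical, and it assumes the server-side ClientAuthenticator accepts the client ID and secret as HTTP Basic credentials. It needs the Keycloak library that ships this interface on the classpath.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;
import java.util.Map;
import org.keycloak.protocol.oidc.client.authentication.ClientCredentialsProvider;
import org.keycloak.representations.adapters.config.AdapterConfig;

// Hypothetical provider. keycloak.json would contain (constructed sample):
//   "credentials": { "secret-file": { "path": "/run/secrets/client-secret" } }
// Register it by putting this class's fully qualified name in
// META-INF/services/org.keycloak.protocol.oidc.client.authentication.ClientCredentialsProvider
public class SecretFileCredentialsProvider implements ClientCredentialsProvider {
    private String clientSecret; // kept in memory only, never logged

    @Override
    public String getId() {
        return "secret-file"; // hypothetical ID, matches the key under "credentials"
    }

    @Override
    public void init(AdapterConfig adapterConfig, Object config) {
        // config is the sub-element of "credentials" for this provider's ID
        if (!(config instanceof Map)) {
            throw new IllegalStateException("'secret-file' must be a JSON object");
        }
        Object path = ((Map<?, ?>) config).get("path");
        if (!(path instanceof String)) {
            throw new IllegalStateException("'secret-file' needs a string 'path'");
        }
        try {
            byte[] raw = Files.readAllBytes(Paths.get((String) path));
            clientSecret = new String(raw, StandardCharsets.UTF_8).trim();
        } catch (IOException e) {
            // Fail the deployment instead of sending unauthenticated requests later
            throw new IllegalStateException("Cannot read client secret file " + path, e);
        }
        if (clientSecret.isEmpty()) {
            throw new IllegalStateException("Client secret file is empty: " + path);
        }
    }

    @Override
    public void setClientCredentials(AdapterConfig adapterConfig,
            Map<String, String> requestHeaders, Map<String, String> formParams) {
        // Assumption: "resource" in keycloak.json is the client ID; the secret goes in a header, not a form parameter
        byte[] pair = (adapterConfig.getResource() + ":" + clientSecret).getBytes(StandardCharsets.UTF_8);
        requestHeaders.put("Authorization", "Basic " + Base64.getEncoder().encodeToString(pair));
    }
}
```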