Package org.keycloak.protocol.oidc
Class OIDCLoginProtocol
java.lang.Object
org.keycloak.protocol.oidc.OIDCLoginProtocol
- All Implemented Interfaces:
LoginProtocol
,Provider
- Author:
- Bill Burke, Stian Thorgersen
-
Nested Class Summary
Nested classes/interfaces inherited from interface org.keycloak.protocol.LoginProtocol
LoginProtocol.Error
-
Field Summary
Modifier and TypeFieldDescriptionstatic final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
protected EventBuilder
static final String
protected jakarta.ws.rs.core.HttpHeaders
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final int
static final int
static final int
static final int
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
protected RealmModel
static final String
static final String
static final String
static final String
static final String
protected OIDCResponseMode
protected OIDCResponseType
static final String
protected KeycloakSession
static final String
static final String
static final String
protected jakarta.ws.rs.core.UriInfo
-
Constructor Summary
ConstructorDescriptionOIDCLoginProtocol
(KeycloakSession session, RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, jakarta.ws.rs.core.HttpHeaders headers, EventBuilder event) -
Method Summary
Modifier and TypeMethodDescriptionjakarta.ws.rs.core.Response
authenticated
(AuthenticationSessionModel authSession, UserSessionModel userSession, ClientSessionContext clientSessionCtx) jakarta.ws.rs.core.Response
backchannelLogout
(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) jakarta.ws.rs.core.Response
buildRedirectUri
(OIDCRedirectUriBuilder redirectUriBuilder, AuthenticationSessionModel authSession, UserSessionModel userSession, ClientSessionContext clientSessionCtx) this method can be used in extension-implementations to theOIDCLoginProtocol
to add additional parameters to the redirectUri after successful authentication and to store these e.g.jakarta.ws.rs.core.Response
buildRedirectUri
(OIDCRedirectUriBuilder redirectUriBuilder, AuthenticationSessionModel authSession, UserSessionModel userSession, ClientSessionContext clientSessionCtx, Exception ex, LoginProtocol.Error oidcError) this method can be used in extension-implementations to theOIDCLoginProtocol
to add additional parameters to the redirectUri after failed authenticationvoid
close()
jakarta.ws.rs.core.Response
finishBrowserLogout
(UserSessionModel userSession, AuthenticationSessionModel logoutSession) This method is called when browser logout is going to be finished.jakarta.ws.rs.core.Response
frontchannelLogout
(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) getClientData
(AuthenticationSessionModel authSession) Returns client data, which will be wrapped in the "clientData" parameter sent within "authentication flow" requests.protected boolean
isAuthTimeExpired
(UserSessionModel userSession, AuthenticationSessionModel authSession) protected boolean
isPromptLogin
(AuthenticationSessionModel authSession) protected boolean
isReAuthRequiredForKcAction
(UserSessionModel userSession, AuthenticationSessionModel authSession) boolean
requireReauthentication
(UserSessionModel userSession, AuthenticationSessionModel authSession) jakarta.ws.rs.core.Response
sendError
(ClientModel client, ClientData clientData, LoginProtocol.Error error) Send the specified error to the specified client with the use of this protocol.jakarta.ws.rs.core.Response
sendError
(AuthenticationSessionModel authSession, LoginProtocol.Error error, String errorMessage) boolean
sendPushRevocationPolicyRequest
(RealmModel realm, ClientModel resource, int notBefore, String managementUrl) Send not-before revocation policy to the given client.setEventBuilder
(EventBuilder event) setHttpHeaders
(jakarta.ws.rs.core.HttpHeaders headers) setRealm
(RealmModel realm) setSession
(KeycloakSession session) setUriInfo
(jakarta.ws.rs.core.UriInfo uriInfo)
-
Field Details
-
LOGIN_PROTOCOL
- See Also:
-
STATE_PARAM
- See Also:
-
SCOPE_PARAM
- See Also:
-
AUTHORIZATION_DETAILS_PARAM
- See Also:
-
CODE_PARAM
- See Also:
-
RESPONSE_TYPE_PARAM
- See Also:
-
GRANT_TYPE_PARAM
- See Also:
-
REDIRECT_URI_PARAM
- See Also:
-
POST_LOGOUT_REDIRECT_URI_PARAM
- See Also:
-
CLIENT_ID_PARAM
- See Also:
-
NONCE_PARAM
- See Also:
-
MAX_AGE_PARAM
- See Also:
-
PROMPT_PARAM
- See Also:
-
LOGIN_HINT_PARAM
- See Also:
-
REQUEST_PARAM
- See Also:
-
REQUEST_URI_PARAM
- See Also:
-
UI_LOCALES_PARAM
- See Also:
-
CLAIMS_PARAM
- See Also:
-
ACR_PARAM
- See Also:
-
ID_TOKEN_HINT
- See Also:
-
LOGOUT_STATE_PARAM
- See Also:
-
LOGOUT_REDIRECT_URI
- See Also:
-
LOGOUT_VALIDATED_ID_TOKEN_SESSION_STATE
- See Also:
-
LOGOUT_VALIDATED_ID_TOKEN_ISSUED_AT
- See Also:
-
ISSUER
- See Also:
-
RESPONSE_MODE_PARAM
- See Also:
-
PROMPT_VALUE_NONE
- See Also:
-
PROMPT_VALUE_LOGIN
- See Also:
-
PROMPT_VALUE_CONSENT
- See Also:
-
PROMPT_VALUE_SELECT_ACCOUNT
- See Also:
-
CLIENT_SECRET_BASIC
- See Also:
-
CLIENT_SECRET_POST
- See Also:
-
CLIENT_SECRET_JWT
- See Also:
-
PRIVATE_KEY_JWT
- See Also:
-
TLS_CLIENT_AUTH
- See Also:
-
CODE_CHALLENGE_PARAM
- See Also:
-
CODE_CHALLENGE_METHOD_PARAM
- See Also:
-
PKCE_CODE_CHALLENGE_MIN_LENGTH
public static final int PKCE_CODE_CHALLENGE_MIN_LENGTH- See Also:
-
PKCE_CODE_CHALLENGE_MAX_LENGTH
public static final int PKCE_CODE_CHALLENGE_MAX_LENGTH- See Also:
-
PKCE_CODE_VERIFIER_MIN_LENGTH
public static final int PKCE_CODE_VERIFIER_MIN_LENGTH- See Also:
-
PKCE_CODE_VERIFIER_MAX_LENGTH
public static final int PKCE_CODE_VERIFIER_MAX_LENGTH- See Also:
-
PKCE_METHOD_PLAIN
- See Also:
-
PKCE_METHOD_S256
- See Also:
-
session
-
realm
-
uriInfo
protected jakarta.ws.rs.core.UriInfo uriInfo -
headers
protected jakarta.ws.rs.core.HttpHeaders headers -
event
-
responseType
-
responseMode
-
-
Constructor Details
-
OIDCLoginProtocol
public OIDCLoginProtocol(KeycloakSession session, RealmModel realm, jakarta.ws.rs.core.UriInfo uriInfo, jakarta.ws.rs.core.HttpHeaders headers, EventBuilder event) -
OIDCLoginProtocol
public OIDCLoginProtocol()
-
-
Method Details
-
setSession
- Specified by:
setSession
in interfaceLoginProtocol
-
setRealm
- Specified by:
setRealm
in interfaceLoginProtocol
-
setUriInfo
- Specified by:
setUriInfo
in interfaceLoginProtocol
-
setHttpHeaders
- Specified by:
setHttpHeaders
in interfaceLoginProtocol
-
setEventBuilder
- Specified by:
setEventBuilder
in interfaceLoginProtocol
-
authenticated
public jakarta.ws.rs.core.Response authenticated(AuthenticationSessionModel authSession, UserSessionModel userSession, ClientSessionContext clientSessionCtx) - Specified by:
authenticated
in interfaceLoginProtocol
-
buildRedirectUri
public jakarta.ws.rs.core.Response buildRedirectUri(OIDCRedirectUriBuilder redirectUriBuilder, AuthenticationSessionModel authSession, UserSessionModel userSession, ClientSessionContext clientSessionCtx) this method can be used in extension-implementations to theOIDCLoginProtocol
to add additional parameters to the redirectUri after successful authentication and to store these e.g. in the clientSession -
buildRedirectUri
public jakarta.ws.rs.core.Response buildRedirectUri(OIDCRedirectUriBuilder redirectUriBuilder, AuthenticationSessionModel authSession, UserSessionModel userSession, ClientSessionContext clientSessionCtx, Exception ex, LoginProtocol.Error oidcError) this method can be used in extension-implementations to theOIDCLoginProtocol
to add additional parameters to the redirectUri after failed authentication -
sendError
public jakarta.ws.rs.core.Response sendError(AuthenticationSessionModel authSession, LoginProtocol.Error error, String errorMessage) - Specified by:
sendError
in interfaceLoginProtocol
-
getClientData
Description copied from interface:LoginProtocol
Returns client data, which will be wrapped in the "clientData" parameter sent within "authentication flow" requests. The purpose of clientData is to be able to send HTTP error response back to the client if authentication fails due some error and authenticationSession is not available anymore (was either expired or removed). So clientData need to contain all the data to be able to send such response. For instance redirect-uri, state in case of OIDC or RelayState in case of SAML etc.- Specified by:
getClientData
in interfaceLoginProtocol
- Parameters:
authSession
- session from which particular clientData can be retrieved- Returns:
- client data, which will be wrapped in the "clientData" parameter sent within "authentication flow" requests
-
sendError
public jakarta.ws.rs.core.Response sendError(ClientModel client, ClientData clientData, LoginProtocol.Error error) Description copied from interface:LoginProtocol
Send the specified error to the specified client with the use of this protocol. ClientData can contain additional metadata about how to send error response to the client in a correct way for particular protocol. For instance redirect-uri where to send error, state to be used in OIDC authorization endpoint response etc. This method is usually used when we don't have authenticationSession anymore (it was removed or expired) as otherwise it is recommended to use#sendError(AuthenticationSessionModel, Error)
NOTE: This method should also validate if provided clientData are valid according to given client (for instance if redirect-uri is valid) as clientData is request parameter, which can be injected to HTTP URLs by anyone.- Specified by:
sendError
in interfaceLoginProtocol
- Parameters:
client
- client where to send errorclientData
- clientData with additional protocol specific metadata needed for being able to properly send error with the use of this protocolerror
- error to be used- Returns:
- response if error was sent. Null if error was not sent.
-
backchannelLogout
public jakarta.ws.rs.core.Response backchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) - Specified by:
backchannelLogout
in interfaceLoginProtocol
-
frontchannelLogout
public jakarta.ws.rs.core.Response frontchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) - Specified by:
frontchannelLogout
in interfaceLoginProtocol
-
finishBrowserLogout
public jakarta.ws.rs.core.Response finishBrowserLogout(UserSessionModel userSession, AuthenticationSessionModel logoutSession) Description copied from interface:LoginProtocol
This method is called when browser logout is going to be finished. It is not triggered during backchannel logout- Specified by:
finishBrowserLogout
in interfaceLoginProtocol
- Parameters:
userSession
- user session, which was logged outlogoutSession
- authentication session, which was used during logout to track the logout state- Returns:
- response to be sent to the client
-
requireReauthentication
public boolean requireReauthentication(UserSessionModel userSession, AuthenticationSessionModel authSession) - Specified by:
requireReauthentication
in interfaceLoginProtocol
- Returns:
- true if SSO cookie authentication can't be used. User will need to "actively" reauthenticate
-
isPromptLogin
-
isAuthTimeExpired
protected boolean isAuthTimeExpired(UserSessionModel userSession, AuthenticationSessionModel authSession) -
isReAuthRequiredForKcAction
protected boolean isReAuthRequiredForKcAction(UserSessionModel userSession, AuthenticationSessionModel authSession) -
sendPushRevocationPolicyRequest
public boolean sendPushRevocationPolicyRequest(RealmModel realm, ClientModel resource, int notBefore, String managementUrl) Description copied from interface:LoginProtocol
Send not-before revocation policy to the given client.- Specified by:
sendPushRevocationPolicyRequest
in interfaceLoginProtocol
- Returns:
true
if revocation policy was successfully updated at the client,false
otherwise.
-
close
public void close()
-